_ro
(@ro)
12 March 2007 11:21
#1
Recently my computer has slowed down… I have a fast internet connection, but some pages load very slowly for me (only some). When I asked friends whether those pages load slowly for them, the answer was: NO.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Alcohol\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\AllPlayer\ALLPlayer\ALLPlayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Instalki\Systemowe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.prest.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: XBTP01621 - {9EBBE90B-282E-4c39-8A7E-120749169F0F} - C:\PROGRA~1\BEARSH~1\MediaBar.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~2\BEARSH~1\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\BearShare MediaBar\MediaBar.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip…{411D8F55-075D-4168-9728-7C477342104D}: NameServer = 85.255.114.14,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\xxx\USTAWI~1\Temp\hpdj.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol\Alcohol 120\StarWind\StarWindService.exe
sdar
(sdar)
12 March 2007 11:28
#2
@ro Please follow the recommendations given in THIS topic. Otherwise the topic will be deleted.
Aqui
(Aqui89)
12 March 2007 12:57
#3
O17 - HKLM\System\CCS\Services\Tcpip…{411D8F55-075D-4168-9728-7C477342104D}: NameServer = 85.255.114.14,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
This is the work of the Windows Security Center rootkit.
Use Fixwareout.
Then open Notepad and paste this into it:
File >> Save as >> change the extension from txt to All files >>> and save it under the name FIX.BAT. Run the resulting file in Safe Mode.
In HijackThis tick these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O2 - BHO: XBTP01621 - {9EBBE90B-282E-4c39-8A7E-120749169F0F} - C:\PROGRA~1\BEARSH~1\MediaBar.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~2\BEARSH~1\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\BearShare MediaBar\MediaBar.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
and click Fix checked.
Did you set the proxy yourself?
??
Come back with a new log from HijackThis + SilentRunners.
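The diagnosis in the post above rests on the O17 lines: the NameServer value in every control set (CCS, CS1, CS2) and on the per-interface key points at 85.255.114.14 and 85.255.112.88, public addresses the owner never configured, so every name lookup from this machine is answered by a resolver somebody else chose, which explains why only some sites misbehave while friends see nothing wrong. The following is an added example, not code from the thread or from HijackThis: a small Python triage that parses such log lines and flags any O17 resolver that is neither local nor on an operator-supplied allow-list, along with the two other lines the helpers singled out (a Winlogon Notify DLL that no longer exists, a service registered from a Temp folder) and the configured proxy. `TRUSTED_RESOLVERS`, the `192.168.0.1` line and the function names are assumptions made for the illustration; the other sample lines are copied from the log in post #1.

```python
"""Triage a HijackThis log for the DNS hijack pattern seen in this thread.

Added example (not part of the forum thread or of HijackThis): it walks the
log line by line, collects every O17 NameServer entry and reports resolvers
that are neither private/local nor on an operator-supplied allow-list, plus a
few related lines (Winlogon Notify DLLs that no longer exist, services that
run from a Temp folder, a configured proxy).
"""
import ipaddress
import re
from typing import Iterable

# ASSUMPTION: the resolvers the owner expects to see (ISP or router DNS).
# Private, link-local and loopback addresses are treated as a local router.
TRUSTED_RESOLVERS = {"192.168.0.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>.+)$")


def split_servers(value: str) -> list[str]:
    """HijackThis prints the list comma-separated for interface keys and
    space-separated for the global Parameters key; accept both."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def is_suspicious_resolver(addr: str) -> bool:
    """True for any resolver that is not local and not explicitly trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # not an IP address at all; a person should look at it
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return False
    return addr not in TRUSTED_RESOLVERS


def triage(lines: Iterable[str]) -> list[dict]:
    """Return one finding dict per suspicious log line."""
    findings: list[dict] = []
    for raw in lines:
        line = raw.strip()
        if m := O17_RE.match(line):
            bad = [s for s in split_servers(m["servers"]) if is_suspicious_resolver(s)]
            if bad:
                findings.append({"type": "dns_hijack", "key": m["key"], "servers": bad})
        elif (m := O20_RE.match(line)) and "(file missing)" in m["path"]:
            # A Notify DLL that is gone usually means a removed payload left
            # its winlogon hook behind; the hook itself should still be cleaned.
            findings.append({"type": "winlogon_notify_missing", "name": m["name"], "path": m["path"]})
        elif (m := O23_RE.match(line)) and re.search(r"\\temp\\", m["path"], re.IGNORECASE):
            # Legitimate services are not installed out of a user's Temp folder.
            findings.append({"type": "service_in_temp", "name": m["name"], "path": m["path"]})
        elif m := PROXY_RE.match(line):
            findings.append({"type": "proxy_set", "proxy": m["proxy"]})
    return findings


def hijacked_resolvers(findings: list[dict]) -> list[str]:
    """Distinct rogue resolver addresses across all O17 findings, sorted."""
    return sorted({s for f in findings if f["type"] == "dns_hijack" for s in f["servers"]})


# Constructed sample: the flagged lines from the thread's log, plus one
# O17 line pointing at a local router (assumed) to show that it passes.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.prest.pl:8080",
    r"O17 - HKLM\System\CCS\Services\Tcpip…{411D8F55-075D-4168-9728-7C477342104D}: NameServer = 85.255.114.14,85.255.112.88",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.0.1",
    r"O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)",
    r"O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\xxx\USTAWI~1\Temp\hpdj.exe (file missing)",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("rogue resolvers:", hijacked_resolvers(results))
```

Run it against a saved HijackThis log with `triage(open("hijackthis.log", encoding="utf-8"))`; the allow-list is the one thing to adjust per machine, since a resolver that is rogue on one network is the ISP's own on another. Note that the script only reads the log: the registry clean-up itself is what the FIX.REG step later in the thread does.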
_ro
(@ro)
12 March 2007 18:52
#4
I didn't set the proxy, but I'm sure I have it set correctly…
New log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Alcohol\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Instalki\Systemowe\HijackThis.exe
D:\Program Files\Gadu-Gadu\gg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.prest.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip…{411D8F55-075D-4168-9728-7C477342104D}: NameServer = 85.255.114.14,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\xxx\USTAWI~1\Temp\hpdj.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol\Alcohol 120\StarWind\StarWindService.exe
adam9870
(adam9870)
12 March 2007 19:22
#5
Start => Run => type cmd and click OK => in the console that opens, type:
Use the ATF Cleaner program and clean Current User Temp and All Users Temp.
O17 - HKLM\System\CCS\Services\Tcpip…{411D8F55-075D-4168-9728-7C477342104D}: NameServer = 85.255.114.14,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\xxx\USTAWI~1\Temp\hpdj.exe (file missing)
Remove these entries in HJT.
Use the FixWareOut tool.
The regular version of BearShare comes bundled with junk, so I suggest removing it. If you really must use it, install the Lite version, which has no junk in it.
When you're done, post a new log from HijackThis and SilentRunners, plus the contents of the file c:\fixwareout\report.txt
adam9870
(adam9870)
12 March 2007 21:15
#7
Open Notepad and paste this into it:
File >>> Save as >>> Change the extension from TXT to All files >>> Save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
O17 - HKLM\System\CCS\Services\Tcpip…{411D8F55-075D-4168-9728-7C477342104D}: NameServer = 85.255.114.14,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.14 85.255.112.88
Remove these entries in HJT.
When you're done, paste new logs.
_ro
(@ro)
13 March 2007 14:59
#10
Many thanks… if the forum had a way to give a +, I'd definitely give you one.