CentrumXP Forum Tematyka portalu CentrumXP.pl Windows XP Zamulenie systemu

Zamulenie systemu

Złapałem wczoraj spysherifa, ale go usunalem za pomoca hijacka, ale dziala mi tak powoli komp, ze szok! uzycie procesora skacze z 74% do 100%. Pomocy!!!

Odpowiedzi: 9

Ty niku formatuj wszystkie swoje dyski jakie masz pod reka, ale nie rzucaj tutaj takich światłych rad. Wsadz je sobie w ...buty.
EL NINO
Dodano
31.12.2005 20:01:25
ja bym osobiście sfortmatował dysk ale moźesz spróbować jeszcze przeczyścić rejestr progamem EasyCleaner.
niku
Dodano
31.12.2005 18:01:58
Teraz sprawa się troszkę rozjaśniła.

Nie podoba mi się:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{E6FB5E20–DE35–11CF–9C87–00AA005127ED}" = "WebCheck"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\xp2720312.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WebCheck" = "{E6FB5E20–DE35–11CF–9C87–00AA005127ED}"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\xp2720312.dll" [null data]


Wklej więc do notatnika taki tekst:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20–DE35–11CF–9C87–00AA005127ED}]
@="WebCheck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20–DE35–11CF–9C87–00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20–DE35–11CF–9C87–00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"


Zapisz z rozszerzeniem reg i dodaj do rejestru.
Z dysku skasuj plik xp2720312.dll

P.S. Tego posta z działu bezpieczeństwo w zbiorczym temacie usuwam, w tamtym mijscu jest niepotrzebny.
Bobi
Dodano
29.12.2005 14:48:16
właśnie zaden tak bardzo, svchost.exe / sytem jest wpisany dwa razy i raz zajmuje 9292KB a raz 1504KB
explorer.exe 12000KB do 16000KB
eplorer.exe 27660KB

a To z Silent Runnera:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
–––––––––––––––––––––––––––––––––

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Gadu–Gadu" = ""C:\Program Files\Gadu–Gadu\gg.exe" /tray" ["Gadu–Gadu Sp. z oo"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [file not found]
"{E6FB5E20–DE35–11CF–9C87–00AA005127ED}" = "WebCheck"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\xp2720312.dll" [null data]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4–59b0–47a6–b335–a6b3c0695aea}" = "Portable Media Devices"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a–b60a–48e6–996b–41d25ed39a1e}" = "Portable Media Devices Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BF05BB6E–442C–428B–8025–82280B7BC26C}" = "Zen Micro Media Explorer"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll" ["Creative Technology Ltd"]
"{21569614–B795–46b1–85F4–E737A8DC09AD}" = "Shell Search Band"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WebCheck" = "{E6FB5E20–DE35–11CF–9C87–00AA005127ED}"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\xp2720312.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kuba Osinski\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
–––––––––––––––––––––

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
EmOa
Dodano
29.12.2005 12:12:57
Jaki konkretnie proces zabiera moc procesora?
O permanentnym usunięciu folderu Links – Łącza było na forum.
Bobi
Dodano
29.12.2005 10:29:40
no i dalej jest tak powoli tyle, ze teraz uzycie procesora 100% i czasem spada do 88%
Co ja mam robić ?!
A dodatkowo w ulubionych cały czas nawet po usunieciu pojawia mi sie katalog Links, jak go skutecznei usunac?


Logfile of HijackThis v1.99.1
Scan saved at 07:28:22, on 2005–12–29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kuba Osinski\Pulpit\hijackthis1.99.1\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – Global Startup: SoundMan.lnk = C:\Program Files\Realtek AC97\SoundMan.exe
O8 – Extra context menu item: Download All by FlashGet – C:\Program Files\FlashGet\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – C:\Program Files\FlashGet\jc_link.htm
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O23 – Service: Ati HotKey Poller – Unknown owner – C:\WINDOWS\system32\Ati2evxx.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
EmOa
Dodano
29.12.2005 08:24:00
Usun wpisy O4 z unregmp2.exe – pliku nie powinno byc w tym miejscu w rejestrze.
EL NINO
Dodano
29.12.2005 00:58:49
co ja mam z tym zrobic...
juz sprawdzalem na stonie hijack'a
mój log to:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:48, on 2005–12–28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kuba Osinski\Pulpit\hijackthis1.99.1\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: SoundMan.lnk = C:\Program Files\Realtek AC97\SoundMan.exe
O8 – Extra context menu item: Download All by FlashGet – C:\Program Files\FlashGet\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – C:\Program Files\FlashGet\jc_link.htm
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O18 – Protocol: msnim – {828030A1–22C1–4009–854F–8E305202313F} – "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 – Service: Ati HotKey Poller – Unknown owner – C:\WINDOWS\system32\Ati2evxx.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
EmOa
Dodano
28.12.2005 23:36:56
Współczuć jednie wypada przy takiej ilości danych.
Poszukaj sobie jakiegoś robactwa w systemie – HijackThis się przyda.
Bobi
Dodano
28.12.2005 19:31:49
EmOa
Dodano:
28.12.2005 16:58:00
Komentarzy:
9
Strona 1 / 1