process

IP: *.adsl.inetia.pl 01.03.07, 17:16
What is this process irdvxc.exe and what is it responsible for? Is it some kind of virus?
    • Guest: @ Re: process IP: *.chello.pl 01.03.07, 17:50
      It is a virus process; make a log and paste it on the forum.
      HijackThis log: http://www.mgregor.republika.pl/
      • Guest: Ville Re: process IP: *.adsl.inetia.pl 01.03.07, 17:56
        I managed to remove that process, but things are running somewhat strangely, so I am pasting the log

        Logfile of HijackThis v1.99.1
        Scan saved at 17:54:19, on 2007-03-01
        Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\WINDOWS\System32\CTsvcCDA.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
        C:\WINDOWS\System32\CTHELPER.EXE
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
        C:\Program Files\Opera\Opera.exe
        C:\Program Files\Winamp\winamp.exe
        C:\prog\hijackthis\HijackThis.exe

        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
        O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
        O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
        O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
        O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
        O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
        O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
        O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
        O17 - HKLM\System\CCS\Services\Tcpip\..\{4F635C20-629E-497A-BFE4-F692E6CC205B}: NameServer = 83.238.255.76 213.241.79.37
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
        O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
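        The replies below only say "the log looks OK"; what a reviewer actually does with such a log is walk the entry types that matter for persistence and traffic control (O4 Run keys, O2 browser helper objects, O10 Winsock LSP DLLs, O17 per-interface DNS servers, O23 services) and flag the ones that need a human look. The following Python script is an added example, not code from the thread or from HijackThis: it parses the HijackThis entry lines quoted above (embedded here as constructed sample input) and applies simple triage rules. The rules, the directory allow-list in `EXPECTED_ROOTS`, and the "Unknown owner" vendor string are the example's own assumptions about typical Windows XP installs and HijackThis output, not verdicts on this machine.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entry lines copied from the HijackThis log posted
# in this thread. Nothing is read from the running machine.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F635C20-629E-497A-BFE4-F692E6CC205B}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    subject: str   # what was flagged: an executable, a DLL, a DNS server list
    reason: str    # why a human should look at it


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumed: directories where software on a typical XP box legitimately lives.
EXPECTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")


def parse_entries(text):
    """Return (section, body) pairs for every 'Oxx - ...' line in a log."""
    out = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def first_executable(command):
    """Pull the program out of a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_o4(body):
    # body looks like: HKLM\..\Run: [Name] command line
    m = re.match(r".*?\[(.*?)\]\s*(.*)$", body)
    if not m:
        return None
    exe = first_executable(m.group(2))
    if "\\" not in exe and ":" not in exe:
        return Finding("O4", exe, "unqualified executable name: resolved by search order, "
                                  "not an explicit path, so confirm which file actually runs")
    if not exe.lower().startswith(EXPECTED_ROOTS):
        return Finding("O4", exe, "autostart outside the usual program directories")
    return None


def check_o2(body):
    # body looks like: BHO: Title - {CLSID} - path
    path = body.rsplit(" - ", 1)[-1].strip()
    if not path.lower().startswith(EXPECTED_ROOTS):
        return Finding("O2", path, "browser helper object loaded from an unusual location")
    return None


def check_o10(body):
    # HijackThis lists every LSP DLL it does not recognise; each one needs an owner.
    dll = body.split(": ", 1)[-1].strip()
    return Finding("O10", dll, "Winsock LSP DLL: confirm it belongs to an installed product")


def check_o17(body):
    # A changed per-interface NameServer redirects every DNS lookup on the box.
    m = re.search(r"NameServer\s*=\s*(.*)$", body)
    if not m:
        return None
    servers = m.group(1).replace(",", " ").split()
    return Finding("O17", " ".join(servers), "DNS servers set per interface: confirm they are your ISP's")


def check_o23(body):
    # body looks like: Service: Name (ShortName) - Vendor - path
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    vendor, path = parts[-2].strip(), parts[-1].strip()
    if vendor == "Unknown owner" or not path.lower().startswith(EXPECTED_ROOTS):
        return Finding("O23", path, f"service with vendor '{vendor}' or unusual path")
    return None


CHECKS = {"O2": check_o2, "O4": check_o4, "O10": check_o10, "O17": check_o17, "O23": check_o23}


def triage(text):
    """Run every applicable check and return the findings in log order."""
    findings = []
    for section, body in parse_entries(text):
        check = CHECKS.get(section)
        if check:
            finding = check(body)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.subject}\n     {f.reason}")
```

        Run against the sample, the script flags three things: the `CTHELPER.EXE` Run value (no path, so which file runs depends on search order), the `avgfwafu.dll` LSP entry (HijackThis calls it unknown; it must be tied to a product you installed, here the AVG firewall) and the two O17 DNS servers (legitimate if they are the ISP's, a full-traffic hijack if they are not). None of these is a verdict; they are the entries a reviewer verifies by hand before saying "log OK".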

        • Guest: Kolobos Re: process IP: *.escom.net.pl 01.03.07, 18:33
          The log looks OK.
          • Guest: Ville Re: process IP: *.adsl.inetia.pl 01.03.07, 18:59
            Could you also check a log from Silent Runners? Maybe not everything got removed after that virus.


            "Silent Runners.vbs", revision R50, www.silentrunners.org/
            Operating System: Windows XP
            Output limited to non-default values, except where indicated by "{++}"


            Startup items buried in registry:
            ---------------------------------

            HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
            "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
            "SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
            "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
            "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
            "UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
            "Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
            "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
            "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

            HKLM\Software\Microsoft\Active Setup\Installed Components\
            >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
            \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
            {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
            -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
            \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
            {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
            -> {HKLM...CLSID} = "SSVHelper Class"
            \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
            "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
            -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
            \InProcServer32\(Default) = "deskpan.dll" [file not found]
            "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
            -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
            \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
            "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
            -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
            \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
            "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
            -> {HKLM...CLSID} = "AVG7 Find Extension Class"
            \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
            "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
            -> {HKLM...CLSID} = "DesktopContext Class"
            \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
            "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
            -> {HKLM...CLSID} = "Desktop Explorer"
            \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
            "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
            -> {HKLM...CLSID} = (no title provided)
            \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
            "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
            -> {HKLM...CLSID} = "nView Desktop Context Menu"
            \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
            "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
            -> {HKLM...CLSID} = "7-Zip Shell Extension"
            \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
            "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
            -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
            \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
            "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
            -> {HKLM...CLSID} = (no title provided)
            \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
            "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
            -> {HKLM...CLSID} = "NVIDIA CPL Extension"
            \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

            HKLM\System\CurrentControlSet\Control\SecurityProviders\
            <<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll,, msnsspc.dll"

            HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
            {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
            -> {HKLM...CLSID} = "PDF Shell Extension"
            \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

            HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
            7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
            -> {HKLM...CLSID} = "7-Zip Shell Extension"
            \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
            AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
            -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
            \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

            HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
            7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
            -> {HKLM...CLSID} = "7-Zip Shell Extension"
            \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

            HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
            AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
            -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
            \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]


            Group Policies {GPedit.msc branch and setting}:
            -----------------------------------------------

            Note: detected settings may not have any effect.

            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

            "NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
            {User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
            Disable customizing browser toolbar buttons}

            "NoBandCustomize" = (REG_DWORD) hex:0x00000000
            {User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
            Disable customizing browser toolbars}

            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

            "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
            {User Configuration|Administrative Templates|System|
            Prevent access to registry editing tools}

            HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

            "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
            {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
            Shutdown: Allow system to be shut down without having to log on}

            "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
            {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
            Devices: Allow undock without having to log on}


            Active Desktop and Wallpaper:
            -----------------------------

            Active Desktop may be disabled at this entry:
            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

            Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
            HKCU\Softwa
            • Guest: Kolobos Re: process IP: *.escom.net.pl 01.03.07, 20:03
              It didn't all fit.
              • Guest: Ville Re: process IP: *.adsl.inetia.pl 01.03.07, 21:17
                Here is the whole thing:
                www.him.thorrgal.lap.pl/raport.txt
    • Guest: Ville Re: process IP: *.adsl.inetia.pl 02.03.07, 20:32
      Could someone check the log I posted earlier?
      • Guest: Kolobos Re: process IP: *.escom.net.pl 02.03.07, 21:30
        The log is OK.