cssrss.exe error

Hi

When I start up my computer I get a message saying that the application cssrss.exe will be closed... I know this topic has already been brought up many times, but I'd still ask for guidance on what to do next :smiley: Below is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:29:51, on 2008-04-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\FTRTSVC.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\CameraFixer.exe

C:\WINDOWS\tsnpstd3.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\vsnpstd3.exe

C:\WINDOWS\system32\svchost.exe

D:\Programy\iTunes\iTunesHelper.exe

C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\neostrada tp\neostradatp.exe

C:\Program Files\neostrada tp\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Toaster.exe

C:\PROGRA~1\NEOSTR~1\Inactivity.exe

C:\PROGRA~1\NEOSTR~1\PollingModule.exe

C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

C:\Program Files\neostrada tp\Watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [skyTel] SkyTel.EXE

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe

O4 - HKLM…\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe

O4 - HKLM…\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe

O4 - HKLM…\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime

O4 - HKLM…\Run: [iTunesHelper] “D:\Programy\iTunes\iTunesHelper.exe”

O4 - HKLM…\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe

O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”

O4 - HKCU…\Run: [soundMan] " SOUNDMAN.EXE"

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O17 - HKLM\System\CCS\Services\Tcpip…{FF1E1E0A-B55D-4646-B16C-1C10351ABAD2}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)

O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 6325 bytes
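The three kinds of entry this thread acts on are all visible in the log above: an O4 Run entry launching cssrss.exe (one letter away from the legitimate csrss.exe), an O20 Winlogon Notify DLL reported as "(file missing)", and an O23 service with an unknown owner and a missing binary. The following Python script is an added example, not part of the thread nor of HijackThis or ComboFix; it applies those three checks to a few constructed lines in HijackThis format modelled on the posted log, and the list of core process names is taken from the log's "Running processes" section.

```python
"""Triage a HijackThis v2 log for the three kinds of entry this thread acted on."""
import re
from typing import List, Optional, Tuple

# Core Windows XP process names, taken from the "Running processes"
# section of the posted log.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
}

# Constructed sample in HijackThis format, modelled on the posted log
# (the forum renders "HKLM\..\Run" as "HKLM…\Run"; the O4 regex accepts either).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

O4_RE = re.compile(r"^O4 - \S+\\Run: \[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe: str) -> Optional[str]:
    """Core process name that `exe` is exactly one edit away from, or None
    when `exe` is itself a core process or resembles none of them."""
    exe = exe.lower()
    if exe in CORE_PROCESSES:
        return None
    return next((p for p in sorted(CORE_PROCESSES) if edit_distance(exe, p) == 1), None)


def exe_from_command(cmd: str) -> str:
    """Lower-cased basename of the program in a Run-key command (quoted or bare)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (indicator, reason) pairs for the log lines that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O4_RE.match(line):
            exe = exe_from_command(m["cmd"])
            legit = lookalike_of(exe)
            if legit:
                findings.append((exe, f"O4 [{m['label']}] imitates {legit}"))
        elif m := O20_RE.match(line):
            if "(file missing)" in m["dll"]:
                findings.append((m["key"], "O20 notify DLL is missing on disk"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" or "(file missing)" in m["path"]:
                findings.append((m["name"], "O23 service: unknown owner or missing binary"))
    return findings


if __name__ == "__main__":
    for indicator, reason in triage(SAMPLE_LOG):
        print(f"{indicator:<12} {reason}")
```

The lookalike check is a heuristic: a hit means "compare this path against the real system binary", not a verdict, which is why the helper below still confirms each item before scripting its removal.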

Fix in HijackThis

Download ComboFix, but don't run it yet

Paste into Notepad:

File::

C:\WINDOWS\system32\cssrss.exe

C:\WINDOWS\System32\CcEvtSvc.exe

File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->


The removal should start and a log will be produced; post that log on the forum.

If everything goes well, after the restart manually delete the folder C:\Qoobox

I did as you suggested... Below is the ComboFix log:

ComboFix 08-04-11.8 - Kazia 2008-04-13 13:43:36.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.117 [GMT 2:00]

Running from: C:\Documents and Settings\Kazia\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kazia\Pulpit\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\System32\CcEvtSvc.exe

C:\WINDOWS\system32\cssrss.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\WINDOWS\system32\cssrss.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CCEVTSVC

-------\Legacy_ZZZDRV_LICH

-------\Service_CcEvtSvc

-------\Service_ZZZdrv_lich

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

2008-04-13 12:29 . 2008-04-13 12:29

2008-04-13 11:53 . 2008-04-13 11:53 4,992 --a------ C:\WINDOWS\system32\tBSJnx.syz

2008-04-13 11:52 . 2008-04-13 11:51 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-04-13 11:52 . 2008-04-13 11:51 298,104 --a------ C:\WINDOWS\system32\imon.dll

2008-04-13 11:52 . 2008-04-13 11:51 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-04-13 11:51 . 2008-04-13 12:03

2008-04-13 11:47 . 2008-04-13 11:47 4,992 --a------ C:\WINDOWS\system32\sqVbaD.syz

2008-04-09 22:20 . 2008-04-09 22:20 4,992 --a------ C:\WINDOWS\system32\H9pRx7.syz

2008-04-09 22:08 . 2008-04-09 22:08 4,992 --a------ C:\WINDOWS\system32\cVb9No.syz

2008-04-09 21:38 . 2008-04-09 21:38

2008-04-09 21:34 . 2008-04-09 21:34 4,992 --a------ C:\WINDOWS\system32\V0bQOz.syz

2008-04-07 11:01 . 2008-04-07 11:01 4,992 --a------ C:\WINDOWS\system32\p6ihRo.syz

2008-04-07 10:55 . 2008-04-07 10:55 4,992 --a------ C:\WINDOWS\system32\Lqn51A.syz

2008-04-07 10:44 . 2008-04-07 10:44 4,992 --a------ C:\WINDOWS\system32\TwTdUI.syz

2008-04-07 10:40 . 2008-04-07 10:40 4,992 --a------ C:\WINDOWS\system32\Uq0f9T.syz

2008-04-05 21:36 . 2008-04-05 21:36 4,992 --a------ C:\WINDOWS\system32\YSdIdu.syz

2008-04-04 22:10 . 2008-04-04 22:10 4,992 --a------ C:\WINDOWS\system32\ISpxLQ.syz

2008-03-31 10:25 . 2008-03-31 10:25 4,992 --a------ C:\WINDOWS\system32\4ajPDP.syz

2008-03-31 10:16 . 2008-03-31 10:16 4,992 --a------ C:\WINDOWS\system32\E2bF28.syz

2008-03-23 12:14 . 2008-03-23 12:14 4,992 --a------ C:\WINDOWS\system32\wyAAfJ.syz

2008-03-23 12:09 . 2008-03-23 12:09 4,992 --a------ C:\WINDOWS\system32\HVUMXV.syz

2008-03-23 11:55 . 2008-03-23 11:55 4,992 --a------ C:\WINDOWS\system32\pRk6H1.syz

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 11:33 --------- d-----w C:\Program Files\neostrada tp

2008-04-13 11:33 --------- d-----w C:\Documents and Settings\Kazia\Dane aplikacji\Skype

2008-04-13 10:02 1,033,728 ----a-w C:\WINDOWS\explorer.exe

2008-04-13 09:53 8,192 ----a-w C:\lich.sys

2008-02-21 20:04 24,576 ----a-w C:\WINDOWS\system32\winrkq32.dll

2008-02-21 20:04 24,576 ----a-w C:\WINDOWS\system32\winbfi32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44 15360]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-11-16 19:04 139264]

“SoundMan”=" SOUNDMAN.EXE" [2007-11-02 19:14 3072 C:\WINDOWS\system32\ SOUNDMAN.EXE]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-09-13 14:31 22880040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-08-16 09:35 7630848]

“nwiz”=“nwiz.exe” [2006-08-16 09:35 1617920 C:\WINDOWS\system32\nwiz.exe]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-08-16 09:35 86016]

“SkyTel”=“SkyTel.EXE” [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

“RTHDCPL”=“RTHDCPL.EXE” [2006-12-19 05:12 16062464 C:\WINDOWS\RTHDCPL.EXE]

“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40 155648]

“WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 13:49 20480]

“WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 15:55 32768]

“CameraFixer”=“C:\WINDOWS\CameraFixer.exe” [2005-10-03 12:23 20480]

“tsnpstd3”=“C:\WINDOWS\tsnpstd3.exe” [2005-11-04 16:05 90112]

“snpstd3”=“C:\WINDOWS\vsnpstd3.exe” [2005-09-05 16:55 339968]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 20:51 39792]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2007-12-11 11:56 286720]

“iTunesHelper”=“D:\Programy\iTunes\iTunesHelper.exe” [2007-12-11 13:10 267048]

“WMDM PMSP Service”=“C:\WINDOWS\system32\cssrss.exe” []

“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2008-04-13 11:51 949376]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhab32]

winhab32.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“D:\Programy\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-09-19 11:03]

S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-09-15 11:07]

S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8345b211-60cc-11dc-95cd-806d6172696f}]

\Shell\AutoRun\command - E:\Setup.exe

.

Contents of the ‘Scheduled Tasks’ folder

“2008-01-05 21:37:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 13:45:06

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-13 13:45:32

ComboFix-quarantined-files.txt 2008-04-13 11:45:21

Pre-Run: 15,494,815,744 bajtów wolnych

Post-Run: 15,486,050,304 bajtów wolnych

.

2007-12-26 14:15:23 — E O F —

Should I restart now and delete the Qoobox folder?

Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Open Notepad and paste

save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

The removal should start

Then post the ComboFix removal log

:slight_smile:

Done

ComboFix 08-04-11.8 - Kazia 2008-04-13 22:27:54.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.186 [GMT 2:00]

Running from: C:\Documents and Settings\Kazia\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Kazia\Pulpit\CFScript.txt

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\lich.sys

C:\WINDOWS\system32\4ajPDP.syz

C:\WINDOWS\system32\cVb9No.syz

C:\WINDOWS\system32\E2bF28.syz

C:\WINDOWS\system32\H9pRx7.syz

C:\WINDOWS\system32\HVUMXV.syz

C:\WINDOWS\system32\ISpxLQ.syz

C:\WINDOWS\system32\Lqn51A.syz

C:\WINDOWS\system32\p6ihRo.syz

C:\WINDOWS\system32\pRk6H1.syz

C:\WINDOWS\system32\sqVbaD.syz

C:\WINDOWS\system32\TwTdUI.syz

C:\WINDOWS\system32\Uq0f9T.syz

C:\WINDOWS\system32\V0bQOz.syz

C:\WINDOWS\system32\winbfi32.dll

C:\WINDOWS\system32\winrkq32.dll

C:\WINDOWS\system32\wyAAfJ.syz

C:\WINDOWS\system32\YSdIdu.syz

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\lich.sys

C:\temp0001

C:\temp0001\ssaver4k.cyb

C:\WINDOWS\system32\4ajPDP.syz

C:\WINDOWS\system32\cVb9No.syz

C:\WINDOWS\system32\E2bF28.syz

C:\WINDOWS\system32\H9pRx7.syz

C:\WINDOWS\system32\HVUMXV.syz

C:\WINDOWS\system32\ISpxLQ.syz

C:\WINDOWS\system32\Lqn51A.syz

C:\WINDOWS\system32\p6ihRo.syz

C:\WINDOWS\system32\pRk6H1.syz

C:\WINDOWS\system32\sqVbaD.syz

C:\WINDOWS\system32\TwTdUI.syz

C:\WINDOWS\system32\Uq0f9T.syz

C:\WINDOWS\system32\V0bQOz.syz

C:\WINDOWS\system32\winbfi32.dll

C:\WINDOWS\system32\winrkq32.dll

C:\WINDOWS\system32\wyAAfJ.syz

C:\WINDOWS\system32\YSdIdu.syz

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SETUPNTGLM7X

-------\Service_SetupNTGLM7X

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

2008-04-13 12:29 . 2008-04-13 12:29

2008-04-13 11:53 . 2008-04-13 11:53 4,992 --a------ C:\WINDOWS\system32\tBSJnx.syz

2008-04-13 11:52 . 2008-04-13 11:51 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-04-13 11:52 . 2008-04-13 11:51 298,104 --a------ C:\WINDOWS\system32\imon.dll

2008-04-13 11:52 . 2008-04-13 11:51 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-04-13 11:51 . 2008-04-13 12:03

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 20:31 --------- d-----w C:\Program Files\neostrada tp

2008-04-13 20:20 --------- d-----w C:\Documents and Settings\Kazia\Dane aplikacji\Skype

2008-04-13 10:02 1,033,728 ----a-w C:\WINDOWS\explorer.exe

.

((((((((((((((((((((((((((((( snapshot@2008-04-13_13.02.38.75 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-04-13 20:31:12 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_680.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44 15360]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-11-16 19:04 139264]

“SoundMan”=" SOUNDMAN.EXE" [2007-11-02 19:14 3072 C:\WINDOWS\system32\ SOUNDMAN.EXE]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-09-13 14:31 22880040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-08-16 09:35 7630848]

“nwiz”=“nwiz.exe” [2006-08-16 09:35 1617920 C:\WINDOWS\system32\nwiz.exe]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-08-16 09:35 86016]

“SkyTel”=“SkyTel.EXE” [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

“RTHDCPL”=“RTHDCPL.EXE” [2006-12-19 05:12 16062464 C:\WINDOWS\RTHDCPL.EXE]

“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40 155648]

“WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 13:49 20480]

“WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 15:55 32768]

“CameraFixer”=“C:\WINDOWS\CameraFixer.exe” [2005-10-03 12:23 20480]

“tsnpstd3”=“C:\WINDOWS\tsnpstd3.exe” [2005-11-04 16:05 90112]

“snpstd3”=“C:\WINDOWS\vsnpstd3.exe” [2005-09-05 16:55 339968]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 20:51 39792]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2007-12-11 11:56 286720]

“iTunesHelper”=“D:\Programy\iTunes\iTunesHelper.exe” [2007-12-11 13:10 267048]

“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2008-04-13 11:51 949376]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 00:44 15360]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“D:\Programy\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-09-19 11:03]

S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-09-15 11:07]

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8345b211-60cc-11dc-95cd-806d6172696f}]

\Shell\AutoRun\command - E:\Setup.exe

.

Contents of the ‘Scheduled Tasks’ folder

“2008-01-05 21:37:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 22:31:04

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\FTRTSVC.exe

C:\Program Files\ESET\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-04-13 22:32:11 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-13 20:31:59

ComboFix2.txt 2008-04-13 11:45:32

Pre-Run: 16,446,185,472 bajtów wolnych

Post-Run: 16,422,432,768 bajtów wolnych

.

2007-12-26 14:15:23 — E O F —

waiting for further instructions :)

Open Notepad and paste

save it with "Save as type: All files" under the name plik.reg

Run that file, then restart the computer

done

Now ComboFix shows this:

ComboFix 08-04-11.8 - Kazia 2008-04-14 10:44:25.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.71 [GMT 2:00]

Running from: C:\Documents and Settings\Kazia\Pulpit\ComboFix.exe

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))

.

2008-04-13 23:29 . 2008-04-14 10:32

2008-04-13 23:29 . 2008-04-14 10:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-04-13 23:29 . 2008-04-14 10:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-04-13 23:29 . 2008-04-14 10:15 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-04-13 23:05 . 2008-04-13 23:17

2008-04-13 22:45 . 2008-04-13 22:57 1,374 --a------ C:\WINDOWS\imsins.BAK

2008-04-13 12:29 . 2008-04-13 12:29

2008-04-13 11:52 . 2008-04-13 11:51 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-04-13 11:52 . 2008-04-13 11:51 298,104 --a------ C:\WINDOWS\system32\imon.dll

2008-04-13 11:52 . 2008-04-13 11:51 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-04-13 11:51 . 2008-04-14 10:23

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-14 08:43 --------- d-----w C:\Documents and Settings\Kazia\Dane aplikacji\Skype

2008-04-14 08:42 --------- d-----w C:\Program Files\neostrada tp

2008-04-14 08:23 --------- d-----w C:\Program Files\Google

2008-04-13 10:02 1,033,728 ----a-w C:\WINDOWS\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44 15360]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-11-16 19:04 139264]

“SoundMan”=" SOUNDMAN.EXE" []

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-09-13 14:31 22880040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-08-16 09:35 7630848]

“nwiz”=“nwiz.exe” [2006-08-16 09:35 1617920 C:\WINDOWS\system32\nwiz.exe]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-08-16 09:35 86016]

“SkyTel”=“SkyTel.EXE” [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

“RTHDCPL”=“RTHDCPL.EXE” [2006-12-19 05:12 16062464 C:\WINDOWS\RTHDCPL.EXE]

“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40 155648]

“WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 13:49 20480]

“WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 15:55 32768]

“CameraFixer”=“C:\WINDOWS\CameraFixer.exe” [2005-10-03 12:23 20480]

“tsnpstd3”=“C:\WINDOWS\tsnpstd3.exe” [2005-11-04 16:05 90112]

“snpstd3”=“C:\WINDOWS\vsnpstd3.exe” [2005-09-05 16:55 339968]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 20:51 39792]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2007-12-11 11:56 286720]

“iTunesHelper”=“D:\Programy\iTunes\iTunesHelper.exe” [2007-12-11 13:10 267048]

“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2008-04-13 11:51 949376]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 00:44 15360]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“D:\Programy\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-09-19 11:03]

S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-09-15 11:07]

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

.

Contents of the ‘Scheduled Tasks’ folder

“2008-01-05 21:37:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-14 10:45:44

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-14 10:46:15

ComboFix-quarantined-files.txt 2008-04-14 08:46:03

Pre-Run: 16,019,628,032 bajtów wolnych

Post-Run: 16,009,396,224 bajtów wolnych

.

2008-04-13 20:57:25 — E O F —

The log is clean

Manually delete the folder C:\Qoobox

delete the ComboFix installer from your disk.

Looks like it's clean now :) I scanned online with mks-vir and Panda and nothing was detected, so I think it's fine :) :slight_smile:

BIG THANKS for the help!!!

Best regards