siergiej
(Siergiej Oporny)
24 Lipiec 2007 10:51
#1
Komp sie restartuje jak uzywam przegladarki internetowej; na IE niekiedy nawet 2 godziny leci, ale jak wlacze firefoxa albo opere to po 2 min. sie restartuje. przeskanowalem kompa antyvirusami w tym semantec-online. Sprawdzalem tez z iny zasilaczem i ina karta sieciowa i bylo to samo. wklejam loga z hijackthis i silent runners:
hijackthis:
Logfile of HijackThis v1.99.1 Scan saved at 12:45:51, on 24.07.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\PC Tools Firewall Plus\FWService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Programme\PC Tools Firewall Plus\FirewallGUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Gadu-Gadu\gg.exe C:\WINDOWS\system32\wscntfy.exe C:\Programme\Internet Explorer\IEXPLORE.EXE C:\Programme\Internet Explorer\IEXPLORE.EXE C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM…\Run: [00PCTFW] “C:\Programme\PC Tools Firewall Plus\FirewallGUI.exe” -s O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Programme\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{00EB1CA3-1DA9-4461-A2F0-26722F80F00F}: NameServer = 81.173.194.68 194.8.194.60 O17 - HKLM\System\CS1\Services\Tcpip…{00EB1CA3-1DA9-4461-A2F0-26722F80F00F}: NameServer = 81.173.194.68 194.8.194.60 O17 - HKLM\System\CS2\Services\Tcpip…{00EB1CA3-1DA9-4461-A2F0-26722F80F00F}: NameServer = 81.173.194.68 194.8.194.60 O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Programme\PC Tools Firewall Plus\FWService.exe O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
silentrunners:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Programme\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “00PCTFW” = ““C:\Programme\PC Tools Firewall Plus\FirewallGUI.exe” -s” [“PC Tools”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “CPL-Erweiterung für Anzeigeverschiebung” -> {HKLM…CLSID} = “CPL-Erweiterung für Anzeigeverschiebung” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Erweiterung für HyperTerminal-Icons” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook-Dateisymbolerweiterung” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoInternetIcon” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Desktop| Hide Internet Explorer icon on desktop} “NoInstrumentation” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “ForceClassicControlPanel” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Dokumente und Einstellungen\USER\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\ssmypics.scr” [MS] Startup items in “USER” & “All Users” startup folders: ------------------------------------------------------ C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart “Microsoft Office” -> shortcut to: “C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ PC Tools Firewall Plus, PCToolsFirewallPlus, “C:\Programme\PC Tools Firewall Plus\FWService.exe” [“PC Tools”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 41 seconds. ---------- (total run time: 193 seconds)
jessica
(jessica)
24 Lipiec 2007 11:00
#2
W tych logach nie widać żadnej infekcji.
Może, na wszelki wypadek, daj jeszcze log z Combo ** Fix** .
Opis użycia ComboFix jest na tej stronie z linku.
Log może być długi, więc zapisz go sobie gdzieś, a potem wklej na http://wklej.org/ , a tu daj tylko link.
.
siergiej
(Siergiej Oporny)
24 Lipiec 2007 11:20
#3
link do loga z ComboFix: http://wklej.org/id/cfa436cb1b
wywalilem BitDefenwera z autostartu i ine klucze ktore zostawil
jessica
(jessica)
24 Lipiec 2007 11:58
#4
Też nic podejrzanego.
Nic tu po mnie
.
Jak już usuwasz z Autostartu, to usuń też te “zamulacze”
, by nie obciążały niepotrzebnie systemu.
One nie będą całkowicie usunięte, lecz tylko z Autostartu.:
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
ten wpis usuwamy przez Start >>> Programy >>> Autostart >>> kasacja z prawokliku
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
Panel sterowania >>> Ustawienia regionalne >>> Języki >>> Detale >>> Zaawansowane >>> odznaczyć
usługi tekstowe, zrób tak jeżeli nie używasz wielu języków.
Oczywiście u Ciebie to będzie trochę inaczej wyglądało, bo ty masz niemiecki Windows , ale myśle, że potrafisz dopasować wszystko.
.
siergiej
(Siergiej Oporny)
24 Lipiec 2007 12:24
#5
dzieki,
juz nie wiem jak to ugrysc