gumi111
(Bmazur85)
23 July 2006 16:44
#1
Hello. I have the following problem. The computer freezes on startup, sometimes earlier, sometimes later; sometimes it gets as far as the disk check, and then it always freezes at the 8th second of the countdown to the disk check. When I restart it, a screen appears with the choice of startup mode: safe mode, command prompt, etc. The computer starts only when I choose "Last Known Good Configuration". In safe mode it freezes. It is hard for me to do anything about it, because programs that require a restart after installation do not take hold, due to choosing "Last Known Good Configuration". So I am asking for some advice, and especially how to get rid of this ll5.exe.
Logfile of HijackThis v1.99.1
Scan saved at 18:34:14, on 2006-07-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ll5.exe
c:\usr\MYSQL\bin\mysqld.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Gumi\USTAWI~1\Temp\Rar$EX00.221\HijackThis.exe
C:\Documents and Settings\Gumi\Moje dokumenty\ewido-setup_4.0.0.172b.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU…\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU…\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O17 - HKLM\System\CCS\Services\Tcpip…{1D5A15A7-66BF-412B-A8AD-F6E69896F2D0}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: NETWORK SERVICE - Unknown owner - C:\WINDOWS\ctfmonn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Download Windows Worms Doors Cleaner, run it >>> change all the markers from disable to enable >>> after using the tool, a restart of the computer is required.
Start >>> Run >>> services.msc >>> stop and disable the NETWORK SERVICE service.
Download Pocket Killbox >>> run it >>> select the "Delete on Reboot" option >>> in the "Full path of file" field paste the paths:
After pasting each path separately, you click X; only when you have pasted the last path do you agree to the restart of the computer.
Delete with HijackThis
gumi111
(Bmazur85)
23 July 2006 17:48
#3
Despite my sincere wish to close the ports with this program, I could not manage it. After the restart they are still open. The computer still freezes at the first startup. In any case, I did everything as you said, and the log looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 19:44:09, on 2006-07-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\usr\MYSQL\bin\mysqld.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Gumi\USTAWI~1\Temp\Rar$EX00.123\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU…\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU…\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O17 - HKLM\System\CCS\Services\Tcpip…{1D5A15A7-66BF-412B-A8AD-F6E69896F2D0}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: l5 - Unknown owner - C:\WINDOWS\system32\ll5.exe (file missing)
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: NETWORK SERVICE - Unknown owner - C:\WINDOWS\ctfmonn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Unless maybe it is about something else…
Start >>> Run >>> services.msc >>> stop and disable the l5 and NETWORK SERVICE services, delete the entries with HijackThis.
Meaning what? You change the markers to green, and after the restart they are red again? That may be the result of a trojan that opens them. Scan the system with online scanners etc. Paste the log from Silent Runners (the description is in the same place as the HijackThis one).
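A triage sketch for the O23 service entries discussed in the posts above, added here as an example and not part of the original thread. The scoring rule and the short `KNOWN_SYSTEM_EXES` list are assumptions for illustration; a flagged entry is a lead to verify, not a verdict.

```python
import re

# Constructed sample: the O23 lines of the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O23 - Service: l5 - Unknown owner - C:\WINDOWS\system32\ll5.exe (file missing)
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: NETWORK SERVICE - Unknown owner - C:\WINDOWS\ctfmonn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""
# Assumption: a short illustrative list of genuine Windows binary names.
KNOWN_SYSTEM_EXES = ("ctfmon.exe", "svchost.exe", "lsass.exe", "spoolsv.exe")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                 r"(?P<path>[A-Za-z]:[\\/].+?)(?P<missing> \(file missing\))?$", re.M)

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Same length: skip the differing character in both; otherwise only in b.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def triage(log_text):
    """Map each O23 service name to (suspect, reasons)."""
    findings = {}
    for m in O23.finditer(log_text):
        path = m["path"].replace("/", "\\").lower()
        exe = path.rsplit("\\", 1)[-1]
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if m["missing"]:
            reasons.append("file missing")
        if path.startswith("c:\\windows\\"):
            reasons.append("in Windows directory")
        if any(one_edit_apart(exe, k) for k in KNOWN_SYSTEM_EXES):
            reasons.append("name resembles a system binary")
        # Assumed rule: an unknown owner plus any second signal is worth a look.
        findings[m["name"]] = ("unknown owner" in reasons and len(reasons) > 1, reasons)
    return findings

if __name__ == "__main__":
    for name, (suspect, reasons) in triage(SAMPLE_LOG).items():
        print("SUSPECT" if suspect else "ok     ", name, reasons)
```

On the sample, only `l5` and `NETWORK SERVICE` are flagged; `MySql` also shows "Unknown owner" but has no second signal, which is why that field alone is a weak indicator.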
gumi111
(Bmazur85)
23 July 2006 19:18
#5
Yes, exactly, they change to red. And which scanner do you recommend?
Here is the log from Silent Runners. It took about half an hour to run and even so it is probably unfinished. Is it normal for it to take so long?
Kaspersky, Panda / Scanners to choose from
The log is clean.
gumi111
(Bmazur85)
23 July 2006 19:33
#7
avast told me that I have something in RAM, but it could not really remove it, because it needed a restart, and I had to choose the last known good settings, which did not include starting it… Thanks for your time, I will play around with these scanners. Bye.