Log -> blue screen and computer restart


(Prymcio) #1

For a few days now my computer has unexpectedly been showing a blue screen with white text saying that something is wrong and the computer will be shut down. I thought it was a RAM problem, but I have 512MB and usually around 300MB is free, so it's probably a virus. I have Trend Micro OfficeScan, but it doesn't detect anything :confused:

and here is the log

Logfile of HijackThis v1.99.1

Scan saved at 18:25:26, on 05-12-2005

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\TEMP\PD6506.EXE

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

F:\PRYMEK\PROGRAMY\FIREFOX\FIREFOX.EXE

F:\PrYmEk\pobierane\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://10.140.2.91:4343/officescan/console/ClientInstall/WinNTChk.cab

O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://10.140.2.91:4343/officescan/console/ClientInstall/setupini.cab

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://10.140.2.91:4343/officescan/console/ClientInstall/setup.cab

O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_22.cab

O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://10.140.2.91:4343/officescan/console/ClientInstall/RemoveCtrl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115365885271

O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_30.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_23.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_23.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{77C6B001-4843-4FB4-86E6-CB8D9891CE89}: NameServer = 194.150.96.2,194.150.98.2

O17 - HKLM\System\CCS\Services\Tcpip\..\{EAF255A0-11DD-48A1-9F9D-C8DFDFBF24C9}: NameServer = 192.168.0.1

O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Skanowanie w czasie rzeczywistym OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: Zapora osobista OfficeScanNT (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: Odbiornik OfficeScanNT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

(Gutek) #2

In Safe Mode, empty TEMP - that one, C:\WINDOWS\TEMP\PD6506.EXE

Please post a log from Silent Runners.

Silent Runners description: http://www.searchengines.pl/phpbb203/in … opic=15989


(Prymcio) #3

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"Steam" = (empty string)


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "SimpleShlExt extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Wirtualna Polska\wpkontakt\shellext_wpmsg.dll" [empty string]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {CLSID}\InProcServer32\(Default) = "F:\PrYmEk\programy\alkochol\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]

"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]

"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

WPKontakt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Wirtualna Polska\wpkontakt\shellext_wpmsg.dll" [empty string]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"

  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 44

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}" = "REALBAR" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll" ["Visicom Media"]


"{86227D9C-0EFE-4F8A-AA55-30386A3F5686}" = "YourSiteBar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\YourSiteBar\ysb.dll" [file not found]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Agent SAP, NwSapAgent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Odbiornik OfficeScanNT, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" ["Trend Micro Inc."]

Skanowanie w czasie rzeczywistym OfficeScanNT, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]

Usługa klienta dla systemu NetWare, NWCWorkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}

Zapora osobista OfficeScanNT, OfcPfwSvc, "C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe" ["Trend Micro Inc."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

HPW9 Language Monitor\Driver = "HPW9lmn.dll" [file not found]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Monitor 2 języka BJ\Driver = "CNBJMON2.DLL" [MS]

PDFCreator\Driver = "pdfcmnnt.dll" [null data]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 117 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 13 seconds.

---------- (total run time: 203 seconds)

(Gutek) #4

It's clean. What error does it show on the blue screen?

You can remove that KernelFaultCheck entry with HijackThis and completely prevent it from being created again via:

Control Panel >>> System >>> Advanced >>> Startup and Recovery

Click Settings and, in the Write debugging information section, set the option to None.
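Added example, not part of this thread and not code from HijackThis or Silent Runners: the two calls Gutek makes by eye above (in #2, that an executable running out of C:\WINDOWS\TEMP deserves a look; in #4, that the KernelFaultCheck entry is benign) written down as triage rules over HijackThis v1.99.1 log lines. It goes a little beyond the thread by also flagging O16 ActiveX entries fetched from a raw IP address, of which the posted log has several, and autostart entries pointing into a temp directory. The log excerpt is constructed from lines of the log posted in #1; the rule names, the Finding type and the regular expressions are my own and are only known to match the 1.99.1 line formats shown above.

```python
import ipaddress
import re
from typing import NamedTuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    severity: str  # "check": needs a human look; "info": explained, benign
    kind: str
    detail: str


# Constructed excerpt in HijackThis v1.99.1 line format. The paths, CLSIDs and
# URLs are taken from the log posted in this thread; nothing else is invented.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\PD6506.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115365885271
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
"""

# Directories a properly installed program has no business running from.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|temporary internet files)\\", re.IGNORECASE)
# "O4 - HKLM\..\Run: [Name] command line"  (assumed 1.99.1 format, as in the log above)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "O16 - DPF: {CLSID} (Description) - URL"
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$",
                    re.IGNORECASE)


def is_ip_literal(host: str) -> bool:
    """True if the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes = False  # the "Running processes:" list ends at the first blank line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR_RE.search(line):
                findings.append(Finding("check", "process-in-temp", line))
            continue
        m = O4_RE.match(line)
        if m:
            if m["name"] == "KernelFaultCheck" and "dumprep" in m["cmd"].lower():
                # Windows XP writes this Run value after a bugcheck so that dumprep
                # reports the kernel fault at the next logon: evidence that the
                # machine blue-screened, not the cause of it.
                findings.append(Finding("info", "kernel-fault-check",
                                        "dumprep 0 -k: crash reporter queued after a prior "
                                        "blue screen; read the minidump, do not treat as malware"))
            elif TEMP_DIR_RE.search(m["cmd"]):
                findings.append(Finding("check", "autostart-in-temp", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if is_ip_literal(host):
                findings.append(Finding("check", "activex-from-ip-literal",
                                        f"{m['desc']} <- {m['url']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

Run on the constructed excerpt it prints one "check" line for PD6506.EXE, one "info" line for KernelFaultCheck and one "check" line for the GameDesire control. Two caveats for anyone reusing it: the rules only say what deserves a look, not whether a file is malicious (the TEMP executable would still have to be identified, for example by submitting it to an AV vendor, before deleting it); and turning off "Write debugging information" as described above stops the KernelFaultCheck entry from coming back, but it also means the next blue screen leaves no minidump under %SystemRoot%\Minidump to read the stop code from, which is the one piece of evidence this thread never got.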


(Prymcio) #5

I did everything, I hope there'll be an improvement.

It disappears very quickly… I'm not able to read exactly what it says :confused:

Many thanks Gutek2222 :wink:

___________

One more thing…

Since then I've noticed that after going into standby the computer doesn't come back up afterwards. It's a laptop, and very often instead of shutting down the system I just close the lid and the computer automatically goes into standby.