Szczepi
(Szczepi0804)
8 Listopad 2007 17:43
#1
Miałem problemy z systemem, ale jakos nie chcialo mi sie bawic, a ze dawno tego nie robilem, zrobilem sobie format C (w czasie instalacji odlaczylem od sieci, po instalacji systemu uzylem wwdc [czy jakos tak] i zainstalowalem firewalla a potem dopiero podlaczylem wtyczke). Ale mimo to mam problemy z aplikacjami (m.in gadu gadu, winamp itp), czesto mi sie zawieszaja, albo pasek zadan mi sie wiesza, podczas ładowania systemu jest sprawdzana spojnosc danych na partycji E (nie formatowana od 6 miesiecy jakos), byc moze ta partycja jest zasyfiona, nie wiem, ale wolalbym jej nie formatowac… No i postanowiłem siegnac waszej rady [; Pomozcie…
log z hjt:
Logfile of HijackThis v1.99.1 Scan saved at 18:42:55, on 2007-11-08 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\wuauclt.exe C:\Programy\Xfire\Xfire.exe C:\Programy\Mozilla Firefox\firefox.exe C:\Programy\BearShare\BearShare.exe C:\Programy\Winamp\winamp.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Gadu-Gadu\gg.exe D:\Instalki\hijackthis\HijackThis.exe D:\Instalki\hijackthis\Szczepan.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [RivaTunerStartupDaemon] “C:\Programy\RivaTuner v2.06\RivaTuner.exe” /S O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
log z silent runners:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ZoneAlarm Client” = ““C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “RivaTunerStartupDaemon” = ““C:\Programy\RivaTuner v2.06\RivaTuner.exe” /S” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO” -> {HKLM…CLSID} = “My Global Search Bar BHO” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” = “Multiscan” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{37B85A29-692B-4205-9CAD-2626E4993404}” -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{37B85A29-692B-4205-9CAD-2626E4993404}” = (no title provided) -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 79 seconds, including 18 seconds for message boxes)
arekmalek
(arekmalek)
8 Listopad 2007 18:20
#2
Start-> Uruchom -> CMD i OK.
wklep te polecenia:
Potem Fix’ nij te wpisy: (jeśli będą)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
Użyj combofix (temat przyklejony w tym dziale)
Daj z niego log + nowy hijackthis. Czekam
Złączono Posta : 08.11.2007 (Czw) 19:22
I bardzo dobrze by było jakbyś zainstalował Service Pack 2 lub 3 (testowy)
Szczepi
(Szczepi0804)
8 Listopad 2007 18:34
#3
combofix:
“szczepan” - 2007-11-08 19:29:49 - ComboFix 07-07-07.3 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\myglobalsearch C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL C:\Program Files\myglobalsearch\bar\Cache\files.ini C:\Program Files\myglobalsearch\bar\History\search ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))) 2007-11-08 18:57 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-11-08 17:44 2007-11-06 22:40 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:27 2007-11-06 21:17 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys 2007-11-06 21:17 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2007-11-06 21:17 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2007-11-06 21:17 129,784 --------- C:\WINDOWS\system32\pxafs.dll 2007-11-06 21:17 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe 2007-11-06 21:15 2007-11-06 21:14 2007-11-06 21:11 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-11-06 21:11 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-11-06 21:11 639,066 --a------ C:\WINDOWS\system32\divx.dll 2007-11-06 21:11 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-11-06 21:11 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-11-06 21:11 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-11-06 21:11 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-11-06 21:11 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-11-06 21:11 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-11-06 21:11 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-11-06 21:11 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll 2007-11-06 21:11 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-11-06 21:07 2007-11-06 21:06 0 --a------ C:\WINDOWS\nsreg.dat 2007-11-06 21:01 2007-11-06 21:01 2007-11-06 20:58 524,288 --------- C:\WINDOWS\system32\ati2sgag.exe 2007-11-06 20:58 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll 2007-11-06 20:58 2007-11-06 20:58 2007-11-06 20:58 2007-11-06 20:53 75,512 --a------ C:\WINDOWS\zllsputility.exe 2007-11-06 20:53 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-11-06 20:53 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll 2007-11-06 20:52 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll 2007-11-06 20:52 2007-11-06 20:52 2007-11-06 20:51 214 --a------ C:\WINDOWS\system32\tmp.reg 2007-11-06 20:51 2007-11-06 20:50 61,440 --a------ C:\WINDOWS\system32\Process.exe 2007-11-06 20:50 57,856 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-06 20:50 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-11-06 20:49 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-11-06 20:02:57 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-11-06 20:02:57 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-11-06 19:41:24 -------- d-----w C:\Program Files\Usługi online ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 00:02] “RivaTunerStartupDaemon”=“C:\Programy\RivaTuner v2.06\RivaTuner.exe” [2007-10-30 19:05] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2001-10-26 18:29] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E} rundll32 iesetup.dll,IEAccessUserInst ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-08 19:30:26 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-11-08 19:30:59 C:\ComboFix-quarantined-files.txt … 2007-11-08 19:30 — E O F —
nowy log hjt:
Logfile of HijackThis v1.99.1 Scan saved at 19:33:38, on 2007-11-08 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\wuauclt.exe C:\Programy\Xfire\Xfire.exe C:\Programy\BearShare\BearShare.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Gadu-Gadu\gg.exe D:\Instalki\hijackthis\HijackThis.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Gadu-Gadu\gg.exe C:\WINDOWS\explorer.exe C:\Programy\Mozilla Firefox\firefox.exe D:\Instalki\hijackthis\Szczepan.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [RivaTunerStartupDaemon] “C:\Programy\RivaTuner v2.06\RivaTuner.exe” /S O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Złączono Posta : 08.11.2007 (Czw) 19:37
co masz na mysli mowiac testowy? Moglbys podac jakiegos linka do takowego?
Gutek
(Gutek)
8 Listopad 2007 23:09
#4
Proszę pokaż jeszcze log:
Pobierz program SDFix