system
14 December 2007 13:28
#1
Hello. In the Problems section I described a situation where, after system startup, an error with the explorer.EXE application appeared, and after that half of the programs do not show up in the taskbar even though they should. One user advised me to post a log and thinks the culprit may be Spybot, which has been acting up for a long time. Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 14:21:48, on 2007-12-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
C:\WINDOWS\explorer.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
D:\Takie tam\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Lukasz\USTAWI~1\Temp\Rar$EX14.031\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU…\Run: [speedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
O4 - HKCU…\Run: [Gadu-Gadu] "D:\Takie tam\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [Firewall auto setup] C:\DOCUME~1\Lukasz\USTAWI~1\Temp\winlogon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6114378140
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
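One way to mechanise the reading a responder does by eye on the O4 (Run-key) lines of a log like the one above. This is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools it lists. The sample lines are the O4 entries from the post, reproduced in HijackThis's own HKLM\..\Run form, and the system root C:\WINDOWS is an assumption taken from the process list in the log. The three checks are the ones a practitioner applies by hand: an autorun target living in a temporary directory, a value named after a binary the logon chain starts itself (winlogon.exe, logonui.exe, lsass.exe and the like never belong in a Run key whatever directory they point at), and a bare filename with no directory, which is resolved through the search order and deserves a look at which copy actually runs.

```python
"""Triage of HijackThis O4 (Run-key) lines.

Added example for this page, not code from the forum thread or from
HijackThis. Sample input below is copied from the posted log; the
system root is assumed to be C:\\WINDOWS as the process list shows.
"""
import re
from dataclasses import dataclass, field

# Binaries the Windows boot/logon chain launches itself. A Run-key value
# naming one of them is never legitimate, regardless of the directory.
LOGON_CHAIN = {"winlogon.exe", "logonui.exe", "lsass.exe", "smss.exe",
               "csrss.exe", "services.exe", "userinit.exe", "wininit.exe"}

# System binaries that are plausible autorun targets only when they really
# live under the Windows directory.
WINDOWS_ONLY = {"svchost.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
                "taskmgr.exe", "ctfmon.exe"}

# Scratch locations no installer uses for a persistent autorun target
# (the ~1 segments in the log are 8.3 short names, so match on the tail).
SCRATCH_DIRS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\", "\\recycler\\")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w ]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# O4 lines copied from the HijackThis log in the post (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [speedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Takie tam\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Lukasz\USTAWI~1\Temp\winlogon.exe
"""


@dataclass
class Finding:
    name: str          # value name inside the Run key
    hive: str          # HKLM or HKCU
    exe: str           # executable the value launches
    args: str          # remaining command line
    reasons: list = field(default_factory=list)  # (level, text) pairs

    @property
    def severity(self) -> str:
        return "high" if any(lvl == "high" for lvl, _ in self.reasons) else "info"


def split_command(cmd: str):
    """Split a Run-key command line into (executable, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.(?:exe|com|scr|dll|bat|cmd|pif))(?:\s+(.*))?$", cmd, re.I)
    if m:                                       # unquoted path: cut after the extension
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def assess(exe: str, system_root: str = "C:\\WINDOWS") -> list:
    """Apply the three by-hand heuristics to one executable path."""
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    root = system_root.lower().rstrip("\\") + "\\"
    reasons = []
    if "\\" not in low:
        reasons.append(("info", "bare filename, resolved through the search order; "
                                "confirm which copy actually runs"))
    if any(frag in low for frag in SCRATCH_DIRS):
        reasons.append(("high", "autorun target lives in a temporary directory"))
    if base in LOGON_CHAIN:
        reasons.append(("high", f"{base} is started by the logon chain, never from a "
                                f"Run key: name-squatting"))
    elif base in WINDOWS_ONLY and "\\" in low and not low.startswith(root):
        reasons.append(("high", f"{base} outside {system_root}: name-squatting"))
    return reasons


def triage(log_text: str, system_root: str = "C:\\WINDOWS") -> list:
    """Return a Finding for every O4 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        reasons = assess(exe, system_root)
        if reasons:
            findings.append(Finding(m.group("name"), m.group("hive"), exe, args, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.hive} [{f.name}] -> {f.exe} {f.args}")
        for _, why in f.reasons:
            print("    -", why)
```

Run against the sample, the only high-severity hit is the "Firewall auto setup" value, flagged twice (temporary directory and a winlogon.exe name outside the logon chain); soundMan is reported only as informational because SOUNDMAN.EXE is given without a directory, and the process list in the same log shows which copy (C:\WINDOWS\SOUNDMAN.EXE) is actually running.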
system
22 December 2007 07:01
#3
Below I'm posting the ComboFix log. I'll just add that when ComboFix finished scanning and the system restarted, everything has started up fine so far, i.e. at system startup the explorer.exe error did not appear and all the program icons appeared in the taskbar.
ComboFix 07-12-22.1 - Lukasz 2007-12-22 7:47:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.264 [GMT 1:00]
Running from: C:\Documents and Settings\Lukasz\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0JT3MEO\ComboFix[1].exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0000
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0001
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0002
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0003
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0004
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0005
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0006
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-461.0007
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0000
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0001
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0002
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0003
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0004
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0005
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0006
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-462.0007
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0000
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0001
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0002
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0003
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0004
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0005
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0006
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-463.0007
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0000
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0001
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0002
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0003
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0004
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0005
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0006
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-464.0007
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0000
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0001
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0002
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0003
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0004
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0005
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0006
C:\Program Files\Common Files\sstem3~1\SSTEM3~1\ctxad-465.0007
C:\Program Files\tclock\tclock_install.exe
C:\WINDOWS\system32\components
C:\WINDOWS\system32\w32sys0.exe
C:\WINDOWS\system32\w32sys4.exe
C:\WINDOWS\system32\wnscpit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SYSLIBRARY
-------\SysLibrary

((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-16 09:29 . 2007-12-16 09:29
2007-12-12 16:42 . 2007-12-12 16:42 7,923 --a------ C:\WINDOWS\system32\DefLib.sys
2007-12-10 17:12 . 2007-12-10 17:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2007-12-10 17:12 . 2007-12-10 17:12 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-12-08 15:59 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-12-08 15:59 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-12-08 15:59 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-08 15:59 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-12-08 15:59 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-08 15:59 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-12-08 15:59 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-08 15:59 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-12-08 15:59 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-12-08 15:59 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-04 15:49 . 2007-12-04 15:49 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-12-04 15:49 . 2007-12-04 15:49 270,336 --a------ C:\WINDOWS\system32\imon.dll
2007-11-23 14:23 . 2007-11-23 14:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-23 14:23 . 2007-11-23 14:23 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-22 19:45 . 2007-11-22 19:45
2007-11-22 19:44 . 2007-11-25 13:36
2007-11-22 19:41 . 2007-11-22 19:41
2007-11-22 19:41 . 2007-11-22 19:42
2007-11-22 18:28 . 2007-11-22 18:28 112,112,943 --a------ C:\Program Files\OpenOfficeT7_2.3.0.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 06:49 --------- d-----w C:\Program Files\TClock
2007-12-21 17:27 --------- d-----w C:\Program Files\Winamp
2007-12-20 14:36 --------- d-----w C:\Program Files\a-squared Free
2007-11-18 17:53 --------- d-----w C:\Documents and Settings\Lukasz\Dane aplikacji\Skype
2007-11-18 16:01 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-11-18 16:01 --------- d-----w C:\Documents and Settings\Lukasz\Dane aplikacji\skypePM
2007-11-18 15:58 --------- d-----w C:\Program Files\Skype
2007-11-18 15:58 --------- d-----w C:\Program Files\Common Files\Skype
2007-11-18 15:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2007-11-15 08:36 --------- d-----w C:\Program Files\Common Files\LogoManager
2007-10-31 16:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-02-09 18:32 94,080 ----a-w C:\Documents and Settings\Lukasz\Dane aplikacji\ezplay.sys
2007-02-09 18:32 87,608 ----a-w C:\Documents and Settings\Lukasz\Dane aplikacji\ezpinst.exe
2007-02-09 18:32 47,360 ----a-w C:\Documents and Settings\Lukasz\Dane aplikacji\pcouffin.sys
2006-12-31 07:32 88 --sh--r C:\WINDOWS\system32\4751A5B21F.sys
2006-12-31 07:32 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 10:50:42 C:\WINDOWS\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedX"="C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe" [2006-06-27 13:11]
"Gadu-Gadu"="D:\Takie tam\Gadu-Gadu\gg.exe" [2005-03-31 11:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 17:48 C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-04 15:49]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MkS_Scan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MkS_Scan\Service]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\IVT BlueSoleil\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bdbh]
C:\WINDOWS\system32\logonui.exe -vt yax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
2007-12-12 14:21 34304 --a------ C:\DOCUME~1\Lukasz\USTAWI~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
D:\Takie tam\Gadu-Gadu\gg.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
2004-06-03 19:51 131072 --a------ C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegDfrgSch]
C:\Program Files\Advanced Registry Doctor\RegDfrgSch.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-05-03 01:56 36975 --a------ C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe -H

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-12-24 16:11 33792 --a------ C:\Program Files\Winamp\winampa.exe

S0 FO_PAnt;FotoOffice VirtualDisc Driver;C:\WINDOWS\system32\Drivers\FO_PAnt.sys []
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 15:32]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 07:50:56
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2007-12-22 7:52:55 - machine was rebooted
Gutek
22 December 2007 21:19
#4
Well, ComboFix removed what it was supposed to remove; I don't see anything else.
system
6 January 2008 09:13
#5
Yes, you can see it's clean now. Thanks a lot. Are there any recommended steps to keep this from coming back in the future?