Problem with svchost.exe, Firefox browser not working


(Kuba Bober) #1

I have a problem with my computer. After switching it on, an svchost.exe program error pops up; Firefox can only be started once, the second time it won't start. I've already removed plenty of viruses with AVG and AVG Anti-Spyware, I also have Spybot S&D, but that program can't remove something. I have Windows 2000 with all the current updates. After the svchost.exe error is displayed, it's impossible to copy, paste, etc. Below are the logs from HijackThis and ComboFix.

Deckard's System Scanner v20070611.50
Run by Bober on 2007-10-09 at 23:17:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Bober.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:18:13, on 2007-10-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINDOWS\system32\config\SVCHOST.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
F:\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\internat.exe
E:\pulpit\dss.exe
E:\pulpit\Bober.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nb4f.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [HP Software Update] F:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - Global Startup: Microsoft Office.lnk = F:\OFFICE\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182380700994
O17 - HKLM\System\CCS\Services\Tcpip\..\{61B1D289-4FDD-487F-BB83-4BBE0371B21F}: NameServer = 194.204.159.1,194.204.152.34
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Support Transfer Service (BSTS) - Unknown owner - C:\WINNT\system32\lssas.exe (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DNS Clients (Dnscanche) - Unknown owner - C:\WINNT\system32\Dns.exe (file missing)
O23 - Service: EvenSystem - Unknown owner - c:\Recycler\svchost.exe (file missing)
O23 - Service: Wirelerss Zesro Configuration (Exrsplorer) - Unknown owner - C:\WINNT\system32\aa.exe (file missing)
O23 - Service: dsaffdsa (ffsdaf) - Unknown owner - C:\WINNT\system32\aa.exe (file missing)
O23 - Service: Mesangerr - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: Microsoft Exchange Engine - Unknown owner - C:\WINNT\System32\infoters.exe (file missing)
O23 - Service: Microsoft Exchange Routing Eng - Unknown owner - C:\WINNT\System32\interinfo.exe
O23 - Service: netpasssend (netpass) - Unknown owner - C:\WINNT\system32\svohst.exe (file missing)
O23 - Service: 远程管理软件显示信息 (netservice) - Unknown owner - C:\Documents and Settings\All Users\Ulubione\netservice.exe
O23 - Service: Network DDE Service - Unknown owner - C:\WINNT\System\netsrv.exe (file missing)
O23 - Service: NOD32 Kernel Services (Nod32krn) - Unknown owner - C:\WINNT\system32\nod32krn.exe (file missing)
O23 - Service: NOD32 Kernel Services update (Nod32upd) - Unknown owner - C:\WINNT\system32\nod32upd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfmonss.exe (file missing)
O23 - Service: Porformance services (Perrormance Logs) - Unknown owner - C:\WINNT\system32\aa.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Remote Access Connection Managers (rassman) - Unknown owner - C:\WINNT\system32\lsess.exe (file missing)
O23 - Service: Remote Procedure Call System (Rdbs) - Unknown owner - C:\WINNT\system32\Rdbs.exe (file missing)
O23 - Service: Microsoft windows updata (Windows updata) - Unknown owner - C:\WINNT\wupdmgr.exe (file missing)
O23 - Service: windowsafe - Unknown owner - c:\dos\svchost.exe (file missing)
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINNT\system32\Test.exe (file missing)


-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 alcan5wn (Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\winnt\system32\drivers\alcan5wn.sys
R3 alcaudsl (Alcatel Speed Touch ADSL Modem ATM Transport) - c:\winnt\system32\drivers\alcaudsl.sys
R3 pfc (Padus ASPI Shell) - c:\winnt\system32\drivers\pfc.sys

S0 BTHidMgr (Bluetooth HID Manager Service) - c:\winnt\system32\drivers\bthidmgr.sys (file missing)
S3 BlueletAudio (Bluetooth Audio Service) - c:\winnt\system32\drivers\blueletaudio.sys (file missing)
S3 BlueletSCOAudio (Bluetooth SCO Audio Service) - c:\winnt\system32\drivers\blueletscoaudio.sys (file missing)
S3 BT (Bluetooth PAN Network Adapter) - c:\winnt\system32\drivers\btnetdrv.sys (file missing)
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\winnt\system32\drivers\vbtenum.sys (file missing)
S3 VComm (Virtual Serial port driver) - c:\winnt\system32\drivers\vcomm.sys (file missing)
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\winnt\system32\drivers\vcommmgr.sys (file missing)
S3 Winacpci - c:\winnt\system32\drivers\winacpci.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Windowsclients (Network Provisioning Services) - c:\windows\system32\config\svchost.exe

S2 BSTS (Background Support Transfer Service) - c:\winnt\system32\lssas.exe (file missing)
S2 Dnscanche (DNS Clients) - c:\winnt\system32\dns.exe (file missing)
S2 EvenSystem - c:\recycler\svchost.exe (file missing)
S2 Exrsplorer (Wirelerss Zesro Configuration) - c:\winnt\system32\aa.exe (file missing)
S2 ffsdaf (dsaffdsa) - c:\winnt\system32\aa.exe (file missing)
S2 Mesangerr - c:\recyclers\svchost.exe (file missing)
S2 Microsoft Exchange Engine - c:\winnt\system32\infoters.exe (file missing)
S2 Microsoft Exchange Routing Eng - c:\winnt\system32\interinfo.exe
S2 netpass (netpasssend) - c:\winnt\system32\svohst.exe -netsata (file missing)
S2 netservice (远程管理软件显示信息) - c:\documents and settings\all users\ulubione\netservice.exe
S2 Network DDE Service - c:\winnt\system\netsrv.exe (file missing)
S2 Nod32krn (NOD32 Kernel Services) - c:\winnt\system32\nod32krn.exe (file missing)
S2 Nod32upd (NOD32 Kernel Services update) - c:\winnt\system32\nod32upd.exe (file missing)
S2 perfmons (perfmons Service) - c:\winnt\system32\perfmonss.exe (file missing)
S2 Perrormance Logs (Porformance services) - c:\winnt\system32\aa.exe (file missing)
S2 rassman (Remote Access Connection Managers) - c:\winnt\system32\lsess.exe (file missing)
S2 Rdbs (Remote Procedure Call System) - c:\winnt\system32\rdbs.exe (file missing)
S2 Windows updata (Microsoft windows updata) - c:\winnt\wupdmgr.exe (file missing)
S2 windowsafe - c:\dos\svchost.exe (file missing)
S2 WindowsRemote (Windows Accounts Driver) - c:\winnt\system32\test.exe (file missing)


-- Files created between 2007-09-09 and 2007-10-09 -----------------------------

2007-10-09 22:03:59 0 -ra------ C:\WINNT\system32\TFTP868
2007-10-09 22:03:51 0 -ra------ C:\WINNT\system32\TFTP880
2007-10-09 22:03:39 0 -ra------ C:\WINNT\system32\TFTP972
2007-10-09 22:03:39 0 -ra------ C:\WINNT\system32\TFTP1740
2007-10-09 21:50:32 0 -ra------ C:\WINNT\system32\TFTP1448
2007-10-09 21:49:12 61 --a------ C:\WINNT\system32\i
2007-10-09 21:48:05 0 -ra------ C:\WINNT\system32\TFTP1656
2007-10-09 21:48:05 0 -ra------ C:\WINNT\system32\TFTP1300
2007-10-09 21:46:40 0 -ra------ C:\WINNT\system32\TFTP804
2007-10-09 21:46:40 0 -ra------ C:\WINNT\system32\TFTP1688
2007-10-09 21:46:36 0 -ra------ C:\WINNT\system32\TFTP1536
2007-10-09 21:31:34 0 -ra------ C:\WINNT\system32\TFTP1684
2007-10-09 21:27:20 0 -ra------ C:\WINNT\system32\TFTP1220
2007-10-09 19:53:58 0 -ra------ C:\WINNT\system32\TFTP1412
2007-10-09 19:52:00 0 -ra------ C:\WINNT\system32\TFTP1096
2007-10-08 22:20:52 0 d-------- C:\WINDOWS
2007-10-08 18:00:05 510 --a------ C:\WINNT\run2.vbs
2007-10-04 13:10:18 1091 --a------ C:\WINNT\run.vbs
2007-10-03 11:21:51 20480 --a------ C:\WINNT\system32\tongji.exe
2007-09-30 22:23:31 0 d--h----- C:\WINNT\PIF
2007-09-28 19:53:29 5370 --a------ C:\WINNT\system32\iget.vbs
2007-09-25 13:47:51 0 d-------- C:\WINNT\system32\inf
2007-09-23 18:47:50 427520 -r-hs---- C:\WINNT\system32\interinfo.exe
2007-09-20 21:06:32 0 d-------- C:\dos
2007-09-15 19:27:11 0 d-------- C:\mp3
2007-09-15 14:12:36 15360 --a------ C:\WINNT\system32\Down(0).exe


-- Find3M Report ---------------------------------------------------------------

2007-10-09 23:14:32 0 d-------- C:\Documents and Settings\Bober\Dane aplikacji\Skype
2007-10-09 23:13:51 0 d-------- C:\Program Files\AutoConnect
2007-10-09 22:22:08 0 d-------- C:\Documents and Settings\Bober\Dane aplikacji\AVG7
2007-10-09 19:48:53 1107738 ---h----- C:\WINNT\ShellIconCache
2007-09-17 18:50:15 184832 -----n--- C:\WINNT\comsysapp.pif
2007-09-03 11:25:59 184832 -----n--- C:\WINNT\svchost.pif
2007-08-07 18:57:35 7681 --a------ C:\WINNT\zethan.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}	C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"nwiz"="nwiz.exe /install"
"Device Detector"="DevDetect.exe -autorun"
"HP Software Update"="F:\\HP\\HP Software Update\\HPWuSchd2.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"AutoConnect"="C:\\Program Files\\AutoConnect\\AutoConnect.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Userinit"="rundll32.exe C:\\WINNT\\system32\\winsys16_071004.dll start"
"melove"="C:\\WINNT\\system32\\dream.exe"
"dream"="C:\\WINNT\\system32\\dream.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{7F4D1081-25FD-44F5-99C6-FF271CFB7EC2}"=""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages	REG_MULTI_SZ msv1_0\0\0
   Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
   Notification Packages	REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss	REG_MULTI_SZ RpcSs\0\0
wugroup	REG_MULTI_SZ wuauserv\0\0
BITSgroup	REG_MULTI_SZ BITS\0\0
Systcem	REG_MULTI_SZ Systcem\0\0



-- End of Deckard's System Scanner: finished at 2007-10-09 at 23:18:57 ---------

ComboFix 07-06-13.3

(Gutek) #2

Use SmitFraudFix and choose option no. 2, in Safe Mode of course, and after that post a new log from ComboFix.

Additionally, use:

Download the SDFix program

-