Temp2.exe - error message popping up

Hello,

I have a problem with an application error message for temp2.exe that pops up when Windows starts. The log made with HijackThis looks like this:

Logfile of HijackThis v1.99.1 

Scan saved at 11:15:23, on 2007-09-11 

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) 

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) 


Running processes: 

C:\WINDOWS\System32\smss.exe 

C:\WINDOWS\system32\csrss.exe 

C:\WINDOWS\system32\winlogon.exe 

C:\WINDOWS\system32\services.exe 

C:\WINDOWS\system32\lsass.exe 

C:\WINDOWS\system32\svchost.exe 

C:\WINDOWS\system32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\system32\spoolsv.exe 

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 

C:\Program Files\Norton AntiVirus\navapsvc.exe 

C:\Program Files\Spyware Doctor\sdhelp.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\system32\wdfmgr.exe 

C:\WINDOWS\system32\ZoneLabs\vsmon.exe 

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe 

C:\WINDOWS\System32\alg.exe 

C:\WINDOWS\system32\WgaTray.exe 

C:\WINDOWS\Explorer.EXE 

C:\Program Files\Common Files\Symantec Shared\ccApp.exe 

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe 

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe 

C:\Program Files\Picasa2\PicasaMediaDetector.exe 

C:\Program Files\QuickTime\qttask.exe 

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 

C:\Program Files\iTunes\iTunesHelper.exe 

C:\Program Files\Beniamin\tguard.exe 

C:\WINDOWS\ZSSnp211.exe 

C:\WINDOWS\system32\temp1.exe 

C:\WINDOWS\Domino.exe 

C:\WINDOWS\system32\ctfmon.exe 

C:\Program Files\iPod\bin\iPodService.exe 

C:\Program Files\Spyware Doctor\swdoctor.exe 

C:\Program Files\WinRAR\WinRAR.exe 

C:\Program Files\WinRAR\WinRAR.exe 

C:\Program Files\Messenger\msmsgs.exe 

C:\DOCUME~1\user\USTAWI~1\Temp\Rar$EX18.270\HijackThis.exe 


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.przyroda.org/index.htm?sid=ba74c547235c59120b92be91c9a609fc 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza 

R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file) 

R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file) 

F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe 

O1 - Hosts: 212.77.100.101 

O1 - Hosts: 212.77.100.101 http://www.forcedteenmovies.com/ 

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 

O2 - BHO: Reactivator Class - {6C31790D-1EDF-4b05-83DC-925B3A8E2318} - C:\Program Files\FreeShield Toolbar\elertz.dll 

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) 

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll 

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll 

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll 

O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll 

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll 

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll 

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll 

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll 

O3 - Toolbar: Free Shield Toolbar - {0C6DD65A-F36B-4ac8-89EB-6175AEE6BB8C} - C:\Program Files\FreeShield Toolbar\elertz.dll 

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" 

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe 

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer 

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe" 

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" 

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime 

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" 

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart 

O4 - HKLM\..\Run: [tguard] C:\Program Files\Beniamin\tguard.exe 

O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe 

O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe 

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe 

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized 

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q 

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe 

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll 

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL 

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll 

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab 

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.33/g_bin/pl/boards_2_0_0_34.cab 

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab 

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab 

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL 

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL 

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL 

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll 

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe 

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe 

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe 

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe 

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe 

O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe 

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe 

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe 

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe 

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe 

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Fix the entries listed above in HijackThis:

>>HijackThis>>Scan (Do a system scan only)>>tick them >> Fix checked.

Then post a log from ComboFix (from the link at the bottom of this page) -

Paste the log at http://wklej.org/ and put only the link in your post.

ComboFix should remove that "temp2" on its own.

I'm not sure, though, whether ComboFix will remove C:\WINDOWS\svchost.exe.

After running ComboFix, check whether that file is still on the disk. (The file may be hidden.)

Just don't mix it up:

jessi
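
Added here as a worked example (not part of this thread, and not HijackThis or ComboFix code): a small Python triage script that applies the kind of reading a helper does on a log like the one above. The sample lines are copied from the posted log; the rules (an allowlist of executables that legitimately sit in C:\WINDOWS, the set of core binaries that on XP live only in system32, and the "trusted" search domains) are my own assumptions, and a hit means "look closer", not "confirmed malware".

```python
"""Triage heuristics for a HijackThis 1.99 log.

Added example for this thread, not part of the original post and not
HijackThis code. The sample lines below are copied from the log posted
above; the rules are my own heuristics, and a hit means "look closer",
not "confirmed malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\Domino.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.przyroda.org/index.htm?sid=ba74c547235c59120b92be91c9a609fc
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O1 - Hosts: 212.77.100.101 http://www.forcedteenmovies.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Legitimate XP executables that sit directly in %SystemRoot% (assumption:
# a minimal allowlist, extend it for your own build).
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                   "winhlp32.exe", "taskman.exe"}
# Core binaries that on XP live only in %SystemRoot%\system32; a copy with the
# same name anywhere else is the classic masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "smss.exe", "services.exe", "spoolsv.exe"}
# Domains an untouched IE6 search setting may point at (assumption).
SEARCH_OK = ("microsoft.com", "msn.com", "live.com")

# A drive-letter path ending in .exe/.dll, quoted or not, with or without args.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\r\n"]*?\.(?:exe|dll)(?=[\s"/]|$)', re.I)
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis tag (R0, O4, ...) or "PROC" for the process list
    reason: str
    line: str


def _path_findings(section, line):
    """Flag suspicious executable paths anywhere in the line."""
    out = []
    for path in PATH_RE.findall(line):
        parts = path.lower().split("\\")
        name, parent = parts[-1], "\\".join(parts[:-1])
        if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            out.append(Finding(section, f"{name} outside system32", line))
        elif parent == "c:\\windows" and name not in WINDOWS_ROOT_OK:
            out.append(Finding(section, f"executable in Windows root: {name}", line))
        elif re.fullmatch(r"temp\d*\.exe", name):
            out.append(Finding(section, f"generic temp-style name: {name}", line))
    return out


def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in SEARCH_OK)


def triage(log_text):
    """Return de-duplicated findings for a HijackThis log, in log order."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:  # header line or an entry of the "Running processes" list
            new = _path_findings("PROC", line)
        else:
            tag, body = m.groups()
            new = _path_findings(tag, line)
            if tag == "F3" and "load=" in body.lower():
                new.append(Finding(tag, "legacy win.ini load= autostart", line))
            elif tag == "O1":
                new.append(Finding(tag, "hosts file redirection", line))
            elif tag in ("R0", "R1") and "search" in body.split("=")[0].lower():
                url = re.search(r"https?://([^/\s]+)", body)
                if url and not _trusted_host(url.group(1).lower()):
                    new.append(Finding(tag, f"IE search setting points at {url.group(1).lower()}", line))
            elif tag in ("R3", "O2", "O3") and "(no file)" in body:
                new.append(Finding(tag, "orphaned CLSID, file missing", line))
            elif tag == "O10":
                new.append(Finding(tag, "unknown Winsock LSP", line))
        for f in new:  # HijackThis prints one O10 line per chain entry; report once
            if f not in seen:
                seen.add(f)
                findings.append(f)
    return findings


def fix_in_hijackthis(finding):
    """Whether 'Fix checked' is the right tool for this finding.

    Running processes are not registry entries, and O10 LSP entries should be
    repaired with an LSP-aware tool: removing one link of the Winsock chain
    with HijackThis can leave the machine without working networking.
    """
    return finding.section not in ("PROC", "O10")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        mark = "FIX " if fix_in_hijackthis(f) else "NOTE"
        print(f"{mark} {f.section:<4} {f.reason:<45} {f.line[:70]}")
```

Run it as-is to see the sample triaged; pass the full text of a log to `triage()` for a real case. The point of the path rules is the one the helper makes above: the name `svchost.exe` is not what matters, its location is, so a `svchost.exe` in C:\WINDOWS (and a `win.ini` `load=` pointing at it) is flagged while the five in system32 are not.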

I'm not sure I've got it all (I'm no computer whiz):

  1. I run the scan again in HijackThis, tick the entries you listed and click Fix checked

  2. I close HijackThis (the ComboFix instructions say everything has to be closed)

  3. I run ComboFix and wait for the log.

  4. And here I don't quite follow - say I save the log and paste it on wklej.org. Where do I put the post with the link - here on the forum? (sorry if the question seems silly). I simply have zero experience with either program.

After pasting the log at "wklej.org" - just copy the address from the address bar and paste it here into your post.

If there are any problems, put the log itself in the post - it may fit.

Do the rest as you wrote.

jessi

link to the ComboFix log:

http://www.wklej.org/id/af32769f90

The removal went very well.

Has the problem gone away?

Of course the problem will come back immediately if the infected removable drive "E" is used again.

That's all for now.

jessi

It's gone, thank you very much for your help.

Regards