lehooo
(Lehooo)
17 June 2007 11:10
#1
Hello
For a good dozen or so days the computer has been freezing after a few hours of use, but since the day before yesterday it has been doing it constantly. A few days ago avast caught a trojan “win32:trojn-gen.{other}” (it was in the file c:\windows\system32\KTKBDHK3.DLL) which it could not get rid of (I tried both quarantine and delete), but today (once I managed to start Windows without it freezing) it did not detect it. Apart from that, yesterday the blue screen and automatic reset appeared a good few times, and when it started up again it sometimes restarted once more before Windows had even loaded (regardless of whether in normal or safe mode). So I am asking you to check the logs…
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 11:47:49, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIDA32 - Enterprise System Information\aida32.bin
C:\Documents and Settings\Leszek\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: FraudEliminator - {A5181F8A-0B9D-43AC-8BE5-EB61651DB685} - C:\Program Files\FraudEliminator\2.4.1\FETB.dll
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM…\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM…\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
ComboFix log
ComboFix 07-06-13.3 - Błąd CScript: Dostęp do Hosta skryptów systemu Windows jest wyłączony na tym komputerze. Skontaktuj się z administratorem, aby uzyskać szczegółowe informacje.
"Leszek" - 2007-06-17 12:25:01 - Dodatek Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))

2007-06-17 01:50
2007-06-17 01:22 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-17 00:39 786,432 --ah----- C:\DOCUME~1\ADMINI~1.000\NTUSER.DAT
2007-06-17 00:39
2007-06-17 00:39
2007-06-17 00:39
2007-06-17 00:39
2007-06-17 00:39
2007-06-17 00:39
2007-06-17 00:39
2007-06-16 13:32 524,288 --ah----- C:\DOCUME~1\ADMINI~1.CAS\NTUSER.DAT
2007-06-16 13:32
2007-06-16 13:32
2007-06-16 13:32
2007-06-16 13:32
2007-06-16 13:32
2007-06-16 13:32
2007-06-16 13:32
2007-06-16 11:54
2007-06-13 14:04 52 --a------ C:\WINDOWS\system\ACD2.CMD
2007-06-13 14:04 52 --a------ C:\WINDOWS\system\ACD.CMD
2007-06-11 21:33 24,626 --a------ C:\WINDOWS\system32\scrrntr.dll
2007-06-11 21:33 20,480 --a------ C:\WINDOWS\system32\PAC.EXE
2007-06-11 21:33 180,224 --a------ C:\WINDOWS\system32\Ijl11.dll
2007-06-02 13:22 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-06-02 13:22 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-06-02 13:22
2007-06-02 13:08
2007-06-01 15:49
2007-06-01 15:49
2007-05-25 22:37
2007-05-25 22:32
2007-05-25 22:32
2007-05-25 22:30
2007-05-25 22:28 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-05-25 22:28 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-05-25 22:28 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-05-25 22:28 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-05-25 22:28 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-25 22:28 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-05-25 22:28 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-05-25 22:27
2007-05-25 22:22 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-05-25 22:22 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll
2007-05-25 22:22 14,916 --------- C:\WINDOWS\hphmdl12.dat
2007-05-25 22:22 126,804 --a------ C:\WINDOWS\HPHins12.dat
2007-05-22 15:52 376,832 ---hs---- C:\WINDOWS\system32\activexdebugger32.exe
2007-05-20 19:19
2007-05-20 11:32
2007-05-20 11:24

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 09:34:29 -------- d-----w C:\Program Files\AIDA32 - Enterprise System Information
2007-06-16 23:28:49 -------- d-----w C:\Program Files\freeCommander2006
2007-06-15 00:39:15 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\Tlen.pl
2007-06-12 20:07:22 1,080 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-06-08 22:16:47 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\foobar2000
2007-06-05 17:01:15 -------- d-----w C:\Program Files\StrongDC++
2007-06-03 09:50:29 -------- d-----w C:\Program Files\Opera
2007-06-01 13:49:09 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-25 20:29:42 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-17 16:23:42 -------- d-----w C:\Program Files\IrfanView
2007-05-17 11:31:00 -------- d-----w C:\Program Files\Ashampoo
2007-05-15 11:49:51 -------- d-----w C:\Program Files\iViVo
2007-05-14 21:35:30 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\ivivo
2007-05-11 08:13:49 -------- d-----w C:\Program Files\ffdshow
2007-05-09 09:49:18 -------- d-----w C:\Program Files\Tlen.pl
2007-05-03 07:56:58 -------- d-----w C:\Program Files\Google
2007-05-03 07:56:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-02 21:37:02 -------- d-----w C:\Program Files\SiSoftware
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-27 10:26:17 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\Help
2007-04-21 19:33:34 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-04-21 19:26:05 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll
2007-04-21 19:25:25 1,024 ----a-w C:\WINDOWS\system32\clauth2.dll
2007-04-21 19:25:25 1,024 ----a-w C:\WINDOWS\system32\clauth1.dll
2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\serauth2.dll
2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\serauth1.dll
2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\nsprs.dll
2007-03-30 13:44:54 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll
2007-03-30 13:43:20 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll
2007-03-25 10:41:46 79,408 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-03-25 10:41:46 458,022 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 C:\WINDOWS\system32\nvmctray.dll]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 07:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-05-14 10:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2007-02-12 12:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f5bc5b8-127c-11dc-a9f1-0014858b370e}]
Auto\command- I:\activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- I:\activexdebugger32.exe f
open\Command- I:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a130ec2-9375-11db-99e8-0014858b370e}]
Auto\command- I:\activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- I:\activexdebugger32.exe f
open\Command- I:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78d60be4-e2a0-11db-9ac3-0014858b370e}]
AutoRun\command- J:\LaunchU3.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 12:27:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-17 12:29:01
--- E O F ---
Contents of the minidump files (abridged)
Use !analyze -v to get detailed debugging information.

BugCheck 50, {a58e64f8, 1, 8054b607, 0}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt+74607 )

Followup: MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1902fe, f2905338, f2905034, f723c126}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntkrnlpa.exe ( nt+21c3f )

Followup: MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {d2a06008, 0, 8062c7e2, 0}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntkrnlpa.exe ( nt+1557e2 )

Followup: MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {40000060, 2, 0, f6281467}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** WARNING: Unable to verify timestamp for USBPORT.SYS
*** ERROR: Module load completed but symbols could not be loaded for USBPORT.SYS

Probably caused by : USBPORT.SYS ( USBPORT+6467 )

Followup: MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 86a38210, 86a38384, 805c7ae2}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntkrnlpa.exe ( nt+21c3f )

Followup: MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 86a325d0, 86a32744, 805fa428}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt+5c736 )

Followup: MachineOwner
---------
That is all the data. I will just add that after a few hours of use the temperatures are:
- motherboard 36 C,
- processor (Sempron 2600+) 71 C,
- AUX 25 C.
Thanks in advance for the help
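As an added example that is not from the thread, here is a small Python parser for the MountPoints2 block ComboFix prints above; it flags the autorun pattern visible in that log, where open/explore/Auto all point at one executable on a removable drive and AutoRun wraps it in rundll32 ShellExec_RunDLL. The sample lines are constructed from the log above, and the severity heuristic is my own, not ComboFix's.

```python
import re

# Constructed sample modelled on the MountPoints2 block in the ComboFix log above.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f5bc5b8-127c-11dc-a9f1-0014858b370e}]
Auto\command- I:\activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- I:\activexdebugger32.exe f
open\Command- I:\activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78d60be4-e2a0-11db-9ac3-0014858b370e}]
AutoRun\command- J:\LaunchU3.exe
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^(Auto|AutoRun|explore|open)\\command-\s*(.+)$", re.I)
# rundll32 Shell32.DLL,ShellExec_RunDLL <file> starts <file> relative to the mounted volume
SHELLEXEC_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll,shellexec_rundll\s+(\S+)", re.I)

def parse_mountpoints(text):
    """Return {guid: {verb: command}} for every MountPoints2 key in the dump."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, cmd = KEY_RE.match(line), CMD_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
        elif cmd and current is not None:
            entries[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return entries

def launched_binary(command):
    """Executable an autorun command really starts, unwrapping the rundll32 ShellExec trick."""
    m = SHELLEXEC_RE.search(command)
    if m:
        return m.group(1)
    if command.startswith('"'):           # quoted path containing spaces
        return command[1:command.find('"', 1)]
    return command.split()[0]

def assess(entries):
    """Return (guid, severity, reason) for each key worth a second look."""
    findings = []
    for guid, verbs in entries.items():
        binaries = [launched_binary(c) for c in verbs.values()]
        names = {b.rsplit("\\", 1)[-1].lower() for b in binaries}
        if any(SHELLEXEC_RE.search(c) for c in verbs.values()):
            findings.append((guid, "high", "rundll32 ShellExec_RunDLL wrapper, typical of USB autorun worms"))
        elif len(verbs) >= 3 and len(names) == 1:
            findings.append((guid, "high", "open/explore/Auto all redirected to " + names.pop()))
        elif any(not b.upper().startswith("C:\\") for b in binaries):
            findings.append((guid, "review", "autorun launches a binary from a non-system drive"))
    return findings
```

Entries rated "review" (here the U3 launcher on J:) are not necessarily malicious; the point is that every autorun command on a removable volume gets looked at rather than trusted.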
Gutek
(Gutek)
18 June 2007 14:16
#2
Registry cleaning:
RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177
you can go through the registry with that, or
jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509
Missing Windows files:
Go to Start >>> Run >>> sfc /scannow