Komp po formacie, ciągły błąd, restart, proszę o sprawdzenie

Kinga86 · 29 Grudzień 2006 21:26

Już miałam tutaj podobny temat ale nie mogę go znaleźć. Miałam robionego dziś formata tylko, że znów weskakuje mi błąd, po którym komp się resetuje. Ktoś mi cześniej podał szczepionki, które mam użyć ale nie mogę ich znaleźć

logi z Hijacka

Logfile of HijackThis v1.99.1 Scan saved at 22:29:30, on 2006-12-29 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Winamp\winampa.exe D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\WLAN\WConfig\WConfig.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\alg.exe D:\Program Files\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\FTRTSVC.exe C:\WINDOWS\explore.exe C:\WINDOWS\System32\msiexec.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Kinga\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [stmRst] C:\WINDOWS\StmClean.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [!AVG Anti-Spyware] “D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: WConfig.lnk = ? O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: Application Layer Gateway Services - Unknown owner - C:\WINDOWS\alg.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe O23 - Service: Windows explorer - Unknown owner - C:\WINDOWS\explore.exe

adam9870 · 29 Grudzień 2006 21:42

Start => uruchom => cmd => wpisz:

Pliki usuń w trybie awaryjnym (nie pomyl nazwy!), a wpisy w hjt.

Przeskanuj plik:

na stronie http://virusscan.jotti.org/. Jeśli okaże się szkodnikiem - usuń.

Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners.

Kinga86 · 29 Grudzień 2006 22:01

Sorry ale jestem naprawdę niekumata w tych sprawach więc wytłumacz mi jak głupiej po prsotu jak mam to zrobić:

adam9870 · 29 Grudzień 2006 22:04

Dobrze. Zrobimy inaczej - start => uruchom => wpisz notepad i kliknij ok => w okienku notatnika wklej:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT i uruchom go w trybie awaryjnym.

Potem tylko skasuj wpisy w hjt.

Aha, hijacka nie trzymaj w TEMPie - umieść go np. na pulpicie.

Kinga86 · 29 Grudzień 2006 22:20

Te zaznaczone usunąć w trybie awaryjnym, tak?

alg.exe już usunęłam

Bieniol · 29 Grudzień 2006 22:22

Kinga86 , żebyś się zbytnio nie męczyła przejdź przez tę instrukcję:

Pobierz i uruchom narzędzie The Avenger. Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK. Po restarcie odpali Ci się Hijack, więc: Do a system scan only i zaznaczasz wpisy:

I klikasz na dole Fix Checked.

Kasujesz ręcznie z dysku plik: C:\Avenger\ backup.zip i wklejasz na forum raport: C:\ avenger.txt + nowy log z Hijacka + log z Silent Runners

Kinga86 · 29 Grudzień 2006 22:38

Ok

AVENGER - raport

Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\glpsqbce ******************* Script file located at: ??\C:\WINDOWS\System32\dxyotwqe.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Driver Windows explorer unloaded successfully. Driver Application Layer Gateway Services unloaded successfully. File C:\WINDOWS\alg.exe deleted successfully. File C:\WINDOWS\explore.exe deleted successfully. Program C:\Documents and Settings\Kinga\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe successfully set up to run once on reboot. Completed script processing. ******************* Finished! Terminate.

Hijack

Logfile of HijackThis v1.99.1 Scan saved at 23:35:17, on 2006-12-29 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\FTRTSVC.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\WLAN\WConfig\WConfig.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Kinga\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [stmRst] C:\WINDOWS\StmClean.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [!AVG Anti-Spyware] “D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: WConfig.lnk = ? O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

Silent runners

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “StmRst” = “C:\WINDOWS\StmClean.exe” [file not found] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe” [“France Télécom R&D”] “!AVG Anti-Spyware” = ““D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\Spybot - Search & Destroy\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “D:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “D:\Program Files\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “D:\Program Files\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Kinga” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “WConfig” -> shortcut to: “C:\Program Files\WLAN\WConfig\WConfig.exe” [“WirelessLan Technology, Corp.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “D:\Program Files\AVG Anti-Spyware 7.5\guard.exe” [“Anti-Malware Development a.s.”] France Telecom Routing Table Service, FTRTSVC, “C:\WINDOWS\System32\FTRTSVC.exe” [“France Telecom”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 27 seconds. ---------- (total run time: 132 seconds)

Bieniol · 29 Grudzień 2006 22:43

Odpalasz Hijacka -> Do a system scan only i zaznaczasz wpisy:

I klikasz na dole Fix Checked

Po zabiegach dla pewności daj nowe logi

Kinga86 · 29 Grudzień 2006 22:48

proszę:

Logfile of HijackThis v1.99.1 Scan saved at 23:50:53, on 2006-12-29 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Winamp\winampa.exe D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\WLAN\WConfig\WConfig.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\FTRTSVC.exe C:\Documents and Settings\Kinga\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [!AVG Anti-Spyware] “D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: WConfig.lnk = ? O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

tych:

nie było…

Bieniol · 29 Grudzień 2006 22:49

Wszystko jest już OK

Proponuję zainstalować Service Packa 2 -> http://www.microsoft.com/poland/windows … fault.mspx

Kinga86 · 29 Grudzień 2006 22:53

Dzięki wielkie!