Problem Z Win Xp

[f1zZ]

Witam,

ostatnio zauważylem, ze komp mi sie samoistnie restartuje. Wg mnie powoem tego nie jest harware a jakies wiry, spyware adware itp. DOdatkowo po kazdym restarcie winda pokazuje komunikat o odzyskaniu sprawnosci po powaznym bledzie(czy cos takiego ;)), oraz komunikat blad internat.exe, nie znaleziono wpisu getprocessflags w bibliotece kernel32.dll (screen załączony) , czytalem na jakims zagranicznym forum ze to tez spowodowane jest spywarem.

 

 

Zalaczam log z hjt:

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 09:08:36, on 2005-04-07

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\drivers\crauto.exe

C:\Documents and Settings\contact\Pulpit\FanSpeed1_2_0\fanspeedNT.exe

C:\WINDOWS\System32\drivers\IMountSRV.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\msoffice.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\Razer\razerhid.exe

C:\WINDOWS\isrvs\desktop.exe

C:\WINDOWS\System32\private-zone.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\WINDOWS\Xhrmy.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Razer\razertra.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\System32\atts.exe

C:\Program Files\Razer\razerofa.exe

C:\WINDOWS\System32\n?tdde.exe

C:\PROGRA~1\COMMON~1\fzkw\fzkwm.exe

C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Documents and Settings\contact\Moje dokumenty\HJT\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll

F3 - REG:win.ini: run=C:\WINDOWS\System32\msoffice.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: (no name) - {59AB33CE-97A0-4CDC-9D56-750F91D1690C} - (no file)

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

O2 - BHO: (no name) - {9024881A-019D-4833-AAAB-428FE8911FF2} - C:\WINDOWS\System32\wmshj.dll

O2 - BHO: (no name) - {A009B81B-2CDE-7D76-879E-00A2D9A232C5} - C:\WINDOWS\System32\wmshj.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [internat.exe] E:\WINDOWS\SYSTEM\INTERNAT.EXE

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\System32\web.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe

O4 - HKLM\..\Run: [surfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Wras] C:\WINDOWS\System32\atts.exe

O4 - HKCU\..\Run: [Tgxwj] C:\WINDOWS\System32\n?tdde.exe

O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exe

O4 - HKCU\..\Run: [fzkw] C:\PROGRA~1\COMMON~1\fzkw\fzkwm.exe

O4 - HKCU\..\Run: [surfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe

O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Microsoft AntiSpyware helper - {2A260D4E-8C47-4542-AF3C-68A648B9213B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2A260D4E-8C47-4542-AF3C-68A648B9213B} - (no file) (HKCU)

O15 - Trusted Zone: *.addictivetechnologies.com

O15 - Trusted Zone: *.addictivetechnologies.net

O15 - Trusted Zone: *.admin2cash.biz

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.bettersearch.biz

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.f1organizer.com

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.megapornix.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.[ciach!]to.biz

O15 - Trusted Zone: *.private-dialer.biz

O15 - Trusted Zone: *.private-iframe.biz

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2fucked.biz

O15 - Trusted Zone: *.topconverting.com

O15 - Trusted Zone: *.traffic2cash.biz

O15 - Trusted Zone: *.vse-moe.biz

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.ysbweb.com

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {126A89A4-A8FB-7259-D53B-465566FB52E4} - http://67.19.178.86/1/rdgPL1742.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe

O16 - DPF: {25FB41D0-0815-7A88-5017-7E6E2A8B743A} - http://67.19.178.86/1/rdgPL1742.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112540980688

O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} - http://advnt01.com/dialer/internazionale_ver10.CAB

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O23 - Service: ArcaBit NetMonitor (ABNetMon) - Unknown owner - C:\Program Files\MKS\Bin\NetMonSV.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe

O23 - Service: FanSpeedNT Service - Unknown owner - C:\Documents and Settings\contact\Pulpit\FanSpeed1_2_0\fanspeedNT.exe" (file missing)

O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe

O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe

O23 - Service: PMounter - Unknown owner - C:\WINDOWS\SYSTEM32\PMounter.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

[Domik]

standard ad aware +natywirus.

[Leon_xm]

zacznij od włączenia skanera on-line pandy antivirus, a później avas! po odłączeniu się od sieci powinno zadziałać :wink:

[Paszczu]

Co Wy mu piszecie za idiotyzmy, z logów widać że chłopak ma dwa antywirusy (!). Wieczorem postaram się napisać czego się pozbyć z tego loga o ile ktoś mnie nie uprzedzi.

[SGJ]

C:\WINDOWS\System32\msoffice.exe

C:\WINDOWS\System32\devldr32.exe

[2002JSQ]

W jakis sposob sie 'restartuje"? Zamyka sie normalnie system i restart, czy wyglada to na reset?

 

Wejdz we wlasciwosci systemu - zaawansowane - [uruchamianie i odzyskiwanie ] Ustawienia - tam ODZNACZ opcje 'Automatycznie uruchom ponownie'.

[f1zZ]

reset jest nagly bez zadnych bluescreenow i komunikatow, tak jakby odlaczono zasilanie. Skanowanie ... hmm pomyslcie ... najepierw wszystko skanowalem. 3 antywirami juz, dodatkowo ad aware i s&d. Jakies pomysly jeszcze ?

a denerwuje mnie ten komuniat przy kazdym wlaczeniu kompa ... jak to usunac ?

Edytowane 7 Kwietnia 2005 przez f1zZ

[Paszczu]

Z loga wywal:

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exeO4 - HKLM\..\Run: [WebRun] C:\WINDOWS\System32\web.exeO4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exeO4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exeO4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exeO4 - HKCU\..\Run: [Tgxwj] C:\WINDOWS\System32\n?tdde.exeO4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\private-zone.exeO15 - Trusted Zone: *.addictivetechnologies.comO15 - Trusted Zone: *.addictivetechnologies.netO15 - Trusted Zone: *.admin2cash.bizO15 - Trusted Zone: *.awmdabest.comO15 - Trusted Zone: *.bettersearch.bizO15 - Trusted Zone: *.c4tdownload.comO15 - Trusted Zone: *.clickspring.netO15 - Trusted Zone: *.crazywinnings.comO15 - Trusted Zone: *.f1organizer.comO15 - Trusted Zone: *.finefind.nettraffic2cash.bizO15 - Trusted Zone: *.iframe.bizO15 - Trusted Zone: *.megapornix.comO15 - Trusted Zone: *.mt-download.comO15 - Trusted Zone: *.newiframe.bizO15 - Trusted Zone: *.overpro.comO15 - Trusted Zone: *.[COLOR=red][ciach!][/COLOR]to.bizO15 - Trusted Zone: *.private-dialer.bizO15 - Trusted Zone: *.private-iframe.bizO15 - Trusted Zone: *.slotch.comO15 - Trusted Zone: *.sp2admin.bizO15 - Trusted Zone: *.sp2fucked.bizO15 - Trusted Zone: *.topconverting.comO15 - Trusted Zone: *.traffic2cash.bizO15 - Trusted Zone: *.vse-moe.bizO15 - Trusted Zone: *.windupdates.comO15 - Trusted Zone: *.ysbweb.comO16 - DPF: {126A89A4-A8FB-7259-D53B-465566FB52E4} - http://67.19.178.86/1/rdgPL1742.exeO16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exeO16 - DPF: {25FB41D0-0815-7A88-5017-7E6E2A8B743A} - http://67.19.178.86/1/rdgPL1742.exeO16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} - http://advnt01.com/dialer/internazionale_ver10.CABO18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

no i tradycyjnie - zmień przeglądarkę.

[f1zZ]

dzialam na operze tylko z przyczyn odgornych (format), musialem jakos downloadnac opere wykorzystujac ie ... no dzieki