
Strange problem with the Windows desktop


Minchakis


You don't have to rename HijackThis every time. It just must not be called "HijackThis". :)

Before you continue, turn off System Restore: right-click My Computer -> Properties -> System Restore -> tick Turn off System Restore on all drives -> confirm with Yes. If System Restore has taken snapshots of the partition, it is very likely that those "snapshots" are infested with nasties.

Repeat the text-file operation described above, but this time paste the following text:

File::
C:\WINDOWS\system32\swsc.exe
C:\WINDOWS\system32\swxcacls.exe
C:\WINDOWS\system32\VFind.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system32"=-

You don't need to type the extension (.txt) if it isn't shown; in that case just type the name - CFScript.

Since you will be restarting anyway, you can also tick the following items in HijackThis, then click Fix checked and confirm with Yes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://free.fr/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched]C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\PC\Desktop\qttask.exe" -atboottime

O9 - Extra button: I?aaaae - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\DOCUME~1\PC\Desktop\WEBTRA~1\wt2ie.dll (file missing)

Although they are not particularly problematic.

After you fix the items with HijackThis and carry out the ComboFix procedure, restart the computer and post the new ComboFix LOG, and if you want, post the HijackThis one too. If the nasty persists, we will try other tools as well.

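As an added example (not code from the thread, HijackThis or ComboFix), a small Python helper that applies the same triage the helper above did by hand: it reads HijackThis-style lines and flags orphan entries whose target is missing, browser start/search page overrides, and O4 autoruns launched from a user-writable profile directory. The sample lines are copied from the logs quoted in this thread; the flagging rules are this example's own heuristics, not anything HijackThis itself computes.

```python
import re

# Constructed sample input: HijackThis lines copied from the logs quoted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://free.fr/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\PC\Desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - Unknown owner - C:\Program Files\GizmoPlugin\GizmoPlugin.exe (file missing)
"""

# Every HijackThis line starts with a section code (R0, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# For O4 autoruns: the [name] in brackets, an optional opening quote, then the .exe path.
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)
# Profile directories any logged-on user can write to (heuristic chosen for this example):
# an autorun living there, rather than in Program Files or WINDOWS, deserves a closer look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\")


def triage(log_text):
    """Return a list of (section, reason, line) for each line worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, "Running processes:" header, or a plain path
        section, body = m.group("section"), m.group("body")
        lower = body.lower()
        if "(no file)" in lower or "(file missing)" in lower:
            # Leftover registration whose target is gone: harmless, but safe to remove.
            findings.append((section, "orphan entry: target file is absent", line))
        elif section in ("R0", "R1"):
            # Start/search page keys are a classic browser-hijacker foothold.
            findings.append((section, "browser start/search page override", line))
        elif section == "O4":
            pm = O4_RE.search(body)
            if pm and any(d in pm.group("path").lower() for d in USER_WRITABLE):
                findings.append((section, "autorun launched from a user-writable profile path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
```

Entries it does not flag (such as the DAEMON Tools autorun under Program Files) still need a human look; the helper only orders the review, it does not decide what is malicious.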

Before I give you the information, I want to thank you, Night_Raven, for continuing to "persist" with this problem together with me and not giving up :thumbsup:

And now to the point:

ComboFix:

ComboFix 07-12-09.1 - PC 2007-12-09 22:39:14.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.20 [GMT 2:00]

Running from: C:\Documents and Settings\PC\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\PC\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\WINDOWS\system32\swsc.exe

C:\WINDOWS\system32\swxcacls.exe

C:\WINDOWS\system32\VFind.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\swsc.exe

C:\WINDOWS\system32\swxcacls.exe

C:\WINDOWS\system32\VFind.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))

.

 

2007-12-08 16:48 . 2007-12-08 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-12-08 16:38 . 2007-12-08 16:38 <DIR> d-------- C:\Documents and Settings\PC\Application Data\SUPERAntiSpyware.com

2007-12-07 00:33 . 2007-12-07 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MimarSinan

2007-12-05 21:12 . 2007-12-08 19:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-05 21:12 . 2007-12-05 21:12 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys

2007-12-05 20:18 . 2007-12-05 20:18 <DIR> d-------- C:\Program Files\VirtualDJ

2007-12-01 15:22 . 2007-12-01 15:22 <DIR> d-------- C:\Program Files\SA Dictionary

2007-11-26 17:48 . 2007-11-26 17:49 921,654 --a------ C:\WINDOWS\xnview wallpaper.bmp

2007-11-26 17:07 . 2007-11-26 17:07 <DIR> d-------- C:\Program Files\Webteh

2007-11-26 17:07 . 2007-12-04 11:36 <DIR> d-------- C:\Documents and Settings\PC\Application Data\BSplayer Pro

2007-11-26 14:45 . 2004-08-23 16:59 124,800 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys

2007-11-24 23:02 . 2007-11-24 23:02 <DIR> d-------- C:\Program Files\K-Lite Codec Pack

2007-11-24 22:56 . 2007-11-24 22:56 <DIR> d-------- C:\Program Files\SVD

2007-11-24 18:23 . 2007-11-26 16:57 <DIR> d-------- C:\Documents and Settings\PC\Application Data\skypePM

2007-11-24 18:21 . 2007-11-24 18:21 <DIR> d-------- C:\Program Files\Skype

2007-11-24 18:21 . 2007-11-24 18:21 <DIR> d-------- C:\Program Files\Common Files\Skype

2007-11-24 12:24 . 2007-11-24 12:25 <DIR> d-------- C:\Program Files\Winamp

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-09 20:37 --------- d-----w C:\Documents and Settings\PC\Application Data\Skype

2007-11-24 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype

2007-10-10 02:00 --------- d-----w C:\Documents and Settings\PC\Application Data\Audacity

2005-09-01 08:34 1,312,392 ----a-w C:\Documents and Settings\PC\NPSWF32.dll

2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll

2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll

2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll

.

 

((((((((((((((((((((((((((((( snapshot@2007-12-08_19.46.30.99 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-12-08 14:26:53 15,440 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{9B05AA2D-AAAF-4F22-9905-260BFCC1B1DD}.bin

+ 2007-12-08 18:35:02 15,440 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{9B05AA2D-AAAF-4F22-9905-260BFCC1B1DD}.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BlazeServoTool"="C:\Documents and Settings\PC\Desktop\BlazeDVD 5 Professional\MediaDetector.exe" []

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48]

"SUPERAntiSpyware"="C:\Documents and Settings\PC\Desktop\SUPERAntiSpyware.exe" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48]

"QuickTime Task"="C:\Documents and Settings\PC\Desktop\qttask.exe" []

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 16:05]

"FineReader7NewsReaderPro"="C:\Documents and Settings\PC\Desktop\AbbyyNewsReader.exe" []

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-23 16:28]

"Nokia.PCSync"="C:\Documents and Settings\PC\Desktop\Nokia PC Suite 6\PcSync2.exe" []

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-23 16:30 C:\WINDOWS\system32\narrator.exe]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Documents and Settings\PC\Desktop\SASSEH.DLL [ ]

 

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys

R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys

S2 Gizmo Plugin;Gizmo VoIP Service;"C:\Program Files\GizmoPlugin\GizmoPlugin.exe"

 

.

**************************************************************************

 

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-09 22:43:02

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-09 22:44:43

.

--- E O F ---

HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:50:01 PM, on 12/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\PC\Desktop\hijackthis\Pc.exe

 

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Documents and Settings\PC\Desktop\AbbyyNewsReader.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKCU\..\Run: [blazeServoTool] "C:\Documents and Settings\PC\Desktop\BlazeDVD 5 Professional\MediaDetector.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Documents and Settings\PC\Desktop\SUPERAntiSpyware.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - Unknown owner - C:\Program Files\GizmoPlugin\GizmoPlugin.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


Apart from C:\WINDOWS\SoftwareDistribution\EventCache\{9B05AA2D-AAAF-4F22-9905-260BFCC1B1DD}.bin, the rest is clean now. You can repeat the text-file operation, pasting only:

File::
C:\WINDOWS\SoftwareDistribution\EventCache\{9B05AA2D-AAAF-4F22-9905-260BFCC1B1DD}.bin

or try to delete the file manually.

Otherwise, as I said, the rest looks clean. Is the problem still present?


ComboFix 07-12-09.1 - PC 2007-12-09 23:38:19.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.22 [GMT 2:00]

Running from: C:\Documents and Settings\PC\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\PC\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\WINDOWS\SoftwareDistribution\EventCache\{9B05AA2D-AAAF-4F22-9905-260BFCC1B1DD}.bin

.

 

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))

.

 

2007-12-08 16:48 . 2007-12-08 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-12-08 16:38 . 2007-12-08 16:38 <DIR> d-------- C:\Documents and Settings\PC\Application Data\SUPERAntiSpyware.com

2007-12-07 00:33 . 2007-12-07 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MimarSinan

2007-12-05 21:12 . 2007-12-08 19:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-05 21:12 . 2007-12-05 21:12 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys

2007-12-05 20:18 . 2007-12-05 20:18 <DIR> d-------- C:\Program Files\VirtualDJ

2007-12-01 15:22 . 2007-12-01 15:22 <DIR> d-------- C:\Program Files\SA Dictionary

2007-11-26 17:48 . 2007-11-26 17:49 921,654 --a------ C:\WINDOWS\xnview wallpaper.bmp

2007-11-26 17:07 . 2007-11-26 17:07 <DIR> d-------- C:\Program Files\Webteh

2007-11-26 17:07 . 2007-12-04 11:36 <DIR> d-------- C:\Documents and Settings\PC\Application Data\BSplayer Pro

2007-11-26 14:45 . 2004-08-23 16:59 124,800 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys

2007-11-24 23:02 . 2007-11-24 23:02 <DIR> d-------- C:\Program Files\K-Lite Codec Pack

2007-11-24 22:56 . 2007-11-24 22:56 <DIR> d-------- C:\Program Files\SVD

2007-11-24 18:23 . 2007-11-26 16:57 <DIR> d-------- C:\Documents and Settings\PC\Application Data\skypePM

2007-11-24 18:21 . 2007-11-24 18:21 <DIR> d-------- C:\Program Files\Skype

2007-11-24 18:21 . 2007-11-24 18:21 <DIR> d-------- C:\Program Files\Common Files\Skype

2007-11-24 12:24 . 2007-11-24 12:25 <DIR> d-------- C:\Program Files\Winamp

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-09 21:37 --------- d-----w C:\Documents and Settings\PC\Application Data\Skype

2007-11-24 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype

2007-10-10 02:00 --------- d-----w C:\Documents and Settings\PC\Application Data\Audacity

2005-09-01 08:34 1,312,392 ----a-w C:\Documents and Settings\PC\NPSWF32.dll

2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll

2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll

2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BlazeServoTool"="C:\Documents and Settings\PC\Desktop\BlazeDVD 5 Professional\MediaDetector.exe" []

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48]

"SUPERAntiSpyware"="C:\Documents and Settings\PC\Desktop\SUPERAntiSpyware.exe" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 16:05]

"FineReader7NewsReaderPro"="C:\Documents and Settings\PC\Desktop\AbbyyNewsReader.exe" []

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-23 16:28]

"Nokia.PCSync"="C:\Documents and Settings\PC\Desktop\Nokia PC Suite 6\PcSync2.exe" []

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-23 16:30 C:\WINDOWS\system32\narrator.exe]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Documents and Settings\PC\Desktop\SASSEH.DLL [ ]

 

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys

R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys

 

.

**************************************************************************

 

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-09 23:42:09

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-09 23:44:14

.

--- E O F ---

 

 

This time when I restarted the computer, the Themida message did not appear. But the problem is still there. Wow, it turned out to be a serious problem. And what about the corrupted file in system32 that I wrote about before? It seems I really will have to reinstall Windows. But I don't want to, because all the programs, all the files on the computer - I would have to start everything from scratch, and for what, just because I can't use a few programs. I doubt I'll decide to reinstall it, but we'll see. I hope I still find a way to fix this problem. I'm counting on you too!


You can try putting the Windows installation disc in the drive and typing sfc /scannow in Start -> Run. This will scan your Windows installation and try to add missing files and fix any that are corrupted or replaced.

Another option is a Repair of the installation after booting from the installation disc.

Still, a clean reinstall is the surest solution.
