zawieszanie się paska start po zalogowaniu

[Mnawrock89]

Witam wszystkich - mam taki mały problem. Po formacie i reinstalce systemu Win XP Professional, po zalogowaniu na konto (obojętnie które) po chwili pasek Start się zawiesza i przy kliknięciu w niego słychać tylko dźwięk klikania. Co ciekawe, gdy w Menedżerze Urządzeń wyłącze explorer.exe i włącze jeszce raz, pasek działa normalnie. Czy może ktoś wie co mogę zrobić żebym nie musiał po każdym logowaniu bawić się w wyłączanie i włączanie explorer.exe ?

Załączam log HijackThis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:34:00, on 2007-08-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\ATKKBService.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\mknxmvjb.exe
F:\Program Files\CyberLink\Shared files\RichVideo.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\PROGRA~1\NEOSTR~1\CnxMon.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Draco Software\Draco Organizer 3\Organizer.exe
F:\Program Files\Gadu-Gadu\gg.exe
F:\WINDOWS\system32\imapi.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Neostrada TP\NeostradaTP.exe
F:\Program Files\Neostrada TP\ComComp.exe
F:\Program Files\Neostrada TP\Watch.exe
F:\Program Files\Mozilla Firefox\firefox.exe
\?\F:\WINDOWS\system32\WBEM\WMIADAP.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WooCnxMon] F:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [WebAccelerator] "F:\Program Files\Web Accelerator\webxl.exe"
O4 - HKLM\..\Run: [Startup Manager Scanner] F:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKLM\..\Run: [atipta] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpdj taskbar utility] f:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [winampagent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [remotecontrol] "f:\program files\cyberlink\powerdvd\pdvdserv.exe"
O4 - HKLM\..\Run: [nerofiltercheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [languageshortcut] "F:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ccapp] "f:\program files\common files\symantec shared\ccapp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "F:\WINDOWS\system32\dhclensc.dll",forkonce
O4 - HKCU\..\Run: [Draco Organizer] "F:\Program Files\Draco Software\Draco Organizer 3\Organizer.exe" /tray
O4 - HKCU\..\Run: [STYLEXP] F:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] f:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msmsgs] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D22F7E7-9FFB-4B1E-8E30-43E9BF4EFD37}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - F:\WINDOWS\system32\mknxmvjb.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVScan - Unknown owner - F:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7023 bytes

[wojtas]

Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach)
Start do awaryjnego ( F8 ) przy starcie komputera.

start>uruchom>cmd>wpisz

sc stop DomainService

enter

sc delete DomainService

enter

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "F:\WINDOWS\system32\dhclensc.dll",forkonce
O23 - Service: DomainService - - F:\WINDOWS\system32\mknxmvjb.exe

Odpalasz hijackthis i zaznaczasz ptaszkami powyższe wpisy i dajesz Fix checked.
Pogrubione pliki usuwasz ręcznie z dysku

potem zastosuj:

smitfraudfix z opcji 2:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

oraz te skanery po kilka razy

VundoFix
http://www.atribune.org/ccount/click.php?id=4

VirtumundoBeGone
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

FixVundo
http://securityresponse.symantec.com/avcenter/FixVundo.exe


potem nowy log z hijacka oraz z combofixa

[Mnawrock89]

Po zastosowaniu wyżej wymienionych czynności, problem niestety nie został rozwiązany. Nadal przy logowaniu pasek start się zawiesza

logi :

ComboFix

Kod: Zaznacz wszystko

ComboFix 07-08-14.4 - "Marcin" 2007-08-15 19:15:48.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.280 [GMT 2:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


F:\WINDOWS\system32\engabajw.dll
F:\WINDOWS\system32\urqopnn.dll
F:\WINDOWS\system32\winjyg32.dll


(((((((((((((((((((((((((   Files Created from 2007-07-15 to 2007-08-15  )))))))))))))))))))))))))))))))


2007-08-15 19:15   51,200   --a------   F:\WINDOWS\nircmd.exe
2007-08-15 18:37   545,280   --a------   F:\WINDOWS\system32\win6458.dll
2007-08-15 17:44   3,184   --a------   F:\WINDOWS\system32\tmp.reg
2007-08-15 15:50   162,816   --a------   F:\WINDOWS\system32\fmod.dll
2007-08-15 15:50   <DIR>   d--------   F:\Program Files\Warblade
2007-08-15 14:02   545,280   --a------   F:\WINDOWS\system32\win54973.dll
2007-08-15 10:05   545,280   --a------   F:\WINDOWS\system32\win1473.dll
2007-08-15 10:05   39,936   --a------   F:\WINDOWS\system32\winresponse32.exe
2007-08-15 09:28   <DIR>   d--------   F:\DOCUME~1\Marcin\DANEAP~1\AdobeUM
2007-08-15 07:33   <DIR>   d--------   F:\Program Files\Trend Micro
2007-08-15 07:17   <DIR>   d--h-----   F:\WINDOWS\$hf_mig$
2007-08-15 07:03   643,042   ---hs----   F:\WINDOWS\system32\fgjlm.bak2
2007-08-15 06:59   <DIR>   d--------   F:\Program Files\xchat
2007-08-15 06:59   <DIR>   d--------   F:\DOCUME~1\Marcin\DANEAP~1\X-Chat 2
2007-08-14 14:05   6,461   ---hs----   F:\WINDOWS\system32\fgjlm.bak1
2007-08-14 14:05   243,296   --a------   F:\WINDOWS\system32\mljgf.dll.vir
2007-08-14 14:00   31,254   --a------   F:\WINDOWS\system32\yayvvtq.dll.vir
2007-08-14 13:35   <DIR>   d--------   F:\Program Files\Common Files\Adobe Systems Shared
2007-08-14 13:35   <DIR>   d--------   F:\DOCUME~1\ALLUSE~1\DANEAP~1\Adobe Systems
2007-08-14 10:38   <DIR>   d--------   F:\Program Files\mIRC
2007-08-14 10:00   36,864   --a------   F:\WINDOWS\system32\vcmgcd32.dll
2007-08-14 09:59   <DIR>   d--------   F:\WINDOWS\Prefetch
2007-08-14 09:56   9,728   --a--c---   F:\WINDOWS\system32\dllcache\rwnh.dll
2007-08-14 09:56   9,728   --a--c---   F:\WINDOWS\system32\dllcache\query.exe
2007-08-14 09:56   9,216   --a--c---   F:\WINDOWS\system32\dllcache\wamps51.dll
2007-08-14 09:56   86,073   --a--c---   F:\WINDOWS\system32\dllcache\voicesub.dll
2007-08-14 09:56   80,384   --a--c---   F:\WINDOWS\system32\dllcache\rwia330.dll
2007-08-14 09:56   80,384   --a--c---   F:\WINDOWS\system32\dllcache\rwia001.dll
2007-08-14 09:56   8,704   --a--c---   F:\WINDOWS\system32\dllcache\snmptrap.exe
2007-08-14 09:56   77,312   --a--c---   F:\WINDOWS\system32\dllcache\wam51.dll
2007-08-14 09:56   76,288   --a--c---   F:\WINDOWS\system32\dllcache\uniime.dll
2007-08-14 09:56   74,240   --a--c---   F:\WINDOWS\system32\dllcache\w3ext.dll
2007-08-14 09:56   70,144   --a--c---   F:\WINDOWS\system32\dllcache\pintlphr.exe
2007-08-14 09:56   7,680   --a--c---   F:\WINDOWS\system32\dllcache\pwsdata.dll
2007-08-14 09:56   7,168   --a--c---   F:\WINDOWS\system32\dllcache\EXCH_snprfdll.dll
2007-08-14 09:56   67,584   --a--c---   F:\WINDOWS\system32\dllcache\pmigrate.dll
2007-08-14 09:56   6,144   --a--c---   F:\WINDOWS\system32\dllcache\snmpmib.dll
2007-08-14 09:56   6,144   --a--c---   F:\WINDOWS\system32\dllcache\pmxgl.dll
2007-08-14 09:56   57,856   --a--c---   F:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2007-08-14 09:56   53,760   --a--c---   F:\WINDOWS\system32\dllcache\pintlcsd.dll
2007-08-14 09:56   53,248   --a--c---   F:\WINDOWS\system32\dllcache\wamreg51.dll
2007-08-14 09:56   5,632   --a--c---   F:\WINDOWS\system32\dllcache\w3svapi.dll
2007-08-14 09:56   5,632   --a--c---   F:\WINDOWS\system32\dllcache\smimsgif.dll
2007-08-14 09:56   5,632   --a--c---   F:\WINDOWS\system32\dllcache\smierrsy.dll
2007-08-14 09:56   48,256   --a--c---   F:\WINDOWS\system32\dllcache\w32.dll
2007-08-14 09:56   47,104   --a--c---   F:\WINDOWS\system32\dllcache\svcext51.dll
2007-08-14 09:56   464,384   --a--c---   F:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-08-14 09:56   46,592   --a--c---   F:\WINDOWS\system32\dllcache\sspifilt.dll
2007-08-14 09:56   455,168   --a--c---   F:\WINDOWS\system32\dllcache\tintsetp.exe
2007-08-14 09:56   45,056   --a--c---   F:\WINDOWS\system32\dllcache\ssinc51.dll
2007-08-14 09:56   44,032   --a--c---   F:\WINDOWS\system32\dllcache\tintlphr.exe
2007-08-14 09:56   426,041   --a--c---   F:\WINDOWS\system32\dllcache\voicepad.dll
2007-08-14 09:56   41,600   --a--c---   F:\WINDOWS\system32\dllcache\weitekp9.dll
2007-08-14 09:56   40,448   --a--c---   F:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-08-14 09:56   4,608   --a--c---   F:\WINDOWS\system32\dllcache\w3ctrs51.dll
2007-08-14 09:56   4,096   --a--c---   F:\WINDOWS\system32\dllcache\rpcref.dll
2007-08-14 09:56   38,912   --a--c---   F:\WINDOWS\system32\dllcache\sm9aw.dll
2007-08-14 09:56   366,080   --a--c---   F:\WINDOWS\system32\dllcache\w3svc.dll
2007-08-14 09:56   358,400   --a--c---   F:\WINDOWS\system32\dllcache\snmpincl.dll
2007-08-14 09:56   32,256   --a--c---   F:\WINDOWS\system32\dllcache\snmp.exe
2007-08-14 09:56   31,744   --a--c---   F:\WINDOWS\system32\dllcache\smb6w.dll
2007-08-14 09:56   31,744   --a--c---   F:\WINDOWS\system32\dllcache\sma3w.dll
2007-08-14 09:56   31,360   --a--c---   F:\WINDOWS\system32\dllcache\weitekp9.sys
2007-08-14 09:56   31,232   --a--c---   F:\WINDOWS\system32\dllcache\tools.dll
2007-08-14 09:56   30,208   --a--c---   F:\WINDOWS\system32\dllcache\sm87w.dll
2007-08-14 09:56   30,208   --a--c---   F:\WINDOWS\system32\dllcache\sm81w.dll
2007-08-14 09:56   29,184   --a--c---   F:\WINDOWS\system32\dllcache\sm8cw.dll
2007-08-14 09:56   26,624   --a--c---   F:\WINDOWS\system32\dllcache\sm93w.dll
2007-08-14 09:56   26,624   --a--c---   F:\WINDOWS\system32\dllcache\sm92w.dll
2007-08-14 09:56   26,624   --a--c---   F:\WINDOWS\system32\dllcache\rw330ext.dll
2007-08-14 09:56   26,112   --a--c---   F:\WINDOWS\system32\dllcache\sm90w.dll
2007-08-14 09:56   26,112   --a--c---   F:\WINDOWS\system32\dllcache\sm8dw.dll
2007-08-14 09:56   26,112   --a--c---   F:\WINDOWS\system32\dllcache\sm8aw.dll
2007-08-14 09:56   26,112   --a--c---   F:\WINDOWS\system32\dllcache\sm89w.dll
2007-08-14 09:56   26,112   --a--c---   F:\WINDOWS\system32\dllcache\EXCH_seos.dll
2007-08-14 09:56   259,072   --a--c---   F:\WINDOWS\system32\dllcache\snmpcl.dll
2007-08-14 09:56   25,088   --a--c---   F:\WINDOWS\system32\dllcache\sm59w.dll
2007-08-14 09:56   25,088   --a--c---   F:\WINDOWS\system32\dllcache\rw001ext.dll
2007-08-14 09:56   236,544   --a--c---   F:\WINDOWS\system32\dllcache\smi2smir.exe
2007-08-14 09:56   23,040   --a--c---   F:\WINDOWS\system32\dllcache\EXCH_regtrace.exe
2007-08-14 09:56   221,696   --a--c---   F:\WINDOWS\system32\dllcache\seo.dll
2007-08-14 09:56   21,896   --a--c---   F:\WINDOWS\system32\dllcache\tdipx.sys
2007-08-14 09:56   20,736   --a--c---   F:\WINDOWS\system32\dllcache\ramdisk.sys
2007-08-14 09:56   19,464   --a--c---   F:\WINDOWS\system32\dllcache\tdspx.sys
2007-08-14 09:56   188,416   --a--c---   F:\WINDOWS\system32\dllcache\snmpsmir.dll
2007-08-14 09:56   185,344   --a--c---   F:\WINDOWS\system32\dllcache\thawbrkr.dll
2007-08-14 09:56   18,944   --a--c---   F:\WINDOWS\system32\dllcache\simptcp.dll
2007-08-14 09:56   175,104   --a--c---   F:\WINDOWS\system32\dllcache\pintlcsa.dll
2007-08-14 09:56   16,896   --a--c---   F:\WINDOWS\system32\dllcache\status.dll
2007-08-14 09:56   16,896   --a--c---   F:\WINDOWS\system32\dllcache\quser.exe
2007-08-14 09:56   15,872   --a--c---   F:\WINDOWS\system32\dllcache\smierrsm.dll
2007-08-14 09:56   143,422   --a--c---   F:\WINDOWS\system32\dllcache\softkey.dll
2007-08-14 09:56   14,848   --a--c---   F:\WINDOWS\system32\dllcache\register.exe
2007-08-14 09:56   14,336   --a--c---   F:\WINDOWS\system32\dllcache\tsprof.exe
2007-08-14 09:56   131,584   --a--c---   F:\WINDOWS\system32\dllcache\pmxviceo.dll
2007-08-14 09:56   13,192   --a--c---   F:\WINDOWS\system32\dllcache\tdasync.sys
2007-08-14 09:56   12,800   --a--c---   F:\WINDOWS\system32\dllcache\EXCH_smtpctrs.dll
2007-08-14 09:56   11,264   --a--c---   F:\WINDOWS\system32\dllcache\pmxmcro.dll
2007-08-14 09:56   103,936   --a--c---   F:\WINDOWS\system32\dllcache\uihelper.dll
2007-08-14 09:56   101,376   --a--c---   F:\WINDOWS\system32\dllcache\srusbusd.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 18:38   359936   --a--c---   F:\WINDOWS\system32\dllcache\TCPIP.SYS
2007-08-15 18:38   359936   --a------   F:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-14 09:12   253952   --a------   F:\WINDOWS\UNRecode.exe
2007-08-14 09:11   253952   --a------   F:\WINDOWS\UNNeroVision.exe
2007-08-14 09:11   253952   --a------   F:\WINDOWS\UNNeroShowTime.exe
2007-08-14 09:11   253952   --a------   F:\WINDOWS\UNNeroMediaHome.exe
2007-08-14 09:11   253952   --a------   F:\WINDOWS\UNNeroBackItUp.exe
2007-08-14 09:09   155648   --a------   F:\WINDOWS\system32\NeroCheck.exe
2007-08-14 08:34   45056   --a------   F:\Program Files\Common Files\ldrsup.exe
2007-08-13 10:47   2426   --a------   F:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-08-13 10:42   8972   --a------   F:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
   ---------      F:\Program Files\Usługi online


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="F:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07]
"SpeedTouch USB Diagnostics"="F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"WOOWATCH"="F:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07]
"WOOTASKBARICON"="F:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07]
"WebAccelerator"="F:\Program Files\Web Accelerator\webxl.exe" [2007-08-14 08:51]
"Startup Manager Scanner"="F:\Program Files\Startup Mechanic\StartupMonitor.exe" []
"atipta"="F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-08-14 08:33]
"hpdj taskbar utility"="f:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2007-08-14 09:10]
"winampagent"="F:\Program Files\Winamp\winampa.exe" [2007-08-14 08:52]
"remotecontrol"="f:\program files\cyberlink\powerdvd\pdvdserv.exe" [2007-08-14 08:36]
"nerofiltercheck"="F:\WINDOWS\system32\NeroCheck.exe" [2007-08-14 09:09]
"languageshortcut"="F:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-08-14 08:35]
"ccapp"="f:\program files\common files\symantec shared\ccapp.exe" [2003-08-28 10:09]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 18:48 F:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Draco Organizer"="F:\Program Files\Draco Software\Draco Organizer 3\Organizer.exe" [2007-06-30 19:14]
"STYLEXP"="F:\Program Files\TGTSoft\StyleXP\StyleXP.exe" []
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2004-08-04 00:44]
"msmsgs"="F:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:55]
"bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}"="F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2007-08-14 08:34]
"Gadu-Gadu"="F:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]

F:\Documents and Settings\Marcin\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

F:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [2005-05-13 09:48:16]



Contents of the 'Scheduled Tasks' folder
2007-08-15 17:19:29 F:\WINDOWS\Tasks\Symantec NetDetect.job - F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 19:19:39
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  ctfmon.exe = f:\windows\system32\ctfmon.exe
  bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa} = "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 19:20:41 - machine was rebooted
F:\ComboFix-quarantined-files.txt ... 2007-08-15 19:20

   --- E O F ---


HijackThis:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21:27, on 2007-08-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\ATKKBService.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\CyberLink\Shared files\RichVideo.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\wscntfy.exe
F:\PROGRA~1\NEOSTR~1\CnxMon.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
F:\Program Files\Winamp\winampa.exe
F:\program files\cyberlink\powerdvd\pdvdserv.exe
F:\WINDOWS\system32\wuauclt.exe
F:\program files\common files\symantec shared\ccapp.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\Draco Software\Draco Organizer 3\Organizer.exe
F:\Program Files\Gadu-Gadu\gg.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WooCnxMon] F:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [WebAccelerator] "F:\Program Files\Web Accelerator\webxl.exe"
O4 - HKLM\..\Run: [Startup Manager Scanner] F:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKLM\..\Run: [atipta] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpdj taskbar utility] f:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [winampagent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [remotecontrol] "f:\program files\cyberlink\powerdvd\pdvdserv.exe"
O4 - HKLM\..\Run: [nerofiltercheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [languageshortcut] "F:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ccapp] "f:\program files\common files\symantec shared\ccapp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Draco Organizer] "F:\Program Files\Draco Software\Draco Organizer 3\Organizer.exe" /tray
O4 - HKCU\..\Run: [STYLEXP] F:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] f:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msmsgs] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVScan - Unknown owner - F:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

--
End of file - 7430 bytes


Edit. Po kolejnym zeskanowaniu tymi trzema programami problem został naprawiony

[wojtas]

daj nowe logi z combofixa i hijacka