kontrola logu

kky · Příspěvekod **kky** » 20 lis 2006 13:24

Muzete prosim nekdo na to mrknout? dik.

Logfile of HijackThis v1.99.1
Scan saved at 22:37:17, on 19.11.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\SERVICES.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\WF2K.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MILOSS~1\LOCALS~1\Temp\$wc\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://192.168.1.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F3 - REG:win.ini: run=C:\WINNT\inet20101\services.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\MILOSS~1\LOCALS~1\Temp\MegaHost.dll
O3 - Toolbar: @msdxmLC.dll,-1@1029,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFoxV2] C:\WINNT\system32\WF2K.EXE Initial
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Uninstall.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {3190CE26-0B6E-4133-A7D3-87D29CB92120} (SBIInetInstall Control) -
O16 - DPF: {4ADC518E-B607-11D4-B395-0001020F4519} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://66.117.37.13/cza2106.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://66.117.37.13/cza2106.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C7336E6-86DB-49EC-B9B4-DABC3428D212}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{89F3F6E2-65A5-4F4C-A0E6-E97A15D8DC44}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Reklama

mijaja · Příspěvekod **mijaja** » 20 lis 2006 16:35

Stáhni si Fixwareout a Killbox Ulož je a rozbal na plochu.

Restartuj do nouzáku a spusť Fixwareout, klikni na Next, potom na Install, zvolíš možnost Run fixit a klikni na Finish.
▪ Začne čistící proces a ty postupuj dle instrukcí.
▪ V případě odolnějších variant je vyžadován restart počítače, takže restartuj.
▪ Počítač může trochu déle nabíhat, po vstupu do Windows by mělo vyběhnout okno s logem z Fixwareoutu, tento log vloží zde do fóra. Jestliže se výpis neobjeví, najdeš jej v C:\fixwareout\report.txt

kky · Příspěvekod **kky** » 23 lis 2006 21:09

Tak tady je ten protokol z fixwareoutu. Co si o tom prosim te myslis? Podarilo se to vycistit?
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D871CBA8EFE8-942A-DBF4-D44B-16389B27{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xgcmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
"dmcgx.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSUFJ.EXE 51 772 2006-09-23
C:\WINNT\SYSTEM32\DMCGX.EXE 62 041 2003-06-19

Other suspects.
Directory of C:\WINNT\system32
{F3F38A39-3509-477F-8323-6D973AF10191}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

mijaja · Příspěvekod **mijaja** » 24 lis 2006 07:50

Pošli nový log z Hijackthisu. Tam to uvidíme.
Měl bys ještě, než pošleš nový logHJT, zkontrolovat podle doporučení Fixwareoutu na Jottiscanu, nebo Virustotalu tyto soubory:

C:\WINNT\SYSTEM32\CSUFJ.EXE 51 772 2006-09-23
C:\WINNT\SYSTEM32\DMCGX.EXE 62 041 2003-06-19
C:\WINNT\system32
{F3F38A39-3509-477F-8323-6D973AF10191}.exe

Výsledky dej sem potom i s tím novým logem HJT.

kontrola logu

kontrola logu

Kdo je online