Log z hijackthis

tommy1104 · Napísal **tommy1104**: 10.07.2008 15:29

Prosim o kontrolu, ci tam nieco nahodou neostalo. Precistene Avastom. Je to Pentium 1, riadne stare, ale bolo riadne zavirene. Bolo tu 41 virusov, z toho polovica v systeme, neslo opravit, musel som mazat, ale nastastie ide. Vsimnite si najma jeden subor v Program Files a to je "TSAdbot.exe", pamatam si, ze som nieco take mazal, ale vzdy ked zapnem toto PC tak vyhdoi, ze tento subor chyba, cize ho asi chce stale spustat, alebo co. Logicky dedukujem, ze sa jedna o nejaky adware.

Kód:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:08, on 10.7.2008
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\VetMsgNT.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\INOCUL~1\VetTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tuzvo.sk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tuzvo.sk:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSAdBot.exe"
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VetTray.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\S-1-5-21-574054711-890905055-1703228666-500\..\Run: [internat.exe] internat.exe (User '?')
O4 - Global Startup: Rychlé hledání Microsoft.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Spuštění Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O13 - WWW. Prefix: http://
O16 - DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD 2002 Cz\InstFred.ocx
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD 2002 Cz\AcDcToday.ocx
O16 - DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002 Cz\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD 2002 Cz\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tuzvo.sk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tuzvo.sk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 194.160.170.6 194.160.170.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tuzvo.sk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 194.160.170.6 194.160.170.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 194.160.170.6 194.160.170.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Windows Time Service (CSRRS) - Unknown owner - C:\WINNT\system\csrrs.exe (file missing)
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINNT\System32\VetMsgNT.exe

--
End of file - 4839 bytes

br4n0 · Napísal **br4n0**: 10.07.2008 16:35

Fixni:

O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSAdBot.exe"

A vymaž C:\Program Files\TimeSink
A odinštaluj InoculateIT AntiVirus.

tommy1104 · Napísal autor témy **tommy1104**: 11.07.2008 15:05

Ok ked sa dostanem k tomu PC vykonám.

pistak · Napísal **pistak**: 14.07.2008 20:32

Skontroluj si to na dole uvedenej stranke, mas tam toho dost vela zleho, ale pre istotu pozrite mu to viaceri, ja sa do toho moc nerozumiem

Kód:

http://www.hijackthis.de/cz

br4n0 · Napísal **br4n0**: 15.07.2008 1:40

Nič sa nemení. Podľa toho webu má fixnúť adresy dns, čo je blbosť.

tommy1104 · Napísal autor témy **tommy1104**: 16.07.2008 9:56

Vymazané, fixnuté a odinštalované. Ešte by som potreboval poradiť ohľadom nejakého programu, ktorý by dokázal všetko natvrdo mazať, ostali mi tu totiž nejaké .dll knižnice po programoch, ktoré nešlo odinštalovať, resp. nemali uninstall.

don jebot · Napísal **don jebot**: 16.07.2008 10:02

kill box

tommy1104 · Napísal autor témy **tommy1104**: 16.07.2008 10:09

Nejde. Je tu Windows NT. Neviem, či to je príčina, ale píše pri spustení, že nenašlo nejaký súbor v kernel32 alebo niečo také, čiže podľa môjho skromného názoru je kernel jadro, čiže asi nepôjde s jadrom NT. Niečo čo by šlo...

//edit:
A ešte je tu jeden problém, asi vírus: už dávnejšie tu v koši blbne nejký v´írus, chvíľami to už vyzeralo čisté, ale vždy keď niečo vymažem tak sa v C:/Recycler objavia adresáre Dc1, alevo Dc a nejakáňé číslo(idú vždy postupne)a suúbory Dc0.exe, Dc1.exe atď. V tom adresári Dc1 je teraz podadresár Logs a v ňom súbor kb.log (vytvorený dnes-asi niečo s killboxom). Ale tie súbory sa tam generujú už dávno. Avast ho nenašiel, a mám podozrenie, že je to červ Autoit.DC.

Napr. teraz som vyskúšal vytvoriť texťák ab.txt, vymazal som ho a v koši sa objavil pod názvom Dc2.txt.

//edit2: A potrebujem vymazať súbor C:/Program Files/SuperAntispyware/Sasctxmn.dll
keď ho dám vymazať, napíše že sa nedá odstrániť, pretože ho používa systém Windows.

//edit3: Unlocker 1.8 mi tiež nejde, znova nejaký problém s kernel32 databázou.

Kosak · Napísal **Kosak**: 16.07.2008 12:18

Ahoj, nudzovy rezim si skusil? Skus mi na mail poslat log zo SysInspectoru.

tommy1104 · Napísal autor témy **tommy1104**: 16.07.2008 13:37

Ee, pomoze daco nudzovy? Ten SysInspector je free? Teraz este zhanam nejaky process manager, lebo sa mi zdaju dake divne procesy naspustane.

//edit: Klikol som v tvojom podpise na sysinspector a podporu NT nepisu, a naozaj tu uz viacej veci neslo, tak neviem, ci to ma vobec vyznam...

Myslite, ze spustim Process Explorer na NTčku?

Kosak · Napísal **Kosak**: 16.07.2008 15:05

Napisany NT nie je, ale 2000, XP su zalozene na NT.

ESET Software píše:

Ide o užitočný nástroj pre diagnostiku počítača na platforme Windows NT

tommy1104 · Napísal autor témy **tommy1104**: 17.07.2008 9:33

A este tu bezia taketo procesy napr.:
ashWebSv.exe, ashMaiSv.exe, ashDisp.exe, ashServ.exe, aswUpdSw.exe, LOADWC.exe, internat.exe, NDDEAGNT.exe, OSA.exe, PSTORES.exe, WINLOGON.exe, LSASS.exe, SPOOLSS.exe, SMSS.exe, CSRSS.exe atd.
Je to v poriadku?

don jebot · Napísal **don jebot**: 17.07.2008 9:37

ash.... su avast aplikacie a ostatne si pekne skopiruj pouzi google a precitaj si co to je ved nebude ti to robit niekto za teba hladat info o kazdom procese v tvojom PC....

petos · Napísal **petos**: 17.07.2008 9:44

tommy1104 píše:

...WINLOGON.exe, LSASS.exe, SMSS.exe, CSRSS.exe...

tieto procesy bezia aj mne :rolleyes:

su to sucasti windowsu

tommy1104 · Napísal autor témy **tommy1104**: 17.07.2008 11:27

Ok diky.

//edit:

Prosím o kontrolu ďalšieho logu z HJT. (nechcel som zbytočne zakladať novú tému) Tentokrát sa jedná o Pentium 2 a operačný systém Windows XP Professional.

Kód:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:35, on 17. 7. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nod32m2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tuzvo.sk/sk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHQFSLAN\document.pif
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System MScvb] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHQFSLAN\document.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDD329F3-45A7-4C34-B1EE-5803AFE6F8B9}: Domain = tuzvo.sk
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDD329F3-45A7-4C34-B1EE-5803AFE6F8B9}: NameServer = 194.160.170.5,194.160.170.6
O23 - Service: ANSYS FLEXlm license manager - GLOBEtrotter Software Inc. - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: NOD32 Service (NOD32Service) - Unknown owner - C:\WINDOWS\system32\nod32m2.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 6246 bytes

Kosak · Napísal **Kosak**: 17.07.2008 13:01

Stiahni si Ultimate Process Manager -> Rozbal -> Spust upm.exe -> Dalsie nastroje -> Sluzby -> Zmaz tuto:

NOD32 Service

Pouzi Avenger s tymto skriptom:

Kód:

Files to delete:
C:\WINDOWS\system32\nod32m2.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHQFSLAN\document.pif

Posli mi na mail zalohu backup.zip z adresara C:\Avenger na mail, vdaka.

Fixni v HijackThis:

O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHQFSLAN\document.pif
O4 - HKCU\..\Run: [System MScvb] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHQFSLAN\document.pif
O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/I ... _EN_XP.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Log z hijackthis

Podobné témy