Kontrola logu, vir, spravce systemu zakazan, regedit zakazan
Napsal: 22 led 2009 21:03
Zdravim,
prosim potreboval bych pomoct, behem dneska se mi do PC dostal nejaky vir a ne a ne se ho zbavit, skousel jsem i combofix jen ma to jeden hacek a to ten ze kdyz se spoustim do stavu nouze v jakemkoli rezimu ( v siti, MS DOST ) tak mi to nacita konfiguracni soubory a spadne, takze podle meho nazoru ten vir nejak zabranil systemu nouze. Kdyz jsem spustil combofix z normalniho rezimu tak uz jsem videl jenom jestli mam odesilat spravu o padu aplikace ...
Dalsi vec kterou jsem si vsiml je ze nemuzu pouzivat Spravce zarizeni, kdyz jsem ho chtel povol pres regedit, zjistil jsem ze ani ten nefunguje.
Zajmava vec je taky ta, ze kdyz spustim hijackthis, a dam log zkontrolovat na hijackthis.cz, tak se mi to sekne prave u ctfrmon.exe, abych zjistil u ceho se to seka tak jsem si prenesl log na jiny PC.
Prikladam zde log z hijackthis a byl bych rad kdyby mi nekdo pomohl, predem dekuji :)
Logfile of HijackThis v1.99.1
Scan saved at 21:01:49, on 22.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\bsh\bin\bash.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bsh\bin\ssh.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefoxx\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingsdx.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hvbnms.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqogug.exe
C:\QIP Infium JadrisPack\infium.exe
C:\Documents and Settings\Administrator\Plocha\hijackthis.exe
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
btw: skousel jsem to regedit disable fixnout ale porad se mi to tam vracelo
prosim potreboval bych pomoct, behem dneska se mi do PC dostal nejaky vir a ne a ne se ho zbavit, skousel jsem i combofix jen ma to jeden hacek a to ten ze kdyz se spoustim do stavu nouze v jakemkoli rezimu ( v siti, MS DOST ) tak mi to nacita konfiguracni soubory a spadne, takze podle meho nazoru ten vir nejak zabranil systemu nouze. Kdyz jsem spustil combofix z normalniho rezimu tak uz jsem videl jenom jestli mam odesilat spravu o padu aplikace ...
Dalsi vec kterou jsem si vsiml je ze nemuzu pouzivat Spravce zarizeni, kdyz jsem ho chtel povol pres regedit, zjistil jsem ze ani ten nefunguje.
Zajmava vec je taky ta, ze kdyz spustim hijackthis, a dam log zkontrolovat na hijackthis.cz, tak se mi to sekne prave u ctfrmon.exe, abych zjistil u ceho se to seka tak jsem si prenesl log na jiny PC.
Prikladam zde log z hijackthis a byl bych rad kdyby mi nekdo pomohl, predem dekuji :)
Logfile of HijackThis v1.99.1
Scan saved at 21:01:49, on 22.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\bsh\bin\bash.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bsh\bin\ssh.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefoxx\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingsdx.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hvbnms.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqogug.exe
C:\QIP Infium JadrisPack\infium.exe
C:\Documents and Settings\Administrator\Plocha\hijackthis.exe
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
btw: skousel jsem to regedit disable fixnout ale porad se mi to tam vracelo
