LOG - proszę o sprawdzenie

Trebron · 15 Styczeń 2005 08:27

Do systemu wwalił mi się jakiś spyware, bardzo odporny na usuwania. Oto LOG. Proszę o sprawdzenie

LOG:

Logfile of HijackThis v1.99.0 Scan saved at 09:25:30, on 2005-01-15 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Webroot\Accelerate\accelerate.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe C:\Program Files\NetLimiter\NetLimiter.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE C:\PROGRA~1\DAP\DAP.EXE C:\Program Files\Windows Enabler 1.0\Windows Enabler.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\wdfmgr.exe C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe C:\Program Files\GlobalSCAPE\CuteFTP Professional\ftpte.exe C:\Program Files\PRC View 3.7.3.1\PrcView.exe C:\Documents and Settings\Norbi\Pulpit\10_01_2005\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Norbi\USTAWI~1\Temp\sp.dll/sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Norbi\USTAWI~1\Temp\sp.dll/sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.wp.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe, O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Local Spool Net support DLL - {41943050-65CC-454B-81E4-9C8A9D7CBAEA} - C:\WINDOWS\System32\localsplnet.dll O2 - BHO: (no name) - {93FDFFBD-527C-48AF-84CB-A1D0C3B5AEF1} - C:\WINDOWS\System32\hcldc.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKLM…\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s O4 - HKLM…\Run: [sCANINICIO] “C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe” O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE” /s O4 - HKLM…\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP O4 - HKLM…\RunServices: [PANDA ANTISPAM SERVER SERVICE] “C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe” O4 - Startup: Enabler.lnk = C:\Program Files\Windows Enabler 1.0\Windows Enabler.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe O17 - HKLM\System\CCS\Services\Tcpip…{E38376BE-78EE-4C20-8F24-F69562AC4683}: NameServer = 194.204.159.1,194.204.152.34 O18 - Filter: text/html - {874B2C45-F38E-4A4D-B2D4-4293A19A3472} - C:\WINDOWS\System32\hcldc.dll O18 - Filter: text/plain - {874B2C45-F38E-4A4D-B2D4-4293A19A3472} - C:\WINDOWS\System32\hcldc.dll O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Panda Antispam Server Service - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe O23 - Service: Panda Function Service - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe O23 - Service: Panda Pavkre - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe O23 - Service: Panda PavProt - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe O23 - Service: Panda Preventium+ Service - Unknown - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

detektyw · 15 Styczeń 2005 08:31

przeskanuj dysk:

Ad-Aware:

http://www.dobreprogramy.pl/index.php?dz=2&id=107&t=55

SpyBot:

http://www.dobreprogramy.pl/index.php?dz=2&id=188&t=55

sam DAP ma w sobie spyware, wywal go.

Kamcia_18 · 15 Styczeń 2005 08:45

sprawdz sobie pozycje siamm

/O4 - Autostart programów z kluczy rejestru lub folderu Startup/

–PacMan’s Startup List–

http://www.sysinfo.org/startuplist.php

http://www.liutilities.com/products/win … sslibrary/

/02 - BHO czyli Browser Helper Objects/

/O3 - Paski narzędziowe w IE/

–BHO & Toolbar List–

http://www.sysinfo.org/bholist.php

wpisujesz

CLSID List - danej aplikacji

np.

O2 - BHO: Local Spool Net support DLL - {41943050-65CC-454B-81E4-9C8A9D7CBAEA} - C:\WINDOWS\System32\localsplnet.dll

41943050-65CC-454B-81E4-9C8A9D7CBAEA - CLSID

pozycje X - grozne /kasacja/

reszte ja sprawdze

ok to tak

kasujesz tak /tryb awaryjny/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {93FDFFBD-527C-48AF-84CB-A1D0C3B5AEF1} - C:\WINDOWS\System32\hcldc.dll

O18 - Filter: text/html - {874B2C45-F38E-4A4D-B2D4-4293A19A3472} - C:\WINDOWS\System32\hcldc.dll

O18 - Filter: text/plain - {874B2C45-F38E-4A4D-B2D4-4293A19A3472} - C:\WINDOWS\System32\hcldc.dll

[wywaalasz takze wszystkie pliki hcldc.dll]

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht! http://82.179.166.130/e9xr2.chm::/file.exe

O2 - BHO: Local Spool Net support DLL - {41943050-65CC-454B-81E4-9C8A9D7CBAEA} - C:\WINDOWS\System32\localsplnet.dll

[znasz zostawiasz /NIE/ kasacja]

tak jak z pozycjami

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Norbi\USTAWI~1\Temp\sp.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Norbi\USTAWI~1\Temp\sp.dll/sp.html

[znasz zostawiasz /NIE/ kasacja]

standordowa procedura dalej >>>

1.)

sciagasz PestPatrol

http://download.zonelabs.com/bin/free/p … olHome.exe

oraz

ETD Security Scanner 3.0

http://www.download.com/ETD-Security-Sc … 29424.html

INFO:

skan partycji systemowej

2.)

skan skanerami AV

–F-Secure–

http://support.f-secure.com/enu/home/ols.shtml

–GeCAD (RAV)–

http://www.ravantivirus.com/scan/

lub

–Softwin (BitDefender)–

http://www.bitdefender.com/scan/licence.php

3.)

zabezpieczasz przegladarki softem SpywareBlaster

http://www.javacoolsoftware.com/sbdownload.html

4.)

na koniec skan skenerem na zadanie G DATA Software

http://dobreprogramy.com/index.php?dz=2&t=30&id=846

Trebron · 15 Styczeń 2005 09:01

Skanowałem Ad-Aware i SpyBotem, pousuwałem wszystko, co znaleźli, dalej nic. Próbowałem usuwać ręcznie - Spyware wytrzymał wszystko

krasnalek52 · 15 Styczeń 2005 09:07

to tylko format

a tym probowales Zero Spyware & Adware Remover Lite 1.0???

Trebron · 15 Styczeń 2005 09:21

Ale mnie pocieszyłeś, sam se zrób formata

POST 2

I obyło się bez formata

Wielkie podziekowania dla Kamcia_18. SpyWare’a usunąłem, w Dodaj \ Usuń programy był taki wpis “Search Assistance”, uruchomiłem go i spywar zaliczył autodestrukcje. Wyczyściłem rejestr i wzystko gra.

Temat można zamknąć