SPYSHERIFF znów atakuje!

macko · 6 Sierpień 2005 00:37

Fachowcy!! co mam wykreślicz z listy żeby pozbyć się tych robaków ?!

udalo mi sie pozbyc napisu z desktopu (KillAD-em) ale dalej nie mogę włączyć menadżera zadań a jak uruchamiam sieć to znów sheriff miesza

co robić?!

oto lista z hijackthisa:

Logfile of HijackThis v1.99.1 

Scan saved at 00:45:57, on 2005-08-06 

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) 

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) 


Running processes: 

C:\WINDOWS\System32\smss.exe 

C:\WINDOWS\system32\winlogon.exe 

C:\WINDOWS\system32\services.exe 

C:\WINDOWS\system32\lsass.exe 

C:\WINDOWS\System32\ibmpmsvc.exe 

C:\WINDOWS\system32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\system32\spoolsv.exe 

C:\WINDOWS\System32\atievxx.exe 

C:\Program Files\ThinkPad\TouchBoard\LOGONCMD.exe 

C:\WINDOWS\System32\svchost.exe 

C:\Program Files\ThinkPad\TouchBoard\touchbrd.exe 

C:\WINDOWS\Explorer.exe 

C:\WINDOWS\System32\tp4mon.exe 

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe 

C:\Program Files\UPDD\TBSysTry.exe 

C:\WINDOWS\System32\Atiptaxx.exe 

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE 

C:\WINDOWS\System32\PRPCUI.exe 

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe 

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe 

C:\WINDOWS\System32\kernels32.exe 

C:\Program Files\IBM\IBM Ink Manager Pro\InkXfer.exe 

C:\WINDOWS\System32\tsproto.exe 

C:\Program Files\IBM\IBM Ink Manager Pro\pim.exe 

C:\WINDOWS\System32\ltcm000c.exe 

C:\WINDOWS\System32\RunDll32.exe 

C:\WINDOWS\System32\rundll32.exe 

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe 

C:\Program Files\ThinkPad\Utilities\tponscr.exe 

C:\WINDOWS\System32\qkshoubn.exe 

C:\WINDOWS\System32\ctfmon.exe 

C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE 

C:\Program Files\Skype\Phone\Skype.exe 

C:\Program Files\ACD Systems\ImageFox\ImageFox.exe 

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe 

C:\Program Files\PowerArchiver\POWERARC.EXE 

C:\Program Files\BullsEye Network\bin\bargains.exe 

C:\Program Files\Internet Explorer\iexplore.exe 

C:\Documents and Settings\Slawus\Pulpit\HijackThis.exe 


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4041 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4041 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStartEnter/Portal/portal.html 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com* 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) 

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe 

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts 

O1 - Hosts: 82.179.166.164 lender-search.com 

O1 - Hosts: 82.179.166.165 hot-searches.com 

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing) 

O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\IEHelper.dll 

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll 

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll 

O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll (file missing) 

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx 

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe 

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe 

O4 - HKLM\..\Run: [TBSysTry] C:\Program Files\UPDD\TBSysTry.exe 

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe 

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE 

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe 

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe 

O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe 

O4 - HKLM\..\Run: [Ink Transfer] C:\Program Files\IBM\IBM Ink Manager Pro\InkXfer.exe 

O4 - HKLM\..\Run: [Ink QuickNote] C:\Program Files\IBM\IBM Ink Manager Pro\reminder.exe 

O4 - HKLM\..\Run: [Ink PIM] C:\Program Files\IBM\IBM Ink Manager Pro\pim.exe 

O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9 

O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor 

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s 

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe 

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe 

O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s 

O4 - HKLM\..\Run: [qArb6jR] C:\WINDOWS\gkcur.exe 

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" 

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe 

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe 

O4 - HKLM\..\Run: [qkshoubn] C:\WINDOWS\System32\qkshoubn.exe 

O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\YourSiteBar\ysb.dll" 

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe 

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo 

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized 

O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe 

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe 

O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe 

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe 

O4 - Global Startup: ImageFox.lnk = ? 

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll 

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll 

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe 

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe 

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm 

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm 

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) 

O10 - Hijacked Internet access by New.Net 

O10 - Hijacked Internet access by New.Net 

O10 - Hijacked Internet access by New.Net 

O10 - Hijacked Internet access by New.Net 

O10 - Hijacked Internet access by New.Net 

O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll 

O12 - Plugin for .ivr: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll 

O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll 

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll 

O15 - Trusted Zone: *.blazefind.com 

O15 - Trusted Zone: *.clickspring.net 

O15 - Trusted Zone: *.flingstone.com 

O15 - Trusted Zone: *.mt-download.com 

O15 - Trusted Zone: *.my-internet.info 

O15 - Trusted Zone: *.searchbarcash.com 

O15 - Trusted Zone: *.searchmiracle.com 

O15 - Trusted Zone: *.skoobidoo.com 

O15 - Trusted Zone: *.slotch.com 

O15 - Trusted Zone: *.slotchbar.com 

O15 - Trusted Zone: *.windupdates.com 

O15 - Trusted Zone: *.xxxtoolbar.com 

O15 - Trusted Zone: *.ysbweb.com 

O15 - Trusted Zone: *.blazefind.com (HKLM) 

O15 - Trusted Zone: *.clickspring.net (HKLM) 

O15 - Trusted Zone: *.flingstone.com (HKLM) 

O15 - Trusted Zone: *.mt-download.com (HKLM) 

O15 - Trusted Zone: *.my-internet.info (HKLM) 

O15 - Trusted Zone: *.searchbarcash.com (HKLM) 

O15 - Trusted Zone: *.searchmiracle.com (HKLM) 

O15 - Trusted Zone: *.skoobidoo.com (HKLM) 

O15 - Trusted Zone: *.slotch.com (HKLM) 

O15 - Trusted Zone: *.slotchbar.com (HKLM) 

O15 - Trusted Zone: *.windupdates.com (HKLM) 

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM) 

O15 - Trusted Zone: *.ysbweb.com (HKLM) 

O15 - Trusted IP range: 67.19.178.84 

O15 - Trusted IP range: 67.19.178.84 (HKLM) 

O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.microsoft.com/activex/controls/office/outlctlx.CAB 

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSInstallers/MetaStream3.cab?url=http://martenek.com/ThumbnailFrame.html 

O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebcam/eng5/common/AXWebMonProj1.cab 

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe 

O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://207.229.32.203:20099/VatDec.cab 

O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab 

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab 

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.113.232.40/activex/AxisCamControl.cab 

O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://wrosystem.um.wroc.pl/kamera/wg_webeye.cab 

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://207.229.32.203:20099/h263ctrl.cab 

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab 

O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll 

O21 - SSODL: System - {D33A4D9D-78E9-4E96-B792-1FEEDF7B98F7} - vr_sys.dll (file missing) 

O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINDOWS\System32\ibmpmsvc.exe 

O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe 

O23 - Service: Logon CMD (logoncmd) - Unknown owner - C:\Program Files\ThinkPad\TouchBoard\LOGONCMD.exe [quote][/quote]

squeet · 6 Sierpień 2005 08:33

Dużo tego syfu masz… Przeskanuj system:

Skanery on-line

Oprócz tego:

Masz firewalla i antywirusa w komputerze jakiegoś?

Zainstaluj wwdc

TUTAJ

Zabezpiecz komputer XP AntiSpy

I jak już zeskanujesz i pousuwasz wszystko, daj nowy log!

kuz5 · 6 Sierpień 2005 14:32

No niestety ale wątpie by te skany sobie poradziły poprostu za poważny syf no ale…

W Dodaj/Usuń odinstaluj NewDotNet (oraz inny syf o podobnych czy też tych samych nazwach co syf podany niżej)

Usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4041 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4041 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStartEnter/Portal/portal.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com* F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts O1 - Hosts: 82.179.166.164 lender-search.com O1 - Hosts: 82.179.166.165 hot-searches.com O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll(file missing) O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll (file missing) O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll O4 - HKLM…\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s O4 - HKLM…\Run: [system] C:\WINDOWS\System32\kernels32.exe O4 - HKLM…\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O4 - HKLM…\Run: [qArb6jR] C:\WINDOWS\gkcur.exe O4 - HKLM…\Run: [internet Optimizer] “C:\Program Files\Internet Optimizer\optimize.exe” O4 - HKLM…\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM…\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe O4 - HKLM…\Run: [qkshoubn] C:\WINDOWS\System32\qkshoubn.exe O4 - HKLM…\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 “C:\Program Files\YourSiteBar\ysb.dll” O4 - HKCU…\Run: [sNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O15 - Trusted Zone: *.blazefind.com O15 - Trusted Zone: *.clickspring.net O15 - Trusted Zone: *.flingstone.com O15 - Trusted Zone: *.mt-download.com O15 - Trusted Zone: *.my-internet.info O15 - Trusted Zone: *.searchbarcash.com O15 - Trusted Zone: *.searchmiracle.com O15 - Trusted Zone: *.skoobidoo.com O15 - Trusted Zone: *.slotch.com O15 - Trusted Zone: *.slotchbar.com O15 - Trusted Zone: *.windupdates.com O15 - Trusted Zone: *.xxxtoolbar.com O15 - Trusted Zone: *.ysbweb.com O15 - Trusted Zone: *.blazefind.com (HKLM) O15 - Trusted Zone: *.clickspring.net (HKLM) O15 - Trusted Zone: *.flingstone.com (HKLM) O15 - Trusted Zone: *.mt-download.com (HKLM) O15 - Trusted Zone: *.my-internet.info (HKLM) O15 - Trusted Zone: *.searchbarcash.com (HKLM) O15 - Trusted Zone: *.searchmiracle.com (HKLM) O15 - Trusted Zone: *.skoobidoo.com (HKLM) O15 - Trusted Zone: *.slotch.com (HKLM) O15 - Trusted Zone: *.slotchbar.com (HKLM) O15 - Trusted Zone: *.windupdates.com (HKLM) O15 - Trusted Zone: *.xxxtoolbar.com (HKLM) O15 - Trusted Zone: *.ysbweb.com (HKLM) O15 - Trusted IP range: 67.19.178.84 O15 - Trusted IP range: 67.19.178.84 (HKLM) O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll O21 - SSODL: System - {D33A4D9D-78E9-4E96-B792-1FEEDF7B98F7} - vr_sys.dll (file missing)

Pliki i foldery na czerwono usun ręcznie z dysku

Jeżeli wpisy 015 będą stawiać opór to usuń je narzędziem KillTrusted 0.7

Wpisy 010 usuwasz programem LSPFix

Odpal LSP-Fix i napisz jakie pliki znajdują sie w oknie Keep a my ci napiszemy jak i jaki plik usunąć.

Ten wpis z kreseczką “_” usuniesz edytorem rejestru Registrar Lite

Uruchom edytor w pole Address wklej ścieżke

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy

Jeżeli bedziesz miał problem z usunieciem niektórych plików to użyj Pocket Killbox jeżeli nie wiesz jak sie ni obsługiwać to napisz

Jak już zrobisz to co napisałem to koniecznie dajesz nowego loga.