Spider_MK
(Spider Mk)
19 Grudzień 2007 15:38
#1
Nawchodziło mi syfu do kompa. jak mogę sie tego pozbyć ?
log z hijackthis
Logfile of HijackThis v1.99.1 Scan saved at 16:10, on 2007-12-19 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ArcaVir\Bin\NetMonSv.exe C:\Program Files\ArcaVir\Bin\avmonsv.exe C:\Program Files\ArcaVir\Bin\ABmenu.exe C:\Program Files\ArcaVir\Bin\ABregmon.exe C:\Program Files\Microsoft Security Adviser\msctrl.exe C:\Program Files\Microsoft Security Adviser\msavsc.exe C:\Program Files\Microsoft Security Adviser\msscan.exe C:\Program Files\Microsoft Security Adviser\msiemon.exe C:\Program Files\ArcaVir\Bin\arcascan.exe C:\Program Files\Microsoft Security Adviser\msfw.exe C:\Program Files\Microsoft Security Adviser\mssadv.exe D:\wwszystko co bylo na pulpicie\programy\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Programy\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [ABmenu] C:\Program Files\ArcaVir\Bin\ABmenu.exe O4 - HKLM…\Run: [ABREGMON] C:\Program Files\ArcaVir\Bin\ABregmon.exe O4 - HKLM…\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe O4 - HKLM…\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe O4 - HKLM…\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe O4 - HKLM…\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe O4 - HKLM…\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe O4 - HKLM…\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe O4 - HKCU…\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe O4 - HKCU…\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe O4 - HKCU…\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe O4 - HKCU…\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe O4 - HKCU…\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: Download with GetRight - E:\Programy\GetRight\GRdownload.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Programy\GetRight\GRbrowse.htm O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294f4c8dd02 … xIE601.cab O16 - DPF: {77829F14-D911-40FF-A2F0-D11DB8D6D0BC} - http://activex.microsoft.com/objects/ocget.dll O17 - HKLM\System\CCS\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O17 - HKLM\System\CS1\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O17 - HKLM\System\CS2\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\ArcaVir\Bin\NetMonSv.exe O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - C:\Program Files\ArcaVir\Bin\avmonsv.exe O23 - Service: ArcaScan - ArcaBit - C:\Program Files\ArcaVir\Bin\arcascan.exe O23 - Service: arcaserv - ArcaBit Sp. z o. o. - C:\Program Files\ArcaVir\bin\arcaserv.exe O23 - Service: Us3uga inteligentnego transferu w tle BITSSCardSvr (BITSSCardSvr) - Unknown owner - C:\WINDOWS\System32\adsndsz.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
oraz z silent runners
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “msctrl.exe” = “C:\Program Files\Microsoft Security Adviser\msctrl.exe” [null data] “msavsc.exe” = “C:\Program Files\Microsoft Security Adviser\msavsc.exe” [null data] “msscan.exe” = “C:\Program Files\Microsoft Security Adviser\msscan.exe” [null data] “msiemon.exe” = “C:\Program Files\Microsoft Security Adviser\msiemon.exe” [null data] “msfw.exe” = “C:\Program Files\Microsoft Security Adviser\msfw.exe” [null data] “mssadv.exe” = “(empty string)” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [file not found] “ABmenu” = “C:\Program Files\ArcaVir\Bin\ABmenu.exe” [“ArcaBit”] “ABREGMON” = “C:\Program Files\ArcaVir\Bin\ABregmon.exe” [“ArcaBit”] “mssadv.exe” = “*d” (unwritable string) [file not found] “msctrl.exe” = “C:\Program Files\Microsoft Security Adviser\msctrl.exe” [null data] “msavsc.exe” = “C:\Program Files\Microsoft Security Adviser\msavsc.exe” [null data] “msscan.exe” = “C:\Program Files\Microsoft Security Adviser\msscan.exe” [null data] “msiemon.exe” = “C:\Program Files\Microsoft Security Adviser\msiemon.exe” [null data] “msfw.exe” = “C:\Program Files\Microsoft Security Adviser\msfw.exe” [null data] “Microsoft security adviser” = “C:\Program Files\Microsoft Security Adviser\mssadv.exe” [“home”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {31FF080D-12A3-439A-A2EF-4BA95A3148E8}(Default) = (no title provided) -> {HKLM…CLSID} = “bho2gr Class” \InProcServer32(Default) = “E:\Programy\GetRight\xx2gr.dll” [“Headlight Software, Inc.”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{9C0ADB68-353A-61DD-ED09-1D8003A61111}” = “*” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\kb1111p.dll” [null data] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ “load” = (value not set) “run” = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “System” = “cslri.exe” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ArcaVir(Default) = “{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaVir\Bin\ArcaShl.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ArcaVir(Default) = “{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaVir\Bin\ArcaShl.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Spider_MK\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Spider_MK\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Leon1
(Leon$)
19 Grudzień 2007 18:09
#2
Pobierz Combofix http://www.searchengines.pl/index.php?showtopic=86306&st=0&p=395642entry395642
Otwórz notatnik i wklej
Folder::
C:\Program Files\Microsoft Security Adviser
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msctrl.exe"=-
"msavsc.exe"=-
"msscan.exe"=-
"msiemon.exe"=-
"msfw.exe"=-
"mssadv.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mssadv.exe"=-
"msctrl.exe"=-
"msavsc.exe"=-
"msscan.exe"=-
"msiemon.exe"=-
"msfw.exe"=-
"Microsoft security adviser"=-
zapisz jako CFScript (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe
http://img.wklej.org/images/88953CFScri … iemoes.gif
na pytanie “1 or 2” - to wpisz 1 i naciśnij ENTER
Powinno rozpocząć się usuwanie
Daj log na forum
Potem usuń ręcznie folder C: \Qoobox
Daj również nowy log HijackThis
Maciej13
(Maciej13 13)
19 Grudzień 2007 18:53
#3
Leon$ , to nie wszystko. Mamy również fałszywe adresy DNS (Ukraina):
O17 - HKLM\System\CCS\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O17 - HKLM\System\CS1\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O17 - HKLM\System\CS2\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
Do użycia FixWareOut w Trybie Awaryjnym . Po pracy log do pokazania (lokalizacja: C:\fixwareout\ report.txt ). Wymienione wyżej wpisy fixujesz w Hjt .
Gutek
(Gutek)
19 Grudzień 2007 20:53
#5
porzede wszystkim gubisz wpisy:
Wklej do Notatnika:
>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )
– podobnie jak na tym obrazku –>
(jeśli pojawi się pytanie " 1 or 2 " - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)
Po restarcie usuń ręcznie folder C: * * Qoobox**.
Pobierz program SDFix