Hijack log, findit, and what to do about this spyware?
Hello, please don't delete my thread, because I really do have a problem; everything written in the FAQ and in the spyware guide has failed, heeelp!
Here is the HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 15:07:04, on 2005-01-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\WINDOWS\system32\apprs.exe
C:\WINDOWS\sdkfj32.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Programy\progs\findit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://onet.pl/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {624D0ED6-FBD6-D488-B435-B1E924C175C0} - C:\WINDOWS\system32\appon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sdkfj32.exe] C:\WINDOWS\sdkfj32.exe
O4 - HKLM\..\RunOnce: [mfchf32.exe] C:\WINDOWS\mfchf32.exe
O4 - HKLM\..\RunOnce: [winsh32.exe] C:\WINDOWS\winsh32.exe
O4 - HKLM\..\RunOnce: [winfo32.exe] C:\WINDOWS\winfo32.exe
O4 - HKLM\..\RunOnce: [crxb32.exe] C:\WINDOWS\crxb32.exe
O4 - HKLM\..\RunOnce: [apiau.exe] C:\WINDOWS\apiau.exe
O4 - HKLM\..\RunOnce: [sysct32.exe] C:\WINDOWS\system32\sysct32.exe
O4 - HKLM\..\RunOnce: [apprs.exe] C:\WINDOWS\system32\apprs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08063fab7e1cb1bc3306/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} (CounterX Class) - http://t058.com/cabtest/counter.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{830A41BA-DDBD-404B-9159-97B58BE42061}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\apicl32.exe (file missing)
And here is the findit output:
Katalog: C:\WINDOWS\System32
2001-10-26 16:45 2596 CONFIG.TMP
1 plik(ów) 2596 bajtów
0 katalog(ów) 2829533184 bajtów wolnych
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
---------------- Xfind Locked Files -----------------
-------------- XFind Qoologic Results --------------
Invalid search path
-------------- XFind Aspack Results ---------------
Invalid search path
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
apiaj32.exe Fri 2004-12-31 6:26:24 A.SH. 9 728 9,50 K
apilg.exe Thu 2004-12-23 20:57:24 A.SH. 9 728 9,50 K
appon.dll Fri 2005-01-14 16:39:26 A.SH. 95 744 93,50 K
cdplay~1.man Fri 2004-11-12 13:21:04 A..HR 749 0,73 K
d3dp.exe Wed 2004-12-22 7:38:02 A.SH. 10 546 10,30 K
iexs.exe Fri 2004-12-31 3:04:34 A.SH. 9 728 9,50 K
javazv.dll Sat 2005-01-15 12:25:08 A.SH. 0 0,00 K
logonu~1.man Fri 2004-11-12 13:21:10 A..HR 488 0,48 K
ncpacp~1.man Fri 2004-11-12 13:21:04 A..HR 749 0,73 K
ntwi.exe Mon 2005-01-10 6:30:42 A.SH. 9 728 9,50 K
nwccpl~1.man Fri 2004-11-12 13:21:04 A..HR 749 0,73 K
sapicp~1.man Fri 2004-11-12 13:21:04 A..HR 749 0,73 K
sdkno.exe Sat 2005-01-01 20:08:56 A.SH. 9 728 9,50 K
window~1.man Fri 2004-11-12 13:21:10 A..HR 488 0,48 K
wuaucp~1.man Fri 2004-11-12 13:21:04 A..HR 749 0,73 K
yccle.dll Tue 2005-01-04 1:13:46 A.SH. 70 144 68,50 K
16 items found: 16 files, 0 directories.
Total of file sizes: 229 795 bytes 224,41 K
I would be grateful for any help.
Replies: 1
Get rid of these entries:
A more detailed procedure is described in the post titled "wirusy" (viruses).
C:\WINDOWS\system32\apprs.exe
C:\WINDOWS\sdkfj32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://onet.pl/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {624D0ED6-FBD6-D488-B435-B1E924C175C0} - C:\WINDOWS\system32\appon.dll
O4 - HKLM\..\Run: [sdkfj32.exe] C:\WINDOWS\sdkfj32.exe
O4 - HKLM\..\RunOnce: [mfchf32.exe] C:\WINDOWS\mfchf32.exe
O4 - HKLM\..\RunOnce: [winsh32.exe] C:\WINDOWS\winsh32.exe
O4 - HKLM\..\RunOnce: [winfo32.exe] C:\WINDOWS\winfo32.exe
O4 - HKLM\..\RunOnce: [crxb32.exe] C:\WINDOWS\crxb32.exe
O4 - HKLM\..\RunOnce: [apiau.exe] C:\WINDOWS\apiau.exe
O4 - HKLM\..\RunOnce: [sysct32.exe] C:\WINDOWS\system32\sysct32.exe
O4 - HKLM\..\RunOnce: [apprs.exe] C:\WINDOWS\system32\apprs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its;mhtml;file;//C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\apicl32.exe (file missing)
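As an added example (not code from the thread or from the HijackThis project), a small Python triage script that parses lines in HijackThis 1.99 format and flags the same kinds of entries the reply tells the poster to remove: the res:// search-page hijack, the nameless BHO, RunOnce loaders dropped straight into C:\WINDOWS, the added Trusted Zone, the ms-its: ActiveX download, and the service whose binary is missing. The sample log is constructed here from entries copied out of the post (backslashes restored), with a few of the legitimate lines kept in to show that they pass; the rules are this example's own approximation of the reply's judgement, not a HijackThis feature.

```python
import re

# Constructed sample in HijackThis v1.99 format; entries copied from the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\afvhr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://onet.pl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {624D0ED6-FBD6-D488-B435-B1E924C175C0} - C:\WINDOWS\system32\appon.dll
O4 - HKLM\..\RunOnce: [crxb32.exe] C:\WINDOWS\crxb32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\apicl32.exe (file missing)
"""

# HijackThis prints "<section> - <body>"; forum copies often turn the hyphen into an en dash.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d) [-\u2013] (.*)$")

# Each rule: (sections it applies to, predicate on the body, reason to report).
# These approximate the reply's judgement about the log; they are not exhaustive.
RULES = [
    ({"R0", "R1"}, lambda b: "res://" in b.lower(),
     "IE search/start page redirected to a local res:// page"),
    ({"O2"}, lambda b: b.startswith("BHO: (no name)"),
     "browser helper object registered without a name"),
    ({"O4"}, lambda b: re.search(r"Run(?:Once)?: \[[^\]]+\] C:\\WINDOWS\\[^\\]+$", b, re.I) is not None,
     "Run/RunOnce loader sitting directly in C:\\WINDOWS"),
    ({"O15"}, lambda b: True,
     "added Trusted Zone / Trusted IP entry"),
    ({"O16"}, lambda b: b.split(" - ")[-1].lower().startswith("ms-its:"),
     "ActiveX download via the ms-its: CHM protocol"),
    ({"O23"}, lambda b: b.endswith("(file missing)"),
     "service whose binary is missing"),
]

def parse_line(line):
    """Split one HijackThis line into (section, body); None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Return [(section, reason, body)] for every line that a rule flags."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue                      # process list, headers, blank lines
        section, body = parsed
        for sections, pred, reason in RULES:
            if section in sections and pred(body):
                flagged.append((section, reason, body))
                break                     # one reason per line is enough
    return flagged

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against a full log, the script prints only the lines worth a closer look; the legitimate Acrobat BHO, the onet.pl start page and the MKS scanner control in the sample are left alone.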