Ms-Search

I followed the thread above, but with no result.

It's about the start page.

CWShredder detects nothing.
Ad-aware 6.0: same, nothing.
Spybot - Search & Destroy also nothing, nor similar programs.


I'm adding a log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 17:17:59, on 2004-07-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program FIles\TraySaver\TraySaver.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\lsas32.exe
C:\Program Files\Tibia\Tibia.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Admin\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Norton Updater] lsas32.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {AFD8ED36-EA54-11D6-AC3F-00105ADCF632} (Ntw4 Control) - https://www.supermakler.pkobp.pl/res/ntw4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab



I also followed this: http://forums.techguy.org/t244814.html

01-Jul-2004, 07:41 AM, flrman1 (Moderator):

You still have HJT in a temp folder:

C:\Documents and Settings\User\Local Settings\Temp\HijackThis.exe

This is a bad idea because it cannot create and restore backups from there. You need to create a new folder in My Documents and name it Hijack This. Move the hijackthis.exe from the temp folder to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.

Next please do this:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now navigate to the C:\Windows\system32 folder and locate the tss.exe file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.



Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

Restart to safe mode.

How to start your computer in safe mode

In safe mode delete the C:\WINDOWS\System32\tss.exe file

I'll add that the registry entries come back 10 seconds after I delete them ;/.

Replies: 7

Thrown out, everything OK so far. Thanks!!

unknown, added 12.07.2004 01:38:03
Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iqvpl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iqvpl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iqvpl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
O2 - BHO: (no name) - {AC50F23D-F99D-EE5A-71F2-ABCB913DE13A} - C:\WINDOWS\sdkiv32.dll
O4 - HKLM\..\Run: [javapw.exe] C:\WINDOWS\system32\javapw.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe

C:\WINDOWS\ipfr.exe - end the process, search for it and delete it,
C:\WINDOWS\system32\javapw.exe - end the process, search for it and delete it,
wuamgrd.exe - end the process, search for it and delete it,
In addition, the whole procedure is described here.
iqvpl.dll - search for it and delete it,
sdkiv32.dll - search for it and delete it.

McScr@by, added 11.07.2004 01:40:56
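Both "Fix checked" lists in this thread (the techguy.org list quoted in the first post and McScr@by's list above) are instances of one pattern: R0/R1 start and search pages pointing at res:// inside a DLL, a nameless BHO or URLSearchHook dropped into the Windows directory, and an O4 autorun entry that reloads them, often as a bare file name under a vendor-sounding value name. The script below is an added example, not code from the thread or from HijackThis: it triages a HijackThis 1.97 log for exactly that pattern. The heuristics, severity labels and function names (triage, removal_plan, exe_of) are the editor's own, WINDIR_RE assumes the C:\WINDOWS layout seen in these logs, and SAMPLE_LOG is constructed from entries quoted in the thread rather than being anyone's complete log.

```python
"""Triage a HijackThis 1.97-style log for the start-page hijack pattern in this
thread.  Added example: heuristics are the editor's, not HijackThis's."""
import re

# Constructed sample: entry lines copied from the logs in this thread, in the
# HijackThis log format; it is not a complete log from any single machine.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iqvpl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AC50F23D-F99D-EE5A-71F2-ABCB913DE13A} - C:\WINDOWS\sdkiv32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [javapw.exe] C:\WINDOWS\system32\javapw.exe
O4 - HKLM\..\RunServices: [Norton Updater] lsas32.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Assumption: default C:\WINDOWS layout as in the thread's logs.  Matches a
# file sitting directly in %WINDIR% or %WINDIR%\System32.
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
# "<name> - {CLSID} - <path>" as used by R3 (URLSearchHook) and O2 (BHO) lines.
COM_RE = re.compile(r"^(?:URLSearchHook|BHO): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# "HKLM\..\Run: [value name] command"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Yield (code, body) per HijackThis entry line; header and process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def module_name(path):
    """Lower-cased file name of a Windows path or bare file name."""
    return path.rsplit("\\", 1)[-1].lower()


def exe_of(cmd):
    """Executable part of an O4 command, ignoring quotes and switches."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(text):
    """Return (severity, code, reason, module) findings for the hijack pattern."""
    findings = []
    for code, body in parse_log(text):
        if code in ("R0", "R1"):
            _key, _, value = body.partition(" = ")
            if value.lower().startswith("res://"):
                # res:// makes IE render HTML compiled into a local DLL; a bare
                # name (res://msaps.dll/...) is found via the DLL search path.
                target = value[len("res://"):].split("/", 1)[0]
                findings.append(("high", code, "ie_page_in_dll", module_name(target)))
        elif code in ("R3", "O2"):
            m = COM_RE.match(body)
            if not m:
                continue
            path = m.group("path")
            if path == "(no file)":
                # Registration outlived the DLL: fix it, but nothing loads.
                findings.append(("review", code, "dangling_com_registration", m.group("clsid")))
            elif WINDIR_RE.match(path):
                # Vendor BHOs live under Program Files (SDHelper.dll, NavShExt.dll
                # in the thread); a nameless one in %WINDIR% is the hijacker's.
                findings.append(("high", code, "com_dll_in_windir", module_name(path)))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Startup-folder .lnk entries and the like
            exe = exe_of(m.group("cmd"))
            if "\\" not in exe:
                # Bare file name resolved by path search at logon, under a value
                # name borrowed from a vendor ("Norton Updater", "Microsoft DirectX").
                findings.append(("high", code, "autorun_bare_filename", exe.lower()))
            elif WINDIR_RE.match(exe):
                # Loader dropped into %WINDIR%/System32 under a look-alike name;
                # real Windows components land here too, so a human checks it.
                findings.append(("review", code, "autorun_in_windir", module_name(exe)))
    return findings


def removal_plan(findings):
    """Sequence the cleanup as the thread's helpers do: end loader processes first
    (while one runs, the R0/R1 values are rewritten within seconds), then
    'Fix checked' in HijackThis, then delete the files from safe mode."""
    processes = sorted({f[3] for f in findings if f[1] == "O4"})
    dlls = sorted({f[3] for f in findings if f[1] != "O4" and f[3].endswith(".dll")})
    return {"end_processes": processes, "delete_in_safe_mode": processes + dlls}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for sev, code, reason, module in found:
        print(f"{sev:7}{code}  {reason:27}{module}")
    print(removal_plan(found))
```

The "high" findings are the lines to tick in HijackThis; the "review" ones need a check against a known-good file list before deletion, because legitimate components (NeroCheck.exe, dumprep) also start from System32. The order returned by removal_plan is the point of the thread: a loader that is still running rewrites the start-page values within seconds, so end the processes before fixing the entries, and remove the files from safe mode.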
EL NINO:
Before searching for that library, did you tell the system to show hidden files and folders? And it's no wonder it loads. Something launches it. Either some executable or a registry entry.

Yes, hidden and system files are visible, and the search options are set that way too. The registry entry that launches this library is "systematically" deleted by HijackThis, but it comes back... The same goes for the IPFR.exe process; I haven't found it on any lists, and it worries me (although according to the registry it's a "Network Security Service").

EL NINO:
Then show the log. Someone will always help.



Logfile of HijackThis v1.97.7
Scan saved at 22:49:01, on 2004-07-10
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ipfr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\javapw.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Documents and Settings\Michał Kosowski\Pulpit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iqvpl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iqvpl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iqvpl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\iqvpl.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.tpnet.pl:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC50F23D-F99D-EE5A-71F2-ABCB913DE13A} - C:\WINDOWS\sdkiv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBLive2k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [javapw.exe] C:\WINDOWS\system32\javapw.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - Startup: Skrót do Neo.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A38C375B-0DAB-40E4-AFAC-EFE9F3765D04}: NameServer = 194.204.152.34 217.98.63.164

unknown, added 11.07.2004 00:55:14
unknown:
Additionally, the library skdiv32.dll keeps loading; interestingly, it can't be found anywhere.
Before searching for that library, did you tell the system to show hidden files and folders? And it's no wonder it loads. Something launches it. Either some executable or a registry entry.
unknown:
Same here.
Then show the log. Someone will always help.

EL NINO, added 11.07.2004 00:35:36
Same here (though without lsas32.exe and wins32t.dll)... and it keeps coming back, despite turning off System Restore while removing it in HijackThis.

Additionally, the library skdiv32.dll keeps loading; interestingly, it can't be found anywhere. After the start page is changed, GG dies and error 7 pops up. As if that weren't enough, libraries "legitimately" installed into /system32 are deleted almost immediately...

The system was scanned with Norton AntiVirus with up-to-date definitions and, as with the previous poster, with Ad-aware, Spybot (even the latter's protection against changing the home page does nothing...) and so on...

unknown, added 11.07.2004 00:01:21
Thanks. Earlier I couldn't find lsas32.exe because I confused an I with an l.

^ LiSeK ^, added 10.07.2004 23:58:38
C:\WINDOWS\System32\lsas32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
O4 - HKLM\..\RunServices: [Norton Updater] lsas32.exe

Of course, I needn't even mention deleting lsas32.exe and wins32t.dll from the disk.

EL NINO, added 10.07.2004 01:27:48
^ LiSeK ^, added 09.07.2004 20:18:43