Trojan that cannot be removed
Please help me remove this nasty trojan; I have been at it for 5 hours with no result. I used HijackThis, SpySubtract, Shredder and a few other programs. I deleted files and directories in Windows safe mode. I cleaned the registry (probably even too much). Every so often 3 web pages open on me. I found their numbers in HijackThis, but when I delete them they come back after 5 seconds. Autostart is clean. This is the HijackThis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Programy\Inne\Panda\APVXDWIN.EXE
D:\Programy\Inne\Desktop Architect\datray.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
D:\Programy\Usprawniające\MemTurbo\memturbo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Programy\Inne\Panda\pavsrv51.exe
D:\Programy\Inne\Panda\AVENGINE.EXE
D:\Programy\Inne\Panda\WebProxy.exe
D:\Programy\Inne\Avant Browser\iexplore.exe
C:\Documents and Settings\Muad'Dib\Pulpit\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wp.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fantex.pl:8080
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Programy\Inne\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Komunikator] D:\Programy\Czatowe\Tlen\tlen.exe
O4 - HKCU\..\Run: [Desktop Architect] "D:\Programy\Inne\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [IncrediMail] D:\Programy\Pocztowe\INCRED~1\bin\IncMail.exe /c
O4 - Startup: MemTurbo.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programy\Biurowe\Word\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Programy\Pocztowe\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - D:\Programy\Inne\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj do listy blokowanych reklam - D:\Programy\Inne\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Programy\Biurowe\Word\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - D:\Programy\Inne\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Podświetl - D:\Programy\Inne\Avant Browser\Highlight.htm
O8 - Extra context menu item: Szukaj - D:\Programy\Inne\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O10 - Hijacked Internet access by New.Net
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/bridge-c2.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
What is in bold are the addresses of those pages. Please help as soon as possible, because I can't do anything; these pages kick me out of programs and games.
Replies: 6
muadib83, take a look at the second and third posts -> http://www.iamnotageek.com/t-78554.html
Why on earth remove the proxy??
Of the controls, keep only:
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
A link to the New.Net uninstaller is in the archived posts.
Try scanning here:
http://pl.trendmicro-europe.com/consumer/products/housecall_launch.php
and get rid of this junk once more:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wp.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fantex.pl:8080
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - Startup: MemTurbo.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O10 - Hijacked Internet access by New.Net
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/bridge-c2.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
Thanks for the help, but it didn't work. I deleted the New.Net directory; there is no sign of the trojan anywhere except in HijackThis. Those three entries are still there and the pages keep opening, kicking me out of games. Here is the HijackThis log; the registry, directories and startup are OK, so what else do I have to do? When I delete those 3 highlighted entries they come right back. I cleared Prefetch and turned off System Restore; what else?
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Programy\Inne\Panda\pavsrv51.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Programy\Inne\Panda\APVXDWIN.EXE
D:\Programy\Inne\Desktop Architect\datray.exe
D:\Programy\Inne\Panda\AVENGINE.EXE
D:\Programy\Usprawniające\MemTurbo\memturbo.exe
D:\Programy\Inne\Panda\WebProxy.exe
D:\Programy\Inne\Avant Browser\iexplore.exe
D:\Programy\Kazaa Lite Resurrection\kazaalite.kpp
C:\Documents and Settings\Muad'Dib\Pulpit\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.fantex.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Programy\Inne\Panda\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Komunikator] D:\Programy\Czatowe\Tlen\tlen.exe
O4 - HKCU\..\Run: [Desktop Architect] "D:\Programy\Inne\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [IncrediMail] D:\Programy\Pocztowe\INCRED~1\bin\IncMail.exe /c
O4 - Startup: MemTurbo.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programy\Biurowe\Word\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Programy\Pocztowe\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - D:\Programy\Inne\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj do listy blokowanych reklam - D:\Programy\Inne\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Programy\Biurowe\Word\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - D:\Programy\Inne\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Podświetl - D:\Programy\Inne\Avant Browser\Highlight.htm
O8 - Extra context menu item: Szukaj - D:\Programy\Inne\Avant Browser\Search.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/bridge-c2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
muadib83:
Close all Internet Explorer windows and remove these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wp.pl/
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O10 - Hijacked Internet access by New.Net
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/bridge-c2.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
Then uninstall New.Net in Add/Remove Programs.
Turn off System Restore and remove:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wp.pl/
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
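One way to see which of the entries listed for removal in this thread actually survive a cleanup is to compare a HijackThis log taken before with one taken after. This is an added example, not code from the thread or from HijackThis; the rules in `flag`, the `WATCHLIST` and all function names are assumptions, and the sample lines are adapted from the two logs posted above with path separators restored.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the answers in this thread listed for removal, not a vetted blocklist.
WATCHLIST = {"searchmiracle.com", "static.windupdates.com"}
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2})\s*-\s*(?P<body>.+)$")

# Sample lines adapted from the two logs in this thread, path separators restored.
BEFORE = r"""
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O10 - Hijacked Internet access by New.Net
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/bridge-c2.cab
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/bridge-c2.cab
"""

def parse(log_text):
    """Return (section_code, body) for every HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        # Scraped copies of logs often carry en dashes where the tool wrote "-".
        m = ENTRY_RE.match(raw.strip().replace("\u2013", "-"))
        if m:
            entries.append((m["code"], m["body"].strip()))
    return entries

def flag(code, body):
    """Return the reason an entry deserves a closer look, or None."""
    if "(no file)" in body:
        return "registered component has no file on disk"
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2].strip()
        if value.lower().startswith("res://"):
            return "IE page setting loads content from a local DLL resource"
        if urlsplit(value).hostname in WATCHLIST:
            return "IE page setting points at a watchlisted host"
    elif code == "O1":
        m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", body)
        if m and not m[1].startswith("127.") and m[1] != "::1":
            return f"hosts file sends {m[2]} to {m[1]}"
    elif code == "O10":
        return "HijackThis reports hijacked Internet access"
    elif code == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if urlsplit(url).hostname in WATCHLIST:
            return "ActiveX download source is watchlisted"
    return None

def flagged(log_text):
    """Map each flagged (code, body) entry to its reason."""
    return {(c, b): r for c, b in parse(log_text) if (r := flag(c, b))}

def compare(before, after):
    """Sort flagged entries into removed, persisting and newly appeared."""
    old, new = flagged(before), flagged(after)
    return {"removed": sorted(old.keys() - new.keys()),
            "persisting": sorted(old.keys() & new.keys()),
            "new": sorted(new.keys() - old.keys())}

if __name__ == "__main__":
    for status, entries in compare(BEFORE, AFTER).items():
        print(status, *(f"\n  {c} - {b}" for c, b in entries))
```

Entries that land in "persisting" or "new" after a fix pass mean something still running is rewriting them, which matches the asker's report that the deleted entries return within seconds.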