IE start-page trojan, please help
I have a problem with the start page in IE. I keep setting the page to blank (about:blank), and after every subsequent launch of the browser my start page is something like "http://www.clicksearchclick.com/index.php?aff=9". I have already run disk scans with programs such as Norton Internet Security 2005, Spy Sweeper and Spyware Doctor, and all of them report "Trojan.StartPage.M" and many others, but none of them can remove it (I'm attaching a screenshot from the Norton AntiVirus log). I have a program called "Hijack This" but I don't really know how to use it. I only know how to run a scan, and here is my log:
Logfile of HijackThis v1.99.0
Scan saved at 18:38:56, on 2005-05-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\Services\{F5951712-B815-414B-A3FE-913D876824BD}\SVCHOST.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Konnekt\konnekt.exe
D:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{F5951712-B815-414B-A3FE-913D876824BD}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{F5951712-B815-414B-A3FE-913D876824BD}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {10003000-1000-0000-1000-000000000000} - xxxxxxxxxxxxxxxxhttp://dl.ad-ware.cc/7KNyuNbkVEztCHtrMHFN.chm::/on-line.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://www.poczta.wp.pl/3/mailcfg.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114940954968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C408D1-8039-485D-B8D3-96CA5C082E77}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
If anyone can tell me how to get rid of this "junk", or how to use "Hijack This", I'd be very grateful.
Regards
Paweł
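Reading a HijackThis log by hand comes down to checking each R/O section against a few rules of thumb: a Start Page that is not about:blank, a URLSearchHook that resolves to no file, O4 autostarts that borrow a system binary's name or sit in a GUID-named folder, and O16 "ActiveX downloads" that are really executables. The script below is an added example, not part of the thread and not HijackThis's own logic; it runs those checks over a constructed excerpt modelled on the log above. The benign-page list, the trusted download hosts, the system-binary table and the 0.8 name-similarity threshold are assumptions to tune per machine.

```python
"""Triage a HijackThis v1.99 log: flag the entries a responder looks at first."""
from __future__ import annotations

import re
from collections import namedtuple
from difflib import SequenceMatcher

# Assumption: start/search pages that need no second look.
BENIGN_PAGES = ("about:blank", "http://www.microsoft.com/", "http://www.msn.com/")
# Assumption: hosts an O16 ActiveX download may come from without review.
TRUSTED_DPF_HOSTS = ("windowsupdate.microsoft.com", "update.microsoft.com")
# Well-known system binaries and the one directory the genuine copy lives in.
SYSTEM_NAME_HOME = {
    "svchost.exe": "c:\\windows\\system32\\",
    "spoolsv.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}
LOOKALIKE = 0.8  # assumption: similarity ratio above which a name "looks like" a system binary
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
EXE_PATH = re.compile(r'^"?([^"]*?\.(?:exe|dll|scr|com))', re.I)

# Constructed excerpt modelled on the log in the post above (dashes normalised
# to ASCII; the ad-ware.cc URL left masked with x's as it was in the post).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R3 - URLSearchHook: (no name) - _{08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{F5951712-B815-414B-A3FE-913D876824BD}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{F5951712-B815-414B-A3FE-913D876824BD}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - xxxxhttp://dl.ad-ware.cc/7KNyuNbkVEztCHtrMHFN.chm::/on-line.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114940954968
"""

Finding = namedtuple("Finding", "section severity reason line")  # severity: "suspicious" or "review"

def check_page(rest: str) -> list[tuple[str, str]]:
    """R0/R1: a Start or Search page pointing anywhere off the benign list."""
    setting, sep, value = rest.partition(" = ")
    name = setting.rsplit(",", 1)[-1]
    if not sep or name not in ("Start Page", "Search Page", "Default_Page_URL") or value.lower().startswith(BENIGN_PAGES):
        return []
    return [("suspicious", f"{name} overridden to {value}")]

def check_hook(rest: str) -> list[tuple[str, str]]:
    """R3: a URLSearchHook CLSID with no DLL behind it is orphaned or hidden."""
    return [("suspicious", "URLSearchHook registered with no backing file")] if "(no file)" in rest else []

def check_autostart(rest: str) -> list[tuple[str, str]]:
    """O4: name spoofing, GUID-named folders, RunOnce entries that keep coming back."""
    key, _, value = rest.partition(": ")
    out: list[tuple[str, str]] = []
    if "runonce" in key.lower():
        out.append(("review", "RunOnce entry; should vanish after one boot, recheck after a restart"))
    m = EXE_PATH.match(value.split("] ", 1)[-1])
    if not m or "\\" not in m.group(1):
        return out  # bare name resolved via PATH; nothing to check offline
    path = m.group(1).lower()
    directory, name = path.rsplit("\\", 1)
    directory += "\\"
    for sysname, home in SYSTEM_NAME_HOME.items():
        if name == sysname:
            if directory != home:
                out.append(("suspicious", f"{name} running from {directory} instead of {home}"))
        elif SequenceMatcher(None, name, sysname).ratio() >= LOOKALIKE:
            out.append(("review", f"{name} looks like {sysname}"))
    if GUID_DIR.search(path):
        out.append(("suspicious", "binary lives in a GUID-named folder"))
    return out

def check_dpf(rest: str) -> list[tuple[str, str]]:
    """O16: ActiveX 'downloads' that are really executables or local files."""
    url = rest.rsplit(" - ", 1)[-1].strip().lower()
    if url.startswith("file://"):
        return [("suspicious", "ActiveX entry sourced from the local disk")]
    if ".chm::/" in url or url.endswith(".exe"):
        return [("suspicious", "ActiveX entry delivers an executable, not a control")]
    host = re.match(r"https?://([^/]+)", url)
    if host and not host.group(1).endswith(TRUSTED_DPF_HOSTS):
        return [("review", f"ActiveX control downloaded from {host.group(1)}")]
    return []

CHECKS = {"R0": check_page, "R1": check_page, "R3": check_hook, "O4": check_autostart, "O16": check_dpf}

def triage(log_text: str) -> list[Finding]:
    """Run the per-section checks over a whole log; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"([RFO]\d+) - (.*)$", line.strip())
        if not m:
            continue  # header lines and the process list carry no section tag
        section, rest = m.groups()
        for severity, reason in CHECKS.get(section, lambda _r: [])(rest):
            findings.append(Finding(section, severity, reason, line.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

On the sample the script leaves ccApp and the Windows Update control alone and flags the rest: the start page, the file-less search hook, SVCHOST.EXE running from a GUID folder instead of System32, the second binary in that folder, the RunOnce entry whose name resembles spoolsv.exe, and both O16 entries. "review" findings need a human look; "suspicious" ones are what you would hand to HijackThis's Fix.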
Replies: 13
Nothing, because nothing needs to be done. Understand at last that the program was created to react to danger. And it sees danger in the image of those posts of yours, with that string of characters, being loaded onto the disk in the temp folder.
Pablo_18Kce: Bobi, you're right, probably nothing more can be done about it
If that string isn't there, it won't react.
To convince you, I'll remove that "threat" from this whole topic and Norton won't say a word.
Update:
- now it shouldn't report anything any more.
Bobi, you're right, probably nothing more can be done about it, and since it isn't harmful I won't fuss over it. Thanks a lot to everyone for the help with these problems; I surely wouldn't have managed on my own. If I knew you I'd surely buy you a beer ;) for the help :) Thanks again and cheers :)
Pablo_18Kce: Threat Bloodhound.Exploit.6
"Source: C:\Documents and Settings\xxx\Ustawienia lokalne\Temporary Internet Files\Content.IE5\WRYH07WL\posting[1].htm"
And an alert like that will appear every time you open this topic.
Ignore it, don't worry about it any more, it's nothing.
Norton, like other antivirus programs, is sensitive to that string of characters and detects it as an exploit.
Add this fix as well, though IMO it's redundant by now.
When saving in Notepad, select file type: all files, and enter the name together with the extension *.reg.
You no longer have the junk.
and save it as search.log
Save it as xxx.reg, then be sure to run it and merge it.
Damn, I deleted everything from that D:\hijackthis folder. In the post you linked me to there was also something about pasting that content into Notepad and saving it as search.log
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
"provider"=""
" "="+"
"&"="%26"
"+"="%2B"
"#"="%23"
"?"="%3F"
"="="%3D"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
And I did that too, restarted the computer, and when I came in here to write this post it showed up again :(
Threat Bloodhound.Exploit.6
"Source: C:\Documents and Settings\xxx\Ustawienia lokalne\Temporary Internet Files\Content.IE5\WRYH07WL\posting[1].htm"
This is my current log:
Logfile of HijackThis v1.99.0
Scan saved at 13:22:15, on 2005-05-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://www.poczta.wp.pl/3/mailcfg.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114940954968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C408D1-8039-485D-B8D3-96CA5C082E77}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symant Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
EL NINO, I guess your patience may be slowly running out and I'm wearing you out terribly, but please suggest something else to get rid of this junk.
Regards
Paweł
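A .reg file from a forum post writes to the registry with the rights of whoever merges it, and the fix in the post above touches HKEY_LOCAL_MACHINE keys as well as the user's own, so it is worth listing exactly what it will do before double-clicking it. The script below is an added example, not part of the thread: a small REGEDIT4 parser that reports deleted keys ([-KEY] lines), machine-wide keys, every value written, and any URL that points outside an allowlist. The allowlist is an assumption; the sample is the thread's fix trimmed to a subset (dashes normalised to ASCII), plus a constructed tampered copy with one URL swapped for the hijacker's start page, to show what the check catches.

```python
"""List what a REGEDIT4 fix will do before merging it."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
URL = re.compile(r'https?://([^/\s"]+)', re.I)

# Assumption: the only hosts an IE search-reset fix should point at.
ALLOWED_HOSTS = ("microsoft.com", "msn.com")

# The thread's fix, trimmed to a representative subset.
REG_TEXT = r"""
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Use Custom Search URL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
"&"="%26"
"="="%3D"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"www"="http://"
"""

# Constructed variant: the same file with one URL swapped for the thread's hijacker page.
TAMPERED_TEXT = REG_TEXT.replace(
    "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
    "http://www.clicksearchclick.com/index.php?aff=9", 1)

@dataclass
class RegAudit:
    deleted_keys: list[str] = field(default_factory=list)
    machine_wide_keys: list[str] = field(default_factory=list)
    writes: list[tuple[str, str, str]] = field(default_factory=list)        # (key, value name, raw data)
    foreign_urls: list[tuple[str, str, str]] = field(default_factory=list)  # (key, value name, host)

def _unescape(s: str) -> str:
    """Undo the two escapes a .reg string may contain."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _allowed(host: str, allowed: tuple[str, ...]) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowed)

def audit(reg_text: str, allowed_hosts: tuple[str, ...] = ALLOWED_HOSTS) -> RegAudit:
    """Parse a REGEDIT4 file and report deletions, machine-wide keys and off-list URLs."""
    lines = [l.strip() for l in reg_text.strip().splitlines()]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    result = RegAudit()
    key: str | None = None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        km = KEY_LINE.match(line)
        if km:
            minus, name = km.groups()
            if minus:  # [-KEY] deletes the whole subtree
                result.deleted_keys.append(name)
                key = None
                continue
            key = name
            if key.upper().startswith("HKEY_LOCAL_MACHINE"):
                result.machine_wide_keys.append(key)
            continue
        vm = VALUE_LINE.match(line)
        if not vm or key is None:
            raise ValueError(f"unparsed line: {line!r}")
        vname = "@" if vm.group(2) else _unescape(vm.group(1))
        data = vm.group(3)
        result.writes.append((key, vname, data))
        if data.startswith('"') and data.endswith('"'):  # REG_SZ; other types carry no URL
            for host in URL.findall(_unescape(data[1:-1])):
                if not _allowed(host.lower(), allowed_hosts):
                    result.foreign_urls.append((key, vname, host))
    return result

if __name__ == "__main__":
    a = audit(REG_TEXT)
    print("deletes:", a.deleted_keys)
    print("machine-wide keys:", a.machine_wide_keys)
    print("off-list URLs:", a.foreign_urls or "none")
```

For the thread's fix the off-list URL report is empty and the only deletion is the CurrentVersion\URL subtree, which the file re-creates with the standard prefixes; the tampered copy is caught on its first HKCU Search Page value. The parser raises on any line it cannot classify rather than guessing, which is the behaviour you want for a file you are about to merge.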
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00–17A6–11D0–99CB–00C04FD64497}"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
"provider"=""
" "="+"
"&"="%26"
"+"="%2B"
"#"="%23"
"?"="%3F"
"="="%3D"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[–HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
I tak, teź zrobiłem, uruchomiłem ponownie kompa i dy wszedłem ty napisac ten posta to znowu mi sie to pojawilo:(
Zagróźenie Bloodhound.Exploit.6
"Źródło: C:\Documents and Settings\xxx\Ustawienia lokalne\Temporary Internet Files\Content.IE5\WRYH07WL\posting[1].htm
To moj aktualny log:
Logfile of HijackThis v1.99.0
Scan saved at 13:22:15, on 2005–05–31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\hijackthis\HijackThis.exe
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: Norton Internet Security – {9ECB9560–04F9–4bbc–943D–298DDF1699E1} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton Internet Security – {0B53EAC3–8D69–4b9e–9B19–A37C9A5676A7} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 – HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 – DPF: {37A49D66–2735–4BB9–8503–82BA5E2333D0} (MailCfg Control) – http://www.poczta.wp.pl/3/mailcfg.ocx
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114940954968
O16 – DPF: {70BA88C8–DAE8–4CE9–92BB–979C4A75F53B} (GSDACtl Class) – https://www.gamespyid.com/alaunch.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{A2C408D1–8039–485D–B8D3–96CA5C082E77}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Symantec Event Manager – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Network Proxy – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 – Service: Symantec Password Validation – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Settings Manager – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 – Service: ISSvc – Symantec Corporation – C:\Program Files\Norton Internet Security\ISSVC.exe
O23 – Service: Norton AntiVirus Auto–Protect Service – Symantec Corporation – C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 – Service: NVIDIA Display Driver Service – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: SAVScan – Symantec Corporation – C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 – Service: ScriptBlocking Service – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Symantec Network Drivers Service – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Symantec SPBBCSvc – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 – Service: Symantec Core LC – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
EL NINO, I suspect your patience may be slowly running out and that I'm wearing you out terribly, but please advise something more so I can get rid of this junk.
Regards
Paweł
Pablo, Norton throws up that message either because you open this thread and the page then gets loaded into the Temporary Internet Files folder, or because after HijackThis removed those faulty entries it "sees" the text above in the backup files created during removal. Go into D:\hijackthis\HijackThis.exe and delete everything except HijackThis.exe itself.
URLSearchHook – http://forum.centrumxp.pl/viewtopic.php?p=204742#204742
I threw out "R3 – Default URLSearchHook is missing".
I no longer have "O16 – DPF: {10003000–1000–0000–1000–000000000000} – xxxxxxxxxxxxxxxxxxxxxxxxxxhttp://dl.ad–ware.cc/7KNyuNbkVEztCHtrMHFN.chm::/on–line.exe" in the log, but Norton still displays a message saying this junk is still sitting in the computer :( EL NINO, if you can, post a link to the post you mentioned above, or throw in another idea, because I'm at my wit's end. Thanks a lot in advance
Regards :)
All right, but you can still finish it off:
R3 – Default URLSearchHook is missing
If anything, EL NINO recently posted a fix repairing that spot in the registry.
Norton calls this Bloodhound.Exploit.6:
O16 – DPF: {10003000–1000–0000–1000–000000000000} – xxxxxxxxxxxxxxxxxxxxxxhttp://dl.ad–ware.cc/7KNyuNbkVEztCHtrMHFN.chm::/on–line.exe
Just opening a page that contains this text makes it trip.
Thanks a lot, it helped :) my start page finally works the way it should. I did it by booting the system in safe mode, deleting what you told me to, and then throwing out everything Norton was holding in quarantine. Only one thing is left; for example, just now when I opened the page to write this post, Norton popped up something like this:
Threat Bloodhound.Exploit.6
"C:\Documents and Settings\xxx\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LI8LX183\posting[2].htm
For more information about this threat, click: Bloodhound.Exploit.6"
How can I remove it?? Thanks a lot in advance, you've already helped me a great deal :) PS. In case it's needed, here is my current log:
Logfile of HijackThis v1.99.0
Scan saved at 22:16:46, on 2005–05–30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Konnekt\konnekt.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\hijackthis\HijackThis.exe
R3 – Default URLSearchHook is missing
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: Norton Internet Security – {9ECB9560–04F9–4bbc–943D–298DDF1699E1} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton Internet Security – {0B53EAC3–8D69–4b9e–9B19–A37C9A5676A7} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 – HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 – DPF: {37A49D66–2735–4BB9–8503–82BA5E2333D0} (MailCfg Control) – http://www.poczta.wp.pl/3/mailcfg.ocx
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114940954968
O16 – DPF: {70BA88C8–DAE8–4CE9–92BB–979C4A75F53B} (GSDACtl Class) – https://www.gamespyid.com/alaunch.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{A2C408D1–8039–485D–B8D3–96CA5C082E77}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Symantec Event Manager – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Network Proxy – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 – Service: Symantec Password Validation – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Settings Manager – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 – Service: ISSvc – Symantec Corporation – C:\Program Files\Norton Internet Security\ISSVC.exe
O23 – Service: Norton AntiVirus Auto–Protect Service – Symantec Corporation – C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 – Service: NVIDIA Display Driver Service – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: SAVScan – Symantec Corporation – C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 – Service: ScriptBlocking Service – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Symantec Network Drivers Service – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Symantec SPBBCSvc – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 – Service: Symantec Core LC – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
You only kill the one started by the user; the rest are system processes and you leave them alone.
OK, I'll do as you wrote, but there is one problem. I have the SVCHOST.EXE process open 4 times: as User, SYSTEM, NETWORK SERVICE and LOCAL SERVICE. When I kill the User, NETWORK SERVICE and LOCAL SERVICE ones nothing happens, but when I try to kill the SYSTEM one a window pops up in which the system counts down one minute and then shuts the computer down. What should I do?? Do I have to fit all of this into that one minute??
Disable System Restore
Kill the process:
SVCHOST.EXE (the one started not by the system but by the user)
Delete the bolded files/folder from the HDD, then tick these entries in HJT and Fix checked:
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 – REG:system.ini: Shell=explorer.exe
O4 – HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{F5951712–B815–414B–A3FE–913D876824BD}\SVCHOST.EXE
O4 – HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{F5951712–B815–414B–A3FE–913D876824BD}\SECURITY.EXE
O4 – HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 – HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O16 – DPF: {10003000–1000–0000–1000–000000000000} – xxxxxxxxxxxxxxxxxxxxxxxxxxxhttp://dl.ad–ware.cc/7KNyuNbkVEztCHtrMHFN.chm::/on–line.exe
O16 – DPF: {11311111–1111–1111–1111–111111111157} – file://C:\Recycled\Q330995.exe
Empty the Recycle Bin, or rather the files Norton is protecting in it
R3 – URLSearchHook: (no name) – _{08C06D61–F1F3–4799–86F8–BE1A89362C85} – (no file)
Remove this string from the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
I'd advise uninstalling Spyware Doctor and removing:
O2 – BHO: PCTools Site Guard – {5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB} – C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 – BHO: PCTools Browser Monitor – {B56A7D7D–6927–48C8–A975–17DF180C71AC} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 – HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 – Extra button: Spyware Doctor – {2D663D1A–8670–49D9–A1A5–4C56B4E14E84} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
Install something with a better reputation: Ad-Aware, Spybot Search & Destroy... etc.
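As an added illustration (not code from this thread, from HijackThis or from EL NINO), a small Python triage script that applies the checks walked through above to HijackThis log lines: a start page the user did not set, an orphaned URLSearchHook, an svchost.exe launched from a GUID-named folder outside System32, a binary name that imitates a system process, and an O16 ActiveX install sourced from a local file or a CHM container. The sample lines are constructed from entries quoted in this thread; the expected start page and the system directory are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: entries quoted from the HijackThis logs in this thread.
# HijackThis writes " - " between fields; the forum rendering shows an en dash.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R3 - URLSearchHook: (no name) - _{08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{F5951712-B815-414B-A3FE-913D876824BD}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/wuweb_site.cab
"""

EXPECTED_START_PAGE = "about:blank"  # assumption: the value the poster keeps setting
SYSTEM_DIR = r"c:\windows\system32"  # assumption: where the genuine svchost.exe lives on XP
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "spoolsv.exe"}
SEP = re.compile(r"\s[-\u2013]\s")   # accept " - " and the forum's " – "

def run_target(entry):
    """Pull the launched path out of an O4 'HK..\\..\\Run: [name] command' field."""
    m = re.search(r'\[[^\]]*\]\s*("[^"]+"|\S+)', entry)
    return m.group(1).strip('"').lower() if m else ""

def lookalike(name):
    """True when a binary name is close to, but not exactly, a core system name."""
    return name not in SYSTEM_NAMES and any(
        SequenceMatcher(None, name, known).ratio() >= 0.8 for known in SYSTEM_NAMES)

def triage(log_text):
    """Return (code, line, reason) for each log entry that deserves a human look."""
    findings = []
    for line in log_text.splitlines():
        fields = SEP.split(line.strip())
        if len(fields) < 2:
            continue
        code, rest = fields[0], fields[1:]
        if code == "R0" and "Start Page" in rest[0]:
            if rest[0].partition("=")[2].strip().lower() != EXPECTED_START_PAGE:
                findings.append((code, line, "start page is not the value the user set"))
        elif code == "R3" and rest[-1].strip() == "(no file)":
            findings.append((code, line, "orphaned URLSearchHook, its file is already gone"))
        elif code == "O4":
            path = run_target(rest[0])
            folder, _, name = path.rpartition("\\")
            if name in SYSTEM_NAMES and folder != SYSTEM_DIR:
                findings.append((code, line, f"{name} started from outside {SYSTEM_DIR}"))
            elif re.search(r"\\services\\\{[0-9a-f-]+\}\\", path):
                findings.append((code, line, "autorun lives in a GUID-named folder"))
            elif lookalike(name):
                findings.append((code, line, f"{name} imitates a system binary name"))
        elif code == "O16":
            source = rest[-1].strip().lower()
            if source.startswith("file://") or "::/" in source:
                findings.append((code, line, "ActiveX install from a local file or a CHM container"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the start page, the orphaned hook, the svchost.exe in the GUID folder, spoolsrv32.exe and the file:// ActiveX source, while leaving the ccApp and Windows Update entries alone.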