DIALER do strony http://adsl1.revenue.net
dardar - 22 Cze 2005 13:31
Proszę o pomoc w usunięciu DIALER do strony http://adsl1.revenue.net
log
Logfile of HijackThis v1.99.1
Scan saved at 12:26:22, on 2005-06-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\anty\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteetr32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Dodano po 11 [minuty]:
dodatkowo problem z odnawiającym się plikiem temp535
Kolobos - 22 Cze 2005 13:45
Uruchom windows w trybie awaryjnym, usun w hijackthis:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteetr32.exe
Plik C:\windows\system32\eliteetr32.exe dodaj do killbox'a:
http://www.downloads.subratam.org/KillBox.zip
z zaznaczona opcja delete on reboot.
Po resecie przeskanuj tym:
http://download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
I wklej nowy log.
dardar - 22 Cze 2005 14:18
Spyware Scan Details
Start Date: 2005-06-22 13:24:35
End Date: 2005-06-22 13:27:31
Total Time: 2 mins 56 secs
Detected Threats
Sasser.e Adware more information...
Details: This self-executing worm spread by exploiting a Microsoft Windows vulnerability. It is a very fast replicating worm, and achieved very high infection rates.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected files detected
c:\windows\lsasss.exe
SearchMiracle.EliteBar Browser Plug-in more information...
Details: SearchMiracle.EliteBar adds a search redirection toolbar to Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\windows\elitetoolbar\elitelist
c:\windows\elitetoolbar\xml\images\dating.bmp
c:\windows\elitetoolbar\xml\images\drugs-ico.bmp
c:\windows\elitetoolbar\xml\images\drugs.bmp
c:\windows\elitetoolbar\xml\images\fav-ico.bmp
c:\windows\elitetoolbar\xml\images\fav.bmp
c:\windows\elitetoolbar\xml\images\porn-ico.bmp
c:\windows\elitetoolbar\xml\images\porn.bmp
c:\windows\elitetoolbar\xml\images\virus.bmp
c:\windows\elitetoolbar\xml\search.mnu
c:\windows\elitetoolbar\xml\adult.tbr
c:\windows\elitetoolbar\xml\categories\drugs.mnu
c:\windows\elitetoolbar\xml\categories\fav.mnu
c:\windows\elitetoolbar\xml\categories\porn.mnu
c:\windows\elitetoolbar\xml\default.tbr
c:\windows\elitetoolbar\xml\images\casino-ico.bmp
c:\windows\elitetoolbar\xml\images\casino.bmp
c:\windows\elitetoolbar\xml\images\dating-ico.bmp
Infected folders detected
c:\windows\elitetoolbar
c:\windows\elitetoolbar\xml
c:\windows\elitetoolbar\xml\categories
c:\windows\elitetoolbar\xml\images
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar UpdateDate 30090401
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar city Warsaw
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar state 67
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar country Poland
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar keywordlist C:\WINDOWS\EliteToolBar\elitelist
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar kwver 2
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar SearchIndex 0
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar AutoComplete 1
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar ac1 adult
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar adult.tbr 8
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar default.tbr 8
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar search.mnu 8
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar version 51
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar path C:\WINDOWS\EliteBar\
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 C:\ELITEB~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar guid 3c40294c-7095-4c1c-b511-e6cb0e0b573b
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar city Warsaw
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar state 67
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar country Poland
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar Activated 1
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar errorreport yes
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar friendbho {CF7AAF33-DB39-4EFA-B8A0-9FF32B0001D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 C:\ELITEB~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} &EliteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar uninstalled yes
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar SearchIndex 0
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar AutoComplete 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar ac1 adult
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar adult.tbr 9
HKEY_CLASSES_ROOT\clsid\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} &EliteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar popupblocker no
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar popups no
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar pthreshold 5
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar default.tbr 9
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar search.mnu 9
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar version 60
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar path C:\WINDOWS\EliteToolBar\
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar UpdateDate 21040500
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar dnsc yes
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar purl http://yupsearch.com/link.php?k=
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar axparam &msbb=2&protector_tool=2
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar AccountNumber awds
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar Activated 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar UpdateAttempt 21040508
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar _show 1
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar guid 73b2e12e-b45d-462a-9d2d-9999f959eb0a
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar searchkeys |http://www.yupsearch.com/search.php
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar errorreport yes
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar AccountNumber awds
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar city Warsaw
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar state 67
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar country Poland
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar keywordlist C:\WINDOWS\EliteToolBar\elitelist
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteToolBar kwver 2
HKEY_LOCAL_MACHINE\Software\Elitum
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar UpdateDate 07060501
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar version 08
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar path C:\WINDOWS\EliteSideBar\
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar axparam &msbb=2&protector=1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar UpdateAttempt 07060512
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar excluded google.com,yahoo.com,searchmiracle.com
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar url http://yupsearch.com/sb.php?qq=
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar maxshow 6
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar
HKEY_LOCAL_MACHINE\Software\Elitum\EliteSideBar Activated 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar uninstalled yes
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar FirstTimeStarted 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar SearchIndex 0
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar AutoComplete 1
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar uninstalled no
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar ac1 adult
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar adult.tbr 9
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar popupblocker no
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar popups no
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar pthreshold 5
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar default.tbr 9
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar search.mnu 9
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar version 60
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar path C:\WINDOWS\EliteToolBar\
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar UpdateDate 21040500
HKEY_LOCAL_MACHINE\SOFTWARE\backup\EliteBar _show 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar dnsc yes
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar purl http://yupsearch.com/link.php?k=
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar axparam &msbb=2&protector_tool=2
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar AccountNumber awds
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar Activated 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar UpdateAttempt 21040508
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar _show 1
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar guid 73b2e12e-b45d-462a-9d2d-9999f959eb0a
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar searchkeys |http://www.yupsearch.com/search.php
HKEY_LOCAL_MACHINE\Software\Elitum\EliteToolBar errorreport yes
Detected Spyware Cookies
No spyware cookies were found during this scan.
Kolobos - 22 Cze 2005 15:16
dardar
Twoj super norton nie wykrywa tego sassera w
c:\windows\lsasss.exe
?
Odinstaluj nortona, zainstaluj Avast i przeskanuj caly dysk:
http://www.avast.com/eng/avast_4_home.html
Plik c:\windows\lsasss.exe
Uzyj tego:
http://www.simplytech.it/ETRemover/ETRemoverV120.zip
I usun caly katalog:
c:\windows\elitetoolbar\
Zresza miales usunac to co znajdzie skanowanie, a nie wklejac
Odinstaluj FlashGet'a i zobacz czy reklamy znikna.
dardar - 02 Lip 2005 09:15
Dzięki za wskazówki.Czekałem czy się jakiś nie ujawni ale nie.