Search Cc - Wir/spyware W Ie

loco_pl · 17 Kwietnia 2005

Sys Win 2k

Mam to naprawic, w ie wgral sie jakis search-cc co przy odpalaniu przegladarki od razu sie laduje. Przejechalem 2 spyware-removerami i nic nie dalo, nie mozna tego tez odinstalowac w Dodaj/usun programy ani pod narzedziem do usuwania programow. Teraz jak polecicie jakis program to wezcie pod uwage ze nie moge go na tym kompie zaktualizowac przez net, jakies gotowe narzedzia. Wgralem jako plan b Firefoxa, ale wlascicielka bardzo chce znowu ie ;o

nrl · 17 Kwietnia 2005

http://www.merijn.org/files/hijackthis.zip

zassaj ten programik i zeskanuj kompa. podaj loga

**ULLISSES** · 19 Kwietnia 2005

Sprobuj AdAware w najnowszej wersji.

Przegladnij katalog c:\program files i c:\program files\internet explorer\plugins i wywal/przenies wszystko, co wyda Ci sie podejrzane.

Nastepnie przejedz po rejestrze programem RegCleaner.

Najlepiej zrobic to w trybie awaryjnym.

Tony Soprano · 19 Kwietnia 2005

Ja tez mam podobny problem a oto log:

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVFNSVR.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PSIMSVC.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVPROT9.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVKRE9X.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PREVSRV.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\D3WU32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\AVLTMAIN.EXE

C:\PROGRAM FILES\SKYPE\SKYPE.EXE

C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://goodfind4u.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\povia.dll/sp.html#69959

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://goodfind4u.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Class - {B550E5A0-848D-661C-60CC-759622570AF7} - C:\WINDOWS\IPSV32.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [irMon] IrMon.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"

O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe"

O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PSIMSVC.exe"

O4 - HKLM\..\RunServices: [PAVFIRES] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe"

O4 - HKLM\..\RunServices: [Pavprot9] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavprot9.exe"

O4 - HKLM\..\RunServices: [Pavkre9X] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre9X.exe"

O4 - HKLM\..\RunServices: [Panda Preventium+ Service] "C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PREVSRV.EXE"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray

O4 - Startup: HiS.lnk = ?

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {9F7E7C40-9807-11D9-9D3E-444553540000} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9F7E7C40-9807-11D9-9D3E-444553540000} - (no file) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {F96D229F-129A-43B5-9B51-B7820E1BF2D3} (GameControl2 Control) - http://www.miastoplusa.pl/applets/GameControl104.cab

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/551/online.chm::/on-line.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - http://67.15.101.3/g_bin/pl/boards_2_0_0_16.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/pl/billard8UK_2_0_0_21.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/b0ba34a.cab

O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_58.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C3} (GameDesire Pool 14) - http://67.15.101.3/g_bin/pl/billard14_2_0_0_21.cab

O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_22.cab

O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab

O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/pl/slots70_2_0_0_21.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: komentator - http://sport.onet.pl/komentator.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_21.cab

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_36.cab

O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_15.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/pl/billardt_2_0_0_21.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\MY0RDY2C\epl29[1].cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = 127.0.0.1

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.150.19.4,195.150.19.227

O21 - SSODL: DDE Module - {303F44D5-5FEA-4509-ABDE-5E00C3F2125A} - C:\WINDOWS\SYSTEM\hun32.dll

Z gory dzieki!

**ULLISSES** · 19 Kwietnia 2005

Uwaga ogolna: Nie rozumiem dlaczego uzywacie 98 skoro nie umiecie go zabezpieczyc przed robactwem.

1. Wywal Pande - jakos sie nie sprawdza.

2. Zainstaluj FreeAV (www.free-av.com) oraz AdAware i/lub CWSShadder (lub jakos podobnie) no i ostatecznie jakiegos prostego firewalla - np BlackICE Defender itp.

3. Zainstaluj Firefox lub Opere (nie zapomnij o Java) i PRZESTAN uzywac IE.

Kolobos · 19 Kwietnia 2005

Tony Soprano, a gdzie poczatek log'a ?

Odinstaluj DAP'a i zacznij uzywac czegos innego do sciagania np. FlashGet itp.

Na poczatek przeskanuj tym:

http://www.malwarebytes.biz/AboutBuster.zip

http://cwshredder.net/bin/CWShredder.exe

(wczesniej zamknij przegladarke)

Uruchom hijackthis wybierz scan only i zaznacz te wpisy:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://goodfind4u.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\povia.dll/sp.html#69959

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\povia.dll/sp.html#69959

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://goodfind4u.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {B550E5A0-848D-661C-60CC-759622570AF7} - C:\WINDOWS\IPSV32.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/551/online.chm::/on-line.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\MY0RDY2C\epl29[1].cab

O21 - SSODL: DDE Module - {303F44D5-5FEA-4509-ABDE-5E00C3F2125A} - C:\WINDOWS\SYSTEM\hun32.dll

I Fix Checked, pozniej w hijackthis wybierz Open Misc Tools i Delete file on reboot i wklej sciezki do tych plikow i ok, ale nie resetuj po dodaniu:

C:\WINDOWS\povia.dll

C:\WINDOWS\SYSTEM\hun32.dll

A reszte dialerow usun recznie.

Reset i wklej nowy log.

nrl · 19 Kwietnia 2005

" Wylacz "przywracanie systemu" (instrukcja TUi uruchom tryb awaryny (instrukcja w linku).

Potem usun:

QUOTE