[terminator]

OS: XP Professional

Kuigi olen kõigi uusimate versioonidega järgnevatest programmidest:

Spybot 1.4 beta2
Antivir
Ad-Aware SE Personal
CWShredder v2.13
Spy Sweeper
Spyware Doctor

seni üle käinud, kuni nad enam midagi kahtlast ei tuvasta, näitab Bazooka ikka järgmist paharetti:

http://www.kephyr.com/spywarescanner/library/coolwebsearch.loadnew/index.phtml?source=app

mille vastu peaks siis aitama järgmised sammud:

1) Go to windowsupdate.com and install all service packs and critical updates. Service Pack 2 pole, kuna selle installimisel tekkis probleem, muu peaks korras olema

2)Start your computer in safe mode. tegin

3) Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.) Tegin

4) Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run' Tegin

5) In the right pane, delete values named 'SysTime', 'Service Host', 'process.exe' and 'System Service'. Run'i all polnud neist ühtegi

6) Browse to the key:
'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run' Tegin

7) In the right pane, delete values named 'SysTime', 'Service Host', 'process.exe' and 'System Service'. Jällegi polnud Run'i all nendest ühtegi

8) Exit the registry editor. Tegin

9) Start Windows Explorer and delete:

C:\Windows\loadnew.exe ei leidnud
C:\Windows\questmod.dll ei leidnud
C:\Windows\mstask1.exe ei leidnud
C:\Windows\mstask2.exe ei leidnud
C:\Windows\mstask3.exe ei leidnud
C:\Windows\toolbar.exe 2tk leidsin ja kustutasin ära
C:\Windows\process.exe ei leidnud
C:\Windows\System32\msrexe.exe ei leidnud
C:\Windows\System32\systime.exe kustutasin
C:\Windows\System32\dktibs.exe ei leidnud
C:\Windows\System32\child.dll ei leidnud
C:\Windows\System32\chup.dll ei leidnud
C:\Windows\System32\chup32.dll ei leidnud

10) Restart your computer.

Safe mode'i ajal töötasid Taskmanageris järgmised asjad:

taskmgr.exe
Explorer.EXE
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process SYSTEM

Kuidas CoolWebSearch.loadnew-st jagu saaks?

[HacaX]

HijackThisil on selline vidin nagu "Delete file at boot". Sellega otsi see EXE välja ja tee alglaadimine (asi kustutatakse siis OSi ülestulekul enne kui ta mällu laetakse).

Samas: ikka tõesti viimane CWShredderi versioon (IMO oli viimane 2.1.xxx, tiri tootja kodukalt mitte mingist failiarhiivist). Bazooka võib vabalt ka kalada (s.t. kuulutada et pahalane on masinas ka siis kui sellele viitab ainult mingi registrisissekanne). SpyBotis lülita beetade tirimine sisse, siis saad viimase versiooni (1.4b2 IIRC).

Aga kasuks võib tulla ka HijackThisiga logifaili genereerimine ja siiapostitamine.

EDIT: kas mälus istus tõesti SVCAT.EXE või oli see sinupoolne näpukas? Aus process on SVCHOST.EXE

[Motiv8]

Kunagi jamasin selle maha võtmisega, aga lõpuks tõstsin käed üles ja tegin format c:

[terminator]

[terminator]

Kas siis tuleb tõesti format C teha?

Sain sellisesse seisukorda, kus isegi Bazooka enam midagi ei näita, kuid samas probleemid endiselt samad-ei kuva õieti lehti lahti enne kui mitu korda refreshi teed, jube aeglane, netisaitidel eraldi lehel pilti lahti tehes kuvab kõigepealt koodi, alles peale refreshi pilti ennast, ei lase tavaviisil nuppu vajutades asju alla laadida, vaid peab Save Target As'i kasutama, avab ise suvalisi otsingulehekülgi, sulgeb ise suvaliselt programme (nt Ad-Aware jne), hangub jne

Närvid täiesti läbi juba, enda arust kõike proovinud juba mitu päeva

[HacaX]

Tee viimase HijackThisiga logifail ja postita tolle sisu siia.

[terminator]

Logfile of HijackThis v1.99.1
Scan saved at 17:09:01, on 21.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spools.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spools.exe
C:\DOCUME~1\MADMIK~1\LOCALS~1\Temp\Rar$EX00.765\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\msiexec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/5595/search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.elion.ee:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [Shellspl] spools.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN_XP.cab
O16 - DPF: {DDF44FD9-749F-4761-89BB-E8A59339E459} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_9_EN_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C618D8A-F6C7-482E-8B36-4CF4FF349ECC}: NameServer = 194.126.115.18 194.126.101.34
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\hlpn.dll
O21 - SSODL: eplrr9 - {99CB2054-1CA1-4137-A69A-524E62927567} - C:\WINDOWS\System32\mspdnx.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

[terminator]

Keegi tõesti ei oska aidata? Mul närvid täiesti läbi juba Ad-Aware paneb ka ise suvaliselt skännimise ajal kinni.

[DoS]

Masin on sul küll igasugu jura täis alustades paljude "spyware-eemaldajatega", mis oleks soovitav kõik maha lasta ja lõpetades igasugu muude kahtlaste asjadega näiteks "O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe " ja "C:\WINDOWS\System32\spools.exe"

[terminator]

[HacaX]

Esmalt võta ette käik WinblowsUpdate'i saidile, su IE on ju lausa eelajalooline. Teiseks buudi safe mode'is üles ja paki HijackThis lahti, mitte ära jooksuta otse arhiivist (backupid lähevad sedasi tehes kaotsi). Käi veel kord masinast CWShredderiga üle. IE'd ära kohe kindlasti käivita ja siis eemalda need read (kui nad veel alles on):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/5595/search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll (file missing)
O4 - HKLM\..\Run: [Shellspl] spools.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN_XP.cab
O16 - DPF: {DDF44FD9-749F-4761-89BB-E8A59339E459} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_9_EN_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\hlpn.dll
O21 - SSODL: eplrr9 - {99CB2054-1CA1-4137-A69A-524E62927567} - C:\WINDOWS\System32\mspdnx.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program.exe (file missing)


Lisaks juba DoSi poolt ära märgitud tõsiasi, et spywarekilleritega oled sa küll ikka *radikaalselt* üle pingutanud. Ei imestaks sugugi kui neti kalamise taga poleks mitte masinas istuv pahalane vaid see, et veebileht veel nõnda paljude progede sõelast peab läbi käima. Kes teab, äkki tekib nende vahel veel ka mingi konflikt nii et kokkuvõttes tegelevad kõik mälu ja prose kulutamise, mitte aga kurjamite püüdmisega.

[Eisbär]

Svchost.exe on täiesti õige asi - nimelt kuulub ta Microsofti enda asja alla. Järjekordne Billi hull tegu

Info:

svchost - svchost.exe - Process Information
Process File: svchost or svchost.exe
Process Name: Microsoft Service Host Process

Description:
svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx This is a registered security risk and should be removed immediately. Please see additional details regarding this process

Info pärineb siit http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/

Eisbär

[DoS]

haa
seda arvad sina..
svchost.exe võib olla õige asi, kuid kindlasti ei ole õige selline svchost.exe, mis topib ennast hklm\...\runni ja asub c:\windows kaustas

[tahanteada]

Ärge püüdke kala seal kus kala pole , kala tuleb püüda seal kus ta olemas on 8) , ehk järjekordselt on unustatud peidetud Temp-failid ja kataloogid ära kustutada ja siis pole ime kui praht ennast mõne hetkega taastab kasvõi internetist allatirimise teel

[terminator]

huuh, paistab, et esialgu sain korda asja, suurimad tänud eriti Hacax'ile ja ka kõigile teistele