
Problem with the desktop: blue, with a black background

IP: *.internetdsl.tpnet.pl 18.12.05, 02:40
A trojan showing the message "spyware infection" appeared on my computer. I don't know how to remove it; please help me remove the trojan.

Log:

Logfile of HijackThis v1.99.1
Scan saved at 02:39:57, on 2005-12-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\nvraidservice.exe
D:\WINDOWS\system32\netbh.exe
D:\FreeRAM XP Pro\FreeRAM XP Pro 1.40.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\jan kos\Menu Start\Programy\Autostart\madotate.exe
D:\Documents and Settings\jan kos\Pulpit\programy specjalistyczne\REJESTR\PCBoost.v3.2.21.2005.Incl.Keymaker.And.Serv.Auth.Patch-EMBRACE\PcBoost.exe
D:\WINDOWS\netdj32.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe
D:\WINDOWS\system32\drivers\crauto.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\WINDOWS\system32\drivers\IMountSRV.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\FlashGet\flashget.exe
D:\Documents and Settings\jan kos\Pulpit\programy specjalistyczne\REJESTR\do usówania spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: &RN_Object - {E6B48BC7-4EA9-4643-A4B3-BB7C4F69287A} - D:\Program Files\RNmail\RN_IE_Add_On.dll
O2 - BHO: Class - {EB3F1F3A-312D-1F0B-BE12-33935E41A208} - D:\WINDOWS\system32\atlla32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [netbh.exe] D:\WINDOWS\system32\netbh.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\FreeRAM XP Pro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: madotate.exe
O4 - Startup: Skrót do PcBoost.exe.lnk = D:\Documents and Settings\jan kos\Pulpit\programy specjalistyczne\REJESTR\PCBoost.v3.2.21.2005.Incl.Keymaker.And.Serv.Auth.Patch-EMBRACE\PcBoost.exe
O4 - Startup: USUXP.BAT
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Szukaj w NetSprint.pl - res://D:\Program Files\NetSprint Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Atomica... - file:D:\PROGRA~1\Atomica\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://D:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - D:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·şÄÖ`I) - Unknown owner - D:\WINDOWS\netdj32.exe
O23 - Service: crauto - Unknown owner - D:\WINDOWS\system32\drivers\crauto.exe
O23 - Service: IMountSRV - Unknown owner - D:\WINDOWS\system32\drivers\IMountSRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PMounter - Unknown owner - D:\WINDOWS\system32\PMounter.exe

    • Guest: k Re: Problem with the desktop: blue, with a black background IP: *.warszawa.sdi.tpnet.pl 18.12.05, 11:16
      Use:
      download.ewido.net/ewido-setup.exe <- update it before scanning, uninstall it after the scan.
      cwshredder.net/bin/CWShredder.exe
      downloads.subratam.org/AboutBuster.zip

      Read:
      www.searchengines.pl/phpbb203/index.php?showtopic=14185&st=45&#entry87957
      End in Task Manager:
      D:\WINDOWS\system32\netbh.exe
      Delete the file from disk.

      In HijackThis delete:
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ytdjq.dll/sp.html#17702%everything4find.com
      R3 - Default URLSearchHook is missing
      O2 - BHO: Class - {EB3F1F3A-312D-1F0B-BE12-33935E41A208} - D:\WINDOWS\system32\atlla32.dll <- delete the file
      O4 - HKLM\..\Run: [netbh.exe] D:\WINDOWS\system32\netbh.exe
      O4 - Startup: madotate.exe <- what is this? If you don't know either, delete it.
      O4 - Startup: USUXP.BAT <- same for this one.
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·şÄÖ`I) - Unknown owner - D:\WINDOWS\netdj32.exe <- run services.msc, stop and disable this service, then delete the file, and in HijackThis -> Open Misc Tools -> Delete NT service paste the service name you have in the parentheses, the 11F... one.

      A description of removing the wallpaper is here:
      www.searchengines.pl/phpbb203/index.php?showtopic=31936

      After all that, paste a new log.
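The reply above triages the log by pattern: search settings served from a DLL via res://, a BHO with only a generic name, a Run value named after its own executable, bare .exe/.bat files in the Startup folder, and a service with an unknown owner. As an added illustration (not code from this thread or from HijackThis), the script below applies those same heuristics to HijackThis-format lines; the sample lines are constructed from this thread's log, and each match is a "review this" marker rather than a verdict.

```python
import re

# Constructed sample: a handful of HijackThis 1.99.1 lines modelled on the
# log posted in this thread (the garbled service name is abbreviated here).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://D:\\WINDOWS\\system32\\ytdjq.dll/sp.html#17702%everything4find.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = www.google.pl/
O2 - BHO: Class - {EB3F1F3A-312D-1F0B-BE12-33935E41A208} - D:\\WINDOWS\\system32\\atlla32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [netbh.exe] D:\\WINDOWS\\system32\\netbh.exe
O4 - HKLM\\..\\Run: [NVRaidService] D:\\WINDOWS\\system32\\nvraidservice.exe
O4 - Startup: madotate.exe
O4 - Startup: USUXP.BAT
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F...) - Unknown owner - D:\\WINDOWS\\netdj32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\\Program Files\\Eset\\nod32krn.exe
"""

LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")  # "R1 - ...", "O23 - ..."

def triage_line(line):
    """Return a short reason if a heuristic matches this HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1") and "= res://" in body and ".dll/" in body:
        return "browser search/start setting served from a DLL resource"
    if section == "O2" and re.match(r"BHO: (Class )?- \{", body):
        return "BHO with an empty or generic name"
    if section == "O4" and re.search(r"\[([^\]]+\.exe)\] \S*\\\1$", body, re.I):
        return "Run value named after its own executable"  # heuristic, e.g. [netbh.exe]
    if section == "O4" and re.match(r"Startup: [^\\]+\.(exe|bat)$", body, re.I):
        return "bare .exe/.bat placed in the Startup folder"
    if section == "O23" and "- Unknown owner -" in body:
        return "service with unknown owner (verify the binary)"
    return None

def triage_log(text):
    """Return [(section, reason, line)] for every line a heuristic flags."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line.strip()))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```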
      • Guest: fazi Re: Problem with the desktop: blue, with a black background IP: *.internetdsl.tpnet.pl 19.12.05, 03:44
        Thank you for the help with removing the trojan :)

        Regards

        Logfile of HijackThis v1.99.1
        Scan saved at 03:41:44, on 2005-12-19
        Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        D:\WINDOWS\System32\smss.exe
        D:\WINDOWS\system32\winlogon.exe
        D:\WINDOWS\system32\services.exe
        D:\WINDOWS\system32\lsass.exe
        D:\WINDOWS\system32\svchost.exe
        D:\WINDOWS\System32\svchost.exe
        D:\WINDOWS\system32\spoolsv.exe
        D:\WINDOWS\System32\inetsrv\inetinfo.exe
        D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        D:\Program Files\Eset\nod32krn.exe
        D:\WINDOWS\Explorer.EXE
        D:\WINDOWS\System32\nvraidservice.exe
        D:\Program Files\Eset\nod32kui.exe
        D:\WINDOWS\SOUNDMAN.EXE
        D:\FreeRAM XP Pro\FreeRAM XP Pro 1.40.exe
        D:\WINDOWS\System32\ctfmon.exe
        D:\Documents and Settings\jan kos\Menu Start\Programy\Autostart\madotate.exe
        D:\WINDOWS\System32\wbem\unsecapp.exe
        D:\Documents and Settings\jan kos\Pulpit\programy specjalistyczne\REJESTR\PCBoost.v3.2.21.2005.Incl.Keymaker.And.Serv.Auth.Patch-EMBRACE\PcBoost.exe
        D:\Program Files\Internet Explorer\iexplore.exe
        D:\Documents and Settings\jan kos\Pulpit\programy specjalistyczne\REJESTR\do usówania spyware\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pl/
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
        O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Messenger\ycomp.dll (file missing)
        O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
        O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe
        O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
        O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
        O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
        O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKCU\..\Run: [FreeRAM XP] "D:\FreeRAM XP Pro\FreeRAM XP Pro 1.40.exe" -win
        O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
        O4 - Startup: madotate.exe
        O4 - Startup: nod32kui.exe.lnk = D:\Program Files\ESET\nod32kui.exe
        O4 - Startup: Skrót do PcBoost.exe.lnk = D:\Documents and Settings\jan kos\Pulpit\programy specjalistyczne\REJESTR\PCBoost.v3.2.21.2005.Incl.Keymaker.And.Serv.Auth.Patch-EMBRACE\PcBoost.exe
        O4 - Startup: USUXP.BAT
        O8 - Extra context menu item: &Szukaj w NetSprint.pl - res://D:\Program Files\NetSprint Toolbar\toolbar.dll/SEARCH.HTML
        O8 - Extra context menu item: Atomica... - file:D:\PROGRA~1\Atomica\ATOMIC~1\Html\griemenu.htm
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O8 - Extra context menu item: Personalizuj Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
        O8 - Extra context menu item: RF Pasek Narzędzi - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
        O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://D:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
        O8 - Extra context menu item: Wypełnij Pola - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
        O8 - Extra context menu item: Zapisz Pola - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
        O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm
        O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm
        O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Program Files\Desktop Sidebar\sbhelp.dll
        O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Program Files\Desktop Sidebar\sbhelp.dll
        O9 - Extra button: Wypełnij Pola - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
        O9 - Extra 'Tools' menuitem: Wypełnij Pola - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
        O9 - Extra button: Zapisz - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
        O9 - Extra 'Tools' menuitem: Zapisz Pola - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
        O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
        O9 - Extra 'Tools' menuitem: RF Pasek Narzędzi - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
        O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
        O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
        O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
        O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe

        • Guest: k Re: Problem with the desktop: blue, with a black background IP: *.warszawa.sdi.tpnet.pl 19.12.05, 12:40
          O4 - Startup: madotate.exe <- what program is this? Normally there probably shouldn't be an exe file in the Startup folder.
          O4 - Startup: USUXP.BAT <- same with this bat file, what do you have in it?

          The rest is OK.
