Problem with the desktop


(Chees) #1

While browsing the net I think I caught some kind of virus. Norton detected three viruses and I removed them. Spybot found another 4, so I removed those too. But I still have some strange desktop. Here is my log

Logfile of HijackThis v1.98.2

Scan saved at 21:21:34, on 2004-12-19

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\LANChat Pro\LANChat.exe

C:\WINDOWS\wscmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\NORTON~1\navw32.exe

D:\Programy\Instalki programów\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.1:9202;gopher=192.168.0.1:9202;http=192.168.0.1:9202;https=192.168.0.1:9202;socks=192.168.0.1:808

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM..\Run: [LANChatPro] C:\Program Files\LANChat Pro\LANChat.exe /q

O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM..\Run: [Hidder] C:\PROGRA~1\GDATAS~1\SEKRET~1\Hidder.exe /start

O4 - HKLM..\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - HKLM..\Run: [VkzSrv32] C:\WINDOWS\vkzsrv.exe

O4 - HKLM..\Run: [WCSE Mgr] C:\WINDOWS\wscmgr.exe

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.topconverting.com

O15 - Trusted Zone: *.windupdates.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... 69d4f437e7

O16 - DPF: {3A5C3E02-A93F-497B-F2A8-20790651C786} - http://213.159.117.150/1/rdgLU10.exe

O16 - DPF: {3E52D745-5235-0A5D-9611-694366689D32} - http://213.159.117.150/1/rdgLU10.exe

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/intern ... e_ver4.CAB

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{F831BE12-62E1-41C3-BB2D-97472A0696DC}: NameServer = 192.168.0.1


(Jablek 88) #2

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.topconverting.com

O15 - Trusted Zone: *.windupdates.com

to be deleted

I can't be bothered to look for the rest :smiley:


(Damian) #3

If you know it, don't delete it; if you don't know it, delete it:

C:\WINDOWS\wscmgr.exe

O4 - HKLM..\Run: [VkzSrv32] C:\WINDOWS\vkzsrv.exe

O4 - HKLM..\Run: [WCSE Mgr] C:\WINDOWS\wscmgr.exe


To be deleted:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php  	


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php


O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe


O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe


O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm 


O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.topconverting.com

O15 - Trusted Zone: *.windupdates.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=601ee6641a7474c4aef354aad9658a33468e7de6b23c69d4f437e7


O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx


O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab


O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB


O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
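
Added example, not part of the original post: a small Python pass over HijackThis entry lines that shortlists the kinds of entries singled out in this thread (IE page settings pointing at a bare IP address, Trusted Zone additions, ActiveX downloads from a bare IP or of an .exe). The rules and function names are assumptions made for this illustration, not HijackThis's own logic; the sample lines are copied from the log in post #1.

```python
import re
from urllib.parse import urlparse

# Entries copied from the log in post #1 of this thread (a short selection).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {3A5C3E02-A93F-497B-F2A8-20790651C786} - http://213.159.117.150/1/rdgLU10.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O16 - DPF: ..."
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_entries(log_text):
    """Return (code, body) pairs; header and running-process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def review_reasons(code, body):
    """Assumed heuristics for this example; they only shortlist lines for a human."""
    reasons = []
    found = URL_RE.search(body)
    url = urlparse(found.group(0)) if found else None
    host_is_ip = bool(url and url.hostname and IPV4_RE.match(url.hostname))
    if code in ("R0", "R1") and host_is_ip:
        reasons.append("IE page setting points at a bare IP address")
    if code == "O15":
        reasons.append("site placed in the Trusted Zone")
    if code == "O16" and url:
        if host_is_ip:
            reasons.append("ActiveX download source is a bare IP address")
        if url.path.lower().endswith(".exe"):
            reasons.append("download is an .exe rather than a .cab/.ocx package")
    return reasons

def triage(log_text):
    """Return (code, body, reasons) for every entry with at least one reason."""
    reviewed = ((c, b, review_reasons(c, b)) for c, b in parse_entries(log_text))
    return [item for item in reviewed if item[2]]

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```

Entries that match no rule (the Norton BHO, the google.pl start page, the F-Secure scanner) are simply not shortlisted; that is not a statement that they are safe.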

(Chees) #4

I'm a complete novice at these things. How am I supposed to remove this??? I've never had to deal with this before!


(Duch) #5

In HiJack...

just turn off System Restore first, and ideally do the removal in Safe Mode... you can also look for some of them on the HDD and delete them manually... then restart and run the online scanners...


(boczi) #6

You select it, you delete it


(Chees) #7

And if I didn't turn on Safe Mode and didn't turn off System Restore but deleted them anyway, is that bad? Now my log looks like this

Logfile of HijackThis v1.98.2

Scan saved at 23:02:14, on 2004-12-19

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\LANChat Pro\LANChat.exe

C:\WINDOWS\wscmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Opera\opera.exe

D:\Programy\Instalki programów\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.1:9202;gopher=192.168.0.1:9202;http=192.168.0.1:9202;https=192.168.0.1:9202;socks=192.168.0.1:808

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM..\Run: [LANChatPro] C:\Program Files\LANChat Pro\LANChat.exe /q

O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM..\Run: [Hidder] C:\PROGRA~1\GDATAS~1\SEKRET~1\Hidder.exe /start

O4 - HKLM..\Run: [VkzSrv32] C:\WINDOWS\vkzsrv.exe

O4 - HKLM..\Run: [WCSE Mgr] C:\WINDOWS\wscmgr.exe

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O16 - DPF: {3A5C3E02-A93F-497B-F2A8-20790651C786} - http://213.159.117.150/1/rdgLU10.exe

O16 - DPF: {3E52D745-5235-0A5D-9611-694366689D32} - http://213.159.117.150/1/rdgLU10.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip..{F831BE12-62E1-41C3-BB2D-97472A0696DC}: NameServer = 192.168.0.1

And the desktop looks like this: http://img78.exs.cx/my.php?loc=img78&image=wirus7up.jpg What could it be?

I removed those entries and still nothing :?


(Damian) #8

Did you delete this, or did it come back on its own??

C:\WINDOWS\wscmgr.exe 


O4 - HKLM\..\Run: [VkzSrv32] C:\WINDOWS\vkzsrv.exe


O4 - HKLM\..\Run: [WCSE Mgr] C:\WINDOWS\wscmgr.exe 


O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

If you don't restore the system from a backup, nothing will happen.


(Chees) #9

I forgot to do that earlier. I deleted C:\WINDOWS\wscmgr.exe manually and the rest through HijackThis. Still the same :? When I click on the desktop, because there is a link there, it opens a window with http://213.159.117.149/?affid=DNN-2


(Marsmo) #10

I clicked on that link - complete junk :twisted: - luckily nothing got installed on my machine...

Have a read here: :slight_smile:

http://www.security-forums.com/forum/vi ... hp?t=23706

Pay particular attention to the LSP-Fix tool, and, well, all the rest... :slight_smile:


(Damian) #11

In that case, these are to be deleted as well:

O16 - DPF: {3A5C3E02-A93F-497B-F2A8-20790651C786} - http://213.159.117.150/1/rdgLU10.exe


O16 - DPF: {3E52D745-5235-0A5D-9611-694366689D32} - http://213.159.117.150/1/rdgLU10.exe

I also suggest scanning with these programs:

:arrow: CWShredder 2.1

:arrow: Spybot Search & Destroy 1.3

:arrow: Ad-aware SE Personal 1.05


(Adarek) #12

Click on the desktop >>> Properties >>> Desktop -> Customize Desktop -> Web

and delete all the web page entries, if there are any.

Restart the computer.

Also use:

Pestpatrol

instructions

Ewido Free Security Suite

ETD Security Scanner 3.0

http://www.download.com/ETD-Security-Sc ... 29424.html


(Chees) #13

That advice helped. It worked even without a restart. The strangest thing was that the IE process was open more than 7 times in the process list. I also removed what Damian pointed out in the log, because that rdgLU10.exe process was open as well, more than 2 times. Thanks everyone :!: :wink:


(Adarek) #14

Just in case, also check the HOSTS file.

Run HijackThis once more. Click Config... ->>>> Misc Tools ->>>> Open hosts file manager ->>>> Open in Notepad

Notepad will open. Delete all the website entries from there, leaving only the entry 127.0.0.1 localhost
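
Added example, not part of the original post: the same HOSTS check done in Python, listing every mapping other than localhost and saying whether the name is forced to loopback (blocked) or to some other address (redirected). The sample content is constructed with placeholder names and addresses; accepting any loopback address for `localhost` is an assumption of this example.

```python
import ipaddress

# Constructed hosts-file content for the example; names and addresses are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
203.0.113.10    search.example.com www.search.example.com   # redirect
127.0.0.1       update.example.net
not-an-address  broken.example.org
"""


def audit_hosts(text):
    """Return (line_no, address, name, kind) for every mapping except localhost.

    kind is "blocked" (name forced to loopback), "redirected" (name forced to
    some other address) or "malformed" (first field is not an IP address).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete
        address, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback = None                     # first field is not an IP address
        for name in names:
            if loopback and name.lower() == "localhost":
                continue                        # the one entry the post says to keep
            if loopback is None:
                kind = "malformed"
            else:
                kind = "blocked" if loopback else "redirected"
            findings.append((line_no, address, name, kind))
    return findings


if __name__ == "__main__":
    for line_no, address, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} ({kind})")
```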