Your computer is infected! o co w tym chodzi?

Dla specjalistów Bezpieczeństwo
#1

Od paru dni wyswietla mi sie na pasku koło zegara czerwone kółeczko w srodku biały krzyżyk i wyswietla sie co chwile napis ,Windows has detected spyware infection!

It is recommended to use special antispyware tools to prevent

data loss. Windows will now download and install the most

up-to-date antispyware for you.

Click here to protect your computer from spyware!" I gdy właczam przeglądarke Internet Explorer to zamiast strony startowej którą mam ustawioną włącza sie takie inne coś na niebieskim tle z takim nagłowkiem << Detected SPYware! System error #384 >> POMÓZCIE MI BO NIE WIEM CO ROBIĆ

](*,)

#2

Daj log z HijackThis – tu masz opis.

Daj log z Silent Runners – tu masz opis.

#3

tu jest moj log

Logfile of HijackThis v1.99.1

Scan saved at 18:08:33, on 2006-08-12

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\Program Files\njrpbc.exe

C:\windows\system32\updwebmin.exe

C:\WINDOWS\System32\rpcc.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\jxbvrtbf.exe

C:\WINDOWS\system32\RaConfig.exe

D:\programy\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll

O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033

O4 - HKLM…\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 “EPSON Stylus C43 Series” /O6 “USB001” /M “Stylus C43”

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM…\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM…\Run: [sysTray] C:\Program Files\njrpbc.exe

O4 - HKLM…\Run: [updwebmin] c:\windows\system32\updwebmin.exe

O4 - HKLM…\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM…\Run: [tutcdchk2] c:\windows\system32\tutcdchk2.exe

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM…\RunServices: [updwebmin] c:\windows\system32\updwebmin.exe

O4 - HKLM…\RunServices: [tutcdchk2] c:\windows\system32\tutcdchk2.exe

O4 - HKCU…\Run: [Gadu-Gadu] “D:\programy\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [AQQ] D:\AQQKOM~1\AQQ\AQQ.exe

O4 - HKCU…\Run: [pro] c:\jxbvrtbf.exe

O4 - HKCU…\Run: [updwebmin] c:\windows\system32\updwebmin.exe

O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU…\Run: [Windows installer] C:\winstall.exe

O4 - HKCU…\Run: [tutcdchk2] c:\windows\system32\tutcdchk2.exe

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … xdm485YYPL

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_24.cab

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab

O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\plpfenim.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

[color=darkblue][size=75]Złączono Posta: 12.08.2006 (Sob) 17:27[/size][/color]

log z tego drugiego

“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“Gadu-Gadu” = ““D:\programy\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”]

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]

“AQQ” = “D:\AQQKOM~1\AQQ\AQQ.exe” [“AQQ Sp. z o.o.”]

“pro” = “c:\jxbvrtbf.exe” [null data]

“updwebmin” = “c:\windows\system32\updwebmin.exe” [null data]

“MyWebSearch Email Plugin” = “C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe” [“MyWebSearch.com”]

“Windows installer” = “C:\winstall.exe” [null data]

“tutcdchk2” = “c:\windows\system32\tutcdchk2.exe” [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”]

“EPSON Stylus C43 Series” = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 “EPSON Stylus C43 Series” /O6 “USB001” /M “Stylus C43"” [“SEIKO EPSON CORPORATION”]

“SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe” [null data]

“WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data]

“WinFast Schedule” = “C:\Program Files\WinFast\WFTVFM\WFWIZ.exe” [“Leadtek Research Inc.”]

“SysTray” = “C:\Program Files\njrpbc.exe” [MS]

“updwebmin” = “c:\windows\system32\updwebmin.exe” [null data]

“My Web Search Bar” = “rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S” [MS]

“MyWebSearch Email Plugin” = “C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe” [“MyWebSearch.com”]

“tutcdchk2” = “c:\windows\system32\tutcdchk2.exe” [null data]

“MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS]

“(Default)” = “”" = (data in unrecognized format!)" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

“Flag” = 2

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

{6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided)

-> {HKLM…CLSID} = “BitComet Toolbar Helper”

\InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

-> {HKLM…CLSID} = “Microsoft Office Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

“SysTray.Exbr” = “{6368D1FC-6F5C-4f1b-B164-E67214F678E9}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\plpfenim.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\Didulek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “Didulek” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“RaConfig” -> shortcut to: “C:\WINDOWS\system32\RaConfig.exe” [“Ralink Technology, Corp.”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{2E608F70-C430-4BC5-96F6-608E02EBA5B2}”

-> {HKLM…CLSID} = “BitComet Toolbar”

\InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” = “BitComet Toolbar”

-> {HKLM…CLSID} = “BitComet Toolbar”

\InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data]

Explorer Bars

Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}”

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

“ButtonText” = “Badanie”

Running Services (Display Name, Service Name, Path {Service DLL}):

EPSON Printer Status Agent2, EPSONStatusAgent2, “C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe” [“SEIKO EPSON CORPORATION”]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = “EBPMON2.DLL” [“SEIKO EPSON CORPORATION”]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 9 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars

took 22 seconds.

---------- (total run time: 68 seconds)

[code]

#4

  1. Startujesz do trybu awaryjnego i wyłączasz przywracanie systemu.

  2. Pliki/foldery na czerwono skasuj z dysku.

  3. Wpisy skasuj Hijackiem.

4.Daj log z Silent Runners – tu masz opis.

#5

ale to co jest na koncu linijki na czerwono to wtedy mam całą linijkie wykacowac??

Złączono Posta : 12.08.2006 (Sob) 17:34

co do 2 punktu wytłumacz moze bardziej

#6

Pliki, które zanzaczyłem na czerwono odszukujesz na dysku i kasujesz.

A te wpisy kasujesz w HijackThis. Włączas --> Do a system scan only --> odszukujesz --> zaznaczas --> Fix Checked.

#7

no wykasowałem je i co teraz mam wejsc w tryb awaryjny ( punkt 1) ? czy co teraz??

#8

widze ze ten sam wirusik ktorego usuwalem wczoraj z kompa mojej siostry :slight_smile: jeszcze cieszy sie popularnoscia… a wlasciwie nie chcialo mi sie go usuwac to zrobilem jej formata :smiley: a i pod zadnym pozorem nie wlaczaj tego falszywego programu anty-spyware ktory ma skrot na pulpicie :slight_smile:

#9

dzęki myszak wszystko działa jak nalezy moze troche zamula ale jest oki! thx wielkie :stuck_out_tongue:

Złączono Posta : 12.08.2006 (Sob) 18:53

Myszak thx

Złączono Posta : 12.08.2006 (Sob) 18:55

didulek00000 thx

#10

Miałeś sporo syfu. Możliwe, że nie wszystko usunąłeś a tylko te najbardziej co szkodziły dlatego chociaż dla pewności, że nic nie ma zrób to co:

dodatkowo możesz dać log z HijackThis.

A jeżeli podczas silenta będzie wyskakiwał jakiś błąd to proszę podać jego dokładną treść na forum lub zrobić screna…