What is going on

IP: *.internetdsl.tpnet.pl 01.01.06, 16:16
I have this as my start page, what is it about?


Detected SPYware! System error #384
__________________________________________________________________________

Your IP address is 83.18.7.26. Using this address a remote computer has
gained anaccess to your computer and probably is collecting the information
about the sites you've visited and the files contained in the folder
Temporary Internet Files. Attention! Ask for help or install the software for
deleting secret information about the sites you visited.

__________________________________________________________________________

Your computer is full of evidences!


ISP of transmission: TPNET
Your IP address: 83.18.7.26
They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Your computer is: Windows XP
Risk status for further investigation: VERY HIGH RISK




To protect from the Spyware - click here
To prevent information transmission - click here
To delete the history of your activity, click here

    • Guest: k Re: What is going on IP: *.warszawa.sdi.tpnet.pl 01.01.06, 17:04
      Paste a HijackThis log.
      • Guest: aga Re: What is going on IP: *.internetdsl.tpnet.pl 01.01.06, 17:08
        Logfile of HijackThis v1.99.1
        Scan saved at 17:07:52, on 2006-01-01
        Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
        C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
        C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Winamp\winampa.exe
        C:\WINDOWS\System32\paytime.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\WINDOWS\System32\paytime.exe
        C:\WINDOWS\System32\sywsvcs.exe
        C:\WINDOWS\System32\drivers\CDAC11BA.EXE
        E:\Kalendarz XP\Kalendarz.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        E:\wszystko\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        c:\secure32.html
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        c:\secure32.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        c:\secure32.html
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        c:\secure32.html
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        c:\secure32.html
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        c:\secure32.html
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
        files\google\googletoolbar2.dll
        O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
        Imaging\bin\hpotdd01.exe
        O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
        Software Update\HPWuSchd.exe"
        O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
        Files\HP\hpcoretech\hpcmpmgr.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
        atboottime
        O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
        O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2112] "C:\DOCUME~1\AGNIES~1\USTAWI~1
        \Temp\5.tmp" -nag
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
        O4 - Startup: Eurobarre.lnk = ?
        O4 - Global Startup: Kalendarz XP.lnk = E:\Kalendarz XP\Kalendarz.exe
        O4 - Global Startup: KVG.exe
        O8 - Extra context menu item: &Google Search - res://c:\program
        files\google\GoogleToolbar2.dll/cmsearch.html
        O8 - Extra context menu item: Backward Links - res://c:\program
        files\google\GoogleToolbar2.dll/cmbacklinks.html
        O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
        files\google\GoogleToolbar2.dll/cmcache.html
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
        res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O8 - Extra context menu item: Similar Pages - res://c:\program
        files\google\GoogleToolbar2.dll/cmsimilar.html
        O8 - Extra context menu item: Translate into English - res://c:\program
        files\google\GoogleToolbar2.dll/cmtrans.html
        O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
        software-dl.real.com/067613f421309a35f721/netzip/RdxIE601.cab
        O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
        Software\Avast4\ashServ.exe
        O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32
        \drivers\CDAC11BA.EXE

        • Guest: k Re: What is going on IP: *.warszawa.sdi.tpnet.pl 01.01.06, 17:12
          In Task Manager, end:
          C:\WINDOWS\System32\paytime.exe
          C:\WINDOWS\System32\paytime.exe
          C:\WINDOWS\System32\sywsvcs.exe

          In HijackThis:
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          c:\secure32.html
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          c:\secure32.html
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          c:\secure32.html
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
          c:\secure32.html
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          c:\secure32.html
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          c:\secure32.html <- delete the file
          O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
          O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2112] "C:\DOCUME~1\AGNIES~1\USTAWI~1
          \Temp\5.tmp" -nag
          O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe <- delete the file
          O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe <- delete the file
          O4 - Global Startup: KVG.exe <- delete the file
          O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll <- delete the file

          Run a scan with this:
          www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02&WRSID=fa418c3f36c473de8c7d2176ac7ada66 <- update before scanning, uninstall after scanning.
          download.ewido.net/ewido-setup.exe <- update before scanning, uninstall after scanning.
          Close the ports with wwdc:
          www.firewallleaktester.com/tools/wwdc.exe
          Also check the file C:\WINDOWS\System32\userinit.exe with this scanner:
          virusscan.jotti.org/ and write whether it found anything, but don't touch the file for now.
          • Guest: aga Re: What is going on IP: *.internetdsl.tpnet.pl 01.01.06, 18:11
            Scanner results
            AntiVir Found Backdoor-Server/Agent.QA.3 backdoor
            ArcaVir Found Trojan.Agent.Qa
            Avast Found nothing
            AVG Antivirus Found BackDoor.Agent.SB
            BitDefender Found Backdoor.Agent.QA
            ClamAV Found nothing
            Dr.Web Found nothing
            F-Prot Antivirus Found nothing
            Fortinet Found W32/Agent.QA!bdr
            Kaspersky Anti-Virus Found Backdoor.Win32.Agent.qa
            NOD32 Found Win32/Spy.Agent.HS
            Norman Virus Control Found nothing
            UNA Found nothing
            VBA32 Found Backdoor.Win32.Agent.qa



            and the log:
            Logfile of HijackThis v1.99.1
            Scan saved at 18:11:48, on 2006-01-01
            Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\csrss.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
            C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
            C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
            C:\Program Files\QuickTime\qttask.exe
            C:\Program Files\Winamp\winampa.exe
            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            C:\Program Files\Messenger\msmsgs.exe
            C:\Program Files\Alwil Software\Avast4\ashServ.exe
            C:\WINDOWS\System32\ctfmon.exe
            C:\WINDOWS\System32\drivers\CDAC11BA.EXE
            E:\Kalendarz XP\Kalendarz.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Program Files\Gadu-Gadu\gg.exe
            E:\wszystko\HijackThis.exe

            F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
            C:\WINDOWS\System32\msdxm.ocx
            O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
            files\google\googletoolbar2.dll
            O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
            Imaging\bin\hpotdd01.exe
            O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
            Software Update\HPWuSchd.exe"
            O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
            Files\HP\hpcoretech\hpcmpmgr.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
            atboottime
            O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
            O4 - Startup: Eurobarre.lnk = ?
            O4 - Global Startup: Kalendarz XP.lnk = E:\Kalendarz XP\Kalendarz.exe
            O4 - Global Startup: KVG.exe
            O8 - Extra context menu item: &Google Search - res://c:\program
            files\google\GoogleToolbar2.dll/cmsearch.html
            O8 - Extra context menu item: Backward Links - res://c:\program
            files\google\GoogleToolbar2.dll/cmbacklinks.html
            O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
            files\google\GoogleToolbar2.dll/cmcache.html
            O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
            res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
            O8 - Extra context menu item: Similar Pages - res://c:\program
            files\google\GoogleToolbar2.dll/cmsimilar.html
            O8 - Extra context menu item: Translate into English - res://c:\program
            files\google\GoogleToolbar2.dll/cmtrans.html
            O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
            software-dl.real.com/067613f421309a35f721/netzip/RdxIE601.cab
            O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
            O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
            Software\Avast4\ashServ.exe
            O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32
            \drivers\CDAC11BA.EXE
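
The comparison between the first log, the fix list and the second log, as an added example that is not part of the original thread: it re-joins entries the forum wrapped across lines and reports which flagged entries are still present and which are new. The function names and the trimmed log excerpts are this example's own.

```python
import re
# HijackThis entries start with a section code: R0, F2, O4, O20, ...
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

def parse_entries(log_text):
    """Map a whitespace-insensitive key to entry text, re-joining wrapped lines."""
    entries, current = {}, []
    def flush():
        if current:
            text = " ".join(current)
            entries[re.sub(r"\s+", "", text).lower()] = text
            current.clear()
    for raw in log_text.splitlines():
        line = re.sub(r"\s*<-.*$", "", raw).strip()  # drop helper notes after "<-"
        if ENTRY.match(line):
            flush()
            current.append(line)
        elif line and current:
            current.append(line)  # continuation of an entry the forum wrapped
        else:
            flush()  # blank line, or text outside the entry list
    flush()
    return entries

def still_present(fix_list, after_log):
    """Entries marked for fixing that the post-cleanup log still contains."""
    after = parse_entries(after_log)
    return [t for k, t in parse_entries(fix_list).items() if k in after]

def newly_added(before_log, after_log):
    """Entries that appear only in the post-cleanup log."""
    before = parse_entries(before_log)
    return [t for k, t in parse_entries(after_log).items() if k not in before]

# Excerpts of the thread's two logs and the fix list, trimmed for this example.
BEFORE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: KVG.exe"""
FIX_LIST = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html <- delete the file
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: KVG.exe <- delete the file"""
AFTER = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - Global Startup: KVG.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)"""
print("still present:", still_present(FIX_LIST, AFTER))
print("new since first log:", newly_added(BEFORE, AFTER))
```

Run over the thread's full logs, the same comparison shows `O4 - Global Startup: KVG.exe` still listed after cleanup and a new `O20` WRNotifier entry.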


            • Guest: k Re: What is going on IP: *.warszawa.sdi.tpnet.pl 01.01.06, 18:39
              You will need to start the Recovery Console from the XP installation CD and replace the file winlogon.exe
              Here is a description of how to start it:
              www.searchengines.pl/phpbb203/index.php?showtopic=14270
              You extract the file using expand, its usage is also described on that page, and you extract the file winlogon.ex_ to C:\WINDOWS\System32\userinit.exe, only first you delete the infected one:
              del C:\WINDOWS\System32\userinit.exe
              then:
              expand X:\i386\winlogon.ex_ C:\WINDOWS\System32\userinit.exe
              Of course, replace X with your CD-ROM drive letter.
              • Guest: aga Re: What is going on IP: *.internetdsl.tpnet.pl 01.01.06, 18:43
                Thank you very much
