Detected SPYware! System error #384 ->What is this?!

IP: *.neoplus.adsl.tpnet.pl 02.01.06, 15:25
Hi! Recently, when starting the browser (Internet Explorer), a message appeared
on a blue background with the heading: 'Detected SPYware! System error
#384'. The page address shows: 'C:\secure32.html'. I don't really know what to
do about it... HELP!! Thanks in advance ;)
    • barracuda7110 Re: Detected SPYware! System error #384 ->What 02.01.06, 15:43
      Post a HijackThis log on the forum
      • Guest: Anula Re: Detected SPYware! System error #384 ->What IP: *.neoplus.adsl.tpnet.pl 02.01.06, 15:47
        But I'm completely green when it comes to these logs... in short: how do
        you do that? I mean, where do I get the log from? ;D
        • Guest: k Re: Detected SPYware! System error #384 ->What IP: *.warszawa.sdi.tpnet.pl 02.01.06, 16:06
          www.mgregor.republika.pl/
    • Guest: Anula Re: Detected SPYware! System error #384 ->What IP: *.neoplus.adsl.tpnet.pl 02.01.06, 17:49
      Logfile of HijackThis v1.99.1
      Scan saved at 17:46:19, on 2006-01-02
      Platform: Windows XP (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2600.0000)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\WINDOWS\explorer.exe
      C:\Documents and Settings\zdzichu\Ustawienia
      lokalne\Temp\RivaTuner\RivaTuner.exe
      C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
      C:\PROGRA~1\NEOSTR~1\CnxMon.exe
      C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
      C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      C:\WINDOWS\System32\paytime.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\WINDOWS\System32\paytime.exe
      C:\WINDOWS\System32\sywsvcs.exe
      C:\Program Files\Neostrada TP\NeostradaTP.exe
      C:\Program Files\Neostrada TP\ComComp.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\Program Files\Neostrada TP\Watch.exe
      C:\Program Files\Gadu-Gadu\gg.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Documents and Settings\zdzichu\Pulpit\HijackThis\hijackthis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      c:\secure32.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      c:\secure32.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      c:\secure32.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      c:\secure32.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      c:\secure32.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      c:\secure32.html
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
      C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
      F2 - REG:system.ini:
      Shell=explorer.exe
      "C:\Program Files\Common Files\Microsoft
      Shared\Web Folders\ibm00001.exe"
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
      C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\System32\msdxm.ocx
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
      \NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Documents and
      Settings\zdzichu\Ustawienia lokalne\Temp\RivaTuner\RivaTuner.exe" /S
      O4 - HKLM\..\Run: [RivaTuner] "c:\Documents and Settings\zdzichu\Ustawienia
      lokalne\Temp\RivaTuner\RivaTuner.exe" /T
      O4 - HKLM\..\Run: [CloneCDTray] "C:\Program
      Files\SlySoft\CloneCD\CloneCDTray.exe" /s
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
      Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
      O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
      O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web
      Folders\ibm00001.exe"
      O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
      Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
      Office\Office\OSA9.EXE
      O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
      res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
      C:\WINDOWS\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
      00aa003c157a} - C:\WINDOWS\web\related.htm
      O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
      O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
      O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
      AutoUpdate) - creative.com/su/ocx/15015/CTSUEng.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
      update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132315227842
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
      update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132325351169
      O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate
      Support Package) - creative.com/su/ocx/15016/CTPID.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{72523EA7-4AA8-4EA8-B115-E6B348976C65}:
      NameServer = 194.204.152.34 217.98.63.164
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
      Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
      Software\Avast4\ashMaiSv.exe" /service (file missing)
      O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
      Software\Avast4\ashWebSv.exe" /service (file missing)
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
      C:\WINDOWS\System32\nvsvc32.exe

      • Guest: k Re: Detected SPYware! System error #384 ->What IP: *.warszawa.sdi.tpnet.pl 02.01.06, 18:26
        In Task Manager, end:
        C:\WINDOWS\System32\paytime.exe
        C:\WINDOWS\System32\paytime.exe
        C:\WINDOWS\System32\sywsvcs.exe

        In HijackThis, remove:
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        c:\secure32.html
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        c:\secure32.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        c:\secure32.html
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        c:\secure32.html
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        c:\secure32.html
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        c:\secure32.html <- delete the file
        F2 - REG:system.ini:
        Shell=explorer.exe
        "C:\Program Files\Common Files\Microsoft
        Shared\Web Folders\ibm00001.exe"
        O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web
        Folders\ibm00001.exe" <- delete the file
        O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe <- delete the file
        O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe <- delete the file from disk
        O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
        C:\WINDOWS\web\related.htm
        O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
        00aa003c157a} - C:\WINDOWS\web\related.htm

        Also run a scan with:
        www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02&WRSID=fa418c3f36c473de8c7d2176ac7ada66 <- update before scanning, uninstall after the scan.
        download.ewido.net/ewido-setup.exe <- update before scanning, uninstall after the scan.
        Close the ports in wwdc:
        www.firewallleaktester.com/tools/wwdc.exe
        Switch your browser to Opera or Firefox and don't use IE.
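
Added example, not part of the original posts: a small triage script for the HijackThis log layout quoted in this thread. It rejoins the forum's hard-wrapped lines into whole entries and flags two patterns visible in the log above; the two heuristics, the function names and the shortened sample are assumptions made for this example.

```python
import re

# Constructed sample in the HijackThis v1.99.1 layout, using entries quoted in
# this thread and the forum's hard line wraps.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
F2 - REG:system.ini:
Shell=explorer.exe
"C:\Program Files\Common Files\Microsoft
Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

def join_entries(text):
    """Rejoin wrapped lines into (section, body) pairs, one per log entry.
    A wrap before a backslash lost no space; other wraps fell on a space."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_START.match(line)
        if m:
            entries.append([m.group(1), line[m.end():]])
        elif line and entries:
            sep = "" if line.startswith("\\") else " "
            entries[-1][1] += sep + line
    return [tuple(e) for e in entries]

def triage(entries):
    """Return (section, reason, body) for entries matching two assumed heuristics."""
    findings = []
    for section, body in entries:
        if section in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip()
            if re.match(r"^[A-Za-z]:\\", value):
                findings.append((section, "IE page set to a local file", body))
        elif section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((section, "extra program in Shell value", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(join_entries(SAMPLE_LOG)):
        print(f"{section}: {reason}: {body}")
```
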
      • Guest: k Re: Detected SPYware! System error #384 ->What IP: *.warszawa.sdi.tpnet.pl 02.01.06, 18:26
        Also get rid of the Neostrada applications:
        forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=15680440
        • Guest: Anula Re: Detected SPYware! System error #384 ->What IP: *.neoplus.adsl.tpnet.pl 02.01.06, 22:51
          So far everything went OK, thanks! But a problem came up when closing the
          ports. I installed and opened 'wwdc', but I don't know what to do next, i.e.
          which ports to close... asking for help once more :)
          • Guest: k Re: Detected SPYware! System error #384 ->What IP: *.warszawa.sdi.tpnet.pl 02.01.06, 23:42
            The ones where you don't have a green icon :>
    • Guest: Anula Re: Detected SPYware! System error #384 ->What IP: *.neoplus.adsl.tpnet.pl 03.01.06, 18:02
      All done :) I'm pasting the log for a final check.

      Logfile of HijackThis v1.99.1
      Scan saved at 17:57:41, on 2006-01-03
      Platform: Windows XP (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2600.0000)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\Program Files\ewido anti-malware\ewidoctrl.exe
      C:\Program Files\ewido anti-malware\ewidoguard.exe
      C:\Documents and Settings\zdzichu\Ustawienia
      lokalne\Temp\RivaTuner\RivaTuner.exe
      C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
      C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\Documents and Settings\zdzichu\Pulpit\HijackThis\hijackthis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
      C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
      C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\System32\msdxm.ocx
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
      \NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Documents and
      Settings\zdzichu\Ustawienia lokalne\Temp\RivaTuner\RivaTuner.exe" /S
      O4 - HKLM\..\Run: [RivaTuner] "c:\Documents and Settings\zdzichu\Ustawienia
      lokalne\Temp\RivaTuner\RivaTuner.exe" /T
      O4 - HKLM\..\Run: [CloneCDTray] "C:\Program
      Files\SlySoft\CloneCD\CloneCDTray.exe" /s
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
      Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
      Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
      Office\Office\OSA9.EXE
      O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
      res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
      O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
      O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
      AutoUpdate) - creative.com/su/ocx/15015/CTSUEng.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
      update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132315227842
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
      update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132325351169
      O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate
      Support Package) - creative.com/su/ocx/15016/CTPID.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{72523EA7-4AA8-4EA8-B115-E6B348976C65}:
      NameServer = 194.204.152.34 217.98.63.164
      O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
      Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
      Software\Avast4\ashMaiSv.exe" /service (file missing)
      O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
      Software\Avast4\ashWebSv.exe" /service (file missing)
      O23 - Service: ewido security suite control - ewido networks - C:\Program
      Files\ewido anti-malware\ewidoctrl.exe
      O23 - Service: ewido security suite guard - ewido networks - C:\Program
      Files\ewido anti-malware\ewidoguard.exe
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
      C:\WINDOWS\System32\nvsvc32.exe

      • Guest: k Re: Detected SPYware! System error #384 ->What IP: *.warszawa.sdi.tpnet.pl 03.01.06, 19:28
        Also remove:
        R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
        C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
        O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
        Don't paste a new log.

        • Guest: Anula Re: Detected SPYware! System error #384 ->What IP: *.neoplus.adsl.tpnet.pl 03.01.06, 19:31
          All done, thank you very much! :)
          • Guest: gromek Re: Detected SPYware! System error #384 ->What IP: *.neoplus.adsl.tpnet.pl 23.01.06, 16:18
            and what to do to protect myself against this if, e.g., I do a format? please reply
            to grom36@o2.pl :)
            • neder Re: Detected SPYware! System error #384 ->What 23.01.06, 16:44
              nobody is going to write you separate e-mails about something that has been on the forum
              a thousand times and that you can look up yourself (not to mention the general resources of the net)...
              For example:

              forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=19472430
              and in general the Forum Komputery FAQ:
              forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=15679891
              + something from the netsec forum (if you have XP):
              forum.gazeta.pl/forum/72,2.html?f=23618&w=30757462