TrojanDropper.Win32.Delf.z

IP: *.neoplus.adsl.tpnet.pl 25.10.04, 21:18
I don't know what's going on: whenever ANTIVIRENKIT finds it and deletes it, after
some time it shows up again in the c:/temp directory. If I got it from some website,
could someone check this site for me: www.hawryliszyn.republika.pl
    • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 25.10.04, 21:53
      maybe someone knows what it can do?
    • wwwandal1 Re: TrojanDropper.Win32.Delf.z 25.10.04, 21:57
      the site hides nothing except a popup ;) which Avantbrowser showed me:
      portal.republika.pl/popup/index3.asp
      • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 25.10.04, 22:03
        unfortunately I don't know how to remove things from the registry :(
        • wwwandal1 Re: TrojanDropper.Win32.Delf.z 25.10.04, 22:14
          first look for it in this order:
          1. antivirus
          2. on the disk
          3. in the registry
          if you remove its presence in points 1 and 2, that's okay... but it doesn't
          always work, so you have to do it manually...
          ...then:
          click START, RUN, type REGEDIT there and you are in the registry...
          then go into the keys:
          HKEY LOCAL MACHINE, SOFTWARE, MICROSOFT, WINDOWS, CURRENT VERSION, RUN - THIS IS
          WHERE your nasty thing should be sitting, and it has to be removed :) ... I only
          warn you that if you aren't sure, don't go wild, because you'll trash the system
          and it'll be a mess, so first you need to know what entries your virus creates
          and...? - get to work :)
          regards
    • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 25.10.04, 22:11
      Maybe this will help

      Logfile of HijackThis v1.98.2
      Scan saved at 22:10:29, on 2004-10-25
      Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
      MSIE: Unable to get Internet Explorer version!

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Ahead\InCD\InCDsrv.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\Program Files\AntiVirenKit\AVKService.exe
      C:\Program Files\AntiVirenKit\AVKWCtl.exe
      C:\PROGRA~1\Buhl\PCFIRE~1.0\sfw.exe
      C:\WINDOWS\system32\slserv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\Ahead\InCD\InCD.exe
      C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
      C:\Program Files\Winamp\winampa.exe
      C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE
      C:\Program Files\Win Comm\WinComm.exe
      C:\temp\msbb.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Win Comm\WinLock.exe
      C:\Program Files\Gadu-Gadu\gg.exe
      C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
      C:\Program Files\Web_Rebates\WebRebates1.exe
      C:\Program Files\Web_Rebates\WebRebates0.exe
      C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      D:\Krzysiek\Instalki\Hijack This\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      www.onet.pl/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
      C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\System32\msdxm.ocx
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
      Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
      O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
      O4 - HKLM\..\Run: [RemoteControl] "C:\Program
      Files\CyberLink\PowerDVD\PDVDServ.exe"
      O4 - HKLM\..\Run: [Secuties Personal Firewall] C:\PROGRA~1\Buhl\PCFIRE~1.0
      \sfw.exe /waitservice
      O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
      O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Program Files\Common Files\G
      DATA\AVKMail\AVKPOP.EXE"
      O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
      O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
      O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
      O4 - HKLM\..\Run: [vav] C:\WINDOWS\vav.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
      O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
      \dslmon.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
      Office\Office\OSA9.EXE
      O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
      res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Web Rebates - file://C:\Program
      Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
      C:\WINDOWS\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
      00aa003c157a} - C:\WINDOWS\web\related.htm
      O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} -
      C:\Program Files\Buhl\PC Firewall 2.0\TRASH.EXE (HKCU)
      O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-
      88899F240200} - C:\Program Files\Buhl\PC Firewall 2.0\TRASH.EXE (HKCU)
      O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-
      its:mhtml:file://c:osuxyz.mht!http://213.158.119.18/auto/loudklite.chm::/bridge-
      c46.cab
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
      a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
      O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} -
      esb.alcena.com/ESBAdultInstaller.ocx
      O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
      skaner.mks.com.pl/SkanerOnline.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
      NameServer = 194.204.152.34,194.204.159.1
      O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ABAE00-9E44-4A8D-A9F7-619A6488DFEB}:
      NameServer = 194.204.152.34 217.98.63.164
      O17 - HKLM\System\CCS\Services\Tcpip\..\{FAD30011-41A3-4EC1-86ED-A81453799064}:
      NameServer = 194.204.152.34,194.204.159.1
      O17 - HKLM\System\CS1\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
      NameServer = 194.204.152.34,194.204.159.1
      O17 - HKLM\System\CS2\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
      NameServer = 194.204.152.34,194.204.159.1

      • kalinowski11 Re: TrojanDropper.Win32.Delf.z 25.10.04, 22:26
        Flush these ... :)

        O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
        O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
        O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
        O4 - HKLM\..\Run: [vav] C:\WINDOWS\vav.exe
        > O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-
        > its:mhtml:file://c:osuxyz.mht!
        213.158.119.18/auto/loudklite.chm::/bridge-
        > c46.cab

        Maybe my esteemed colleagues will find something else.
        • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 25.10.04, 22:35
          ok, that worked :), but what did I actually delete :)
    • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 26.10.04, 22:19
      damn, now that virus has popped up again, help
      • wwwandal1 Re: TrojanDropper.Win32.Delf.z 28.10.04, 00:09
        apparently you didn't remove all the entries on the disk or in the registry...
        it's like with weeds: if you don't pull out everything, you have the field to
        weed all over again...
      • netsec Re: TrojanDropper.Win32.Delf.z how to remove 28.10.04, 08:43
        Always remove viruses, trojans etc. with System Restore turned off and in
        Safe Mode; update the system with all critical patches.
        Install SUN Java.
    • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 03.11.04, 21:42
      Damn, I still have it and can't delete it, and I don't see anything in the registry
      because I don't know my way around it :(
      maybe someone can help?
      • netsec Re: TrojanDropper.Win32.Delf.z 04.11.04, 12:33
        Paste a current HijackThis log.
        • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 05.11.04, 21:17
          here it is:
          Logfile of HijackThis v1.98.2
          Scan saved at 21:14:28, on 2004-11-05
          Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
          MSIE: Unable to get Internet Explorer version!

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Ahead\InCD\InCDsrv.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\System32\Ati2evxx.exe
          C:\Program Files\AntiVirenKit\AVKService.exe
          C:\Program Files\AntiVirenKit\AVKWCtl.exe
          C:\PROGRA~1\Buhl\PCFIRE~1.0\sfw.exe
          C:\WINDOWS\system32\slserv.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          C:\Program Files\Ahead\InCD\InCD.exe
          C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
          C:\Program Files\Winamp\winampa.exe
          C:\Program Files\Win Comm\WinComm.exe
          C:\Program Files\Web_Rebates\WebRebates0.exe
          C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Gadu-Gadu\gg.exe
          C:\Program Files\Win Comm\WinLock.exe
          C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
          C:\Program Files\eMule\emule.exe
          C:\Program Files\Web_Rebates\WebRebates1.exe
          C:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
          C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          D:\Krzysiek\Instalki\Hijack This\HijackThis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          www.onet.pl/
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
          C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
          O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
          O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
          Panel\atiptaxx.exe
          O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
          O4 - HKLM\..\Run: [RemoteControl] "C:\Program
          Files\CyberLink\PowerDVD\PDVDServ.exe"
          O4 - HKLM\..\Run: [Secuties Personal Firewall] C:\PROGRA~1\Buhl\PCFIRE~1.0
          \sfw.exe /waitservice
          O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
          O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
          O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
          O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Program Files\Common Files\G
          DATA\AVKMail\AVKPOP.EXE"
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
          O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
          \dslmon.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
          Office\Office\OSA9.EXE
          O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
          res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O8 - Extra context menu item: Web Rebates - file://C:\Program
          Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
          C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
          00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} -
          C:\Program Files\Buhl\PC Firewall 2.0\TRASH.EXE (HKCU)
          O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-
          88899F240200} - C:\Program Files\Buhl\PC Firewall 2.0\TRASH.EXE (HKCU)
          O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
          a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
          O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} -
          esb.alcena.com/ESBAdultInstaller.ocx
          O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
          skaner.mks.com.pl/SkanerOnline.cab
          O17 - HKLM\System\CCS\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
          NameServer = 194.204.152.34,194.204.159.1
          O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ABAE00-9E44-4A8D-A9F7-619A6488DFEB}:
          NameServer = 194.204.152.34 217.98.63.164
          O17 - HKLM\System\CCS\Services\Tcpip\..\{FAD30011-41A3-4EC1-86ED-A81453799064}:
          NameServer = 194.204.152.34,194.204.159.1
          O17 - HKLM\System\CS1\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
          NameServer = 194.204.152.34,194.204.159.1

    • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 05.11.04, 22:01
      I scanned the ports at www.pcflank.com/scanner1.htm :

      Port: Status Service Description

      21 stealthed FTP File Transfer Protocol is used to transfer files between computers
      23 stealthed TELNET Telnet is used to remotely create a shell (dos prompt)
      80 stealthed HTTP HTTP web services publish web pages
      135 stealthed RPC Remote Procedure Call (RPC) is used in client/server applications based on MS Windows operating systems
      137 stealthed NETBIOS Name Service NetBios is used to share files through your Network Neighborhood
      138 stealthed NETBIOS Datagram Service NetBios is used to share files through your Network Neighborhood
      139 stealthed NETBIOS Session Service NetBios is used to share files through your Network Neighborhood
      1080 stealthed SOCKS PROXY Socks Proxy is an internet proxy service
      1243 stealthed SubSeven SubSeven is one of the most widespread trojans
      3128 stealthed Masters Paradise and RingZero Trojan horses
      12345 stealthed NetBus NetBus is one of the most widespread trojans
      12348 stealthed BioNet BioNet is one of the most widespread trojan
      27374 stealthed SubSeven SubSeven is one of the most widespread trojans
      31337 stealthed Back Orifice Back Orifice is one of the most widespread trojans

      • netsec Re: TrojanDropper.Win32.Delf.z 05.11.04, 22:41
        Did you tinker with uninstalling Internet Explorer?
        Do you have the firewall in XP turned on?
        • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 06.11.04, 15:17
          I don't think I messed with Explorer at all, and the firewall is on, and I also
          have PC Firewall
          • netsec Re: TrojanDropper.Win32.Delf.z 06.11.04, 17:16
            Run HijackThis again, go to Config, then to Misc Tools, and
            click Generate StartupList log.
            The program will ask whether to generate the list; confirm, and paste the contents of the list on the forum.
            • Guest: WollY Re: TrojanDropper.Win32.Delf.z IP: *.neoplus.adsl.tpnet.pl 06.11.04, 17:28
              StartupList report, 2004-11-06, 17:27:18
              StartupList version: 1.52.2
              Started from : D:\Krzysiek\Instalki\Hijack This\HijackThis.EXE
              Detected: Windows XP Dodatek SP2 (WinNT 5.01.2600)
              Detected: Unable to get Internet Explorer version!
              * Using default options
              ==================================================

              Running processes:

              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Ahead\InCD\InCDsrv.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\System32\Ati2evxx.exe
              C:\Program Files\AntiVirenKit\AVKService.exe
              C:\Program Files\AntiVirenKit\AVKWCtl.exe
              C:\WINDOWS\Explorer.EXE
              C:\PROGRA~1\Buhl\PCFIRE~1.0\sfw.exe
              C:\WINDOWS\system32\slserv.exe
              C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
              C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
              C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
              C:\Program Files\Ahead\InCD\InCD.exe
              C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
              C:\Program Files\Winamp\winampa.exe
              C:\Program Files\Win Comm\WinComm.exe
              C:\Program Files\Web_Rebates\WebRebates0.exe
              C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE
              C:\Program Files\Messenger\msmsgs.exe
              C:\Program Files\Gadu-Gadu\gg.exe
              C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
              C:\Program Files\Win Comm\WinLock.exe
              C:\Program Files\Web_Rebates\WebRebates1.exe
              C:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
              C:\Program Files\eMule\emule.exe
              C:\Program Files\Winamp\winamp.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\setup_wm.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              D:\Krzysiek\Instalki\Hijack This\HijackThis.exe

              --------------------------------------------------

              Listing of startup folders:

              Shell folders Common Startup:
              [C:\Documents and Settings\All Users\Menu Start\Programy\Autostart]
              DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
              Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

              --------------------------------------------------

              Checking Windows NT UserInit:

              [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
              UserInit = C:\WINDOWS\system32\userinit.exe,

              --------------------------------------------------

              Autorun entries from Registry:
              HKLM\Software\Microsoft\Windows\CurrentVersion\Run

              ATIModeChange = Ati2mdxx.exe
              ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
              SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
              SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
              NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
              InCD = C:\Program Files\Ahead\InCD\InCD.exe
              RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
              Secuties Personal Firewall = C:\PROGRA~1\Buhl\PCFIRE~1.0\sfw.exe /waitservice
              WinampAgent = C:\Program Files\Winamp\winampa.exe
              Win Comm = C:\Program Files\Win Comm\WinComm.exe
              WebRebates0 = "C:\Program Files\Web_Rebates\WebRebates0.exe"
              AVK Mail Checker = "C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE"

              --------------------------------------------------

              Autorun entries from Registry:
              HKCU\Software\Microsoft\Windows\CurrentVersion\Run

              MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
              Gadu-Gadu = "C:\Program Files\Gadu-Gadu\gg.exe" /tray

              --------------------------------------------------

              Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

              Shell=*INI section not found*
              SCRNSAVE.EXE=*INI section not found*
              drivers=*INI section not found*

              Shell & screensaver key from Registry:

              Shell=Explorer.exe
              SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
              drivers=*Registry value not found*

              Policies Shell key:

              HKCU\..\Policies: Shell=*Registry key not found*
              HKLM\..\Policies: Shell=*Registry value not found*

              --------------------------------------------------


              Enumerating Browser Helper Objects:

              (no name) - C:\Program Files\Adobe\Acrobat 5.0
              CE\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

              --------------------------------------------------

              Enumerating Download Program Files:

              [Microsoft Office Template and Media Control]
              InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
              CODEBASE = office.microsoft.com/templates/ieawsdc.cab

              [Office Update Installation Engine]
              InProcServer32 = C:\WINDOWS\opuc.dll
              CODEBASE = office.microsoft.com/officeupdate/content/opuc.cab

              [HouseCall Control]
              InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
              CODEBASE =
              a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

              [{8F24DE00-0D66-4F93-9405-3F21E97AEE99}]
              CODEBASE = esb.alcena.com/ESBAdultInstaller.ocx

              [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
              CODEBASE = v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?
              38202.0427662037

              [Shockwave Flash Object]
              InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
              CODEBASE = download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

              [MainControl Class]
              InProcServer32 = C:\WINDOWS\System32\SkanerOnline.dll
              CODEBASE = skaner.mks.com.pl/SkanerOnline.cab

              --------------------------------------------------

              Enumerating ShellServiceObjectDelayLoad items:

              PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
              CDBurn: C:\WINDOWS\system32\SHELL32.dll
              WebCheck: C:\WINDOWS\system32\dllcache\webcheck.dll
              SysTray: C:\WINDOWS\System32\stobject.dll

              --------------------------------------------------
              End of report, 6 271 bytes
              Report generated in 0,312 seconds

              Command line options:
              /verbose - to add additional info on each section
              /complete - to include empty sections and unsuspicious data
              /full - to include several rarely-important sections
              /force9x - to include Win9x-only startups even if running on WinNT
              /forcent - to include WinNT-only startups even if running on Win9x
              /forceall - to include all Win9x and WinNT startups, regardless of platform
              /history - to list version history only
              • netsec Re: Startuplist 06.11.04, 18:13
                And to complete the set, a current log from HijackThis 1.98.2:
                In the meantime don't clean anything, because I won't know what the current state is.
                • Guest: WollY Re: Startuplist IP: *.neoplus.adsl.tpnet.pl 06.11.04, 19:16
                  Logfile of HijackThis v1.98.2
                  Scan saved at 19:15:38, on 2004-11-06
                  Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
                  MSIE: Unable to get Internet Explorer version!

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Ahead\InCD\InCDsrv.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\System32\Ati2evxx.exe
                  C:\Program Files\AntiVirenKit\AVKService.exe
                  C:\Program Files\AntiVirenKit\AVKWCtl.exe
                  C:\PROGRA~1\Buhl\PCFIRE~1.0\sfw.exe
                  C:\WINDOWS\system32\slserv.exe
                  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                  C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                  C:\Program Files\Ahead\InCD\InCD.exe
                  C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
                  C:\Program Files\Winamp\winampa.exe
                  C:\Program Files\Win Comm\WinComm.exe
                  C:\Program Files\Web_Rebates\WebRebates0.exe
                  C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP.EXE
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\Program Files\Gadu-Gadu\gg.exe
                  C:\Program Files\Win Comm\WinLock.exe
                  C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
                  C:\Program Files\Web_Rebates\WebRebates1.exe
                  C:\Program Files\Winamp\winamp.exe
                  C:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
                  C:\Program Files\eMule\emule.exe
                  C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
                  C:\Program Files\Internet Explorer\iexplore.exe
                  C:\Program Files\Internet Explorer\iexplore.exe
                  D:\Krzysiek\Instalki\Hijack This\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                  www.onet.pl/
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                  C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
                  O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
                  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
                  Panel\atiptaxx.exe
                  O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                  O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                  O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                  O4 - HKLM\..\Run: [RemoteControl] "C:\Program
                  Files\CyberLink\PowerDVD\PDVDServ.exe"
                  O4 - HKLM\..\Run: [Secuties Personal Firewall] C:\PROGRA~1\Buhl\PCFIRE~1.0
                  \sfw.exe /waitservice
                  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
                  O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
                  O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
                  O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Program Files\Common Files\G
                  DATA\AVKMail\AVKPOP.EXE"
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
                  O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
                  \dslmon.exe
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                  Office\Office\OSA9.EXE
                  O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                  res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                  O8 - Extra context menu item: Web Rebates - file://C:\Program
                  Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                  C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
                  00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} -
                  C:\Program Files\Buhl\PC Firewall 2.0\TRASH.EXE (HKCU)
                  O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-
                  88899F240200} - C:\Program Files\Buhl\PC Firewall 2.0\TRASH.EXE (HKCU)
                  O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
                  a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                  O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} -
                  esb.alcena.com/ESBAdultInstaller.ocx
                  O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
                  skaner.mks.com.pl/SkanerOnline.cab
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
                  NameServer = 194.204.152.34,194.204.159.1
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ABAE00-9E44-4A8D-A9F7-619A6488DFEB}:
                  NameServer = 194.204.152.34 217.98.63.164
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{FAD30011-41A3-4EC1-86ED-A81453799064}:
                  NameServer = 194.204.152.34,194.204.159.1
                  O17 - HKLM\System\CS1\Services\Tcpip\..\{0A304889-77BB-4845-89F7-EFEA60A9B80D}:
                  NameServer = 194.204.152.34,194.204.159.1
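
Comparing the autorun (O4) entries of the first and the last HijackThis log in this thread, as an added example that is not part of any post: it rejoins the hard-wrapped log lines, diffs the Run-key entries, and reports which names kalinowski11 listed are still registered. The wrap-joining rule, the `C:\WINDOWS` root and the location heuristic in `odd_location` are assumptions made for this example; entries installed under `Program Files` (Win Comm, WebRebates0) are not caught by location and only show up through the name list.

```python
import ntpath
import re

# Constructed samples: autorun (O4) lines copied from the first and the last
# HijackThis log in the thread, keeping the forum's hard line wraps.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [RemoteControl] "C:\Program
Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Secuties Personal Firewall] C:\PROGRA~1\Buhl\PCFIRE~1.0
\sfw.exe /waitservice
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [vav] C:\WINDOWS\vav.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [RemoteControl] "C:\Program
Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Secuties Personal Firewall] C:\PROGRA~1\Buhl\PCFIRE~1.0
\sfw.exe /waitservice
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
"""

# Entry names kalinowski11 listed for removal in the thread.
FLAGGED_IN_THREAD = {"Win Comm", "msbb", "WebRebates0", "vav"}

SECTION = re.compile(r"^[A-Z]\d{1,2} - ")  # R0, O4, O16, ...
RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")


def unwrap(log):
    """Rejoin lines the forum wrapped. Heuristic (assumption): a line that does
    not start with a section code continues the previous one; the wrap replaced
    a space unless it fell before a backslash or after a hyphen."""
    out = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION.match(line) or not out:
            out.append(line)
        elif line.startswith("\\") or out[-1].endswith("-"):
            out[-1] += line
        else:
            out[-1] += " " + line
    return out


def run_entries(log):
    """Map (hive, value name) -> command for every O4 Run-key entry."""
    entries = {}
    for line in unwrap(log):
        m = RUN.match(line)
        if m:
            entries[(m.group(1), m.group(3))] = m.group(4)
    return entries


def odd_location(command):
    """True if the executable sits in a temp directory or directly in the
    Windows root (assumed to be C:\\WINDOWS) rather than a program folder."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', command, re.I)
    if not m:
        return False
    folder = ntpath.dirname(m.group(1) or m.group(2)).lower()
    return folder == r"c:\windows" or "temp" in folder.split("\\")


def diff_autoruns(before, after):
    """Return (removed, added) Run-key entries between two logs."""
    b, a = run_entries(before), run_entries(after)
    removed = {k: b[k] for k in b.keys() - a.keys()}
    added = {k: a[k] for k in a.keys() - b.keys()}
    return removed, added


def still_flagged(log):
    """Names from FLAGGED_IN_THREAD that are still registered in this log."""
    return sorted({name for _, name in run_entries(log)} & FLAGGED_IN_THREAD)


if __name__ == "__main__":
    removed, added = diff_autoruns(LOG_BEFORE, LOG_AFTER)
    for (hive, name), cmd in sorted(removed.items()):
        print(f"removed  {hive} [{name}] {cmd}  odd_location={odd_location(cmd)}")
    for (hive, name), cmd in sorted(added.items()):
        print(f"added    {hive} [{name}] {cmd}")
    print("still registered from the flagged list:", still_flagged(LOG_AFTER))
```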
