Check my HijackThis log!!!!

21.12.04, 19:02
Please help.... I'm afraid I'll remove the wrong thing. Thank you!
Logfile of HijackThis v1.97.5
Scan saved at 18:52:54, on 04-12-21
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
C:\PROGRAM FILES\22M WLAN ADAPTER\WLANMON.EXE
C:\PROGRAM FILES\BEARPAW 1200CS\DRIVER\WATCH.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVSUIT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINDOWS\HPFTBX13.EXE
C:\WINDOWS\SYSTEM\HPFBKG13.EXE
C:\MOJE DOKUMENTY\NOWE M\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
69.50.191.52/2484/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
file)
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS
SERVEAD\WINSERVAD.EXE
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - Startup: 22M WLAN Adapter.lnk = C:\Program Files\22M WLAN
Adapter\WLANMON.exe
O4 - Startup: Watch.lnk = C:\Program Files\BearPaw 1200CS\Driver\WATCH.exe
O4 - Startup: SpySubtract.lnk = C:\Program
Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-000000000000} -
download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
www.live365.com/players/play365.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2523263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
static.windupdates.com/cab/MusicUnlimited/ie/bridge-c11.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) -
static.topconverting.com/activex/loader2.ocx
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) -
www.globalphon.com/dialer/russia.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) - security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =
192.168.0.1,194.204.152.34,194.204.159.1
    • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 21.12.04, 21:39
      Paste a log generated with the new HijackThis:
      www.spywareinfo.com/~merijn/files/HijackThis.exe
    • wima4 Re: Check my HijackThis log!!!! 22.12.04, 09:02
      New log:
      Logfile of HijackThis v1.99.0
      Scan saved at 08:57:43, on 04-12-22
      Platform: Windows 98 SE (Win9x 4.10.2222A)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\SYSTEM\KERNEL32.DLL
      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
      C:\WINDOWS\SYSTEM\MPREXE.EXE
      C:\WINDOWS\SYSTEM\mmtask.tsk
      C:\WINDOWS\EXPLORER.EXE
      C:\WINDOWS\RUNDLL32.EXE
      C:\WINDOWS\TASKMON.EXE
      C:\WINDOWS\SYSTEM\STIMON.EXE
      C:\WINDOWS\SYSTEM\ATITASK.EXE
      C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
      C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
      C:\PROGRAM FILES\22M WLAN ADAPTER\WLANMON.EXE
      C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVSUIT.EXE
      C:\PROGRAM FILES\BEARPAW 1200CS\DRIVER\WATCH.EXE
      C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
      C:\WINDOWS\SYSTEM\PSTORES.EXE
      C:\WINDOWS\SYSTEM\DDHELP.EXE
      C:\PROGRAM FILES\GADU-GADU\GG.EXE
      C:\WINDOWS\RUNDLL32.EXE
      C:\MOJE DOKUMENTY\CIEKAWE\HIJACKTHIS.EXE

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      www.onet.pl/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      69.50.191.52/2484/sp.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      213.159.117.134/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
      file)
      F1 - win.ini: run=hpfsched
      O1 - Hosts: 69.20.16.183 auto.search.msn.com
      O1 - Hosts: 69.20.16.183 search.netscape.com
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\SYSTEM\MSDXM.OCX
      O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
      O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
      O4 - HKLM\..\Run: [Atikey] Atitask.exe
      O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
      O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
      O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS
      SERVEAD\WINSERVAD.EXE
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
      O4 - Startup: 22M WLAN Adapter.lnk = C:\Program Files\22M WLAN
      Adapter\WLANMON.exe
      O4 - Startup: Watch.lnk = C:\Program Files\BearPaw 1200CS\Driver\WATCH.exe
      O4 - Startup: SpySubtract.lnk = C:\Program
      Files\interMute\SpySubtract\SpySub.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
      C:\WINDOWS\SYSTEM\MSJAVA.DLL
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
      00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
      O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
      O15 - Trusted Zone: *.iframedollars.biz
      O15 - Trusted Zone: *.iframedollars.biz (HKLM)
      O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
      skaner.mks.com.pl/SkanerOnline.cab
      O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
      www.live365.com/players/play365.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
      www.pandasoftware.com/activescan/as5/asinst.cab
      O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
      download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
      O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
      static.windupdates.com/cab/MusicUnlimited/ie/bridge-c11.cab
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
      Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) -
      static.topconverting.com/activex/loader2.ocx
      O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) -
      www.globalphon.com/dialer/russia.CAB
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
      security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
      a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

      • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 09:09
        To be removed:

        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        69.50.191.52/2484/sp.php
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        213.159.117.134/index.php

        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
        file)

        O1 - Hosts: 69.20.16.183 auto.search.msn.com
        O1 - Hosts: 69.20.16.183 search.netscape.com
        O1 - Hosts: 69.20.16.183 ieautosearch
        O1 - Hosts: 69.20.16.183 ieautosearch
        O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)

        O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS
        SERVEAD\WINSERVAD.EXE

        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

        O15 - Trusted Zone: *.iframedollars.biz
        O15 - Trusted Zone: *.iframedollars.biz (HKLM)

        O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
        www.live365.com/players/play365.cab

        O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
        static.windupdates.com/cab/MusicUnlimited/ie/bridge-c11.cab

        O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) -
        static.topconverting.com/activex/loader2.ocx
        O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) -
        www.globalphon.com/dialer/russia.CAB
        • wima4 Re: Check my HijackThis log!!!! 22.12.04, 09:55
          After removing the marked items - new log:
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          www.onet.pl/
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
          F1 - win.ini: run=hpfsched
          O1 - Hosts: 69.20.16.183 auto.search.msn.com
          O1 - Hosts: 69.20.16.183 search.netscape.com
          O1 - Hosts: 69.20.16.183 ieautosearch
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
          C:\WINDOWS\SYSTEM\MSDXM.OCX
          O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
          O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
          O4 - HKLM\..\Run: [Atikey] Atitask.exe
          O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
          O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
          O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS
          SERVEAD\WINSERVAD.EXE
          O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
          O4 - Startup: 22M WLAN Adapter.lnk = C:\Program Files\22M WLAN
          Adapter\WLANMON.exe
          O4 - Startup: Watch.lnk = C:\Program Files\BearPaw 1200CS\Driver\WATCH.exe
          O4 - Startup: SpySubtract.lnk = C:\Program
          Files\interMute\SpySubtract\SpySub.exe
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
          C:\WINDOWS\SYSTEM\MSJAVA.DLL
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
          00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
          O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
          O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
          skaner.mks.com.pl/SkanerOnline.cab
          O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
          www.live365.com/players/play365.cab
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
          www.pandasoftware.com/activescan/as5/asinst.cab
          O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
          download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
          Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
          O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
          security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
          O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
          a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

          • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 09:58
            This as well:

            > O1 - Hosts: 69.20.16.183 auto.search.msn.com
            > O1 - Hosts: 69.20.16.183 search.netscape.com
            > O1 - Hosts: 69.20.16.183 ieautosearch
    • wima4 Re: Check my HijackThis log!!!! 22.12.04, 10:38
      Problem! I remove these items, but they are still there.... impossible to remove, I tried
      several times. I have the Adware.Look2me.R virus on the system. I cannot delete the
      affected files. They are the files c:\WINDOWS\SYSTEM\ONESVR.DLL and
      c:\WINDOWS\SYSTEM\wjdmps.dll
      • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 10:48
        And did you remove this?

        O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS
        SERVEAD\WINSERVAD.EXE
        • wima4 Re: Check my HijackThis log!!!! 22.12.04, 11:41
          Yes - removed in safe mode, but these 3 items are still there.
          O1 - Hosts: 69.20.16.183 auto.search.msn.com
          > O1 - Hosts: 69.20.16.183 search.netscape.com
          > O1 - Hosts: 69.20.16.183 ieautosearch
          • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 12:29
            Try running CWShredder (with the browser closed):
            cwshredder.net/bin/CWSInstall.exe

            If it doesn't cope, choose Start -> Run:
            notepad c:\windows\hosts
            and manually delete the lines with the addresses and save the changes.

            Then you can paste the log once more.
            • wima4 Re: Check my HijackThis log!!!! 22.12.04, 13:39
              cwshredder found: CWS.BootConf and CWS.Svchost32 and the computer froze, I deleted
              manually via Start > Run...
              Latest log:
              Logfile of HijackThis v1.99.0
              Scan saved at 13:33:34, on 04-12-22
              Platform: Windows 98 SE (Win9x 4.10.2222A)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\WINDOWS\SYSTEM\KERNEL32.DLL
              C:\WINDOWS\SYSTEM\MSGSRV32.EXE
              C:\WINDOWS\SYSTEM\MPREXE.EXE
              C:\WINDOWS\SYSTEM\mmtask.tsk
              C:\WINDOWS\TASKMON.EXE
              C:\WINDOWS\SYSTEM\STIMON.EXE
              C:\WINDOWS\SYSTEM\ATITASK.EXE
              C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
              C:\PROGRAM FILES\22M WLAN ADAPTER\WLANMON.EXE
              C:\PROGRAM FILES\BEARPAW 1200CS\DRIVER\WATCH.EXE
              C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
              C:\WINDOWS\SYSTEM\DDHELP.EXE
              C:\WINDOWS\EXPLORER.EXE
              C:\WINDOWS\RUNDLL32.EXE
              C:\PROGRAM FILES\GADU-GADU\GG.EXE
              C:\MOJE DOKUMENTY\CIEKAWE\HIJACKTHIS2.EXE

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
              www.onet.pl/
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
              F1 - win.ini: run=hpfsched
              O1 - Hosts: 69.20.16.183 auto.search.msn.com
              O1 - Hosts: 69.20.16.183 search.netscape.com
              O1 - Hosts: 69.20.16.183 ieautosearch
              O1 - Hosts: 69.20.16.183 ieautosearch
              O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
              C:\WINDOWS\SYSTEM\MSDXM.OCX
              O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
              O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
              O4 - HKLM\..\Run: [Atikey] Atitask.exe
              O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
              O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
              O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
              O4 - HKCU\..\RunServices: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
              O4 - Startup: 22M WLAN Adapter.lnk = C:\Program Files\22M WLAN
              Adapter\WLANMON.exe
              O4 - Startup: Watch.lnk = C:\Program Files\BearPaw 1200CS\Driver\WATCH.exe
              O4 - Startup: SpySubtract.lnk = C:\Program
              Files\interMute\SpySubtract\SpySub.exe
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
              C:\WINDOWS\SYSTEM\MSJAVA.DLL
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
              00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
              O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
              O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
              skaner.mks.com.pl/SkanerOnline.cab
              O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
              www.live365.com/players/play365.cab
              O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
              www.pandasoftware.com/activescan/as5/asinst.cab
              O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
              download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
              O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
              Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
              O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
              security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
              O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
              a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

              • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 13:53
                But as you can see it didn't help much... The entries came back. I have the
                impression that HJT doesn't show everything.

                Try running Shredder in safe mode. You can also try running
                an older version of CWShredder:
                www.searchengines.pl/phpbb203/pliki/picasso/downloads/cwshredder.zip
                • wima4 Re: Check my HijackThis log!!!! 22.12.04, 14:18
                  In safe mode - everything clean. After running the older version of CWShredder,
                  the same:
                  Done!
                  Removed from your system:
                  - CWS.Bootconf
                  - Hosts file redirections
                  HijackThis log unchanged.
                  • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 14:23
                    And when you delete the entries in the HOSTS file they come back? Are you sure you saved the changes?
                    • netsec Re: Check my HijackThis log!!!! 22.12.04, 14:37
                      80.53.91.142/netsec/tools/Silent_Runners.zip
                    • wima4 Re: Check my HijackThis log!!!! 22.12.04, 15:24
                      Thanks for your patience - everything cleaned out in Notepad, saved, and a
                      moment later it starts all over again... the same sites open and the same entry is there.
                      • Guest: piecyk gazowy Re: Check my HijackThis log!!!! IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 16:11
                        Patience is not always enough. ;-) Run the script suggested by Netsec,
                        it will generate a text file. Paste its contents on the forum.
          • netsec Re: Check my HijackThis log!!!! 22.12.04, 12:53
            Download this tool and run a report with it, then paste its log on the forum.
            80.53.91.142/netsec/tools/Silent Runners.zip
          • netsec Correct link to Silent Runners 22.12.04, 12:59

            80.53.91.142/netsec/tools/Silent_Runners.zip
            • wima4 Re: Correct link to Silent Runners 22.12.04, 17:56
              "Silent Runners.vbs", revision 27, launched at: 17:49
              Operating System: Windows 98


              Startup items buried in registry:
              ---------------------------------

              HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
              "Gadu-Gadu" = ""C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray" ["sms-express.com"]

              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
              "TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
              "StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
              "Atikey" = "Atitask.exe" ["ATI Technologies, Inc."]
              "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
              "mdac_runonce" = "C:\WINDOWS\SYSTEM\runonce.exe" [MS]

              HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
              "WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
              -> resolves to: {CLSID}\InprocServer32\(Default)
              = "C:\WINDOWS\SYSTEM\WEBCHECK.DLL" [MS]


              WIN.INI & SYSTEM.INI launch points:
              -----------------------------------

              WIN.INI
              [windows]
              INFECTION WARNING! "run=hpfsched" [file not found]


              Startup items in "Startup" & "All Users...Startup" folders:
              -----------------------------------------------------------

              C:\WINDOWS\Menu Start\Programy\Autostart
              "22M WLAN Adapter" -> shortcut to: "C:\Program Files\22M WLAN
              Adapter\WLANMON.exe" ["0"]
              "Watch" -> shortcut to: "C:\Program Files\BearPaw 1200CS\Driver\WATCH.exe"
              ["Common Group"]
              "SpySubtract" -> shortcut to: "C:\Program
              Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]


              Enabled Scheduled Tasks:
              ------------------------

              "Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]
              "Symantec NetDetect" -> launches: "C:\PROGRAM
              FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" [file not found]
              "mks_vir - Zadanie 0" -> WARNING
              • Guest: piecyk gazowy Re: Correct link to Silent Runners IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 21:54
                Yes, that's what I meant. The "funniest" thing is that here, just like in HJT,
                nothing shows up. Have you scanned the system with Ad-aware and Spybot? If not, do it.

                Ad-Aware
                ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exePolish localization
                www.programosy.schron.pl/pl/adw10xpl.rar
                Spybot - Search & Destroy
                ftp://ftp.download.com/pub/win95/utilities/spybotsd13.exe
                • Guest: piecyk gazowy Re: Correct link to Silent Runners IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 21:55
                  Portal guest: piecyk gazowy wrote:

                  > Ad-Aware
                  > ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exePolish localization
                  > www.programosy.schron.pl/pl/adw10xpl.rar

                  The second link is the Polish localization for the program.
                  • Guest: piecyk gazowy The links got stuck together, once more IP: *.tpnet.pl / *.tpnet.pl 22.12.04, 21:56
                    Ad-Aware
                    ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe
                    Polish localization
                    www.programosy.schron.pl/pl/adw10xpl.rar
              • Guest: piecyk gazowy ieautosearch IP: *.tpnet.pl / *.tpnet.pl 23.12.04, 20:31
                www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry109496
                • wima4 Re: ieautosearch 24.12.04, 10:49
                  Thanks - this is definitely an effective way to solve my problems.
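
The check repeated by hand throughout this thread (which entries marked for removal still appear in the next pasted log, and which hostnames the hosts file redirects) can be scripted. The following is an added example, not part of any post and not code from HijackThis; the sample logs are excerpts of lines posted in the thread, and the function names are illustrative assumptions.

```python
import re

# A HijackThis entry starts with a section code such as "R0 - ", "F1 - ", "O16 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
HOSTS_ENTRY = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")

# Excerpt of the entries marked for removal in the thread (22.12.04, 09:09).
FLAGGED = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
69.50.191.52/2484/sp.php
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS
SERVEAD\WINSERVAD.EXE
O15 - Trusted Zone: *.iframedollars.biz
"""

# Excerpt of the later log from the thread (scan saved at 13:33:34).
LATER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
"""

def parse_entries(log_text):
    """Return the log's entries in order, rejoining lines the forum wrapped."""
    entries, open_entry = [], False
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("> ").strip()  # also drop reply-quote markers
        if not line:
            open_entry = False                   # a blank line ends the entry
        elif ENTRY_START.match(line):
            entries.append(line)
            open_entry = True
        elif open_entry:
            prev = entries[-1]
            # A GUID split at a hyphen is rejoined without an extra space.
            glue = "" if re.search(r"[0-9A-Fa-f]-$", prev) else " "
            entries[-1] = prev + glue + line
    return entries

def normalize(entry):
    """Collapse whitespace and case so re-pasted logs compare equal."""
    return " ".join(entry.split()).lower()

def persisted(flagged_text, later_log_text):
    """Entries marked for removal that are still present in a later log."""
    later = {normalize(e) for e in parse_entries(later_log_text)}
    seen, result = set(), []
    for entry in parse_entries(flagged_text):
        key = normalize(entry)
        if key in later and key not in seen:
            seen.add(key)
            result.append(entry)
    return result

def hosts_redirects(entries):
    """Map each non-loopback IP in O1 entries to the hostnames pointed at it."""
    redirects = {}
    for entry in entries:
        m = HOSTS_ENTRY.match(entry)
        if m and not m.group(1).startswith("127."):
            names = redirects.setdefault(m.group(1), [])
            if m.group(2) not in names:
                names.append(m.group(2))
    return redirects

if __name__ == "__main__":
    for entry in persisted(FLAGGED, LATER):
        print("still present:", entry)
    print(hosts_redirects(parse_entries(LATER)))
```
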
