IP: *.neoplus.adsl.tpnet.pl 13.05.05, 14:10
In Explorer it causes the 'about:blank' page to open along with its own messages saying the system is infected; on top of that there are loads of messages about a trojan, apparently with the extension se.dll: when starting GG, opening desktops, etc. How do I get rid of this? Ala, a layperson :(
    • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 13.05.05, 14:42
      Use this:
      www.trojaner-info.de/files/SpSeHjfix112.exe
      Then scan with this and paste the scan results on the forum:
      www.spychecker.com/program/hijackthis.html
    • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 13.05.05, 15:28
      I did everything according to the instructions, but it turns out the log cannot be opened by WinFax, whatever that means. So I'm having trouble posting this 'log' here :(
      • Guest: Basia Re: Trojan IP: *.internetdsl.tpnet.pl 13.05.05, 15:47
        Maybe scan with this: skaner.mks.com.pl/
    • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 13.05.05, 15:47
      Here is a log from another program:

      Ad-Aware SE Build 1.05
      Logfile Created on:13 maja 2005 15:38:09
      Created with Ad-Aware SE Personal, free for private use.
      Using definitions file:SE1R44 10.05.2005
      »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

      References detected during the scan:
      »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
      MRU List(TAC index:0):35 total references
      Tracking Cookie(TAC index:3):4 total references
      »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

      Ad-Aware SE Settings
      ===========================
      Set : Search for negligible risk entries
      Set : Safe mode (always request confirmation)
      Set : Scan active processes
      Set : Scan registry
      Set : Deep-scan registry
      Set : Scan my IE Favorites for banned URLs
      Set : Scan my Hosts file

      Extended Ad-Aware SE Settings
      ===========================
      Set : Unload recognized processes & modules during scan
      Set : Scan registry for all users instead of current user only
      Set : Always try to unload modules before deletion
      Set : Let Windows remove files in use at next reboot
      Set : Delete quarantined objects after restoring
      Set : Include basic Ad-Aware settings in log file
      Set : Include additional Ad-Aware settings in log file
      Set : Include reference summary in log file
      Set : Include alternate data stream details in log file
      Set : Play sound at scan completion if scan locates critical objects


      13-05-05 15:38:10 - Scan started. (Smart mode)

      Listing running processes
      »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

      #:1 [KERNEL32.DLL]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4293917443
      Threads : 4
      Priority : High
      FileVersion : 4.10.1998
      ProductVersion : 4.10.1998
      ProductName : System operacyjny Microsoft(R) Windows(R)
      CompanyName : Microsoft Corporation
      FileDescription : Składnik jądra Win32
      InternalName : KERNEL32
      LegalCopyright : Copyright (C) Microsoft Corp. 1991-1998
      OriginalFilename : KERNEL32.DLL

      #:2 [MSGSRV32.EXE]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4292882331
      Threads : 1
      Priority : Normal
      FileVersion : 4.10.1998
      ProductVersion : 4.10.1998
      ProductName : System operacyjny Microsoft(R) Windows(R)
      CompanyName : Microsoft Corporation
      FileDescription : 32-bitowy Serwer wiadomości VxD systemu Windows
      InternalName : MSGSRV32
      LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
      OriginalFilename : MSGSRV32.EXE

      #:3 [MPREXE.EXE]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4292884587
      Threads : 2
      Priority : Normal
      FileVersion : 4.10.1998
      ProductVersion : 4.10.1998
      ProductName : Microsoft(R) Windows(R) Operating System
      CompanyName : Microsoft Corporation
      FileDescription : WIN32 Network Interface Service Process
      InternalName : MPREXE
      LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
      OriginalFilename : MPREXE.EXE

      #:4 [mmtask.tsk]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4292871267
      Threads : 1
      Priority : Normal
      FileVersion : 4.03.1998
      ProductVersion : 4.03.1998
      ProductName : Microsoft Windows
      CompanyName : Microsoft Corporation
      FileDescription : Multimedia background task support module
      InternalName : mmtask.tsk
      LegalCopyright : Copyright © Microsoft Corp. 1991-1998
      OriginalFilename : mmtask.tsk

      #:5 [MSTASK.EXE]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4292917539
      Threads : 3
      Priority : Normal
      FileVersion : 4.71.1769.1
      ProductVersion : 4.71.1769.1
      ProductName : Microsoft® Windows® - Harmonogram zadań
      CompanyName : Microsoft Corporation
      FileDescription : Aparat Harmonogramu zadań
      InternalName : TaskScheduler
      LegalCopyright : Copyright (C) Microsoft Corp. 1997
      OriginalFilename : mstask.exe

      #:6 [ATIUPDPL.EXE]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4292905579
      Threads : 9
      Priority : Normal


      #:7 [EXPLORER.EXE]
      FilePath : C:\WINDOWS\
      ProcessID : 4292932923
      Threads : 5
      Priority : Normal
      FileVersion : 4.72.3110.1
      ProductVersion : 4.72.3110.1
      ProductName : System operacyjny Microsoft(R) Windows NT(R)
      CompanyName : Microsoft Corporation
      FileDescription : Windows Explorer
      InternalName : explorer
      LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
      OriginalFilename : EXPLORER.EXE

      #:8 [INTERNAT.EXE]
      FilePath : C:\WINDOWS\SYSTEM\
      ProcessID : 4292996667
      Threads : 1
      Priority : Normal
      FileVersion : 4.10.1998
      ProductVersion : 4.10.1998
      ProductName : System operacyjny Microsoft(R) Windows(R)
      CompanyName : Microsoft Corporation
      FileDescription : Aplikacja wskaźnika klawiatury
      InternalName : INTERNAT
      LegalCopyright : Copyright (C) Microsoft Corp. 1998
      OriginalFilename : INTERNAT.EXE

      #:9 [RUNDLL32.EXE]
      FilePath : C:\WINDOWS\
      ProcessID : 4292998739
      Threads : 1
      Priority : Normal
      FileVersion : 4.10.1998
      ProductVersion : 4.10.1998
      ProductName : System operacyjny Microsoft(R) Windows(R)
      CompanyName : Microsoft Corporation
      FileDescription : Uruchamia plik DLL jako aplikację
      InternalName : rundll
      LegalCopyright : Copyright (C) Microsoft Corp. 1991-1998
      OriginalFilename : RUNDLL.EXE

      #:10 [CAGENT.EXE]
      FilePath : C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\
      ProcessID : 4292988291
      Threads : 1
      Priority : Normal
      FileVersion : 5.0.0.312
      ProductVersion : 5.0.0.312
      ProductName : FineReader
      CompanyName : ABBYY (BIT Software)
      FileDescription : ABBYY Community Agent
      InternalName : CommunityAgent
      LegalCopyright : Copyright © 1993-2001 ABBYY (BIT Software).
      LegalTrademarks : FineReader is the trademark of ABBYY (BIT Software)
      OriginalFilename : CAgent.exe

      #:11 [INCD.EXE]
      FilePath : C:\PROGRAM FILES\AHEAD\INCD\
      ProcessID : 4292991883
      Threads : 2
      Priority : Normal
      FileVersion : 3.5.24.0
      ProductVersion : 3.5.24.0
      ProductName : InCD
      CompanyName : Copyright (C) ahead software gmbh and its licensors
      FileDescription : InCD CD-RW UDF Tools
      InternalName : InCD
      LegalCopyright
      • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 13.05.05, 15:56
        Ugh, it turns out this log isn't all of it :((( and there's a lot of it. After all, I have the impression that this isn't what's wanted :(
        After the first reply to my post and carrying out the first instruction, Internet Explorer no longer works for me :( and that skaner.mks.com.pl can be run from Explorer but not from Opera :(
        • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 13.05.05, 16:43
          Right-click the Internet Explorer icon and choose Open; it will start. Then go to
          Tools->Internet Options and enter some start page, e.g. www.gazeta.pl, and it will
          start normally from then on.

          In HijackThis press "Do a system scan and save a logfile"; a file will open whose
          contents you are to paste here on the forum.
          • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 13.05.05, 23:23
            Explorer works - thank you! Unfortunately, following the instructions about the log, I can't manage to bring it over here :(. The information cannot be copied (by clicking with the mouse) and the message 'The header does not appear to be from a WinFax file' appears :(. Ala the layperson.
            • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 14.05.05, 00:49
              Go to Control Panel->Folder Options->File Types, find LOG there, click Change
              next to it and pick Notepad from the list; it should then open fine.
              And uninstall WinFax, since you probably don't use it anyway?
              • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 14.05.05, 08:14
                Here you go:

                Logfile of HijackThis v1.99.1
                Scan saved at 23:22:05, on 13-05-05
                Platform: Windows 98 Gold (Win9x 4.10.1998)
                MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                Running processes:
                C:\WINDOWS\SYSTEM\KERNEL32.DLL
                C:\WINDOWS\SYSTEM\MSGSRV32.EXE
                C:\WINDOWS\SYSTEM\MPREXE.EXE
                C:\WINDOWS\SYSTEM\mmtask.tsk
                C:\WINDOWS\SYSTEM\MSTASK.EXE
                C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
                C:\WINDOWS\EXPLORER.EXE
                C:\WINDOWS\SYSTEM\INTERNAT.EXE
                C:\WINDOWS\RUNDLL32.EXE
                C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
                C:\PROGRAM FILES\MULTIMEDIA CARD READER\SHWICON98.EXE
                C:\WINDOWS\TASKMON.EXE
                C:\WINDOWS\SYSTEM\SYSTRAY.EXE
                C:\WINDOWS\TPPALDR.EXE
                C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE
                C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
                C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
                C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
                C:\PROGRAM FILES\GADU-GAD\GG.EXE
                C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
                C:\WINDOWS\SYSTEM\SPOOL32.EXE
                C:\WINDOWS\SYSTEM\RNAAPP.EXE
                C:\WINDOWS\SYSTEM\TAPISRV.EXE
                C:\WINDOWS\SYSTEM\DDHELP.EXE
                C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE
                C:\PROGRAM FILES\WANADOO\COMCOMP.EXE
                C:\PROGRAM FILES\WANADOO\WATCH.EXE
                C:\PROGRAM FILES\OPERA\OPERA.EXE
                C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
                C:\WINDOWS\TEMP\HIJACKTHIS.EXE
                C:\PROGRAM FILES\SYMANTEC\WINFAX\WFVW32.EXE

                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = www.allcybersearch.com/ie/
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.searchv.com/1/search.html
                R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.searchv.com/1/
                R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.searchv.com/1/search.html
                R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.searchv.com/1/
                R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
                O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
                O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
                O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
                O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                O4 - HKLM\..\Run: [internat.exe] internat.exe
                O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
                O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
                O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                O4 - HKLM\..\Run: [Sunkist] C:\Program Files\Multimedia Card Reader\shwicon98.exe
                O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
                O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
                O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
                O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRAM FILES\WANADOO\taskbaricon.exe
                O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
                O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
                O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
                O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
                O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
                O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GAD\GG.EXE" /tray
                O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
                O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
                O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
                O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
                O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
                O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
                O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
                O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
                O15 - Trusted Zone: *.windupdates.com
                O15 - Trusted Zone: *.skoobidoo.com
                O15 - Trusted Zone: *.crazywinnings.com
                O15 - Trusted Zone: *.windupdates.com (HKLM)
                O15 - Trusted Zone: *.skoobidoo.com (HKLM)
                O15 - Trusted Zone: *.crazywinnings.com (HKLM)
                O15 - Trusted IP range: 67.19.178.84
                O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
                O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
                O16 - DPF: ppctlcab - ppupdates.ca.com/downloads/scanner/ppctlcab.cab
                O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - ppupdates.ca.com/downloads/scanner/axscanner.cab
                O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com/securityadvisor/virusinfo/webscan.cab
                O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
                O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
                • Guest: Akus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 14.05.05, 08:17
                  Yesterday I also managed to run skaner.mks... and I think I removed some 9
                  trojans...
                • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 14.05.05, 11:37
                  Don't run HijackThis from Temp; copy it to the desktop instead, because otherwise
                  you won't be able to recover anything later if you delete too much.

                  In HijackThis choose Scan only and tick these entries:

                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = www.allcybersearch.com/ie/
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.searchv.com/1/search.html
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.searchv.com/1/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.searchv.com/1/search.html
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.searchv.com/1/
                  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*www.yahoo.com
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
                  O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
                  O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
                  O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
                  O15 - Trusted Zone: *.windupdates.com
                  O15 - Trusted Zone: *.skoobidoo.com
                  O15 - Trusted Zone: *.crazywinnings.com
                  O15 - Trusted Zone: *.windupdates.com (HKLM)
                  O15 - Trusted Zone: *.skoobidoo.com (HKLM)
                  O15 - Trusted Zone: *.crazywinnings.com (HKLM)
                  O15 - Trusted IP range: 67.19.178.84
                  O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
                  O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab

                  Then Fix Checked, and next download KillBox:
                  www.downloads.subratam.org/KillBox.zip
                  Unpack it, tick Delete file on reboot, paste the path to the file (don't search
                  for it yourself, just paste the ready-made one) and press the red button, but
                  answer No to the question about restarting; do this with these files:

                  C:\WINDOWS\Java\classes\win32ie4.cab
                  C:\WINDOWS\SYSTEM\atiupdpl.exe

                  Then restart and after the restart scan the system with these:
                  housecall.trendmicro.com/housecall/start_corp.asp
                  www.windowsecurity.com/trojanscan/
                  www.pandasoftware.com/activescan/pol/activescan_principal.htm
                  Install:
                  www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D ->
                  scan and turn on the browser protection
                  www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> turn on the
                  browser protection
                  www.wilderssecurity.net/spywareguard.html <- SpywareGuard

                  Finally paste a new HijackThis log.
                  • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 16.05.05, 12:07
                    Phew, this is over my head :( but here you go:


                    Logfile of HijackThis v1.99.1
                    Scan saved at 12:06:24, on 16-05-05
                    Platform: Windows 98 Gold (Win9x 4.10.1998)
                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                    Running processes:
                    C:\WINDOWS\SYSTEM\KERNEL32.DLL
                    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
                    C:\WINDOWS\SYSTEM\SPOOL32.EXE
                    C:\WINDOWS\SYSTEM\MPREXE.EXE
                    C:\WINDOWS\SYSTEM\mmtask.tsk
                    C:\WINDOWS\SYSTEM\MSTASK.EXE
                    C:\WINDOWS\EXPLORER.EXE
                    C:\WINDOWS\SYSTEM\INTERNAT.EXE
                    C:\WINDOWS\RUNDLL32.EXE
                    C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
                    C:\PROGRAM FILES\MULTIMEDIA CARD READER\SHWICON98.EXE
                    C:\WINDOWS\TASKMON.EXE
                    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
                    C:\WINDOWS\TPPALDR.EXE
                    C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE
                    C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                    C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
                    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
                    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
                    C:\PROGRAM FILES\GADU-GAD\GG.EXE
                    C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
                    C:\WINDOWS\SYSTEM\RNAAPP.EXE
                    C:\WINDOWS\SYSTEM\TAPISRV.EXE
                    C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE
                    C:\PROGRAM FILES\WANADOO\COMCOMP.EXE
                    C:\PROGRAM FILES\WANADOO\WATCH.EXE
                    C:\WINDOWS\SYSTEM\DDHELP.EXE
                    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
                    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
                    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
                    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
                    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
                    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
                    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
                    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
                    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                    O4 - HKLM\..\Run: [internat.exe] internat.exe
                    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
                    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
                    O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                    O4 - HKLM\..\Run: [Sunkist] C:\Program Files\Multimedia Card Reader\shwicon98.exe
                    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
                    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
                    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
                    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRAM FILES\WANADOO\taskbaricon.exe
                    O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
                    O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
                    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
                    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GAD\GG.EXE" /tray
                    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
                    O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
                    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
                    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
                    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
                    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
                    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
                    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
                    O15 - Trusted IP range: 67.19.178.84
                    O16 - DPF: ppctlcab - ppupdates.ca.com/downloads/scanner/ppctlcab.cab
                    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - ppupdates.ca.com/downloads/scanner/axscanner.cab
                    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com/securityadvisor/virusinfo/webscan.cab
                    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
                    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
                    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
                    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
                    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                    O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\PROGRAM FILES\WIRTUALNA POLSKA\KONTAKT\URL_WPMSG.DLL
                    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

                    Better? ;-)
                    • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 16.05.05, 15:38
                      As you can see, it isn't over your head :-)

                      Uninstall the Google Toolbar, since from what I can see it doesn't work anyway.
                      In HijackThis also delete this:

                      The Google entries already mentioned:
                      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
                      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
                      O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
                      O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
                      O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
                      O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
                      O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

                      If this comes back after the restart:
                      O15 - Trusted IP range: 67.19.178.84
                      then use this:
                      www.searchengines.pl/phpbb203/index.php?s=5debf1bfeab0c89e54567f66c39699f0&act=Attach&type=post&id=459

                      O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
                      Here I see something new:
                      O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

                      Then restart and paste a new HijackThis log.
                        • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 16.05.05, 21:04
                          It is beyond me, it is ;-) but I won't argue :-)

                          Here you go, the latest achievement, a log from a moment ago:

                          Logfile of HijackThis v1.99.1
                          Scan saved at 20:58:37, on 16-05-05
                          Platform: Windows 98 Gold (Win9x 4.10.1998)
                          MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                          Running processes:
                          C:\WINDOWS\SYSTEM\KERNEL32.DLL
                          C:\WINDOWS\SYSTEM\MSGSRV32.EXE
                          C:\WINDOWS\SYSTEM\MPREXE.EXE
                          C:\WINDOWS\SYSTEM\mmtask.tsk
                          C:\WINDOWS\SYSTEM\MSTASK.EXE
                          C:\WINDOWS\EXPLORER.EXE
                          C:\WINDOWS\SYSTEM\INTERNAT.EXE
                          C:\WINDOWS\RUNDLL32.EXE
                          C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                          C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
                          C:\PROGRAM FILES\MULTIMEDIA CARD READER\SHWICON98.EXE
                          C:\WINDOWS\TASKMON.EXE
                          C:\WINDOWS\SYSTEM\SYSTRAY.EXE
                          C:\WINDOWS\TPPALDR.EXE
                          C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE
                          C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                          C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
                          C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
                          C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
                          C:\PROGRAM FILES\GADU-GAD\GG.EXE
                          C:\WINDOWS\SYSTEM\SPOOL32.EXE
                          C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
                          C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
                          C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
                          C:\WINDOWS\SYSTEM\RNAAPP.EXE
                          C:\WINDOWS\SYSTEM\TAPISRV.EXE
                          C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

                          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
                          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                          O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
                          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
                          O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
                          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
                          O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                          O4 - HKLM\..\Run: [internat.exe] internat.exe
                          O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
                          O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
                          O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                          O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                          O4 - HKLM\..\Run: [Sunkist] C:\Program Files\Multimedia Card Reader\shwicon98.exe
                          O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
                          O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                          O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                          O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
                          O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
                          O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRAM FILES\WANADOO\taskbaricon.exe
                          O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                          O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
                          O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
                          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                          O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                          O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
                          O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GAD\GG.EXE" /tray
                          O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
                          O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
                          O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
                          O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
                          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                          O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
                          O15 - Trusted IP range: 67.19.178.84
                          O16 - DPF: ppctlcab - ppupdates.ca.com/downloads/scanner/ppctlcab.cab
                          O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - ppupdates.ca.com/downloads/scanner/axscanner.cab
                          O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com/securityadvisor/virusinfo/webscan.cab
                          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
                          O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
                          O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
                          O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                          O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\PROGRAM FILES\WIRTUALNA POLSKA\KONTAKT\URL_WPMSG.DLL


                          So as you can see, it's sitting there and is still present after a reboot, ugh :-( : O15 - Trusted IP range: 67.19.178.84, and this: <www.searchengines.pl/phpbb203/index.php?s=5debf1bfeab0c89e54567f66c39699f0&act=Attach&type=post&id=459 despite my attempts basically didn't work for me at all> :-(

                        • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 16.05.05, 21:07
                          Ugh, what I scribbled above is a bit hard to read, but I hope it's clear ;-) ?
                          I keep forgetting to say thank you and... send my regards. Ala
                          • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 16.05.05, 21:45
                            Then use this:
                            mvps.org/winhelp2002/DelDomains.inf
                            Download it, then right-click the file and choose Install.
                            The log is already OK, and this will cut out that one entry, and that's it :-)
                            • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 16.05.05, 22:02
                              No more O15 :-)))) and I was already about to complain.. an information file or something like that, but it's OK.
                              I'll buy you a coffee and whatever else you'd like.
                              Thanks a lot. Good luck... with everything in general!
                              Ala (GG 4385803)
                              • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 23.05.05, 22:54
                                Something has crawled in again.. ugh :( ?

                                Here you go:

                                Logfile of HijackThis v1.99.1
                                Scan saved at 22:53:00, on 23-05-05
                                Platform: Windows 98 Gold (Win9x 4.10.1998)
                                MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                                Running processes:
                                C:\WINDOWS\SYSTEM\KERNEL32.DLL
                                C:\WINDOWS\SYSTEM\MSGSRV32.EXE
                                C:\WINDOWS\SYSTEM\MPREXE.EXE
                                C:\WINDOWS\SYSTEM\mmtask.tsk
                                C:\WINDOWS\SYSTEM\MSTASK.EXE
                                C:\WINDOWS\EXPLORER.EXE
                                C:\WINDOWS\SYSTEM\INTERNAT.EXE
                                C:\WINDOWS\RUNDLL32.EXE
                                C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                                C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
                                C:\PROGRAM FILES\MULTIMEDIA CARD READER\SHWICON98.EXE
                                C:\WINDOWS\TASKMON.EXE
                                C:\WINDOWS\SYSTEM\SYSTRAY.EXE
                                C:\WINDOWS\TPPALDR.EXE
                                C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE
                                C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                                C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
                                C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
                                C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
                                C:\WINDOWS\SYSTEM\WINSHOST.EXE
                                C:\PROGRAM FILES\GADU-GAD\GG.EXE
                                C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
                                C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
                                C:\WINDOWS\SYSTEM\SPOOL32.EXE
                                C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
                                C:\WINDOWS\SYSTEM\RNAAPP.EXE
                                C:\WINDOWS\SYSTEM\TAPISRV.EXE
                                C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE
                                C:\PROGRAM FILES\WANADOO\COMCOMP.EXE
                                C:\PROGRAM FILES\WANADOO\WATCH.EXE
                                C:\WINDOWS\SYSTEM\DDHELP.EXE
                                C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

                                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
                                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                                O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
                                O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
                                O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
                                O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
                                O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                                O4 - HKLM\..\Run: [internat.exe] internat.exe
                                O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
                                O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
                                O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                                O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                                O4 - HKLM\..\Run: [Sunkist] C:\Program Files\Multimedia Card Reader\shwicon98.exe
                                O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
                                O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                                O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                                O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
                                O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
                                O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRAM FILES\WANADOO\taskbaricon.exe
                                O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                                O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
                                O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
                                O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                                O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
                                O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                                O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
                                O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GAD\GG.EXE" /tray
                                O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
                                O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
                                O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
                                O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
                                O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
                                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                                O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
                                O16 - DPF: ppctlcab - ppupdates.ca.com/downloads/scanner/ppctlcab.cab
                                O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - ppupdates.ca.com/downloads/scanner/axscanner.cab
                                O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com/securityadvisor/virusinfo/webscan.cab
                                O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
                                O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
                                O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
                                O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                                O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\PROGRAM FILES\WIRTUALNA POLSKA\KONTAKT\URL_WPMSG.DLL


                                • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 23.05.05, 23:11
                                  In HijackThis, this:
                                  O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe

                                  With Killbox, this:
                                  C:\WINDOWS\SYSTEM\winshost.exe

                                  And stop clicking on attachments with viruses, or switch to a different mail client (and don't click there either ;-)), then it will stop crawling in; on top of that, scan the system:
                                  housecall.trendmicro.com/housecall/start_corp.asp
                                  www.windowsecurity.com/trojanscan/
                                  www.pandasoftware.com/activescan/pol/activescan_principal.htm
                                  The rest of the log looks OK.
                                  • Guest: Alus Re: Trojan IP: *.neoplus.adsl.tpnet.pl 24.05.05, 00:31
                                    Hello ;-)

                                    Here you go:

                                    Logfile of HijackThis v1.99.1
                                    Scan saved at 00:29:35, on 24-05-05
                                    Platform: Windows 98 Gold (Win9x 4.10.1998)
                                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                                    Running processes:
                                    C:\WINDOWS\SYSTEM\KERNEL32.DLL
                                    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
                                    C:\WINDOWS\SYSTEM\SPOOL32.EXE
                                    C:\WINDOWS\SYSTEM\MPREXE.EXE
                                    C:\WINDOWS\SYSTEM\MSTASK.EXE
                                    C:\WINDOWS\SYSTEM\mmtask.tsk
                                    C:\WINDOWS\EXPLORER.EXE
                                    C:\WINDOWS\SYSTEM\INTERNAT.EXE
                                    C:\WINDOWS\RUNDLL32.EXE
                                    C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                                    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
                                    C:\PROGRAM FILES\MULTIMEDIA CARD READER\SHWICON98.EXE
                                    C:\WINDOWS\TASKMON.EXE
                                    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
                                    C:\WINDOWS\TPPALDR.EXE
                                    C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE
                                    C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                                    C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
                                    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
                                    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
                                    C:\PROGRAM FILES\GADU-GAD\GG.EXE
                                    C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
                                    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
                                    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
                                    C:\WINDOWS\SYSTEM\RNAAPP.EXE
                                    C:\WINDOWS\SYSTEM\TAPISRV.EXE
                                    C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE
                                    C:\PROGRAM FILES\WANADOO\COMCOMP.EXE
                                    C:\PROGRAM FILES\WANADOO\WATCH.EXE
                                    C:\WINDOWS\SYSTEM\DDHELP.EXE
                                    C:\WINDOWS\PULPIT\HIJACKTHIS.EXE
                                    C:\PROGRAM FILES\SYMANTEC\WINFAX\WFVW32.EXE

                                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
                                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                                    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
                                    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
                                    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
                                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
                                    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
                                    O4 - HKLM\..\Run: [internat.exe] internat.exe
                                    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
                                    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
                                    O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\SPRINT & FINEREADER 5.0 OFFICE TRY&BUY\SPRINT\CAGENT.EXE
                                    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                                    O4 - HKLM\..\Run: [Sunkist] C:\Program Files\Multimedia Card Reader\shwicon98.exe
                                    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
                                    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                                    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                                    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
                                    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
                                    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRAM FILES\WANADOO\taskbaricon.exe
                                    O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_N.EXE
                                    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
                                    O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
                                    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                                    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
                                    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
                                    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GAD\GG.EXE" /tray
                                    O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
                                    O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
                                    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
                                    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
                                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                                    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
                                    O16 - DPF: ppctlcab - ppupdates.ca.com/downloads/scanner/ppctlcab.cab
                                    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - ppupdates.ca.com/downloads/scanner/axscanner.cab
                                    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com/securityadvisor/virusinfo/webscan.cab
                                    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
                                    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
                                    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
                                    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                                    O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\PROGRAM FILES\WIRTUALNA POLSKA\KONTAKT\URL_WPMSG.DLL

                                    Am I capable or what? ;-)

                                    If it's fine - thank you, Kolobos; if not, I'm waiting for further instructions.
                                    • Guest: Kolobos Re: Trojan IP: *.warszawa.sdi.tpnet.pl 24.05.05, 00:36
                                      The log is clean, and try not to get it infested again ;-)
