Problems; Windows firewall etc. HJT
kara (Newbie)
17 May 2006 @ 05:44
Hi
My home computer went haywire; hijacked, I think.
In safe mode Spybot and Ad-Aware find and remove all sorts of things, but as soon as I boot in normal mode the machine is clogged up again. Part of the problem is that I can't get the Windows firewall turned on; it gives the message: "Virhe 1060; Palvelua ei asennettu" / (error 1060: The specified service does not exist as an installed service). The firewall was on before.

I also installed HijackThis. The log is attached. I didn't manage to remove the foreign (?) hosts in the O1 section (they came back). Could anyone give good tips on what to do?
I didn't manage to update MS Internet Explorer (SP2).

___________________________________
Logfile of HijackThis v1.99.1
Scan saved at 18:23:28, on 16.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\winrnt.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\WINDOWS\System32\7da9422e.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Windows\xpupdate.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv3.fi/uutiset/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mxjut.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: Class - {569F191B-24D3-6830-313D-6EC509405F3B} - C:\WINDOWS\system32\appxq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [netss.exe] C:\WINDOWS\netss.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp" /m
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\syswp.exe
O4 - HKLM\..\Run: [sdkom32.exe] C:\WINDOWS\system32\sdkom32.exe
O4 - HKLM\..\Run: [iexh32.exe] C:\WINDOWS\iexh32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [atlti32.exe] C:\WINDOWS\atlti32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch08.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
AfterDawn Addict
17 May 2006 @ 06:31
There's quite a lot wrong there.

Let's try this:

Print these instructions first. Internet Explorer must be closed for the whole process.

Download Intermute's CWShredder:
http://cwshredder.net/bin/CWShredder.exe
Save it to the desktop, but do NOT run it yet.

Download About:Buster:
http://www.malwarebytes.org/AboutBuster.zip
Extract it to the desktop, start it, click Check for Updates and update, but do NOT scan yet.

Update ewido, but do NOT scan yet.

Download Hoster http://www.funkytoad.com/download/hoster.zip
Extract Hoster to a suitable folder, such as C:\Hoster
Don't use it yet.

Download Atribune's ATF Cleaner http://www.atribune.org/ccount/click.php?id=1 and save it to the desktop
Don't use it yet.

Boot the computer into safe mode following these instructions:
1) Start the computer
2) When you hear the machine beep, press F8, before the Windows logo appears
3) A menu should then appear
4) Select safe mode from the menu.

In safe mode, start CWShredder and press Fix.

Start About:Buster and press Start. If you are asked whether you want to terminate the Explorer.exe process, press Yes. The desktop may disappear; that is normal. Scan twice and when done, click "Save Log". This creates the log "AB Logfile.txt" in the folder where About:Buster was saved.

Delete, if found:

C:\WINDOWS\nsjxt.dll
C:\WINDOWS\system32\mxjut.dll
c:\secure32.html
C:\WINDOWS\inet20001
C:\WINDOWS\system32\winbrume.dll
C:\WINDOWS\netss.exe
C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp
C:\WINDOWS\syswp.exe
C:\WINDOWS\system32\sdkom32.exe
C:\WINDOWS\iexh32.exe
C:\WINDOWS\atlti32.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\svch08.dll
C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll


Double-click ATF-Cleaner.exe to start the program.

Under Main, select: Select All
Click the Empty Selected option.
If you use Firefox as your browser, click Firefox at the top and select: Select All
Click the Empty Selected option.
NOTE: If you want to keep your saved passwords, click No when it asks.
If you use Opera as your browser
Click Opera at the top and select: Select All
Click the Empty Selected option again.
NOTE: If you want to keep your saved passwords, click No when it asks.
Click Exit from the main menu to close the program.

Run ewido according to the instructions in the link and save the report.

Finally, start HijackThis, click Do a system scan only and check these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mxjut.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [netss.exe] C:\WINDOWS\netss.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp" /m
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\syswp.exe
O4 - HKLM\..\Run: [sdkom32.exe] C:\WINDOWS\system32\sdkom32.exe
O4 - HKLM\..\Run: [iexh32.exe] C:\WINDOWS\iexh32.exe
O4 - HKLM\..\Run: [atlti32.exe] C:\WINDOWS\atlti32.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch08.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll



Close all other programs and windows except HijackThis and press Fix Checked.

1) Run Hoster.exe from its new folder
2) Click "Make Hosts Writable?" in the top right corner (if active)
3) Click "Restore Original Hosts" and then click OK
4) Close Hoster
Note: IF you were using custom hosts file entries, you will have to put each of those lines back yourself.

Reboot the computer normally and post the HijackThis log and the AboutBuster and ewido logs.

This message was edited after posting. Last edited 17 May 2006 @ 07:03
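For the O1 Hosts, R0/R1, F3, O4 and O20 entries the reply above marks for fixing (the O1 lines are what the first post asked about), here is an added triage script; it is not part of this thread or of HijackThis. It reads HijackThis log lines and flags those patterns; the sample lines are copied from the log posted above, while the thresholds and the search-engine name list are my own assumptions.

```python
"""Triage helper for HijackThis (v1.99) log lines, written as an added example
for this thread; it is not part of HijackThis or of the posts above.

It pulls out the indicators the reply lists for fixing: a hosts-file hijack
that points many search-engine names at one IP, IE start/search pages set to
a local file or to a res:// DLL, a win.ini run= entry, autoruns launched from
a Temp folder, and a non-empty AppInit_DLLs value."""
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv3.fi/uutiset/
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk au.search.yahoo.com
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp" /m
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch08.dll
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Hosts-file lines that bind names to loopback/blackhole addresses are ordinary
# ad-blocking; any other address that collects many names is suspect.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed list of search-engine brands worth flagging (my assumption).
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google|msn|yahoo)\.", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\(temp|locals~1|local settings)\\", re.IGNORECASE)


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, or None otherwise."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def hosts_targets(entries):
    """Map each IP in O1 Hosts entries to the set of hostnames bound to it."""
    targets = defaultdict(set)
    for section, body in entries:
        if section == "O1" and body.startswith("Hosts: "):
            fields = body[len("Hosts: "):].split()
            if len(fields) >= 2:
                targets[fields[0]].update(fields[1:])
    return targets


def triage(log_text, min_hosts=5):
    """Return a list of (section, reason, detail) findings for one log."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    findings = []
    # Hosts hijack: one non-local IP bound to many names, or to search engines.
    for ip, names in hosts_targets(entries).items():
        hijacked = sorted(n for n in names if SEARCH_ENGINE_RE.search(n))
        if ip not in LOCAL_ADDRS and (len(names) >= min_hosts or hijacked):
            findings.append(("O1", "hosts file redirects search engines to " + ip,
                             ", ".join(hijacked)))
    for section, body in entries:
        if section in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip().lower()
            # A browser page that is a local file or a DLL resource, not a URL.
            if value.startswith("res://") or re.match(r"^[a-z]:\\", value):
                findings.append((section, "IE page set to local file or DLL resource", value))
        elif section == "F3" and body.lower().startswith("reg:win.ini: run="):
            findings.append((section, "win.ini run= autostart (normally empty)", body))
        elif section == "O4" and TEMP_PATH_RE.search(body):
            findings.append((section, "autorun launched from a temp folder", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((section, "AppInit_DLLs loads into every GUI process", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}: {detail}")
```

Path heuristics like these miss entries such as xpupdate.exe sitting directly under C:\Windows, so the output narrows a log for a human reviewer rather than replacing one.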

kara (Newbie)
17 May 2006 @ 12:14
OK. I did as told.
Here are the logs (HJT x2, AboutBuster and ewido):

HJT #1 (run in safe mode in the given order):
_____________________________________
Logfile of HijackThis v1.99.1
Scan saved at 15:44:24, on 17.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv3.fi/uutiset/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\lhoalgai.dll
O21 - SSODL: hksrv.dll - {ECF668FE-6AC2-437A-9E36-2168EA8A36C0} - hksrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

*************************
AboutBuster:
___________________
AboutBuster 6.01
Scan started on [17.5.2006] at [15:08:19]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 15:08:58


AboutBuster 6.01
Scan started on [17.5.2006] at [15:09:39]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 15:10:11


********************
Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:34:41, 17.5.2006
+ Report-Checksum: A7E10F00

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2A7363DF-C45A-5954-477D-0C78AF4A207C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{569F191B-24D3-6830-313D-6EC509405F3B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87} -> Downloader.Fugif : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{569F191B-24D3-6830-313D-6EC509405F3B} -> Adware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Anna\Cookies\anna@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temp\Cookies\lina@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temp\maxdd1.game -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temp\vxt2.game -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\install[1].js -> Downloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temporary Internet Files\Content.IE5\BDM64ZDK\zAKgUL1qb9E3o[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temporary Internet Files\Content.IE5\PRNF194E\xpl[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Sari\Local Settings\Temp\B.tmp -> Dropper.Small.na : Cleaned with backup
C:\Documents and Settings\Sari\Local Settings\Temp\vxt2.game -> Trojan.Small : Cleaned with backup
C:\ms32.tmp -> Downloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\cpebopjk.exe -> Proxy.Wopla.r : Cleaned with backup
C:\WINDOWS\system32\dmpiiccm.dll -> Proxy.Wopla.s : Cleaned with backup
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\srshost.exe -> Proxy.Agent.hy : Cleaned with backup
C:\WINDOWS\winexec.exe -> Downloader.Agent.ts : Cleaned with backup


::Report End

****************************

And here is another new HJT log (run after the reboot, in normal mode). Something has apparently still been left behind, since those foreign hosts reappeared under O1??
_____________
Logfile of HijackThis v1.99.1
Scan saved at 16:03:59, on 17.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\cmd.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\7da9422e.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\winrnt.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\lhoalgai.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
AfterDawn Addict
17 May 2006 @ 12:45
Now let's take a closer look:

Download Blacklight from http://www.f-secure.com/blacklight/try.shtml and save it to your desktop;

Double-click blbeta.exe, accept the agreement, click > Scan, then > Next

You will see a list of everything that was found. A log named fsbl.xxxxxxx.log will also appear on your desktop (the xxxxxxx will most likely be digits).

Copy and paste this log into your next reply. Do not choose the "Rename" option yet! We want to see the log first, because legitimate files such as "wbemtest.exe" may be included.
kara
Newbie
17 May 2006 @ 13:17
Here is the blbeta log:

05/17/06 17:10:52 [Info]: BlackLight Engine 1.0.36 initialized
05/17/06 17:10:52 [Info]: OS: 5.1 build 2600 (Service Pack 1)
05/17/06 17:10:52 [Note]: 7019 4
05/17/06 17:10:52 [Note]: 7005 0
05/17/06 17:11:00 [Note]: 7006 0
05/17/06 17:11:00 [Note]: 7011 1304
05/17/06 17:11:00 [Note]: 7026 0
05/17/06 17:11:00 [Note]: 7026 0
05/17/06 17:11:00 [Note]: 7024 3
05/17/06 17:11:00 [Info]: Hidden process: C:\WINDOWS\System32\prsvc.exe
05/17/06 17:11:01 [Note]: FSRAW library version 1.7.1015
05/17/06 17:15:15 [Info]: Hidden file: c:\WINDOWS\system32\dfcpr.dll
05/17/06 17:15:15 [Note]: 10002 1
05/17/06 17:15:28 [Info]: Hidden file: C:\WINDOWS\System32\prsvc.exe
05/17/06 17:15:28 [Note]: 10002 1
05/17/06 17:15:32 [Info]: Hidden file: c:\WINDOWS\system32\hksrv.dll
05/17/06 17:15:32 [Note]: 10002 1
AfterDawn Addict
17 May 2006 @ 13:26
Well then, something was hidden :)

Check these:


C:\WINDOWS\System32\prsvc.exe
c:\WINDOWS\system32\dfcpr.dll
c:\WINDOWS\system32\hksrv.dll

here -> http://www.virustotal.com/flash/index_en.html

and post the results here.

If you can't find them by browsing, type the path into the field to the left of the Browse... button.
kara
Newbie
18 May 2006 @ 12:38
Hi
It refuses to open the www.virustotal.com site; it just spits out garbage:

?ÍYënÛ8þÝ}??¤X[?/I?Äö M²ÓI;?d:;¿Z¢-62©??Ï¢´?·o°ç?ÔÅ·\°;?MQ[æå\xnß¡ß?:»ùýç ?èYJ~þõÝå?3âµ?à·ÞY?ß??¼¿¹º$?$79?k.M?àâ£G¼Dëì8??¿èù2?7¿÷H«??Ýc[7vú±?½Ñ«?Ã1¥b:ô?òÈý,j¸?bçèèÈÂmd?0ãh®S6úüá?_¯o>Ý?^?6ù{Îù$R.ùÌóB*brEÓ͹?¨vÛ«?¯^¾

During the day the virustotal pages looked a bit different when I checked from my work computer.
AfterDawn Addict
18 May 2006 @ 12:53
Then try this service instead -> http://virusscan.jotti.org/
and post the results.
kara
Newbie
18 May 2006 @ 13:26
All right, here are the results. Something was found in all 3 files.

***************************
File: prsvc.exe
Status: INFECTED/MALWARE
MD5 930fdb6f69363e14c2873b303135fe2a
Packers detected: UPX
Scanner results
AntiVir Found Heuristic/Hijacker (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found W32/Cvsr.A!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* Decompressing UPX.
* Accesses executable file from resource section.
* File length: 35840 bytes.

[ Changes to filesystem ]
* Creates file C:\Windows\system32\prsvc.exe.
* Creates file C:\WINDOWS\SYSTEM32\dfcpr.dll.
* Creates file C:\WINDOWS\SYSTEM32\hksrv.dll.
* Deletes file .

[ Changes to registry ]
* Sets value "MBRunFrom"="C:\SAMPLE.EXE " in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Sets value "hksrv.dll"="{000000-0000-000000" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad".
* Creates key "HKCR\CLSID\{000000-0000-000000\InProcServer32".
* Sets value "default"="hksrv.dll" in key "HKCR\CLSID\{000000-0000-000000\InProcServer32".
* Sets value "MBVersion"="6.9" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Deletes value "MBRunFrom" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Creates key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".

[ Process/window information ]
* Creates a mutex T-55C75D8-93V3-429R-E13E-566C206D898A.
* Enumerates running processes.
* Modifies other process memory.
* Creates a remote thread.
* Creates a mutex R-45G75B8-93K3-429F-H13E-730C206D898A.
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Spambot


*************************

File: dfcpr.dll
Status: INFECTED/MALWARE
MD5 1a5e917c49c3463605572bd9fdbd8174
Packers detected: PE-CRYPT.XORPE, UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

****************************

File: hksrv.dll
Status: INFECTED/MALWARE
MD5 74538e6232d3ca0959cdec42e5c9413f
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Agent.Hp.A27
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

************************************
AfterDawn Addict
18 May 2006 @ 13:56
Yep, they are all nasties :)

Now let's get rid of them:

First shut down Microsoft AntiSpyware so it doesn't block the fixes:

1. Click the Microsoft Anti-Spyware icon in the taskbar [it's the red one with a yellow bullseye].
2. Click "Security Agents Status".
3. Click "Disable real-time protection".

Right-click the Microsoft Anti-Spyware icon in the taskbar

1. Click Options -> Settings.
2. On the left, click "Real Time Protection".
3. Under Startup Options, untick "Enable (MSAS) Security Agents on startup (recommended)".
4. Under Real-time spyware threat protection, untick "Enable real-time spyware threat protection (recommended)".
5. Click Save and close Microsoft AntiSpyware.

Finally, right-click the MSAS icon in the taskbar and choose "Shutdown Microsoft Antispyware"

Start HijackThis, click "Do a system scan only" and tick these lines:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\lhoalgai.dll



Get KillBox

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Unzip it, open it and tick "Delete on Reboot"
Then copy the lines below all at once

C:\WINDOWS\System32\prsvc.exe
c:\WINDOWS\system32\dfcpr.dll
c:\WINDOWS\system32\hksrv.dll
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
C:\WINDOWS\System32\lhoalgai.dll
c:\secure32.html

Then in KillBox, from the top menu, choose File > Paste from Clipboard
Select "All Files". After that press Delete (the red button with a white X)
Answer yes to the prompts, and if the computer doesn't restart by itself, restart it.

After that, post a new HijackThis log.
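The O1 lines listed above all pin search-engine hostnames to the single address 66.180.173.39, which is the signature of a hosts-file hijack. As an added example that is not from this thread or from HijackThis, the Python script below parses either HijackThis O1 lines or a raw hosts file and flags that pattern, so the check can be rerun after the reboot to see whether the entries come back. The sample lines are constructed from a subset of the log; the severity labels and the SEARCH_LABELS list are this example's own choices.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample input in the HijackThis "O1 - Hosts:" format seen in the
# thread: the address is the one quoted in the log, the hostnames are a short
# subset of it, plus two benign entries and one non-O1 line added for contrast.
SAMPLE_HJT_LINES = [
    "O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be",
    "O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk au.search.yahoo.com",
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: 192.168.1.10 printer.home",
    "O2 - BHO: (no name) - {placeholder} - C:\\WINDOWS\\system32\\example.dll",
]

# Constructed raw hosts file showing the same pattern as it looks on disk.
SAMPLE_HOSTS_FILE = """\
# constructed hosts file for the example
127.0.0.1       localhost
66.180.173.39   www.google.com google.com   # injected redirect
66.180.173.39   search.msn.com
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")

# Name labels of the search services redirected in the thread's log (example's own list).
SEARCH_LABELS = {"google", "msn", "yahoo", "ninemsn", "xtramsn", "sympatico"}


def parse_hjt_o1(lines):
    """Map address -> set of hostnames from HijackThis O1 lines; other lines are ignored."""
    mapping = defaultdict(set)
    for line in lines:
        m = O1_RE.match(line.strip())
        if m:
            mapping[m.group(1)].update(m.group(2).split())
    return dict(mapping)


def parse_hosts_file(text):
    """Map address -> set of hostnames from hosts-file text (comments and blanks dropped)."""
    mapping = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        if hosts:
            mapping[addr].update(hosts)
    return dict(mapping)


def is_search_host(host):
    return any(label in SEARCH_LABELS for label in host.lower().split("."))


def assess(mapping, min_cluster=3):
    """Return findings for addresses that look like a hosts-file hijack.

    high:   a non-loopback address that well-known search hostnames resolve to
    medium: a public address that several (>= min_cluster) hostnames share,
            or an entry whose address does not even parse
    """
    findings = []
    for addr_str, hosts in mapping.items():
        try:
            addr = ip_address(addr_str)
        except ValueError:
            findings.append({"ip": addr_str, "severity": "medium",
                             "reason": "unparseable address", "hosts": sorted(hosts)})
            continue
        if addr.is_loopback:
            continue  # "127.0.0.1 localhost" and ad-blocking sinkholes are normal
        search_hits = sorted(h for h in hosts if is_search_host(h))
        if search_hits:
            findings.append({"ip": addr_str, "severity": "high",
                             "reason": "search-engine hostnames redirected",
                             "hosts": search_hits})
        elif addr.is_global and len(hosts) >= min_cluster:
            findings.append({"ip": addr_str, "severity": "medium",
                             "reason": "many hostnames pinned to one public address",
                             "hosts": sorted(hosts)})
    return findings


def analyze(lines):
    """Accept either HijackThis output or hosts-file lines (detected by the O1 prefix)."""
    lines = list(lines)
    if any(O1_RE.match(l.strip()) for l in lines):
        return assess(parse_hjt_o1(lines))
    return assess(parse_hosts_file("\n".join(lines)))


if __name__ == "__main__":
    for source, data in (("HijackThis O1", SAMPLE_HJT_LINES),
                         ("hosts file", SAMPLE_HOSTS_FILE.splitlines())):
        print(f"== {source} ==")
        for f in analyze(data):
            print(f"[{f['severity']}] {f['ip']}: {f['reason']} -> {', '.join(f['hosts'])}")
```

Running it against the full O1 block from the log, or against C:\WINDOWS\System32\drivers\etc\hosts after the KillBox reboot, reports one high finding per redirecting address and nothing for a clean file.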
kara
Newbie
18 May 2006 @ 14:38
Here is the new HJT log. At least those foreign hosts under O1 came back, even though I removed them with HJT.

**************************************
Logfile of HijackThis v1.99.1
Scan saved at 18:35:29, on 18.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll (file missing)
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O21 - SSODL: hksrv.dll - {ECF668FE-6AC2-437A-9E36-2168EA8A36C0} - hksrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
AfterDawn Addict
18 May 2006 @ 15:22
Most of it is gone, good.

Check this -> C:\WINDOWS\System32\winrnt.exe
here -> http://virusscan.jotti.org/ or here ->
http://www.virustotal.com/flash/index_en.html
and post the results
kara
Newbie
18 May 2006 @ 15:45
jotti.org reports about winrnt.exe (13 KB):
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Virustotal.com still won't open.
AfterDawn Addict
18 May 2006 @ 16:19
Let's continue.

Fix these:

O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll (file missing)
O21 - SSODL: hksrv.dll - {ECF668FE-6AC2-437A-9E36-2168EA8A36C0} - hksrv.dll (file missing)


Open KillBox and tick Delete on Reboot
Then copy the line below

C:\WINDOWS\System32\winrnt.exe

Then in KillBox, from the top menu: File > Paste from Clipboard
Select "All Files". After that press Delete (the red one with a white X)
Answer yes to the questions, and if the computer doesn't restart by itself, restart it.

After that, post a new HijackThis log.
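Added example (not code from this thread, from HijackThis or from KillBox): the O1 lines above all point dozens of Google, MSN and Yahoo search hostnames at one external address, which is the signature of a hosts-file search hijack. The script below parses the O1 lines of a HijackThis log, ignores entries that point at loopback or 0.0.0.0 (what legitimate ad-blocking hosts files use), and reports any address that captures watched search-engine names; a second function strips such lines from a hosts file while leaving everything else untouched. The first three sample lines are copied from the log posted above; the other sample lines, the `BRAND_LABELS` list and the constructed hosts file in the usage note are my assumptions, not anything from the thread.

```python
"""Flag hosts-file search hijacks in a HijackThis log and strip them from a hosts file.

Added example for this thread; not part of HijackThis or of the original posts.
The three O1 lines below are copied from the log posted in the thread; the
remaining sample lines are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

SAMPLE_HJT_LOG = """\
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O1 - Hosts: 0.0.0.0 ads.example.invalid
O4 - HKLM\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# DNS labels that identify the search engines seen redirected in the log.
# Assumption: extend this set for whatever brands matter in your environment.
BRAND_LABELS = frozenset({"google", "msn", "ninemsn", "xtramsn", "yahoo"})

# HijackThis prints each hosts-file entry as "O1 - Hosts: <address> <name> [<name> ...]".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.*\S)\s*$")


def parse_o1_entries(log_text):
    """Return {address: [hostname, ...]} for every O1 line in an HJT log."""
    mapping = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            mapping[m.group(1)].extend(m.group(2).split())
    return dict(mapping)


def is_sinkhole(address):
    """True for loopback/unspecified targets (127.0.0.1, 0.0.0.0, ::1).

    Those are what legitimate ad-blocking hosts entries point at; an entry
    that sends a search engine there blocks it rather than redirecting it.
    """
    try:
        ip = ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_brand_host(hostname):
    """True if any DNS label of the name is a watched search-engine brand."""
    return bool(BRAND_LABELS.intersection(hostname.lower().split(".")))


def find_hijacks(log_text):
    """Return [(address, [redirected brand hostnames])] for every address that
    is not a sinkhole and captures at least one watched brand."""
    findings = []
    for address, hosts in parse_o1_entries(log_text).items():
        if is_sinkhole(address):
            continue
        hits = [h for h in hosts if is_brand_host(h)]
        if hits:
            findings.append((address, hits))
    return findings


def clean_hosts_file(hosts_text):
    """Drop hosts-file lines that map a watched brand to a non-sinkhole address;
    keep comments, blank lines and all other entries exactly as they were."""
    kept = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].split()  # strip trailing comment, tokenize
        if body and not is_sinkhole(body[0]) and any(is_brand_host(h) for h in body[1:]):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for address, hits in find_hijacks(SAMPLE_HJT_LOG):
        print(f"{address}: {len(hits)} search-engine hostnames redirected, e.g. {hits[:3]}")
```

On the sample above `find_hijacks` reports a single address, 66.180.173.39, with 19 redirected names, while the constructed `0.0.0.0 ads.example.invalid` entry is left alone. Run `clean_hosts_file` on the contents of `%SystemRoot%\System32\drivers\etc\hosts` (a constructed file with a `127.0.0.1 localhost` line, one hijack line and one blocking line keeps only the first and last) and write the result back only after the process that keeps re-adding the entries has been dealt with, since otherwise the lines come straight back, as this thread shows.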
kara
Newbie
18 May 2006 @ 17:03
Here's a fresh log. It seems to be stubborn...

***********************************
Logfile of HijackThis v1.99.1
Scan saved at 21:02:04, on 18.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
AfterDawn Addict
19 May 2006 @ 06:05
Very stubborn. That file didn't go away -> some other nasty is holding on to it.

To start with, run that Blacklight again and post its log here.
kara
Newbie
19 May 2006 @ 06:13
Last night I ran Blacklight, among other things, and it didn't find anything.

CWShredder, on the other hand, repeatedly finds the CWS.Bootconf (variant 2) and CWS.Svchost32 (variant 7) nasties; they come right back even though the shredder removes them.

I also ran ewido (in normal mode) and it found about 60 (!) nasties.
AfterDawn Addict
19 May 2006 @ 06:28
Next, then, this:

Download winpfind from here:
http://www.bleepingcomputer.com/files/winpfind.php
Extract the zip to the c:\WinPFind folder
Boot into safe mode and double-click WinPFind.exe
Press the start scan button
Wait until it says it is finished and its log opens
Then boot back into normal mode and post the contents of c:\WinPFind\WinPFind.txt here

EDIT: And if you saved that ewido report, by all means post it here.

This message has been edited after posting. Last edited 19 May 2006 @ 07:06

kara
Newbie
19 May 2006 @ 12:09
Attached is the winpfind log.

I don't have yesterday's ewido log. I just ran ewido again; it didn't find anything.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 16.9.2002 15:00:00 41113 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 12.5.2006 14:40:08 64492 C:\WINDOWS\SYSTEM32\ipod.raw.exe
PTech 14.2.2006 9:20:14 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6.7.2005 19:26:32 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6.7.2005 19:26:32 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 16.9.2002 15:00:00 635392 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 16.9.2002 15:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
FSG! 11.5.2006 17:21:12 RH 10301 C:\WINDOWS\SYSTEM32\win_lcb.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
19.5.2006 15:54:26 S 2048 C:\WINDOWS\bootstat.dat
11.5.2006 9:20:50 H 0 C:\WINDOWS\inf\oem13.inf
16.5.2006 19:01:44 H 0 C:\WINDOWS\inf\oem14.inf
11.5.2006 17:21:12 RH 10301 C:\WINDOWS\system32\win_lcb.exe
19.5.2006 15:54:22 H 8192 C:\WINDOWS\system32\config\default.LOG
19.5.2006 15:54:36 H 1024 C:\WINDOWS\system32\config\SAM.LOG
19.5.2006 15:54:28 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
19.5.2006 15:54:50 H 143360 C:\WINDOWS\system32\config\software.LOG
19.5.2006 15:54:50 H 966656 C:\WINDOWS\system32\config\system.LOG
11.5.2006 9:20:56 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
19.5.2006 15:53:46 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 16.9.2002 15:00:00 67584 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 18.6.2003 15:14:48 8605696 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 16.9.2002 15:00:00 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Conexant Systems 16.7.2001 4:37:46 316416 C:\WINDOWS\SYSTEM32\csacpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 16.9.2002 15:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 16.9.2002 15:00:00 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29.8.2002 13:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 10.10.2005 17:29:28 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 16.9.2002 15:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 16.9.2002 15:00:00 561152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 16.9.2002 15:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 16.9.2002 15:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 16.9.2002 15:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 16.9.2002 15:00:00 109568 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 30.3.2000 20:00:32 250880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 16.9.2002 15:00:00 268800 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 16.9.2002 15:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 16.9.2002 15:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26.5.2005 4:16:30 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 67584 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 16.9.2002 15:00:00 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 16.9.2002 15:00:00 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 16.9.2002 15:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 16.9.2002 15:00:00 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29.8.2002 13:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 16.9.2002 15:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 16.9.2002 15:00:00 561152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 16.9.2002 15:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 16.9.2002 15:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 16.9.2002 15:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 16.9.2002 15:00:00 109568 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 16.9.2002 15:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 16.9.2002 15:00:00 268800 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 16.9.2002 15:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 16.9.2002 15:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6.9.2003 3:36:56 HS 84 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini
16.12.2003 5:52:22 1791 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\InterVideo WinCinema Manager.lnk
10.11.2005 19:23:10 763 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\Picture Package Menu.lnk
10.11.2005 19:23:04 813 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\Picture Package VCD Maker.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5.9.2003 18:30:58 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
6.9.2003 3:36:56 HS 84 C:\Documents and Settings\Karri\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5.9.2003 18:30:58 HS 62 C:\Documents and Settings\Karri\Application Data\desktop.ini
7.2.2006 15:16:10 560 C:\Documents and Settings\Karri\Application Data\ViewerApp.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
E3003 FI = IEAKElisa Internet

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NVC
{D5507020-DB45-11d1-A5F0-00600872F78D} = C:\NORMAN\Nvc\BIN\NVCSE.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Käynnistä-valikon nasta = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NVC
{D5507020-DB45-11d1-A5F0-00600872F78D} = C:\NORMAN\Nvc\BIN\NVCSE.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\NVC
{D5507020-DB45-11d1-A5F0-00600872F78D} = C:\NORMAN\Nvc\BIN\NVCSE.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Yahoo! Toolbar Helper = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Päivän vihje = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Etsintäpalkki = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media-palkki = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
Tiedostojen etsintä -Explorer-palkki = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Lähiosoite : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Linkit : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIModeChange Ati2mdxx.exe
Wizard
ATIPTA C:\ATI-CPanel\atiptaxx.exe
SoundMan SOUNDMAN.EXE
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
HP Software Update C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
InCD C:\Program Files\Ahead\InCD\InCD.exe
Norman ZANDA C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
winrnt.exe C:\Program Files\Common Files\System\winrnt.exe
brmfrsmq C:\WINDOWS\System32\brmfrsmq.exe
ZPoint C:\WINDOWS\System32\winmuse.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallpaper 0
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
ClassicShell 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
Muumit4 {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} = C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
ewidosecuritysuite {FFDAFC46-4058-DB0E-7576-A470BB733BED} = C:\Program Files\ewido\security suite\german.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = C:\WINDOWS\System32\idbg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 19.5.2006 15:58:51
AfterDawn Addict
19 May 2006 @ 14:56
That was helpful :)

Let's do this:

Unplug the network cable.
Fix those O1 lines with HJT.

Then:

1. Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) to your desktop.
- Click the Avenger.zip file to open it.
- Extract Avenger.exe to your desktop.

2. Copy all the text in the black quote box below into an empty Notepad file (starting from "Files to delete"):
Quote:
Files to delete:
C:\Program Files\Common Files\System\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\WINDOWS\System32\winmuse.exe


Note: the script above was created specifically for this user. If you are not this person, do NOT follow these instructions, because they could damage your computer's functions.


3. Now open The Avenger by double-clicking its icon on your desktop.
- Under "Script file to execute", select "Input Script Manually".
- Now click the magnifying glass icon, which opens a new window called "View/edit script".
- Paste the text you copied into Notepad into this window.
- Click Done.
- Now click the green light to start the script.
- Click "Yes" when the two warning boxes appear.

The Avenger will automatically do the following:
- Restart your computer. (In cases where the script contains a "Drivers to Unload" command, The Avenger restarts your computer twice.)
- On restart, it briefly opens a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of The Avenger's actions. The path of this log is C:\avenger.txt
- The Avenger has also made a backup of all the files etc. that you asked it to delete, and has packed and moved them into a zip file at C:\avenger\backup.zip.

5. Copy and paste the whole content of avenger.txt into your reply, along with a fresh HJT log.

This message has been edited after posting. Last edited 19 May 2006 @ 15:47
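A small triage script for the O1 Hosts entries this thread keeps fighting with, added here as an example; it is not part of the original thread, of HijackThis or of The Avenger. It reads either HijackThis "O1 - Hosts:" lines or a raw hosts file, groups the hostnames by the address they are pinned to, and reports search-provider hostnames redirected to a non-loopback address, which is the pattern the log shows. The sample lines are constructed from the addresses and names in the log; the provider list is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: HijackThis lines of the kind seen in this thread
# (address and hostnames as in the posted log), plus a non-O1 line that
# the parser must ignore and a benign loopback entry.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = http://elisa.net/
O1 - Hosts: 69.61.45.227 search.msn.com beta.search.msn.es uk.search.yahoo.com www.google.pl
O1 - Hosts: 69.61.45.227 google.pl www.google.co.nz www.google.se google.com.co google.it
O1 - Hosts: 127.0.0.1 localhost
"""

# Constructed hosts-file excerpt with a comment and an indented entry.
SAMPLE_HOSTS = """\
# constructed hosts file excerpt
127.0.0.1       localhost
69.61.45.227    www.google.com google.com   # re-added after cleanup
"""

# Assumed list of search providers whose hostnames should never be pinned
# to a foreign address in a home machine's hosts file.
SEARCH_PROVIDERS = ("google.", "search.msn.", "search.yahoo.",
                    "search.ninemsn.", "search.xtramsn.")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.*)$")


def parse_hjt_o1(text):
    """Return (ip, [hostnames]) for each 'O1 - Hosts:' line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).split()))
    return entries


def parse_hosts_file(text):
    """Return (ip, [hostnames]) for each non-comment line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything else or unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def group_by_ip(entries):
    """Collapse repeated lines so each address maps to the set of its hostnames."""
    groups = defaultdict(set)
    for ip, names in entries:
        groups[ip].update(names)
    return groups


def find_redirected_search_hosts(entries):
    """Map each non-loopback address to the search-provider hostnames pinned to it."""
    hits = {}
    for ip, names in group_by_ip(entries).items():
        if is_loopback(ip):
            continue   # 127.0.0.1 localhost style entries are expected
        flagged = sorted(n for n in names
                         if any(p in n for p in SEARCH_PROVIDERS))
        if flagged:
            hits[ip] = flagged
    return hits


def report(entries):
    """One human-readable line per offending address."""
    lines = []
    for ip, names in find_redirected_search_hosts(entries).items():
        lines.append(f"{ip}: {len(names)} search-provider hostnames redirected, "
                     f"e.g. {', '.join(names[:3])}")
    return lines


if __name__ == "__main__":
    for src, parser in ((SAMPLE_LOG, parse_hjt_o1), (SAMPLE_HOSTS, parse_hosts_file)):
        for line in report(parser(src)):
            print(line)
```

Running it after each cleanup pass on the real hosts file shows whether the entries have come back, which is the quickest way to tell that the persistence mechanism is still alive.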

kara
Newbie
20 May 2006 @ 07:37
Ok, done. The O1 lines come back even though HJT removes them; CWShredder repeatedly finds the aforementioned CWS.Bootconf (variant 2) and CWS.Svchost32 (variant 7) beasts.
Attached are the Avenger and HJT logs:

AVENGER:
***************************
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\muwpekxk

*******************

Script file located at: \??\C:\pbcvhinj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\Common Files\System\winrnt.exe deleted successfully.
File C:\WINDOWS\System32\winrnt.exe deleted successfully.


File C:\WINDOWS\System32\brmfrsmq.exe not found!
Deletion of file C:\WINDOWS\System32\brmfrsmq.exe failed!

Could not process line:
C:\WINDOWS\System32\brmfrsmq.exe
Status: 0xc0000034



File C:\WINDOWS\System32\winmuse.exe not found!
Deletion of file C:\WINDOWS\System32\winmuse.exe failed!

Could not process line:
C:\WINDOWS\System32\winmuse.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

**************************************
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:32, on 20.5.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.61.45.227 search.msn.com beta.search.msn.es uk.search.yahoo.com www.google.pl www.google.com.br google.sk google.co.je
O1 - Hosts: 69.61.45.227 google.pl www.google.co.nz www.google.se google.com.co google.it google.ie google.no
O1 - Hosts: 69.61.45.227 www.google.ie google.es google.td www.google.com.do mx.search.yahoo.com google.com.pe google.com.uy
O1 - Hosts: 69.61.45.227 www.google.ro search.msn.se www.google.com.ly beta.search.msn.com.sg google.cd www.google.gg google.mn
O1 - Hosts: 69.61.45.227 google.mu beta.search.msn.co.za google.com.ni www.google.co.th google.co.nz www.google.com.nf www.google.com.ua
O1 - Hosts: 69.61.45.227 www.google.kz www.google.ch google.lv google.gl www.google.es www.google.com.sv search.msn.ch
O1 - Hosts: 69.61.45.227 search.msn.de google.co.ls google.com.au google.de google.com.sv www.google.dj www.google.no
O1 - Hosts: 69.61.45.227 www.google.co.uk google.com.ar www.google.co.cr google.nl www.google.de google.com.nf www.google.td
O1 - Hosts: 69.61.45.227 google.com.ly google.uz google.az google.com.br www.google.li www.google.co.kr google.ru
O1 - Hosts: 69.61.45.227 google.co.th www.google.com.cu www.google.ci toolbar.search.msn.com www.google.com.py google.com.gt www.google.com.ni
O1 - Hosts: 69.61.45.227 au.search.yahoo.com beta.search.ninemsn.com.au de.search.yahoo.com google.com.sa www.google.off.ai www.google.sh www.google.cg
O1 - Hosts: 69.61.45.227 www.google.com.ag www.google.am beta.search.msn.it www.google.uz google.off.ai google.pn google.fr
O1 - Hosts: 69.61.45.227 www.google.co.ug google.se www.google.ca it.search.yahoo.com www.google.co.jp google.tt www.google.dk
O1 - Hosts: 69.61.45.227 google.com google.com.np www.google.at google.rw google.com.pr google.cl google.com.fj
O1 - Hosts: 69.61.45.227 google.ci google.com.gr www.google.tt google.com.pk www.google.as www.google.co.je ct.search.yahoo.com
O1 - Hosts: 69.61.45.227 beta.search.msn.at google.am search.ninemsn.com.au google.com.ph www.google.fr google.hn google.co.uk
O1 - Hosts: 69.61.45.227 search.msn.fi www.google.az www.google.com.pr google.com.vc www.google.sk www.google.com.gt www.google.com.np
O1 - Hosts: 69.61.45.227 search.msn.at google.dk google.bi www.google.co.il google.be www.google.hn www.google.co.ls
O1 - Hosts: 69.61.45.227 google.pt beta.search.msn.co.in www.google.com google.ch www.google.com.tw google.co.ve www.google.com.pe
O1 - Hosts: 69.61.45.227 google.com.vn google.ms google.com.tw www.google.cl beta.search.sympatico.msn.ca search.msn.be www.google.com.sa
O1 - Hosts: 69.61.45.227 www.google.vg search.msn.dk google.co.jp www.google.nl google.li br.search.yahoo.com www.google.rw
O1 - Hosts: 69.61.45.227 cf.search.yahoo.com google.ro www.google.mw beta.search.xtramsn.co.nz google.com.na google.tm search.msn.com.sg
O1 - Hosts: 69.61.45.227 beta.search.msn.no google.as search.msn.it www.google.co.ve espanol.search.yahoo.com search.msn.no google.co.il
O1 - Hosts: 69.61.45.227 google.com.do beta.search.msn.co.uk www.google.co.in www.google.tm google.co.kr uk.search.msn.com beta.search.msn.com
O1 - Hosts: 69.61.45.227 beta.search.msn.nl google.co.in beta.search.msn.dk www.google.com.mx www.google.lv beta.search.msn.be www.google.com.vc
O1 - Hosts: 69.61.45.227 www.google.com.co www.google.com.sg www.google.be search.msn.nl www.google.com.pk www.google.com.ar www.google.com.gi
O1 - Hosts: 69.61.45.227 google.gg google.com.ec www.google.com.ec google.com.pa google.sh www.google.mu www.google.pt
O1 - Hosts: 69.61.45.227 google.lu www.google.ae search.msn.es google.mw google.sm beta.search.msn.se www.google.it
O1 - Hosts: 69.61.45.227 google.vg www.google.pn google.com.ag www.google.ms google.at google.com.tr www.google.gm
O1 - Hosts: 69.61.45.227 ar.search.yahoo.com google.com.my www.google.com.au google.fi www.google.co.hu search.msn.fr google.gm
O1 - Hosts: 69.61.45.227 google.co.hu www.google.lu beta.search.msn.ch www.google.mn beta.search.msn.fi www.google.com.vn www.google.com.na
O1 - Hosts: 69.61.45.227 google.com.mt www.google.com.gr google.co.ug www.google.com.my www.google.gl google.ca www.google.sm
O1 - Hosts: 69.61.45.227 google.com.gi google.ae www.google.com.tr google.com.hk search.sympatico.msn.ca search.xtramsn.co.nz google.dj
O1 - Hosts: 69.61.45.227 www.google.lt google.cg www.google.bi google.com.cu www.google.com.ph www.google.com.hk google.kz
O1 - Hosts: 69.61.45.227 google.com.ua search.msn.co.uk www.google.com.fj www.google.com.mt www.google.co.ke www.google.fm www.google.com.pa
O1 - Hosts: 69.61.45.227 google.com.sg fr.search.yahoo.com search.yahoo.com www.google.cd search.msn.co.za www.google.ru ca.search.yahoo.com
O1 - Hosts: 69.61.45.227 www.google.fi beta.search.msn.de google.com.mx beta.search.msn.fr google.fm google.co.ke google.com.py
O1 - Hosts: 69.61.45.227 google.co.cr search.msn.co.in google.lt www.google.com.uy auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
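The O1 - Hosts lines in the log above all point a long list of search-engine hostnames at the single address 69.61.45.227, which is the signature of a hosts-file search redirect. The following Python script is an added example written for this page, not code from HijackThis or from anyone in this thread: it parses O1 lines out of a HijackThis log, groups hostnames by target IP, and flags any non-loopback IP that captures several search-engine hostnames. The sample log text, the keyword list and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: two O1 lines in HijackThis v1.99.1 format (the IP and hostnames match the
# log posted in this thread), one benign loopback entry, and one non-O1 line that must be ignored.
SAMPLE_LOG = """\
O1 - Hosts: 69.61.45.227 search.msn.com beta.search.msn.es uk.search.yahoo.com www.google.pl www.google.com.br google.sk google.co.je
O1 - Hosts: 69.61.45.227 google.pl www.google.co.nz www.google.se google.com.co google.it google.ie google.no
O1 - Hosts: 127.0.0.1 ad.tracker.example
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
"""

# One O1 line: the literal prefix, the target address, then a whitespace-separated hostname list.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+?)\s*$")

# Substrings that identify the search-engine front ends seen in this thread's log
# (assumption of the example; extend for other engines as needed).
SEARCH_KEYWORDS = (
    "google.", "search.msn.", "search.yahoo.",
    "search.ninemsn.", "search.xtramsn.", "search.sympatico.",
)


def parse_o1_hosts(log_text):
    """Return {target_ip: [hostname, ...]} for every 'O1 - Hosts:' line in a HijackThis log."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].extend(m.group(2).split())
    return dict(by_ip)


def is_loopback(ip):
    """Loopback/null targets are the normal way a hosts file blocks a name, not a redirect."""
    return ip.startswith("127.") or ip in ("::1", "0.0.0.0")


def search_engine_hosts(names):
    return [n for n in names if any(k in n for k in SEARCH_KEYWORDS)]


def find_search_redirects(log_text, threshold=3):
    """Flag each non-loopback IP that captures at least `threshold` search-engine hostnames."""
    findings = []
    for ip, names in parse_o1_hosts(log_text).items():
        if is_loopback(ip):
            continue
        hits = search_engine_hosts(names)
        if len(hits) >= threshold:
            findings.append({
                "ip": ip,
                "total_hosts": len(names),
                "search_hosts": len(hits),
                "examples": hits[:3],
            })
    return findings


def report(log_text):
    """Human-readable summary, one line per suspicious target address."""
    lines = []
    for f in find_search_redirects(log_text):
        lines.append(
            f"{f['ip']}: {f['search_hosts']} of {f['total_hosts']} hosts are search engines "
            f"(e.g. {', '.join(f['examples'])}) -> hosts-file redirect, restore the hosts file"
        )
    return lines or ["no search-engine redirects found in O1 entries"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Entries pointing at 127.0.0.1 are skipped on purpose: blocking ad or tracking hosts through loopback is a common legitimate use of the hosts file, so only redirects to a real address count. When the O1 entries reappear after deletion, as they did for the poster, the script is only the detection half; the process that rewrites the file still has to be found, which is what the replies below go after.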
AfterDawn Addict
20 May 2006 @ 08:07
According to the log, there are no CWS variants, though.

There is something hidden in there that brings them back. Now we just have to find out what.

Create a new folder on the C:\ drive and name it blacklight

Next,

Download F-Secure Blacklight from http://www.f-secure.com/blacklight/try.shtml to your desktop and move blbeta.exe into your new folder.
Close BlackLight if it is open. Click Start -> Run and type in: cmd

Press Enter. When the command prompt opens, type in: c:\blacklight\blbeta.exe /expert (Note that there is one space before the c:\blacklight\blbeta.exe part and also one after blbeta.exe, before the /expert switch)

If that doesn't work, go to Start -> Programs -> Accessories -> Command Prompt and do the same thing there.

BlackLight should now open in Expert mode. Run the scan. You will see a list of the files found. A file fsbl.xxxxxxx.log (xxxxxxx is digits) will also appear on your desktop.

Copy and paste this log into your next reply.

EDIT: And check this -> C:\WINDOWS\System32\idbg32.exe
here -> http://virusscan.jotti.org

This message has been edited after posting. Last edited 20 May 2006 @ 08:24

kara
Newbie
20 May 2006 @ 09:41
Ok, done.

Blacklight didn't find anything, log attached,

Likewise, idbg32.exe is clean according to jotti.org.

******************************
05/20/06 13:12:59 [Info]: BlackLight Engine 1.0.36 initialized
05/20/06 13:12:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/20/06 13:12:59 [Note]: 7019 4
05/20/06 13:12:59 [Note]: 7005 0
05/20/06 13:13:16 [Note]: 7006 0
05/20/06 13:13:16 [Note]: 7022 0
05/20/06 13:13:16 [Note]: 7011 1820
05/20/06 13:13:16 [Note]: 7026 0
05/20/06 13:13:16 [Note]: 7026 0
05/20/06 13:13:16 [Note]: FSRAW library version 1.7.1015
05/20/06 13:36:16 [Note]: 7007 0
**************************************
AfterDawn Addict
20 May 2006 @ 09:44
Get RootkitRevealer -> http://www.sysinternals.com/Utilities/RootkitRevealer.html
Scan and post its log here.

If you can get to VirusTotal, scan -> C:\WINDOWS\System32\idbg32.exe
there and post the results.
kara
Newbie
20 May 2006 @ 10:26
Here we go again. Rootkit log attached.
idbg32.exe was clean according to VirusTotal too.


RootkitRevealer:
*******************************
HKLM\S-1-5-21-3209661291-2546901333-765719832-1005\RemoteAccess\InternetProfile 2.3.2004 23:35 5 bytes Data mismatch between Windows API and raw hive data.
HKLM\\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678 2.5.1697 1:03 4 bytes Hidden from Windows API.
SOFTWARE 1.1.1601 3:00 0 bytes Error dumping hive: Internal error.
C:\Documents and Settings\Karri\Cookies\karri@microsoft[1].txt 19.5.2006 17:23 347 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Karri\Cookies\karri@microsoft[2].txt 20.5.2006 14:05 347 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Cookies\karri@www.sysinternals[1].txt 20.5.2006 14:01 103 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\1_star_rating[1].gif 20.5.2006 14:02 1.45 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\4_star_rating[1].gif 20.5.2006 14:04 1.58 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\broker[1].js 19.5.2006 16:11 42.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\CAU30167.htm 20.5.2006 14:05 35.03 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\closed_topic_icon[1].gif 20.5.2006 14:02 280 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\hot_topic_no_new_posts_icon[1].gif 20.5.2006 14:01 190 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\listener[1].aspx 19.5.2006 17:23 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\listener[1].htm 20.5.2006 14:05 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\ms_masthead_ltr[2].htm 20.5.2006 14:05 181 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-events-7142[1].js 20.5.2006 14:07 43.64 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-simplePopover-26705[1].js 20.5.2006 14:07 22.69 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-staticPopover-29432[1].js 20.5.2006 14:07 20.22 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-utilities-737[1].js 20.5.2006 14:07 41.88 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\post_reply[1].gif 20.5.2006 14:02 785 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\quote_icon[1].gif 20.5.2006 14:02 1.06 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\rdttdl15or[1].png 20.5.2006 14:03 4.99 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\right_arrow[1].gif 20.5.2006 14:01 163 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\search[1].gif 20.5.2006 14:01 408 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\subject_folder[1].gif 20.5.2006 14:02 336 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\tabs-line[1].gif 20.5.2006 14:07 61 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\2006-05-18_140819_2001stargate[1].jpg 20.5.2006 14:04 11.20 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\broker[1].js 20.5.2006 14:05 42.88 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\default_javascript[1].js 20.5.2006 14:01 990 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\help_icon[1].gif 20.5.2006 14:01 394 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\mask[1].jpg 20.5.2006 14:03 1.85 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\moved_icon[1].gif 20.5.2006 14:01 207 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\n2CoreLibs-n2v1-57804[1].css 20.5.2006 14:07 6.34 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\open_folder_icon[1].gif 20.5.2006 14:01 165 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\pinned_topic_icon[1].gif 20.5.2006 14:01 235 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\pl[1].htm 20.5.2006 13:46 28 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\priority_post_icon[1].gif 20.5.2006 14:02 253 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\profile_icon[1].gif 20.5.2006 14:02 636 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\RootkitRevealer[1].htm 20.5.2006 14:04 28.67 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\search_sm[1].gif 20.5.2006 14:02 506 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\0000053432_000000000000000289007[1].htm 20.5.2006 14:05 181 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\3_star_rating[1].gif 20.5.2006 14:02 1.54 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\header[1].gif 20.5.2006 14:02 9.59 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\hot_topic_new_posts_icon[1].gif 20.5.2006 14:02 148 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\members_list[1].gif 20.5.2006 14:01 483 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\no_new_posts_icon[1].gif 20.5.2006 14:01 142 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\pl[4].htm 20.5.2006 14:05 28 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\print_version[1].gif 20.5.2006 14:02 1.00 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\priority_post_locked_icon[1].gif 20.5.2006 14:01 289 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\register_icon[1].gif 20.5.2006 14:01 404 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\smiley36[1].gif 20.5.2006 14:03 486 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\table_bg_image[1].gif 20.5.2006 14:02 227 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\2006-02-09_181557_Gears64[1].png 20.5.2006 14:02 9.11 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\2006-04-14_104013_avatar[1].jpg 20.5.2006 14:03 1.37 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\2_star_rating[1].gif 20.5.2006 14:02 1.50 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\5point0[1].gif 20.5.2006 14:05 484 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\active_topics[1].gif 20.5.2006 14:01 617 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\arrow_px_up[1].gif 20.5.2006 14:05 53 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\css[1].css 20.5.2006 14:05 2.59 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\default_style[1].css 20.5.2006 14:01 5.86 KB Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\header-background[1].gif 20.5.2006 14:02 511 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\home_icon[1].gif 20.5.2006 14:02 612 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\login_icon[1].gif 20.5.2006 14:01 484 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\new_post[1].gif 20.5.2006 14:01 775 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\new_posts_icon[1].gif 20.5.2006 14:02 150 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\pages_icon[1].gif 20.5.2006 14:01 131 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\pl[1].htm 20.5.2006 13:46 28 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\pl[2].htm 20.5.2006 14:04 28 bytes Hidden from Windows API.
C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\RootkitRevealer[1].htm 20.5.2006 13:46 28.67 KB Visible in Windows API, but not in MFT or directory index.
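RootkitRevealer reports every discrepancy between the Windows API view and the raw NTFS and registry data, so a log like the one above mixes possible hiding with files that simply changed while the scan ran; the browser cache and cookies written during the scan window (the poster was browsing this forum at the time, as the timestamps show) are the typical case. The script below is an added example and not code from Sysinternals or from anyone in this thread: it parses RootkitRevealer's text output into fields and sorts each entry into a priority bucket, so that hidden registry keys and hidden files outside volatile folders surface first, cache churn sinks to the bottom, and hive-dump errors are kept as informational. The sample lines are taken from the log above (the long hidden key name is shortened) plus one clearly labelled invented driver path; the volatile-directory list and the priority rules are assumptions of the example, not RootkitRevealer's own logic.

```python
import re

# Sample input: five lines copied from the RootkitRevealer log posted in this thread (the very
# long hidden key name is shortened) plus one hypothetical driver entry, marked below, that is
# NOT from the thread and only exists to exercise the "file hidden outside a cache folder" path.
SAMPLE_LINES = [
    r"HKLM\S-1-5-21-3209661291-2546901333-765719832-1005\RemoteAccess\InternetProfile 2.3.2004 23:35 5 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\\012345678901234567890123456789012345678901234567890123456789 2.5.1697 1:03 4 bytes Hidden from Windows API.",
    r"SOFTWARE 1.1.1601 3:00 0 bytes Error dumping hive: Internal error.",
    r"C:\Documents and Settings\Karri\Cookies\karri@www.sysinternals[1].txt 20.5.2006 14:01 103 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\1_star_rating[1].gif 20.5.2006 14:02 1.45 KB Visible in directory index, but not Windows API or MFT.",
    # hypothetical entry (constructed for the example, not present in the posted log)
    r"C:\WINDOWS\system32\drivers\example_hidden.sys 20.5.2006 14:02 12.00 KB Hidden from Windows API.",
]

# path, then "d.m.yyyy h:mm", then size with unit, then the free-text discrepancy description.
# The path is matched non-greedily so that spaces inside it (Documents and Settings) are kept.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<stamp>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) "
    r"(?P<desc>.+)$"
)

UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}

# Folders whose contents legitimately change while a scan runs (assumption of the example).
VOLATILE_DIRS = ("\\temporary internet files\\", "\\cookies\\", "\\temp\\")


def parse_line(line):
    """Split one RootkitRevealer output line into fields; None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m["path"],
        "stamp": m["stamp"],
        "size_bytes": round(float(m["size"]) * UNIT[m["unit"]]),
        "desc": m["desc"],
    }


def classify(entry):
    """Return (kind, priority) for a parsed entry using the example's triage rules."""
    path, desc = entry["path"], entry["desc"]
    hidden = "Hidden from Windows API" in desc
    if desc.startswith("Error dumping hive"):
        return "scan_error", "info"          # tool could not read the hive; not evidence either way
    if path.startswith(("HKLM", "HKCU", "HKU", "HKCR")):
        return "registry", ("high" if hidden else "medium")
    if any(d in path.lower() for d in VOLATILE_DIRS):
        return "volatile_cache", "low"       # expected churn if a browser ran during the scan
    return "file", ("high" if hidden else "medium")


def triage(lines):
    """Bucket every line by priority; keep unparsable lines so nothing is silently dropped."""
    report = {"by_priority": {"high": [], "medium": [], "low": [], "info": []}, "unparsed": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"].append(line)
            continue
        entry["kind"], prio = classify(entry)
        report["by_priority"][prio].append(entry)
    return report


def summary(report):
    """Counts per priority bucket, for a quick first read of a long log."""
    return {prio: len(entries) for prio, entries in report["by_priority"].items()}


if __name__ == "__main__":
    rep = triage(SAMPLE_LINES)
    print(summary(rep))
    for e in rep["by_priority"]["high"]:
        print("REVIEW:", e["kind"], e["path"], "|", e["desc"])
```

Run against the full log in the post, the two registry lines land in the medium and high buckets and everything under Cookies and Temporary Internet Files lands in low, which matches how a helper would read it: the cache entries are noise from browsing during the scan, while a registry key that the Windows API cannot see but the raw hive contains is the one item worth a closer look. The "low" bucket is still worth rescanning with the browser closed, so that a later run with no cache churn shows only real discrepancies.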
 