|
|
|
Keskustelualueet
Keskustelualueet
|
|
|
F-securen mukaan koneessa yli 8000 virusta. Auttaisko joku?
|
|
|
fixeri
Member
|
14. marraskuuta 2006 @ 13:02 |
Linkki tähän viestiin
|
Fixaa hjt:llä nuo rivit:
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\11.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\11.bin\MWSBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - \UCMTSAIE.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{383B1303-09E5-1035-0128-030308190166}\MyToolBar.dll
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\tcnoki.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [MS] adwareremover.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\11.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [piletrustpinglite] C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Show log.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e57.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e57.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e57.exe
O4 - HKLM\..\Run: [Error Safe] C:\Program Files\Error Safe Free\ers.exe /scan
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [windows] c:\\windows_e57.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [MS] adwareremover.exe
O4 - HKCU\..\Run: [third 4] C:\DOCUME~1\SUSANN~1\APPLIC~1\SAVEBI~1\proxy sect.exe
O4 - HKCU\..\Run: [JewelQuestSetup.exe] C:\DOCUME~1\SUSANN~1\TYPYT~1\JEWELQ~1.EXE \r
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\RunServices: [MS] adwareremover.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...html?p=ZNfox000
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/p...133352D2D2D.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
Vikasietotilassa piilotiedostot näkyviin ja poista nuo kansiot:
C:\Program Files\---->Deskbar<----
C:\Program Files\---->DeluxeCommunications<----
C:\WINDOWS\---->DOWNLO~1<----
C:\Program Files\---->MyWebSearch<----
C:\Program Files\---->MyGlobalSearch<----
C:\Program Files\---->TheSearchAccelerator<----
Poista lisää/poista sovelluksesta Error safe.
Sit combofix:
1. Lataa combofix.exe tiedosto työpöydällesi: http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.
Lähetä combofix logi, ja uus HjT logi.
Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 14. marraskuuta 2006 @ 13:11
|
AfterDawn Addict
|
14. marraskuuta 2006 @ 13:12 |
Linkki tähän viestiin
|
Ei HjT-lokeja tms. yksityisviestillä!
|
|
chili80
Junior Member
|
14. marraskuuta 2006 @ 15:12 |
Linkki tähän viestiin
|
kesti vähän, kun piti hoitaa pari asiaa. tässä on nyt combofixin muistio.Aika pitkä pätkä. mitäs nyt teen?
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Susanna Koskinen\Ty?p?yt?"
((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}]
@=""
[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}\InprocServer32]
@="C:\\WINDOWS\\system32\\beotvid.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}]
@=""
[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}\InprocServer32]
@="C:\\WINDOWS\\system32\\puustab.dll"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
FILES REMOVED:
C:\WINDOWS\system32\aza6l9fs1.dll
C:\WINDOWS\system32\beotvid.dll
C:\WINDOWS\system32\d8j02i1mg8.dll
C:\WINDOWS\system32\dnj4011qe.dll
C:\WINDOWS\system32\e2jm0c11ef.dll
C:\WINDOWS\system32\en0ol1d31.dll
C:\WINDOWS\system32\en6ul1j91.dll
C:\WINDOWS\system32\enlol1331.dll
C:\WINDOWS\system32\enlsl1371.dll
C:\WINDOWS\system32\enlul1391.dll
C:\WINDOWS\system32\f2l02c3mgf.dll
C:\WINDOWS\system32\f82m0if1e82.dll
C:\WINDOWS\system32\f8l02i3mg8.dll
C:\WINDOWS\system32\fp0q03d5e.dll
C:\WINDOWS\system32\fp8m03l1e.dll
C:\WINDOWS\system32\g8040idqe80e0.dll
C:\WINDOWS\system32\g804lidq180e.dll
C:\WINDOWS\system32\g8jo0i13e8.dll
C:\WINDOWS\system32\gp4sl3h71.dll
C:\WINDOWS\system32\h00q0ad5ed0.dll
C:\WINDOWS\system32\h44mleh11h4.dll
C:\WINDOWS\system32\hr0205doe.dll
C:\WINDOWS\system32\hr4805hue.dll
C:\WINDOWS\system32\hrnm0551e.dll
C:\WINDOWS\system32\i4240efqeh2e0.dll
C:\WINDOWS\system32\i442leho1h4c.dll
C:\WINDOWS\system32\ir2ml5f11.dll
C:\WINDOWS\system32\ir82l5lo1.dll
C:\WINDOWS\system32\j06m0aj1edo.dll
C:\WINDOWS\system32\j2j6lc1s1f.dll
C:\WINDOWS\system32\j6p00g7me6.dll
C:\WINDOWS\system32\jr0025dmg.dll
C:\WINDOWS\system32\jt6q07j5e.dll
C:\WINDOWS\system32\jtj0071me.dll
C:\WINDOWS\system32\jtjq0715e.dll
C:\WINDOWS\system32\k0440ahqed4e0.dll
C:\WINDOWS\system32\kt0sl7d71.dll
C:\WINDOWS\system32\ktlsl7371.dll
C:\WINDOWS\system32\ktnul7591.dll
C:\WINDOWS\system32\lt4027hmg.dll
C:\WINDOWS\system32\lv8609lse.dll
C:\WINDOWS\system32\m6po0g73e6.dll
C:\WINDOWS\system32\m8po0i73e8.dll
C:\WINDOWS\system32\mv26l9fs1.dll
C:\WINDOWS\system32\mv84l9lq1.dll
C:\WINDOWS\system32\n42ulef91h2.dll
C:\WINDOWS\system32\n8r20i9oe8.dll
C:\WINDOWS\system32\nvtui2.dll
C:\WINDOWS\system32\o6660gjse6o60.dll
C:\WINDOWS\system32\p48qlel51hq.dll
C:\WINDOWS\system32\puustab.dll
C:\WINDOWS\system32\q268lcju1fo8.dll
C:\WINDOWS\system32\r0r6la9s1d.dll
C:\WINDOWS\system32\r26ulcj91fo.dll
C:\WINDOWS\system32\r48slel71hq.dll
C:\WINDOWS\system32\s2880cluefq80.dll
C:\WINDOWS\system32\scpblb.dll
C:\WINDOWS\system32\t4r80e9ueh.dll
C:\WINDOWS\system32\wobvw.dll
Granting sedebugprivilege to Järjestelmänvalvojat ... successful
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Susanna Koskinen\Application Data\Dxcknwrd.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\system32\dxclib303562752.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drsmartload1135a.exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\teller2.chk
C:\dfndrff_e18.exe
C:\dfndrff_e19.exe
C:\dfndrff_e20.exe
C:\dfndrff_e21.exe
C:\dfndrff_e22.exe
C:\dfndrff_e23.exe
C:\dfndrff_e24.exe
C:\dfndrff_e25.exe
C:\dfndrff_e26.exe
C:\dfndrff_e27.exe
C:\dfndrff_e28.exe
C:\dfndrff_e30.exe
C:\dfndrff_e31.exe
C:\dfndrff_e32.exe
C:\dfndrff_e33.exe
C:\dfndrff_e34.exe
C:\dfndrff_e35.exe
C:\dfndrff_e38.exe
C:\dfndrff_e41.exe
C:\dfndrff_e42.exe
C:\dfndrff_e43.exe
C:\dfndrff_e44a.exe
C:\dfndrff_e45.exe
C:\dfndrff_e46a.exe
C:\dfndrff_e47.exe
C:\dfndrff_e48.exe
C:\dfndrff_e49.exe
C:\dfndrff_e51.exe
C:\dfndrff_e52.exe
C:\dfndrff_e53.exe
C:\dfndrff_e54.exe
C:\dfndrff_e56.exe
C:\dfndrff_e57.exe
C:\drsmartload.exe
C:\drsmartload1.exe
C:\drsmartload45a45a45o.exe
C:\drsmartload45a45a45p.exe
C:\drsmartload45a45a45q.exe
C:\drsmartload45a45a45s.exe
C:\drsmartload45a45a45t.exe
C:\deskbar.exe
C:\deskbar_e18.exe
C:\deskbar_e19.exe
C:\deskbar_e20.exe
C:\deskbar_e21.exe
C:\deskbar_e25.exe
C:\deskbar_e26.exe
C:\deskbar_e28.exe
C:\deskbar_e29.exe
C:\deskbar_e31.exe
C:\deskbar_e34.exe
C:\deskbar_e37.exe
C:\deskbar_e41.exe
C:\deskbar_e42.exe
C:\deskbar_e44.exe
C:\deskbar_e45.exe
C:\deskbar_e46.exe
C:\deskbar_e47.exe
C:\deskbar_e48.exe
C:\deskbar_e49.exe
C:\deskbar_e51.exe
C:\deskbar_e52.exe
C:\deskbar_e53.exe
C:\deskbar_e55.exe
C:\kybrdff_e18.exe
C:\kybrdff_e19.exe
C:\kybrdff_e20.exe
C:\kybrdff_e21.exe
C:\kybrdff_e22.exe
C:\kybrdff_e23.exe
C:\kybrdff_e24.exe
C:\kybrdff_e26.exe
C:\kybrdff_e27.exe
C:\kybrdff_e28.exe
C:\kybrdff_e30.exe
C:\kybrdff_e31.exe
C:\kybrdff_e32.exe
C:\kybrdff_e33.exe
C:\kybrdff_e34.exe
C:\kybrdff_e35.exe
C:\kybrdff_e38.exe
C:\kybrdff_e41.exe
C:\kybrdff_e42.exe
C:\kybrdff_e43.exe
C:\kybrdff_e44.exe
C:\kybrdff_e45.exe
C:\kybrdff_e46.exe
C:\kybrdff_e47.exe
C:\kybrdff_e48.exe
C:\kybrdff_e49.exe
C:\kybrdff_e51.exe
C:\kybrdff_e52.exe
C:\kybrdff_e53.exe
C:\kybrdff_e54.exe
C:\kybrdff_e56.exe
C:\kybrdff_e57.exe
C:\MTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNg12112006.exe
C:\MTE3NDI6ODoxNg14112006.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\MTE3NDI6ODoxNgV2.exe
C:\nwnmff_e19.exe
C:\nwnmff_e20.exe
C:\nwnmff_e21.exe
C:\nwnmff_e22.exe
C:\nwnmff_e23.exe
C:\nwnmff_e24.exe
C:\nwnmff_e25.exe
C:\nwnmff_e26.exe
C:\nwnmff_e27.exe
C:\nwnmff_e28.exe
C:\nwnmff_e30.exe
C:\nwnmff_e32.exe
C:\nwnmff_e33.exe
C:\nwnmff_e34.exe
C:\nwnmff_e35.exe
C:\nwnmff_e38.exe
C:\nwnmff_e41.exe
C:\nwnmff_e43.exe
C:\nwnmff_e44.exe
C:\nwnmff_e45.exe
C:\nwnmff_e46.exe
C:\nwnmff_e47.exe
C:\nwnmff_e49.exe
C:\nwnmff_e51.exe
C:\nwnmff_e52.exe
C:\nwnmff_e53.exe
C:\nwnmff_e54.exe
C:\nwnmff_e56.exe
C:\nwnmff_e57.exe
C:\warebundlenewer.exe
C:\ac3_0010.exe
C:\mte3ndi6odoxng.exe
C:\RDFX4.exe
C:\ucmoreiex.exe
C:\Installer4.exe
C:\Installer5.exe
C:\Program Files\CONEXANT\nico.html
C:\dollarrev.exe
C:\windows.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\TheSearchAccelerator
C:\Program Files\Common Files\{383B1303-09E5-1035-0128-030308190166}
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\Program Files\PrintView
C:\Program Files\Common Files\{783B1303-09E5-1035-0128-030308190166}
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg
((((((((((((((((((((((((((((((( Files Created from 2006-10-14 to 2006-11-14 ))))))))))))))))))))))))))))))))))
2006-11-14 12:46 446,464 --a------ C:\windows_e57.exe
2006-11-14 12:45 32,768 --a------ C:\mc44a57.exe
2006-11-14 07:14 6,687 --a------ C:\WINDOWS\system32\ldcore.dll
2006-11-14 07:14 446,464 --a------ C:\windows_e56.exe
2006-11-14 07:13 32,768 --a------ C:\mc44a56.exe
2006-11-11 10:39 20,480 --a------ C:\mc44a54.exe
2006-11-10 15:36 69,632 --a------ C:\WINDOWS\system32\srshost.exe
2006-11-10 15:36 48,128 --a------ C:\WINDOWS\system32\srshostu.exe
2006-11-10 15:36 179,200 --a------ C:\WINDOWS\system32\winl0gon.exe
2006-11-10 00:03 434,176 --a------ C:\windows_e53.exe
2006-11-10 00:02 20,480 --a------ C:\mc44a53.exe
2006-11-09 12:57 430,080 --a------ C:\windows_e52.exe
2006-11-09 12:55 24,576 --a------ C:\mc44a52.exe
2006-11-07 18:36 442,368 --a------ C:\windows_e51.exe
2006-11-07 18:35 24,576 --a------ C:\mc44a51.exe
2006-11-06 11:57 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-06 00:01 28,672 --a------ C:\mc44a49.exe
2006-11-04 00:01 28,672 --a------ C:\mc44a47.exe
2006-11-03 21:45 100,028 --a------ C:\autoexes.exe
2006-11-03 00:01 28,672 --a------ C:\mc44a46.exe
2006-11-02 00:03 143,360 --a------ C:\yz02.exe
2006-11-02 00:03 110,592 --a------ C:\WINDOWS\v1201.exe
2006-11-02 00:00 24,576 --a------ C:\mc44a45.exe
2006-11-01 00:01 24,576 --a------ C:\mc44a44.exe
2006-10-31 00:02 24,576 --a------ C:\mc44a43.exe
2006-10-30 00:04 24,576 --a------ C:\mc44a42.exe
2006-10-28 15:12 24,576 --a------ C:\mc44a41.exe
2006-10-27 06:03 16,384 --a------ C:\mc44a38.exe
2006-10-23 23:05 16,384 --a------ C:\mc44a35.exe
2006-10-22 20:51 20,480 --a------ C:\mc44a34.exe
2006-10-18 23:02 24,576 --a------ C:\mc44a3.exe
2006-10-17 23:01 24,576 --a------ C:\mc44a2.exe
2006-10-16 04:37 50,912 --a------ C:\WINDOWS\iconu.exe
2006-10-16 02:19 24,296 --a------ C:\WINDOWS\icont.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-14 18:20 -------- d-------- C:\Program Files\Common Files
2006-11-14 18:09 -------- d-------- C:\Program Files\CONEXANT
2006-11-14 17:42 -------- d-------- C:\Documents and Settings\Susanna Koskinen\Application Data\Starware
2006-11-08 20:10 -------- d-------- C:\Program Files\Error Safe Free
2006-11-06 11:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-05 03:40 -------- d-------- C:\Program Files\Windows NT
2006-11-02 00:03 517 --a------ C:\Program Files\Common Files\niwy
2006-10-23 01:22 -------- d-------- C:\Program Files\DeluxeCommunications
2006-10-13 23:01 96768 --------- C:\WINDOWS\system32\dxclib303562752.dll
2006-10-13 23:00 32768 --a------ C:\DXC9.exe
2006-10-12 15:35 69165 --a------ C:\pp4ico.exe
2006-10-08 08:04 1233 --a------ C:\WINDOWS\system32\zrx20540.sys
2006-10-05 13:32 -------- d-------- C:\Program Files\MSN Messenger
2006-10-01 18:34 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 18:30 -------- d-------- C:\Program Files\ArcSoft
2006-10-01 18:28 -------- d-------- C:\Program Files\Morgan
2006-10-01 18:26 -------- d-------- C:\Program Files\Yahoo!
2006-10-01 18:11 176640 --a------ C:\WINDOWS\system32\Yinstall.exe
2006-10-01 18:11 138862 --a------ C:\WINDOWS\system32\mny.exe
2006-10-01 18:10 20480 --a------ C:\WINDOWS\system32\a.exe
2006-09-30 12:41 61952 --a------ C:\WINDOWS\system32\zrx20540.dll
2006-09-24 20:37 -------- d-------- C:\Program Files\Java
2006-09-20 19:42 -------- d---s---- C:\Documents and Settings\Susanna Koskinen\Application Data\Microsoft
2006-09-13 07:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 17:49 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 15:00 11749 --------- C:\WINDOWS\_000007_.tmp.dll
2006-08-21 14:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 13:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"MS"="adwareremover.exe"
"third 4"="C:\\DOCUME~1\\SUSANN~1\\APPLIC~1\\SAVEBI~1\\proxy sect.exe"
"JewelQuestSetup.exe"="C:\\DOCUME~1\\SUSANN~1\\TYPYT~1\\JEWELQ~1.EXE /r"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\11.bin\\mwsoemon.exe"
"Error Safe"="\"C:\\Program Files\\Error Safe Free\\ers.exe\" /min"
"srshost.exe"="C:\\WINDOWS\\system32\\srshost.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"MS"="adwareremover.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"Wizard"=hex(2):00
"SoundMan"="SOUNDMAN.EXE"
"MPTBox"="C:\\PROGRA~1\\Canon\\MULTIP~1\\MPTBox.exe"
"Cryptographic Service"="C:\\WINDOWS\\System32\\tcnoki.exe"
"F-Secure Manager"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"SearchUpgrader"="C:\\Program Files\\Common files\\SearchUpgrader\\SearchUpgrader.exe"
"F-Secure Startup Wizard"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\FSSW.EXE\" /reboot"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"MS"="adwareremover.exe"
"FireWire Service"="nvscv32.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\11.bin\\mwsoemon.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"News Service"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\ispnews.exe\""
"VVSN"="C:\\Program Files\\VVSN\\VVSN.exe"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"My Web Search Bar"="rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\11.bin\\MWSBAR.DLL,S"
"piletrustpinglite"="C:\\Documents and Settings\\All Users\\Application Data\\MFCD PLUS PILE TRUST\\Show log.exe"
"ExtraFilmHemmaAgent"="\"C:\\Program Files\\ExtraFilm Kotona\\Agent.exe\""
"zrx20540"="RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3"
"Error Safe"="C:\\Program Files\\Error Safe Free\\ers.exe /scan"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"windows"="c:\\\\windows_e57.exe"
"Microsoft Windows System"="syshost.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MS"="adwareremover.exe"
"FireWire Service"="nvscv32.exe"
"Microsoft Windows System"="syshost.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\qufyturu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\CONEXANT\\nico.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvCplScan"="nvsc32.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"NvCplScan"=""
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvCplScan"="nvsc32.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"NvCplScan"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A747984B9188134B.job
C:\WINDOWS\tasks\Scheduled scanning task.job
Completion time: 06-11-14 18:21:48.75
C:\ComboFix.txt ... 06-11-14 18:21
|
|
Marku2
Senior Member
|
14. marraskuuta 2006 @ 15:20 |
Linkki tähän viestiin
|
Lähetä uusi HjT-loki, jotta voin antaa puhdistus ohjeet :)
|
|
chili80
Junior Member
|
14. marraskuuta 2006 @ 15:39 |
Linkki tähän viestiin
|
fiksasin noi fixerin antamat rivit ja nyt HjT-logi on tällainen:
Logfile of HijackThis v1.99.1
Scan saved at 20:36:52, on 14.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\windows_e57.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\dollarrev.exe
c:\nwnmff_e57.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
c:\degoqatr.exe
C:\WINDOWS\system32\msasvc.exe
c:\windows\lsass.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Susanna Koskinen\Työpöytä\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1I...pSV3CD9UsG2Ig==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1I...gA+HKxlX3Nblrs=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [zrx20540] RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [System] c:\windows\lsass.exe
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WINCBR.0XE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/...eInstall_fi.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
|
|
chili80
Junior Member
|
14. marraskuuta 2006 @ 15:43 |
Linkki tähän viestiin
|
|
[quote=fixeri]
Vikasietotilassa piilotiedostot näkyviin ja poista nuo kansiot:
C:\Program Files\---->Deskbar<----
C:\Program Files\---->DeluxeCommunications<----
C:\WINDOWS\---->DOWNLO~1<----
C:\Program Files\---->MyWebSearch<----
C:\Program Files\---->MyGlobalSearch<----
C:\Program Files\---->TheSearchAccelerator<----
Poista lisää/poista sovelluksesta Error safe.
Hmm.. joskus oon jotai joutunu tekemään vikasietotilassa, mutta en nyt muista miten sinne pääsee..? kertoisko joku? ja miten saan piilotiedostot näkyviin? oon ihan pihalla ;)
|
|
Marku2
Senior Member
|
14. marraskuuta 2006 @ 16:18 |
Linkki tähän viestiin
|
Jatka tämän ohjeen mukaan:
Lataa
SDFix by AndyManchesta ja tallenna se työpöydällesi.
Käynnistä koneesi vikasietotilaan ja valitse tavallinen käyttäjätilisi:[list][*]Käynnistä tietokone
[*]Kun kuulet koneen piippaavan, paina F8, kuitenkin ennen Windowsin logon esiintuloa
[*]Seuraavaksi pitäisi ilmestyä valikko
[*]Valitse valikosta vikasietotila.
[/list][list]
[*] Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio) työpöydällesi. Työpöydälle pitäisi ilmestyä kansio nimeltä SDFix.
[*] Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman.
[*] Paina Y käynnistääksesi skriptin.
[*] Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, " Press any key to Reboot".
[*] Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen.
[*] Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta.
[*] Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, " Finished".
[*] Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle.
[*] Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis lokin kera.
[/list]
Fixaa HjT:llä (Do a system scan only, merkkaa ja paina fix checked)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1I...pSV3CD9UsG2Ig==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1I...gA+HKxlX3Nblrs=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [zrx20540] RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [System] c:\windows\lsass.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/...eInstall_fi.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
1. Lataa The Avenger (c) työpöydällesi.[list]
[*]Klikkaa Avenger.zip filua avataksesi sen.
[*]Pura Avenger.exe työpöydällesi.
[/list]
2. Kopioi kaikki teksti mustalla lainausboksissa alapuolella tyhjälle muistiolle:
Lainaus:
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Files to delete:
C:\WINDOWS\system32\dxclib303562752.dll
C:\WINDOWS\system32\durvilx.dll
C:\windows\lsass.exe
C:\WINDOWS\system32\msasvc.exe
C:\windows_e57.exe
C:\dollarrev.exe
C:\nwnmff_e57.exe
C:\degoqatr.exe
Folders to delete:
C:\Program Files\DeluxeCommunications
C:\Program Files\Starware
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg
C:\Program Files\Network Monitor
C:\Program Files\Deskbar
C:\Program Files\MyWebSearch
C:\Program Files\MyGlobalSearch
C:\Program Files\TheSearchAccelerator
[color=#CC0000]Huomaa: yläpuolella oleva skripti on luotu erityisesti tälle käyttäjälle. Jos et ole tämä henkilö, ÄLÄ seuraa näitä ohjeita koska ne voisivat pilata koneesi toimintoja.[/color]
3. Nyt, aukaise The Avenger tupla-klikkaamalla sen kuvaketta pöydälläsi.[list]
[*]" Script file to execute" alapuolelta valitse " Input Script Manually".
[*]Nyt klikkaa suurennuslasin kuvaa joka avaa uuden ikkunan nimeltä " View/edit script".
[*] Liitä se teksti jonka kopioit muistioon, tähän ikkunaan.
[*] Klikkaa Done.
[*] Nyt klikkaa [color=#009900]vihreää valoa[/color] aloittaaksesi skriptin.
[*] Klikkaa " Yes" kun tulee kaksi varoitusboksia.
[/list]
Avenger tekee automaattisesti seuraavat:[list]
[*] Käynnistää koneesi. (Tapauksissa joissa skripti sisältää " Drivers to Unload" -komennon, Avenger käynnistää koneesi kaksi kertaa.)
[*] Käynnistyksen yhteydessä, se lyhyesti avaa mustan komentoikkunan työpöydällesi, tämä on normaalia.
[*] Käynnistyksen jälkeen, se luo lokitiedoston jonka pitäisi aueta Avengerin tekojen tuloksena. Tämän lokin tiedostopolku on C:\avenger.txt
[*] Avenger on myös tehnyt varmuuskopion kaikista tiedostoista jne.. jotka pyysit sen poistaa, ja on pakannut ja siirtänyt ne zip filuihin polussa C:\avenger\backup.zip.
[/list]
5. Kopioi ja liitä kaikki sisältö tiedostosta avenger.txt vastaukseesi tuoreen HjT lokin mukana.
Hae AVG Anti-Spyware -> http://aaxxeell.googlepages.com/ewido4
Päivitä, Scannaa, Poista löydöt ja tallenna raportti.
Lähetä uusi HjT-loki, Report.txt, C:\avenger.txt ja AVG:n raportti.
Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 14. marraskuuta 2006 @ 16:21
|
|
chili80
Junior Member
|
14. marraskuuta 2006 @ 16:26 |
Linkki tähän viestiin
|
|
Ehtisin jo tulla siskon luota kotiin, mutta menen huomenna tekemään noitten ohjeitten mukaan. Huomasin juuri, että välissä oli kemistiltäkin tullut joitakin ohjeita. Noudatanko niitä sitten ensin vai vaan viimeisiä ohjeita? :D Onpas tää nyt hankalaa.
|
|
esakom
Member
2 tuotearviota
|
14. marraskuuta 2006 @ 17:22 |
Linkki tähän viestiin
|
|
No itse kyllä ainakin kokeilisin sitä recovery-cd:tä... (Varmuuskopiothan on otettu?)
|
|
chili80
Junior Member
|
14. marraskuuta 2006 @ 17:46 |
Linkki tähän viestiin
|
|
Miksi sitä nyt enää kokeilisin, kun jo on jotain tehty ja en tie, mut ainaki kone nyt paljon vakaampi kuin ennen. Luotan, että muutki pöpöt lähtee pois.
Niin en ymmärrä tota f-securea, kun sen uusimmat päivitykset on tullu tänään, mutta sit ei kuitenkaa mukamas toimi?
|
|
fixeri
Member
|
14. marraskuuta 2006 @ 18:07 |
Linkki tähän viestiin
|
|
Ei kannata enää ruveta formatoimaan konetta kun on alkuun päästy noiden örkkien poistamisessa.
Seuraa vaan nyt tuota Marku2 ohjetta, ja lisää ohjeita tulee, kyllä nuo pöpöt pois saadaan tuolta.
|
|
esakom
Member
2 tuotearviota
|
15. marraskuuta 2006 @ 04:05 |
Linkki tähän viestiin
|
Lainaus, alkuperäisen viestin kirjoitti chili80:
Miksi sitä nyt enää kokeilisin, kun jo on jotain tehty ja en tie, mut ainaki kone nyt paljon vakaampi kuin ennen. Luotan, että muutki pöpöt lähtee pois.
No hyvä että alkaa auttaa, joo ei sitä formattia enää kannata, kun on jo ties miten monta tuntia tuohon uhrattu... Itse olen joskus vastaaviin puhdistusoperaatioihin joutunut, ja todennut että täysi tyhjennys ja ohjelmien uusiksi asennus on vienyt vähemmän aikaa (pari tuntia) kuin winukan pöpö-siivous (pahimmillaan pari päivää)
Lainaus, alkuperäisen viestin kirjoitti chili80:
Niin en ymmärrä tota f-securea, kun sen uusimmat päivitykset on tullu tänään, mutta sit ei kuitenkaa mukamas toimi?
Tuohonkin on aiemmin törmätty... F-Securessa f tarkoittaa "fucked up".
Suosittelen kokeilemaan vaikka AVG:tä: http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5
Niin ja palomuuriksi sitten vaikka zone-alarm...
Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 15. marraskuuta 2006 @ 04:09
|
AfterDawn Addict
|
15. marraskuuta 2006 @ 04:47 |
Linkki tähän viestiin
|
|
@esakom: Koneen putsaus harvemmin vie paria päivää, jos tunnistaa infektiot, jotka vaativat erikoisfixiä... Muutamassa tunnissa onnistuu, jollei nyt satu olemaan joitain v***umaisia rootkittejä mukana.
Ei HjT-lokeja tms. yksityisviestillä!
|
|
chili80
Junior Member
|
15. marraskuuta 2006 @ 08:40 |
Linkki tähän viestiin
|
tässä on sdfixin raportti, (Avengerin raportti hävisi kokonaan, kun jouduin käynnistämään koneen uudelleen ja en älynnyt tallentaa sitä. Löytyisköhän jostakin?) Skannaan juuri avg:llä konetta. on kestänyt jo tunnin. laitan kohta sen tulokset ja uuden HjT-login.
SDFix: Version 1.38
-------------------
Scan run on:
ke 15.11.2006
Time:
11:05
Microsoft Windows XP [versio 5.1.2600]
Running from: C:\Documents and Settings\Susanna Koskinen\Ty?p?yt?\SDFix\SDFix
Stage One...
Checking Services...
Name:
-----
MsaSvc
Path:
----
C:\WINDOWS\system32\msasvc.exe
MsaSvc Deleted...
Repairing Registry...
Killing PID 272 'lsass.exe'
Killing PID 272 'lsass.exe'
Restoring Default Hosts File...
Stage One Complete
Rebooting...
Stage Two...
Checking For Malware:
--------------------
C:\FASTBOOT.EXE
C:\MC44A2.EXE
C:\MC44A3.EXE
C:\MC44A34.EXE
C:\MC44A35.EXE
C:\MC44A38.EXE
C:\MC44A41.EXE
C:\MC44A42.EXE
C:\MC44A43.EXE
C:\MC44A44.EXE
C:\MC44A45.EXE
C:\MC44A46.EXE
C:\MC44A47.EXE
C:\MC44A49.EXE
C:\MC44A51.EXE
C:\MC44A52.EXE
C:\MC44A53.EXE
C:\MC44A54.EXE
C:\MC44A56.EXE
C:\MC44A57.EXE
C:\WINDOWS\TEMP\STDRUN1.EXE
C:\WINDOWS\TEMP\STDRUN2.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\STDRUN1.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN1.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN2.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN3.EXE
C:\WINDOWS\Prefetch\DRSMARTLOAD.EXE-113D05CC.pf
C:\uniq
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\durvil1.dll
C:\WINDOWS\system32\durvil1.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\srshostu.exe
C:\WINDOWS\system32\syshost.exe
Backing Up and Removing any Files Found...
Final Check:
Services:
---------
Files:
------
Any files removed are saved to the SDFix\backups Folder
FINISHED
|
|
chili80
Junior Member
|
15. marraskuuta 2006 @ 09:24 |
Linkki tähän viestiin
|
oisko tää se avengerin raportti? (AVG skannaa edelleen.. jo yli 1,5h mennyt... kestää!)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nonqhbbd
*******************
Script file located at: \??\C:\WINDOWS\system32\ddkysdtm.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\dxclib303562752.dll deleted successfully.
File C:\WINDOWS\system32\durvilx.dll not found!
Deletion of file C:\WINDOWS\system32\durvilx.dll failed!
Could not process line:
C:\WINDOWS\system32\durvilx.dll
Status: 0xc0000034
File C:\windows\lsass.exe not found!
Deletion of file C:\windows\lsass.exe failed!
Could not process line:
C:\windows\lsass.exe
Status: 0xc0000034
File C:\WINDOWS\system32\msasvc.exe not found!
Deletion of file C:\WINDOWS\system32\msasvc.exe failed!
Could not process line:
C:\WINDOWS\system32\msasvc.exe
Status: 0xc0000034
File C:\windows_e57.exe deleted successfully.
File C:\dollarrev.exe deleted successfully.
File C:\nwnmff_e57.exe deleted successfully.
File C:\degoqatr.exe deleted successfully.
Folder C:\Program Files\DeluxeCommunications deleted successfully.
Folder C:\Program Files\Starware deleted successfully.
Folder C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg deleted successfully.
Folder C:\Program Files\Network Monitor deleted successfully.
Folder C:\Program Files\Deskbar not found!
Deletion of folder C:\Program Files\Deskbar failed!
Could not process line:
C:\Program Files\Deskbar
Status: 0xc0000034
Folder C:\Program Files\MyWebSearch deleted successfully.
Folder C:\Program Files\MyGlobalSearch deleted successfully.
Folder C:\Program Files\TheSearchAccelerator not found!
Deletion of folder C:\Program Files\TheSearchAccelerator failed!
Could not process line:
C:\Program Files\TheSearchAccelerator
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.
|
|
chili80
Junior Member
|
15. marraskuuta 2006 @ 09:43 |
Linkki tähän viestiin
|
tässä on uusi HjT-logi (nyt mulla on ongelmana, etten saa avg:n raporttia tänne.. mut kai mä sen kohta keksin..). Miten on, kun yritin ladata zonealarmia tähän koneeseen, muttei suostunut lataamaan f-securen takia? mitä teen? ku f-securen palomuuri ei kuitenkaan nyt toimi.
Logfile of HijackThis v1.99.1
Scan saved at 14:41:34, on 15.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Susanna Koskinen\Työpöytä\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe (file missing)
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
|
|
chili80
Junior Member
|
15. marraskuuta 2006 @ 09:58 |
Linkki tähän viestiin
|
|
hah, löysinpäs sen :D eli tässä on avg:n raportti: Olisko joku niin kiltti, et kertois, mitä sitten teen? tosin nyt meen kyl välil syömään :D
General Susanna Koskinen Complete Test ended. Found 118 infected files.
Virus Susanna Koskinen C:\DOCUME~1\SUSANN~1\APPLIC~1\SAVEBI~1\proxy sect.exe was cleaned.
Virus Susanna Koskinen C:\dacmi.exe was cleaned.
Virus Susanna Koskinen C:\gwxelccp.exe was cleaned.
Virus Susanna Koskinen C:\MTE3NDI6ODoxNg14112006.exe was cleaned.
Virus Susanna Koskinen C:\oysb.exe was cleaned.
Virus Susanna Koskinen C:\rapqy.exe was cleaned.
Virus Susanna Koskinen C:\windows_e51.exe was cleaned.
Virus Susanna Koskinen C:\windows_e56.exe was cleaned.
Virus Susanna Koskinen C:\avenger\backup.zip was inserted into virus vault.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Army Readme.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\bike four.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Cast flaw.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\LicenseDog.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\multi store.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\PureWeb.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Show log.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Thismath.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\WINCBR.0XE was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\453DN3AE\eztzfplv[1].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C1WOGZCS\ykwitm[1].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C1WOGZCS\zvthabxhai[1].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPWIJECS\ytrhnxxhw[1].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NCPZ9V5R\deucmjscr[1].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NCPZ9V5R\rjhxtvg[1].txt was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\~ds39990.tmp was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\0LUVWXIF\ykwitm[1].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\0LUVWXIF\zvthabxhai[2].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\CB4HWXQD\deucmjscr[2].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\KL89UP89\rjhxtvg[1].txt was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\KL89UP89\ytrhnxxhw[2].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\YHSPA8W2\eztzfplv[2].htm was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\a.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\cs.0cr was inserted into virus vault.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\CS3.0CR was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\drsmartload1135a.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\1 Beep\Gplcdrom.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\acid amok program.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\btjzxcfz.0xe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\calklswl.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\eojcstey.0xe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\grsrazka.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\ilxmadix.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\kecvtuyh.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\mp3 find build 64.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\proxy sect.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\qkipekcz.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\qtvnhpyh.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\rokjnxdg.0xe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\tdipydvc.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\trkhaocs.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\twzbjclg.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\utxevgno.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace\wzfsetzw.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Local Settings\Temp\counter.exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Local Settings\Temp\Temporary Internet Files\Content.IE5\IAK6DZLJ\vv44[1].exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Local Settings\Temporary Internet Files\Content.IE5\WL638L67\wallpap[1].exe was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Työpöytä\ERRORSAFEFREEINSTALL_FI.0XE was cleaned.
Virus Susanna Koskinen C:\Documents and Settings\Susanna Koskinen\Työpöytä\SDFix\SDFix\backups\backups.zip was inserted into virus vault.
Virus Susanna Koskinen C:\My Downloads\++++++++ taivaassa tavanneet 45\setup.exe was cleaned.
Virus Susanna Koskinen C:\My Downloads\- TiGhT - tomi metsäketo\YSB_toolBar.exe was cleaned.
Virus Susanna Koskinen C:\Program Files\Adware\f.0xe was cleaned.
Virus Susanna Koskinen C:\Program Files\Adware\link.0xe was cleaned.
Virus Susanna Koskinen C:\Program Files\C2Media\Setup.0xe was cleaned.
Virus Susanna Koskinen C:\Program Files\Common Files\niwy.dll was cleaned.
Virus Susanna Koskinen C:\Program Files\Common Files\spsebmsl\sodaeootcl\abaquacqo.exe was cleaned.
Virus Susanna Koskinen C:\Program Files\Common Files\spsebmsl\unracben\ndabubau.exe was cleaned.
Virus Susanna Koskinen C:\Program Files\Mozilla Firefox\drsmartload1135a.exe was cleaned.
Virus Susanna Koskinen C:\Program Files\Mozilla Firefox\mt-uninstaller.exe was cleaned.
Virus Susanna Koskinen C:\Program Files\MSN\MSN.0XE was cleaned.
Virus Susanna Koskinen C:\Program Files\MSN\windows.0xe was cleaned.
Virus Susanna Koskinen C:\Program Files\MSN Messenger\MSNMSGR.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\drsx.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\drx.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\drxx.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\RATE.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\REML.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\REMS.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\tool.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\toosl.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\browserxtras\pn\remove.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\a.exe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\ADWAREREMOVER.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\ftpupd.0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\ldcore.dll was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\NVSCV32.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\TCNOKI.0XE was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\W5C041D3.0LL was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\winl0gon.exe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\zrx20540.dll was cleaned.
Virus Susanna Koskinen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0T2R41QF\x[1].0xe was cleaned.
Virus Susanna Koskinen C:\WINDOWS\Temp\~ds39990.tmp was cleaned.
|
|
Marku2
Senior Member
|
15. marraskuuta 2006 @ 11:25 |
Linkki tähän viestiin
|
Teit kaikki oikein, mutta jatketaan puhdistusta :)
Lataa Atribunen ATF Cleaner
Ohjeet;
Tupla-klikkaa ATF-Cleaner.exe käynnistääksesi ohjelman.Main:n alla valitse: Select All
Klikkaa Empty Selected valintaa.
Jos käytät FireFoxia selaimenasi Klikkaa Firefox yläpuolelta ja valitse: Select All
Klikkaa Empty Selected valintaa.
HUOMIO: Jos haluaisit pitää tallennetut salasanasi, klikkaa No kun se sitä kysyy.
Jos käytät Operaa selaimenasi Klikkaa Opera yläpuolelta ja valitse: Select All
Klikkaa Empty Selected valintaa taas.
HUOMIO: Jos haluaisit pitää tallennetut salasanasi, klikkaa No kun se sitä kysyy.
Klikkaa Exit päävalikosta sulkeaksesi ohjelman.
Teknistä tukea tulee jos tupla-klikkaat sähköpostiosoitetta joka sijaitsee jokaisen menun alapuolella kyseisessä työkalussa. (Huomatkaa että se tuki on sitten englanniksi)
Lataa CCleaner -> http://www.download.fi/tyopoytaohjelmat/...to/ccleaner.cfm
Aja CCleaner näiden ohjeiden mukaan. (poista turhat tiedostot ja korjaa rekisteri virheet)
Siirrä HijackThis.exe omaan kansioon -> C:\hjt\
Fixaa nämä:
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe (file missing)
Laita piilotiedostot näkyviin -> Ohje!
Käynnistä kone vikasieotilaan -> Ohje!
Käytä hakua (käynnistä->etsi)
Paina "lisävaihtoehdot"
Merkkaa kolme ylintä.
Etsi tämä ja poista se: nvscv32.exe
Käynnistä kone normaalitilaan!
Poista Combofix.exe ja lataa se uudelleen.
1. Lataa combofix.exe tiedosto työpöydällesi.
2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.
Lähetä uusi HjT-loki ja C:\Combofix.txt.
Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 15. marraskuuta 2006 @ 12:39
|
|
chili80
Junior Member
|
15. marraskuuta 2006 @ 11:52 |
Linkki tähän viestiin
|
|
Jatkan huomenna aamulla puhdistamista, kun en enää tänään ehdi sille koneelle :D
|
|
chili80
Junior Member
|
16. marraskuuta 2006 @ 07:40 |
Linkki tähän viestiin
|
no niin.. tein kaiken, paitsi, kun yritin etsiä nvscv32.exeä, sitä ei muka löytynyt, vaikka tein ohjeiden mukaan. mitäs nyt seuraavaksi teen?
Tässä on combofixin raportti (se tuli yllättävän nopeesti tähän aikaan):
Susanna Koskinen - 06-11-16 12:24:46,03 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Susanna Koskinen\Ty?p?yt?"
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Susanna Koskinen\Application Data\Dxcdmns.dll
C:\Documents and Settings\Susanna Koskinen\Application Data\Dxcknwrd.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\kybrdff_e57.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\ac3_0010.exe
C:\RDFX4.exe
C:\Program Files\Windows NT\qufyturu.html
C:\Program Files\CONEXANT\nico.html
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg
((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))
2006-11-15 11:57 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-15 11:57 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-15 11:57 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-15 11:56 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-15 11:56 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-15 11:56 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-14 18:31 17,920 --a------ C:\WINDOWS\system32\ntio256.sys
2006-11-14 18:30 96,256 --a------ C:\WINDOWS\system32\durvilx.exe
2006-11-14 18:30 96,256 --a------ C:\WINDOWS\system32\druid_unknown.exe
2006-11-14 18:30 96,256 --a------ C:\WINDOWS\druid_unknown.exe
2006-11-10 00:03 434,176 --a------ C:\windows_e53.exe
2006-11-09 12:57 430,080 --a------ C:\windows_e52.exe
2006-11-06 11:57 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-03 21:45 100,028 --a------ C:\autoexes.exe
2006-11-02 00:03 143,360 --a------ C:\yz02.exe
2006-10-16 04:37 50,912 --a------ C:\WINDOWS\iconu.exe
2006-10-16 02:19 24,296 --a------ C:\WINDOWS\icont.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
Rootkit driver pe386 is present. A rootkit scan is required
2006-11-16 12:25 -------- d-------- C:\Program Files\Windows NT
2006-11-16 12:25 -------- d-------- C:\Program Files\CONEXANT
2006-11-16 10:57 -------- d-------- C:\Documents and Settings\Susanna Koskinen\Application Data\AVG7
2006-11-15 14:25 -------- d-------- C:\Program Files\MSN Messenger
2006-11-15 14:25 -------- d-------- C:\Program Files\MSN
2006-11-15 14:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-15 14:25 -------- d-------- C:\Program Files\Common Files
2006-11-15 14:25 -------- d-------- C:\Program Files\C2Media
2006-11-15 14:25 -------- d-------- C:\Program Files\Adware
2006-11-15 14:25 -------- d-------- C:\Documents and Settings\Susanna Koskinen\Application Data\savebibace
2006-11-15 14:24 -------- d-------- C:\Documents and Settings\Susanna Koskinen\Application Data\1 Beep
2006-11-15 13:43 -------- d-------- C:\Program Files\Zone Labs
2006-11-15 11:56 -------- d-------- C:\Program Files\Grisoft
2006-11-15 10:38 -------- d-------- C:\Documents and Settings\Susanna Koskinen\Application Data\Starware
2006-11-14 18:26 517 --a------ C:\Program Files\Common Files\niwy
2006-11-08 20:10 -------- d-------- C:\Program Files\Error Safe Free
2006-10-13 23:00 32768 --a------ C:\DXC9.exe
2006-10-12 15:35 69165 --a------ C:\pp4ico.exe
2006-10-08 08:04 1233 --a------ C:\WINDOWS\system32\zrx20540.sys
2006-10-01 18:34 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 18:30 -------- d-------- C:\Program Files\ArcSoft
2006-10-01 18:28 -------- d-------- C:\Program Files\Morgan
2006-10-01 18:26 -------- d-------- C:\Program Files\Yahoo!
2006-10-01 18:11 176640 --a------ C:\WINDOWS\system32\Yinstall.exe
2006-10-01 18:11 138862 --a------ C:\WINDOWS\system32\mny.exe
2006-09-24 20:37 -------- d-------- C:\Program Files\Java
2006-09-20 19:42 -------- d---s---- C:\Documents and Settings\Susanna Koskinen\Application Data\Microsoft
2006-09-13 07:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 17:49 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 15:00 11749 --------- C:\WINDOWS\_000007_.tmp.dll
2006-08-21 14:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 13:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"MPTBox"="C:\\PROGRA~1\\Canon\\MULTIP~1\\MPTBox.exe"
"F-Secure Manager"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Startup Wizard"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\FSSW.EXE\" /reboot"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"News Service"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\ispnews.exe\""
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"ExtraFilmHemmaAgent"="\"C:\\Program Files\\ExtraFilm Kotona\\Agent.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\qufyturu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\CONEXANT\\nico.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvCplScan"="nvsc32.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"NvCplScan"=""
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvCplScan"="nvsc32.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"NvCplScan"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A747984B9188134B.job
C:\WINDOWS\tasks\Scheduled scanning task.job
Completion time: 06-11-16 12:29:15.29
C:\ComboFix.txt ... 06-11-16 12:29
C:\ComboFix2.txt ... 06-11-14 18:21
ja tässä HjT-logi:
Logfile of HijackThis v1.99.1
Scan saved at 12:35:00, on 16.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Susanna Koskinen\Työpöytä\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
|
|
fixeri
Member
|
16. marraskuuta 2006 @ 08:33 |
Linkki tähän viestiin
|
Lataa RustBFix by ejvindh ja tallenna se työpöydälle:
http://www.uploads.ejvindh.net/rustbfix.exe
Tuplaklikkaa tiedostoa rustbfix.exe. Jos löytyy Rustock.b-infektio, sinua pyydetään pian käynnistämään kone uudelleen. Uudelleenkäynnistyminen saattaa kestää hetken ja joudut ehkä käynnistämään koneen vielä toisenkin kerran. Kaikki tämä tapahtuu automaattisesti. Uudelleenkäynnistyksen jälkeen kaksi lokitiedostoa avautuu (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Kopioi ja liitä nämä kaksi lokitiedostoa seuraavaan vastaukseesi uuden HijackThis lokin kera.
|
|
chili80
Junior Member
|
16. marraskuuta 2006 @ 09:52 |
Linkki tähän viestiin
|
eli tässä on nyt nää kaksi raporttia sekä uusi HjT-logi. Mitäs nyt mun vielä kentis pitää tehdä?
************************* Rustock.b-fix -- By ejvindh *************************
to 16.11.2006 14:37:45,45
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 68978
Total size: 68978 bytes.
Attempting to remove ADS...
system32: deleted 68978 bytes in 1 streams.
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No streams found.
******************************* End of Logfile ********************************
seuraava :)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sccmdwwc
*******************
Script file located at: \??\C:\acklodfy.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
ja viel HjT-logi:
Logfile of HijackThis v1.99.1
Scan saved at 14:45:59, on 16.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
|
|
Marku2
Senior Member
|
16. marraskuuta 2006 @ 11:12 |
Linkki tähän viestiin
|
Moro, jatketaas...
Hae FindLop by Metallica.
pura zippi, tuplaklikkaa findlop.bat
loki on täällä -> C:\findlop.txt
Lataa ja tallenna Blacklight työpöydällesi;
Tupla-klikkaa blbeta.exe, hyväksy sopimus, klikkaa -> Scan, sitten -> Next
Näet listan kaikesta mitä löytyi. Työpöydällesi myös ilmestyy loki jonka nimi on fsbl.xxxxxxx.log (xxxxxxx;n tilalla on luultavimmin numeroita).
Kopioi ja liitä tämä loki seuraavaan vastaukseesi. Älä valitse "Rename" optiota vielä! Haluamme nähdä login ensin, koska hyviä tiedostoja saattaa olla mukana, kuten "wbemtest.exe".
Lähetä uusi HjT-loki, C:\findlop.txt ja Blacklight-loki.
|
|
chili80
Junior Member
|
16. marraskuuta 2006 @ 14:06 |
Linkki tähän viestiin
|
tässä on nyt nää muistiot ja uusi HjT-logi:
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A747984B9188134B.job'
[TRACE] Printing all job properties
ApplicationName: 'c:\docume~1\susann~1\applic~1\savebi~1\acid amok program.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Susanna Koskinen'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2006 22:00:00
NextRun: 11/16/2006 19:00:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/22/2000
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'Scheduled scanning task.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\PROGRA~1\ELISAT~1\ANTI-V~1\fsav.exe'
Parameters: ' /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\ELISAT~1\ANTI-V~1\report.txt '
WorkingDirectory: 'C:\PROGRA~1\ELISAT~1\ANTI-V~1'
Comment: 'F-Secure Anti-Virus -ohjelman lisäämä tehtävä.'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: INFINITE
IdleWait: 5
IdleDeadline: 999
MostRecentRun: 11/10/2006 0:40:20
NextRun: 11/17/2006 0:00:00
StartError: S_OK
ExitCode: 0x5
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 1
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 11/14/2006
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
ja seuraava:
11/16/06 18:54:25 [Info]: BlackLight Engine 1.0.47 initialized
11/16/06 18:54:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/16/06 18:54:27 [Note]: 7019 4
11/16/06 18:54:27 [Note]: 7005 0
11/16/06 18:54:28 [Note]: 7006 0
11/16/06 18:54:28 [Note]: 7011 1520
11/16/06 18:54:28 [Note]: 7026 0
11/16/06 18:54:29 [Note]: 7026 0
11/16/06 18:54:29 [Note]: 7024 3
11/16/06 18:54:29 [Info]: Hidden process: C:\WINDOWS\system32\protector.exe
11/16/06 18:54:29 [Note]: FSRAW library version 1.7.1020
11/16/06 18:59:17 [Info]: Hidden file: c:\WINDOWS\system32\ntio256.sys
11/16/06 18:59:17 [Note]: 7002 0
11/16/06 18:59:17 [Note]: 7003 1
11/16/06 18:59:17 [Note]: 10002 1
11/16/06 18:59:24 [Info]: Hidden file: C:\WINDOWS\system32\protector.exe
11/16/06 18:59:24 [Note]: 7002 0
11/16/06 18:59:24 [Note]: 7003 1
11/16/06 18:59:24 [Note]: 10002 1
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:00:37 [Note]: 4020 34294 3997696
11/16/06 19:00:37 [Note]: 4018 34294 3997696
11/16/06 19:01:41 [Note]: 7007 0
ja HjT-logi:
Logfile of HijackThis v1.99.1
Scan saved at 19:03:09, on 16.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
|
|
Mainos
|
|
|
|
chili80
Junior Member
|
16. marraskuuta 2006 @ 14:09 |
Linkki tähän viestiin
|
|
ja sellanen kysymys, että jospa poistan koneesta f-securen, kun ei kerran tässä ole toiminut (itelläni on kyllä), niin mitä laitan tilalle? zonealarmin palomuuriksi mutta mikä ois paras virustorjuntaohjelma?
|
|
