HJT log for review
TD_13
Newbie
2 December 2005 @ 11:29
The computer has been sluggish for some time now. Registry files cleaned, viruses checked, spyware scans run, but the machine still stutters. A file called hedgie keeps haunting the process list and the startup list (msconfig); any idea what it might be? It also shows up in the log.
The internet connection in particular has been slow, as if something were eating up the bandwidth.
Here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 16:17:13, on 2.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\ohjelmat\antiblax\Anti-Blaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\hedgie.exe
C:\Program Files\AVPersonal\AVWIN.EXE
C:\Ohjelmat\adware\Ad-Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/aloitussivu/ppo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmat\spybot\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Anti-Blaxx Manager] c:\ohjelmat\antiblax\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Ohjelmat\bitcomet\BitComet.exe"
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABD7C2-9C82-417B-A96F-1D25D0EF43D3}: NameServer = 212.50.211.55 212.50.192.227
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Zipp2
Member
2 December 2005 @ 11:39

TD_13
Newbie
2 December 2005 @ 11:44
The result looks like this; it looks a lot like a Trojan horse, doesn't it?
File: hedgie.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2019fc38af7f713802ad55c8b3bcb5fc
Packers detected:
FSG
Scanner results
AntiVir
Found Trojan/Dldr.Agen.xq.2.C
ArcaVir
Found Trojan.Proxy.Small.Bo
Avast
Found Win32:Trojano-2975
AVG Antivirus
Found Proxy.AMD
BitDefender
Found Trojan.Proxy.Small.DC
ClamAV
Found nothing
Dr.Web
Found Trojan.Proxy.524
F-Prot Antivirus
Found unknown virus (probable variant)
Fortinet
Found W32/Cosiam.D!tr
Kaspersky Anti-Virus
Found Trojan-Proxy.Win32.Small.bo
NOD32
Found a variant of Win32/TrojanProxy.Daemonize
Norman Virus Control
Found Sandbox: W32/Malware; [ General information ]
* File might be compressed.
* File length: 10672 bytes.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\hedgie.exe.
* Creates file C:\WINDOWS\SYSTEM32\hedgie.exe.
[ Changes to registry ]
* Sets value "ATI_VER"="Cs7?" in key "HKLM\Software\Microsoft".
[ Network services ]
* Opens URL: http://jupitersatellites.biz/hedgie/access.php.
[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 3599.
[ Process/window information ]
* Creates a mutex bin28-1024.
* Will automatically restart after boot (I'll be back...).
UNA
Found nothing
VBA32
Found Trojan-Proxy.Win32.Small.bo
Zipp2
Member
2 December 2005 @ 11:50
Check these, close the browser and click Fix checked
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
Then boot into safe mode and delete
C:\WINDOWS\system32\hedgie.exe
TD_13
Newbie
2 December 2005 @ 12:07
Now hedgie should be completely removed from the machine. It is still in the log, though, and also in msconfig's startup list, but not ticked to start. Those shouldn't do any harm, should they?
Logfile of HijackThis v1.99.1
Scan saved at 17:18:09, on 2.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\ohjelmat\antiblax\Anti-Blaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Ohjelmat\bitcomet\BitComet.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/aloitussivu/ppo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmat\spybot\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Anti-Blaxx Manager] c:\ohjelmat\antiblax\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Ohjelmat\bitcomet\BitComet.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABD7C2-9C82-417B-A96F-1D25D0EF43D3}: NameServer = 212.50.211.55 212.50.192.227
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
The post has been edited after posting. Last edited 2 December 2005 @ 12:21
Zipp2
Member
2 December 2005 @ 12:27
I missed this one the first time around
C:\WINDOWS\SYSTEM32\msupdate32.dll
and it may have a companion called mspostsp.exe, but Ewido should find and remove them.
Get it from
http://www.ewido.net/en/download/
install and update it.
Then boot into safe mode, scan + clean with Ewido and save the log.
Then boot normally and post a new HijackThis + Ewido log.
TD_13
Newbie
2 December 2005 @ 13:13
Here is the Ewido report (it found the file you mentioned right after installation):
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 18:06:52, 2.12.2005
+ Report-Checksum: A295B0A6
+ Scan result:
C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
C:\WINDOWS\kl.exe -> Dropper.Agent.abo : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WH27STUF\hedgie[1].exe -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\system32\hedgie.exe -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.z : Cleaned with backup
C:\WINDOWS\tool3.exe -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.VB.qr : Cleaned with backup
::Report End
And HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 18:10:20, on 2.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\ohjelmat\antiblax\Anti-Blaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Ohjelmat\bitcomet\BitComet.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
c:\ohjelmat\ewido\ewidoctrl.exe
c:\ohjelmat\ewido\ewidoguard.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/aloitussivu/ppo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmat\spybot\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Anti-Blaxx Manager] c:\ohjelmat\antiblax\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Ohjelmat\bitcomet\BitComet.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABD7C2-9C82-417B-A96F-1D25D0EF43D3}: NameServer = 212.50.211.55 212.50.192.227
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - c:\ohjelmat\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - c:\ohjelmat\ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Zipp2
Member
2 December 2005 @ 13:35
Check these, close the browser and click Fix checked
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
Then, with hidden files shown, check whether this one is still found and delete it
C:\WINDOWS\SYSTEM32\msupdate32.dll
Also check, just in case, that the hosts file is OK: no extra lines
Open HijackThis
Config... > Misc Tools > Open host file manager.
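Added example, mine rather than code from the thread or from HijackThis/Ewido: a small Python triage helper that parses two HijackThis logs, lists which O4/O20/O23 persistence entries disappeared between them and which remaining ones still deserve a look (orphaned "(file missing)" values like the msupdate entry, O4 entries loading an .exe straight out of system32 like the hedgie lines), plus a hosts-file check for lines beyond the default loopback entry, as Zipp2's two fix-up posts above suggest. The heuristics, the abbreviated before/after logs and the hosts sample are my own constructions built from entries in this thread.

```python
import re
from dataclasses import dataclass

# Sections that carry persistence: O4 autostarts (Run/RunServices keys, Startup
# folders), O20 Winlogon Notify DLLs and O23 services.
PERSISTENCE_SECTIONS = {"O4", "O20", "O23"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# An autostart whose target is an .exe sitting directly in system32, as in
# "[hedgie] C:\WINDOWS\system32\hedgie.exe"; a RUNDLL32 line naming only a .dll
# there (NvCplDaemon) does not match.
SYSTEM32_EXE_RE = re.compile(r"\\system32\\[^\\\s\"]+\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def orphaned(self) -> bool:
        """HijackThis marks entries whose target file no longer exists on disk."""
        return "(file missing)" in self.body or "(no file)" in self.body

    @property
    def system32_exe(self) -> bool:
        return SYSTEM32_EXE_RE.search(self.body) is not None


def parse_hjt(text: str) -> list[Entry]:
    """Return the R*/O* entries of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def diff_persistence(before: str, after: str) -> tuple[list[str], list[str]]:
    """Compare two logs of the same machine: (entries removed, entries still worth
    a second look). The second list is my heuristic: the target is gone but the
    registry value survived (the msupdate32.dll case), or an O4 entry loads an
    .exe straight out of system32 (the hedgie case)."""
    before_set = {e for e in parse_hjt(before) if e.section in PERSISTENCE_SECTIONS}
    after_set = {e for e in parse_hjt(after) if e.section in PERSISTENCE_SECTIONS}
    removed = sorted(f"{e.section} - {e.body}" for e in before_set - after_set)
    suspicious = sorted(
        f"{e.section} - {e.body}"
        for e in after_set
        if e.orphaned or (e.section == "O4" and e.system32_exe)
    )
    return removed, suspicious


def extra_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Active hosts-file mappings other than the default "127.0.0.1 localhost".
    A Qhost-style infection adds lines here to redirect security vendors' sites."""
    extras = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) != ("127.0.0.1", "localhost"):
                extras.append((ip, name))
    return extras


# Constructed sample input: abbreviated before/after logs in HijackThis 1.99.1
# format, built from the entries the thread discusses.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
"""
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
"""
# Constructed hosts file: the stock loopback line plus one Qhost-style redirect.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.invalid   # constructed extra line
"""

if __name__ == "__main__":
    removed, suspicious = diff_persistence(BEFORE_LOG, AFTER_LOG)
    print("Removed since the previous log:", *removed, sep="\n  ")
    print("Still worth checking:", *suspicious, sep="\n  ")
    print("Extra hosts entries:", extra_hosts_entries(SAMPLE_HOSTS))
```

The O20 entry shows up in both lists on purpose: the original value is gone, and the orphaned form that replaced it is exactly what still needs a Fix checked pass.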
TD_13
Newbie
2 December 2005 @ 13:52
The file was not found and the hosts file was fine too. Apparently there was nothing else wrong in the log?
Thanks a lot for the help! I'll have to keep an eye on how the machine behaves; at least it's working properly now.
Zipp2
Member
2 December 2005 @ 13:55
Yeah, nothing else shows in the log.