Computer taken over / WMF virus?
aos
Junior Member
1 January 2006 @ 15:20
Help for a newbie, please.
The Internet connection is slow. It should be 1 M, but the speed test shows under 600 kbps. I have downloaded WMA files since the WMF virus appeared, but apparently those are different things, or are they? If someone has taken over the computer, can you see it somewhere? In DOS mode (Command Prompt) the netstat command shows the following, even though the Internet browser is closed. In my opinion nothing should show up if the browser is closed:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
Active Connections
Proto Local Address Foreign Address State
TCP unknown-cv287ob:3079 a195-197-54-151.deploy.akamaitechnologies.net:http TIME_WAIT
TCP unknown-cv287ob:3080 a195-197-54-151.deploy.akamaitechnologies.net:http TIME_WAIT
TCP unknown-cv287ob:3074 unknown-cv287ob:3073 TIME_WAIT
Next is the HJT log:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\unknown>netstat
Active Connections
Proto Local Address Foreign Address State
TCP unknown-cv287ob:3079 a195-197-54-151.deploy.akamaitechnologies.net:http TIME_WAIT
TCP unknown-cv287ob:3080 a195-197-54-151.deploy.akamaitechnologies.net:http TIME_WAIT
TCP unknown-cv287ob:3074 unknown-cv287ob:3073 TIME_WAIT
C:\Documents and Settings\unknown>copy
The syntax of the command is incorrect.
C:\Documents and Settings\unknown>
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:59:54 PM, on 1/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
E:\program files\Ewido\ewido anti-malware\ewidoctrl.exe
E:\program files\Ewido\ewido anti-malware\ewidoguard.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
E:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\PGPserv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\program files\OmniPage\opware32.exe
C:\WINNT\system32\wfxsnt40.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
E:\program files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
E:\program files\PowerDVD\PDVDServ.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\ctfmon.exe
E:\program files\PGP\PGPtray.exe
C:\WINNT\system32\mapiicon.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\ntvdm.exe
E:\program files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://elisa.net/paketti/haku.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mf.launch.yahoo.com/launch/registration/?dest=http%3A//lau...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\program files\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - E:\program files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Omnipage] E:\program files\OmniPage\opware32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] e:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] e:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\program files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe
O4 - Startup: Vekkari.lnk = E:\program files\Vekkari\Vekkari.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\program files\MS Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = E:\program files\PGP\PGPtray.exe
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Search Using Copernic Agent - E:\program files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://E:\PROGRA~1\MSOFFI~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - E:\program files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - E:\program files\Free Surfer\FS20.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\program files\IrfanView\Ebay\Ebay.htm (file missing)
O9 - Extra button: Support - {010D7869-48A8-4061-9424-759F83E18A81} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS - {07132342-14B5-49CC-8EC0-276586157A67} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Service - {1D9DA27F-0D3B-4436-B289-1ED0B7D6DD60} - http://service.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - E:\program files\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\program files\Ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\system32\PGPserv.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
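The netstat question in the post above comes down to reading the State column: a TIME_WAIT entry is what remains after a TCP connection has already been closed, and Windows keeps it listed for a few minutes after the program that used it has gone, so seeing them shortly after closing the browser is expected. The entries that deserve attention on a machine suspected of being remote-controlled are ESTABLISHED (traffic can flow right now) and LISTENING (a local program accepting inbound connections). The following is an added example, not code from the poster or from afterdawn; it parses the three lines quoted in the post (embedded here as constructed sample text, with the console line-wrap joined back together) and sorts them into those buckets. It assumes the local hostname seen in the log, unknown-cv287ob, and Windows netstat's column layout.

```python
# Constructed sample: the three lines from the post above, with the console
# line-wrap ("ht" / "tp") joined back into ":http".
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address                                     State
  TCP    unknown-cv287ob:3079   a195-197-54-151.deploy.akamaitechnologies.net:http  TIME_WAIT
  TCP    unknown-cv287ob:3080   a195-197-54-151.deploy.akamaitechnologies.net:http  TIME_WAIT
  TCP    unknown-cv287ob:3074   unknown-cv287ob:3073                                TIME_WAIT
"""

# Assumed from the log in the post: the name this machine reports for itself.
LOCAL_HOSTNAME = "unknown-cv287ob"

# TCP states in which the conversation is already over or shutting down; the
# entry lingers (TIME_WAIT typically for a few minutes) after the program
# that used the socket has exited.
CLOSING_STATES = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2",
                  "LAST_ACK", "CLOSING"}


def parse_netstat(text: str) -> list:
    """Turn Windows 'netstat' output into a list of dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, blank or column-header line
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""   # UDP lines carry no state
        lhost, _, lport = local.rpartition(":")
        fhost, _, fport = foreign.rpartition(":")
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def classify(row: dict, local_hostname: str) -> str:
    """Label one row with what a defender should make of it."""
    if row["foreign_host"] in (local_hostname, "127.0.0.1", "localhost"):
        return "loopback"     # both ends are this machine
    if row["state"] == "LISTENING":
        return "listening"    # a local service waiting for inbound connections
    if row["state"] == "ESTABLISHED":
        return "live"         # traffic can flow right now: find the owning process
    if row["state"] in CLOSING_STATES:
        return "closing"      # leftover of a connection that is already finished
    return "other"


def triage(text: str, local_hostname: str) -> dict:
    """Count rows per label and collect the remote hosts behind live connections."""
    summary = {"loopback": 0, "listening": 0, "live": 0, "closing": 0,
               "other": 0, "live_remote_hosts": []}
    for row in parse_netstat(text):
        label = classify(row, local_hostname)
        summary[label] += 1
        if label == "live":
            summary["live_remote_hosts"].append(row["foreign_host"])
    return summary


if __name__ == "__main__":
    # For the sample: 2 closing (the Akamai entries), 1 loopback, 0 live.
    print(triage(SAMPLE_NETSTAT, LOCAL_HOSTNAME))
```

For the lines in the post, triage() reports two "closing" entries to the Akamai host and one loopback entry, and nothing live or listening, which is what a just-closed browser session looks like. On a real machine, paste the full netstat output in place of the sample and look first at whatever ends up in live_remote_hosts.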
aos
Junior Member
1 January 2006 @ 15:25
(Some extra text apparently got into the beginning of the HJT log by accident.)
AfterDawn Addict
1 January 2006 @ 15:32
I don't see anything like that, but there are other things to fix.
Fix with HjT (do a system scan only, check these and press Fix checked):
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
aos
Junior Member
1 January 2006 @ 15:41
Thanks a lot, kemisti! This is a great forum. I was already getting worried... I removed those three according to your instructions (whatever they are).
yimanya
Suspended due to non-functional email address
1 January 2006 @ 16:07
Quote: I have downloaded WMA files since the WMF virus appeared, but apparently those are different things, or are they?
Completely different things. WMA is an audio file and WMF is an image file. WMV is a video file. But so that things are not too simple, a WMA file can be a WMF file that has had its extension changed.
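The last point in the reply above, that a file named .wma may really be a WMF, is why a defender checks what a file is by its leading bytes rather than by its name. The following is an added example, not code from any poster on this thread; it recognises the ASF container (which both WMA and WMV use, so the header says "asf" rather than which of the two) by its header GUID, and WMF by either the placeable-metafile key or the standard metafile header fields, then reports files whose content contradicts their extension. The sample files are constructed header fragments padded with zeros, not real media.

```python
import os
import struct

# Magic numbers at the start of the file for the formats discussed in the post.
# WMA and WMV both live in the ASF container, so the header alone identifies
# "asf", not whether the stream inside is audio or video.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
WMF_PLACEABLE_KEY = bytes.fromhex("D7CDC69A")      # 0x9AC6CDD7, little-endian

# Which container a given extension promises.
EXTENSION_TO_KIND = {".wma": "asf", ".wmv": "asf", ".asf": "asf", ".wmf": "wmf"}


def sniff(data: bytes) -> str:
    """Classify file content by its leading bytes, ignoring the file name."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(WMF_PLACEABLE_KEY):
        return "wmf"
    if len(data) >= 6:
        # Standard (non-placeable) WMF header: type 1 (disk) or 2 (memory),
        # header size of 9 words, metafile version 0x0100 or 0x0300.
        mtype, header_size, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """True if the content contradicts the extension, False if it matches,
    None if the extension is one this check has no rule for."""
    expected = EXTENSION_TO_KIND.get(os.path.splitext(filename)[1].lower())
    if expected is None:
        return None
    return sniff(data) != expected


def check_files(files: dict) -> list:
    """Return the names (in input order) whose content contradicts their extension."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


# Constructed samples: header fragments only, padded with zeros, not real media.
SAMPLE_FILES = {
    "song.wma": ASF_HEADER_GUID + bytes(48),                   # genuine ASF audio
    "clip.wma": WMF_PLACEABLE_KEY + bytes(48),                 # a WMF renamed to .wma
    "drawing.wmf": struct.pack("<HHH", 1, 9, 0x0300) + bytes(42),
    "notes.txt": b"plain text, no rule for this extension",
}

if __name__ == "__main__":
    for name in check_files(SAMPLE_FILES):
        print(f"{name}: content is {sniff(SAMPLE_FILES[name])}, extension says otherwise")
```

To run this over a download folder, read the first 64 bytes of each file and pass them to extension_mismatch(); any file reported as a mismatch is worth scanning before it is opened by anything that renders images.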