trojan vundo
janisilen
Newbie
22 March 2006 @ 14:32
Logfile of HijackThis v1.99.1
Scan saved at 19:19:10, on 22.3.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\nvidGUIv.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\spoolsrv.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\James69\Työpöytä\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\jkklj.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [log lies team comp] C:\Documents and Settings\All Users\Application Data\Waysizeloglies\Grid Axis.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Update 64] WinV.exe
O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [WinDLL (libmon.dll)] rundll32.exe C:\WINDOWS\System32\libmon.dll,start
O4 - HKLM\..\Run: [WinDLL (v4mon.dll)] rundll32.exe C:\WINDOWS\System32\v4mon.dll,start
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] lladik.exe
O4 - HKCU\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Windows Update 64] WinV.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\SYSTEM32\jkklj.dll
O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\l80u0id9e80.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe
Moderator
22 March 2006 @ 16:32
Moved to a more appropriate forum section.

Senior Member
22 March 2006 @ 17:22
Removal guide 1:


Update Ewido. Don't scan yet.
If the program's update fails, you can download its definitions from the web! -> http://www.ewido.net/en/download/updates/


Get VundoFix.exe and save it to the desktop

http://www.atribune.org/ccount/click.php?id=4

-> Double-click VundoFix.exe
-> Tick Run VundoFix as a task and OK, then wait for the fix to open again
-> Click Scan for Vundo
-> When the scan is finished, click Remove Vundo
-> When asked whether you want to delete the files, click Yes
-> When you click Yes, the desktop disappears as the Vundo removal begins.
-> When it is done, the fix announces that the computer will be shut down; click OK.
-> Boot the computer into Safe Mode and start Ewido

First go to Settings ->

Tick Scan every file and OK -> Now do a "Complete system Scan", i.e. you run through the whole computer to find malware.

-> Save the Ewido log

-> boot the computer normally

-> Post C:\vundofix.txt, a new HijackThis log and the Ewido log.

At least an L2M pest is still left on the machine, and probably other stuff too.

Well, there aren't any spammers like that, after all -> tapiiri

http://www.virustorjunta.net/index.php

This post was edited after posting. Last edit 22 March 2006 @ 17:23

AfterDawn Addict
22 March 2006 @ 17:33
C:\WINDOWS\spoolsrv.exe, that one at least.

Run that eScan too, and same thing, post the log from it as well.

http://koti.mbnet.fi/pattaya1/escanmwav.htm

You get what you order, sometimes even more.

janisilen
Newbie
24 March 2006 @ 13:04
VundoFix V4.2.35

Checking Java version...

Scan started at 18:01:06 23.3.2006

Listing files found while scanning....

C:\WINDOWS\System32\jkklj.dll

C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
Attempting to delete C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\System32\jkklj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.35

Checking Java version...

Scan started at 18:20:23 23.3.2006

Listing files found while scanning....


No infected files were found.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:10:19, 23.3.2006
+ Report-Checksum: 48131A76

+ Scan result:

[644] C:\WINDOWS\system32\wfweb.dll -> Adware.Look2Me : Error during cleaning
[776] C:\WINDOWS\system32\wfweb.dll -> Adware.Look2Me : Error during cleaning
:mozilla.24:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.76:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.77:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.88:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.91:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Epilot : Cleaned with backup
:mozilla.104:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.105:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.129:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.133:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\WINDOWS\mansor.exe.mwt -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\akivvaxx.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\armlib.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\asiiiexx.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\awtqo.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvts.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvvs.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvvu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvvv.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ayifile.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\aza80aluedq80.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cdpbk32.dll -> Adware.Look2Me : Cleaned with backup
:mozilla.16:C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bah92jm9.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\system32\cpodm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\CyxClsCo.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ddabb.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ddaby.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ddaya.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ddccb.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ddccd.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ddcyy.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\dhnput8.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dId8thk.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\DkvXc32f.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\DovXc32f.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\eeentcls.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\en20l1fm1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\eqentprf.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fpr6039se.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\FY20.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g8joli1318.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gebyv.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\geeba.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\geebb.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\huetcfg.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hxpertrm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iiircl.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\inhlpapi.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iompagnt.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ivs.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jkhfd.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\jkhfg.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\jkkjh.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\jkkll.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\jr0025dmg.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jxkll.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kldcz1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kldgae.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kt46l7hs1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kudgae.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l46olej31ho.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\llhsvc.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lqcdll.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lshsvc.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m2nq0c55ef.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m6460ghse6460.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\madimap.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mbacm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mdvideo.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mjtext40.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\MKCTFP.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mljge.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mljgf.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mljjg.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mljjh.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mljji.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mlljh.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mllmj.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mlrdim.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mpexch40.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mrdxmlc.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mrljh.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mtcshext.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mutask.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvacm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mwhgrcoi.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mwljh.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mwtlsapi.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mxpatcha.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\myxml.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nrhtml.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ohbcbcp.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oobctrac.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\pmkji.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\putorsvc.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qnery.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rdriv.sys.mwt -> Rootkit.Agent.o : Cleaned with backup
C:\WINDOWS\system32\rpgapi.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rSsdlg.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sdmapi.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\secsccp.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sqprv.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ssqpn.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ssqro.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ssqrp.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\sstqn.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\sstqo.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\sstqp.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ssttr.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\stftpub.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\tiflog.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\uzbui.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\vtsqq.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\vtstt.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\vturs.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\vtutr.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\vtutu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\wepcore.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\WghRm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wjpdxm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wrdmtpus.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wsnhttp.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wsnrnr.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\tmp000a587f -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp000d0fee -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp001034be -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp00187da7 -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp001d2d6b -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp006eea49 -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp0093c6df -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\win3F7EC.mwt -> Backdoor.Aimbot.ca : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 20:17:54, on 23.3.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\spoolsrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James69\Työpöytä\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [WinDLL (libmon.dll)] rundll32.exe C:\WINDOWS\System32\libmon.dll,start
O4 - HKLM\..\Run: [WinDLL (v4mon.dll)] rundll32.exe C:\WINDOWS\System32\v4mon.dll,start
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hrl0053me.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe
Senior Member
25 March 2006 @ 07:20
Removal guide 2.

This is so long that it's worth printing the guide before you start, or else saving it to your computer.


First: move HijackThis to its own folder, e.g. C:/HJT/hijackthis.exe

Uninstall via Add/Remove Programs:

Spyware Nuker

Run a scan with HijackThis from the new folder

Put a check mark in front of the following lines:

O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [WinDLL (libmon.dll)] rundll32.exe C:\WINDOWS\System32\libmon.dll,start
O4 - HKLM\..\Run: [WinDLL (v4mon.dll)] rundll32.exe C:\WINDOWS\System32\v4mon.dll,start
O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hrl0053me.dll
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe

Close other programs and windows and press Fix checked.

Then, stop and delete these services:

F-Secure Internet Security 2005
fsbwsys
Network Monitor
nvidGUIv
Windows Update 64
Windows Archiver
Local Network Service

Like this:
select Start > Run > type in the box "sc stop F-Secure Internet Security 2005"

select Start > Run > type in the box "sc delete F-Secure Internet Security 2005"
Each one from the list above, one at a time.

Then boot the computer into Safe Mode and find and delete the following:

C:\WINDOWS\System32\ >>>regsys.dll <<<
C:\Program Files\ >>>Spyware Nuker\ <<<
C:\WINDOWS\System32\ >>>libmon.dll <<<
C:\WINDOWS\System32\ >>>v4mon.dll <<<
C:\DOCUME~1\James69\APPLIC~1\ >>>chinfrag\ <<<
C:\WINDOWS\system32\ >>>hrl0053me.dll <<<
C:\Program Files\ >>>F-Secure Internet Security\ <<<
C:\Program Files\ >>>Network Monitor\ <<<
C:\WINDOWS\ >>>nvidGUIv.exe <<<
C:\WINDOWS\System32\ >>>WinV.exe <<<
C:\WINDOWS\ >>>spoolsrv.exe <<<

Boot the computer normally.

Update Ewido. Don't scan yet.
If the program's update fails, you can download its definitions from the web! -> http://www.ewido.net/en/download/updates/

Download Look2Me-Destroyer.exe from there to your desktop.

IMPORTANT: Before continuing the fix, you must do the following:


* Print this, or save it as a text file in a suitable location.
* Click Start -> Run and type: services.msc
* Click OK.
* Check that this service is running or its startup type is Automatic:
* Secondary Logon
* Next, your computer must be offline; pull the network cable out of the wall if necessary.
* Your antivirus, and all other security software, MUST be closed.



Continue the fix:


* Close windows to continue.
* Double-click the Look2Me-Destroyer.exe file to run it.
* Tick Run this program as a task.
* You get a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click OK
* When it reopens, click the Scan for L2M option; your desktop icons will disappear, this is normal.
* When the scan is finished, click Remove L2M.
* You get a Done Scanning message; click OK.
* When finished, you get this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer; click OK.
* Your computer shuts down.
* Start it again.
* Post the contents of the C:\Look2Me-Destroyer.txt log in your next message.

If Look2Me-Destroyer does not open automatically, restart your computer and try again.

*Then boot the computer into Safe Mode and scan with Ewido.
Tick Scan every file and OK -> Now do a "Complete system Scan", i.e. you run through the whole computer to find malware. Save the Ewido log.

*Post a new HijackThis log, the Ewido log and C:\Look2Me-Destroyer.txt


Well, there aren't any spammers like that, after all -> tapiiri

http://www.virustorjunta.net/index.php
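The helpers in this thread pick the O4, O20 and O23 lines to fix by eye. The script below is an added example (not posted in the thread and not part of HijackThis, VundoFix or Ewido) that automates the same first pass over a HijackThis v1.99 log: it parses those three line types and flags orphaned entries, Windows-sounding autorun labels that launch a bare filename, Vundo-style five-letter Winlogon Notify DLLs, and "Unknown owner" services living directly in the Windows root. The heuristics, the regular expressions and the sample log lines are this example's own (the sample is constructed to resemble the second log above, not copied from it). It also pulls out the service key names, which is what the `sc stop` / `sc delete` step needs.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread).

Heuristics, mirroring what the thread's helpers check by hand:
  * target file missing ("(file missing)" / "(no file)"): orphaned entry;
  * Windows-sounding autorun label that starts a bare filename, i.e. one
    resolved through the search path rather than a full path;
  * Winlogon Notify key with a five-letter random-looking name, or pointing
    at a directory instead of a DLL (the Vundo/Virtumonde pattern);
  * service with no publisher ("Unknown owner") whose binary sits directly in
    the Windows root, or that carries a Windows-sounding name.
These produce leads for a reviewer, not verdicts: a benign entry can trip
them and a malicious one can pass (the "policies" line in the sample does).
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's second HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hrl0053me.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe
"""

RE_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# display name, optional "(key name)", publisher, binary path
RE_O23 = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<key>[^()]*)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)

MISSING_MARKERS = ("(file missing)", "(no file)")
SYSTEM_WORDS = ("windows", "microsoft", "ms ", "lsass", "svchost", "update")
RANDOM5 = re.compile(r"^[a-z]{5}$")                        # jkklj, mljjj, mlljk ...
WINDOWS_ROOT = re.compile(r'^"?[a-z]:\\windows\\[^\\]+$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def looks_system(label):
    low = label.lower()
    return any(word in low for word in SYSTEM_WORDS)


def first_token(cmd):
    """Executable part of an autorun command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def is_bare(target):
    # No directory component: Windows resolves it via the search path.
    return "\\" not in target and "/" not in target and "%" not in target


def check_o4(m):
    cmd = m.group("cmd").strip()
    target = first_token(cmd)
    if target.lower() in ("rundll32", "rundll32.exe"):
        # rundll32 itself is always bare; judge the DLL it is told to load.
        parts = cmd.split(None, 1)
        target = (parts[1] if len(parts) > 1 else "").split(",", 1)[0].strip('"')
    reasons = []
    if is_bare(target) and looks_system(m.group("name")):
        reasons.append("Windows-sounding label starts a bare filename resolved via the search path")
    return reasons


def check_o20(m):
    name, path = m.group("name"), m.group("path").strip()
    reasons = []
    if path.endswith(MISSING_MARKERS):
        reasons.append("notify DLL is missing on disk (orphaned key)")
    elif path.endswith("\\"):
        reasons.append("notify key points at a directory, not a DLL")
    if RANDOM5.match(name):
        reasons.append("five-letter random-looking name (Vundo/Virtumonde style)")
    return reasons


def check_o23(m):
    path, owner = m.group("path").strip(), m.group("owner").strip()
    label = m.group("display") + " " + (m.group("key") or "")
    reasons = []
    if path.endswith(MISSING_MARKERS):
        reasons.append("service binary is missing on disk (orphaned service)")
    if owner == "Unknown owner":
        if WINDOWS_ROOT.match(path):
            reasons.append("no publisher and the binary sits directly in the Windows root")
        if looks_system(label):
            reasons.append("no publisher but a Windows-sounding service name")
    return reasons


def triage(log_text):
    """Return one Finding per suspicious O4/O20/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := RE_O4.match(line)):
            reasons = check_o4(m)
        elif (m := RE_O20.match(line)):
            reasons = check_o20(m)
        elif (m := RE_O23.match(line)):
            reasons = check_o23(m)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def service_key_names(log_text):
    """Key names of flagged services: the form `sc stop` / `sc delete` expect."""
    names = []
    for f in triage(log_text):
        m = RE_O23.match(f.line)
        if m:
            names.append(m.group("key") or m.group("display"))
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
    print("service key names:", service_key_names(SAMPLE_LOG))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Note that `sc stop` and `sc delete` take the service key name that HijackThis prints in parentheses (for example `winarc`), not the display name, and a key name containing spaces has to be quoted; `service_key_names` returns exactly those. The Look2Me-style `policies` line is deliberately not caught, to show why a tool like this narrows the list for a human rather than replacing the review the helpers do above.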