The HjT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:23, on 3.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\tskmngr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DRam prosessor] tskmngr.exe
O4 - HKLM\..\Run: [Mode Load Mpeg Less] C:\Documents and Settings\All Users\Application Data\two setup mode load\GPL RECT.exe
O4 - HKLM\..\Run: [32 meet rect less] C:\Documents and Settings\All Users\Application Data\five each less two\else stop regs.exe
O4 - HKLM\..\RunServices: [DRam prosessor] tskmngr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [testcity] C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\mixwindowhtm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?5b2dc87cb34a44a28c20f1b5c2226a27
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?5b2dc87cb34a44a28c20f1b5c2226a27
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8314 bytes
If you use Messenger Plus, remove it.

========

Open HijackThis, check the following line(s) and press Fix checked; close other programs in the meantime.

O4 - HKLM\..\Run: [Mode Load Mpeg Less] C:\Documents and Settings\All Users\Application Data\two setup mode load\GPL RECT.exe
O4 - HKLM\..\Run: [32 meet rect less] C:\Documents and Settings\All Users\Application Data\five each less two\else stop regs.exe

Here are instructions on how to check them:

=========

Download SDFix by AndyManchesta http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your desktop.

Restart your computer in Safe Mode and select your normal user account:
* Start the computer
* When you hear the computer beep, press F8, before the Windows logo appears
* A menu should appear next
* Select Safe Mode from the menu.
* Create a folder C:\SDFix for the program and move it there
* Open the SDFix folder and double-click RunThis.bat to start the program.
* Press Y to start the script.
* The tool cleans up the trojan's services and also makes some repairs to the registry. Finally it asks you to restart the computer, "Press any key to Reboot".
* Press any key and the computer restarts.
* Booting takes longer than usual because SDFix is cleaning the computer.
* When the computer has started and the desktop has loaded, SDFix reports that the cleanup is complete, "Finished".
* Then press any key to close the script and load the desktop icons.
* Finally open the SDFix folder and copy & paste the contents of Report.txt into your thread

=======

Download NoLop to your desktop from one of the following links...
http://www.spywareedge.net/nolop/NoLop.exe1
http://www.spywaretimes.com/Tools/Download/Anti-malwareToolsLinkki
http://www.thespykiller.co.uk/index.php?action=tpmod;dl=get16

* Close all programs, because this step requires a reboot
* Double-click NoLop.exe to run it
* Click the "Search and Destroy" button <<Your computer will be scanned for infected files>>
* When the scan is complete, you will be asked to restart the computer if an infection is found. Click OK
* Click the "REBOOT" button.
* NoLop should give a message. If not, double-click the program and it will finish.

Post the contents of C:\NoLop.log together with a new HijackThis log.

--
If you get the following error, "mscomctl.ocx or one of its dependencies are not correctly registered," download mscomctl.ocx http://www.boletrice.com/downloads/mscomctl.ocx and save it to your system32 directory (usually c:\Windows\system32). Then run the program again.
--

=========

1. Download combofix.exe to your desktop from either of these links:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double-click the combofix.exe file and follow the instructions.
3. When the tool is finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.

Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.

So 3 logs in total (combo, nolop, sdfix)
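As an added example (not part of the thread, the helper's instructions, or HijackThis itself), the script below reads the O4 autostart lines of a HijackThis log and reports the entries a helper looks at first: targets under Application Data or a user profile, bare filenames with no path, and anything registered under the legacy RunServices key. The rules, the Finding type and the function names are this example's own assumptions; the sample input is copied from the first HijackThis log in the thread. Bare-filename hits include legitimate OEM entries such as SoundMan and SMSERIAL, so a hit is a prompt to verify the file on disk, not a verdict.

```python
"""Triage of HijackThis O4 (registry autostart) entries.

Added example, not code from the forum thread, the helper, or HijackThis.
The rules are assumptions chosen for this example: a hit means "verify this
entry", never "this is malware".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Registry-type O4 lines look like:
#   O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\...\atiptaxx.exe
#   O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
# Startup-folder lines ("O4 - Startup: x.lnk = ...") are not handled here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Locations an ordinary user can write to (assumption: vendor autostarts
# normally live under Program Files or the Windows directory instead).
USER_WRITABLE = ("\\application data\\", "\\docume~1\\", "\\documents and settings\\")


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(log: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (hive, key, name, command) for each registry O4 line in a HJT log."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")


def target_path(cmd: str) -> str:
    """Return the executable part of an autostart command.

    Quoted commands are unambiguous. Unquoted commands containing spaces are
    not (the classic unquoted-path problem), so take everything up to the
    first ".exe" and fall back to the first token when there is none.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    pos = cmd.lower().find(".exe")
    if pos >= 0:
        return cmd[: pos + 4]
    return cmd.split()[0] if cmd else ""


def triage(log: str) -> Dict[str, Finding]:
    """Map entry name -> Finding for every O4 entry that trips at least one rule."""
    entries = list(parse_o4(log))
    in_runservices = {name.lower() for _, key, name, _ in entries
                      if key.lower() == "runservices"}
    findings: Dict[str, Finding] = {}
    for _hive, key, name, cmd in entries:
        target = target_path(cmd)
        reasons = []
        if any(d in target.lower() for d in USER_WRITABLE):
            reasons.append("target lives in a user-writable data directory")
        if "\\" not in target:
            reasons.append("bare filename resolved via the search path, not a full path")
        if key.lower() == "runservices":
            reasons.append("registered under the legacy RunServices key")
        elif name.lower() in in_runservices:
            reasons.append("same entry is also registered under RunServices")
        if reasons:
            finding = findings.setdefault(name, Finding(name, cmd))
            for r in reasons:
                if r not in finding.reasons:
                    finding.reasons.append(r)
    return findings


# Sample input: O4 lines copied from the thread's first HijackThis log.
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DRam prosessor] tskmngr.exe
O4 - HKLM\..\Run: [Mode Load Mpeg Less] C:\Documents and Settings\All Users\Application Data\two setup mode load\GPL RECT.exe
O4 - HKLM\..\Run: [32 meet rect less] C:\Documents and Settings\All Users\Application Data\five each less two\else stop regs.exe
O4 - HKLM\..\RunServices: [DRam prosessor] tskmngr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [testcity] C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\mixwindowhtm.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_O4).values():
        print(f"[{f.name}] {f.command}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the script lists six entries: the three the thread later removed (Mode Load Mpeg Less, 32 meet rect less, testcity), the DRam prosessor entry that the F-Secure scan at the end of the thread identified as a backdoor, and the two bare-filename OEM entries that a quick look in C:\WINDOWS clears.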
I'm using Windows Live Messenger. This is where it stalled: I shut the computer down and restarted it, but my computer doesn't beep at any point (it never has), and pressing F8 didn't open any kind of menu...
Okay... then let's do it so that you skip SDFix and continue from NoLop... if you still want to try, tap the F8 key repeatedly while the computer is starting up... I only asked about Messenger Plus because that infection comes bundled with it... it can come other ways too..
Here are the logs from NoLop and ComboFix now:

NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\FujitsuSiemens
[3.8.2007] [13:22:59]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\ABF2115A9185907A.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Espionserverdata
C:\Documents and Settings\All Users\Application Data\Five Each Less Two
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nvidia Corporation
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Starware347
C:\Documents and Settings\All Users\Application Data\Two Setup Mode Load
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Fujitsusiemens\Application Data\Adobe
C:\Documents and Settings\Fujitsusiemens\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Fujitsusiemens\Application Data\Azureus
C:\Documents and Settings\Fujitsusiemens\Application Data\Blue Bags
C:\Documents and Settings\Fujitsusiemens\Application Data\Google
C:\Documents and Settings\Fujitsusiemens\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Fujitsusiemens\Application Data\Identities
C:\Documents and Settings\Fujitsusiemens\Application Data\Macromedia
C:\Documents and Settings\Fujitsusiemens\Application Data\Microsoft
C:\Documents and Settings\Fujitsusiemens\Application Data\Mozilla
C:\Documents and Settings\Fujitsusiemens\Application Data\Opera -- EMPTY Directory
C:\Documents and Settings\Fujitsusiemens\Application Data\Skype
C:\Documents and Settings\Fujitsusiemens\Application Data\Sopcast
C:\Documents and Settings\Fujitsusiemens\Application Data\Sports Interactive
C:\Documents and Settings\Fujitsusiemens\Application Data\Starware347
C:\Documents and Settings\Fujitsusiemens\Application Data\Sun
C:\Documents and Settings\Fujitsusiemens\Application Data\Template
C:\Documents and Settings\Fujitsusiemens\Application Data\U3
C:\Documents and Settings\Joku Muu\Application Data\Adobe
C:\Documents and Settings\Joku Muu\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Joku Muu\Application Data\Google
C:\Documents and Settings\Joku Muu\Application Data\Identities
C:\Documents and Settings\Joku Muu\Application Data\Macromedia
C:\Documents and Settings\Joku Muu\Application Data\Microsoft
C:\Documents and Settings\Joku Muu\Application Data\Mozilla
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Vieras\Application Data\Identities
C:\Documents and Settings\Vieras\Application Data\Macromedia
C:\Documents and Settings\Vieras\Application Data\Microsoft
C:\Documents and Settings\Vieras\Application Data\Mozilla

-------------------------------------------------

ComboFix 07-08-03.4 - "FujitsuSiemens" 2007-08-03 16:05:28.1 [GMT 3:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.Tosi
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\jokesearch.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\logo.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\logoxp.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\pranks.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\contexts\travel.xml
C:\DOCUME~1\FUJITS~1\APPLIC~1\Starware347
C:\DOCUME~1\FUJITS~1\APPLIC~1\Starware347\Manager\ManagerOptions.xml
C:\DOCUME~1\FUJITS~1\APPLIC~1\Starware347\Manager\ManagerOptions.xml.backup
C:\WINDOWS\system32\winio.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_WINIO
-------\WINIO

((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))

2007-08-03 16:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 16:01 106 --a------ C:\delete.bat
2007-08-03 13:24 <KANSIO> d-------- C:\NoLopBackups
2007-08-03 13:14 <KANSIO> d-------- C:\Program Files\Trend Micro
2007-08-03 12:11 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\five each less two
2007-08-03 12:10 <KANSIO> d-------- C:\Program Files\Blue bags
2007-08-03 12:10 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\two setup mode load
2007-07-23 15:39 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-23 15:16 <KANSIO> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-23 15:11 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2007-07-23 15:00 <KANSIO> d-------- C:\Program Files\MagicISO
2007-07-19 13:18 <KANSIO> d-------- C:\Program Files\Last.fm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 14:44 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Skype
2007-08-03 13:18 --------- d-------- C:\Program Files\mIRC
2007-08-03 12:11 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Blue bags
2007-08-01 18:30 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Azureus
2007-07-18 23:17 --------- d-------- C:\Program Files\LimeWire
2007-07-15 19:25 --------- d-------- C:\Program Files\B2BPOKER
2007-07-12 13:03 76894 --a--c--- C:\WINDOWS\system32\perfc00B.dat
2007-07-12 13:03 377716 --a--c--- C:\WINDOWS\system32\perfh00B.dat
2007-06-20 10:21 19000 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2007-06-07 13:52 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Sports Interactive
2007-06-07 12:10 --------- d-------- C:\Program Files\Sports Interactive
2007-06-07 12:09 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-04 07:32 --------- d-------- C:\Program Files\Messenger
2007-06-03 19:20 --------- d-------- C:\Program Files\MSN Messenger
2007-05-22 20:39 5128 --a------ C:\DOCUME~1\FUJITS~1\APPLIC~1\wklnhst.dat
2007-05-16 18:14 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 18:14 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 18:14 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 18:14 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 18:14 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 18:14 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-04 15:59 3085312 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2006-01-19 10:09:42 624,740 --sh--r C:\WINDOWS\system32\tskmngr.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DRam prosessor"="tskmngr.exe" [2006-01-19 13:09 C:\WINDOWS\system32\tskmngr.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-19 12:55]
"SoundMan"="SOUNDMAN.EXE" [2006-01-19 13:09 C:\WINDOWS\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 13:09 C:\WINDOWS\sm56hlpr.exe]
"PowerManager"="C:\Program Files\Power Manager\PM.exe" [2006-01-19 12:57]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 13:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 17:57]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-10-25 08:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-19 13:08]
"testcity"="C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\mixwindowhtm.exe" [2007-08-03 12:10]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 17:04]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-28 14:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"DRam prosessor"=tskmngr.exe

C:\Documents and Settings\FujitsuSiemens\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2006-02-08 16:50:31]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-19 13:18:11]

R0 iaStor;iaStor;C:\WINDOWS\system32\drivers\iaStor.sys
R0 sfvfs02;StarForce Protection VFS Driver (version 2.x);C:\WINDOWS\system32\drivers\sfvfs02.sys
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 smserial;smserial;C:\WINDOWS\system32\DRIVERS\smserial.sys
R3 tifm21;tifm21;C:\WINDOWS\system32\drivers\tifm21.sys
R3 WINIO;WINIO;\??\C:\WINDOWS\system32\WinIo.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{355cdbe0-cf46-11db-ae03-00c0a8b1341f}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - WINIO

Contents of the 'Scheduled Tasks' folder
2007-08-03 12:34:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 16:08:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xf9\x2022\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xfe\xbb\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-03 16:10:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-03 16:10
--- E O F ---
Open Notepad and copy/paste the text in the quote box below into it:

Save it with the name CFScript. (Check that it is written exactly like that.) Then drag CFScript onto ComboFix.exe as shown below.

Restart the computer when prompted and post the contents of combofix.txt here.
ComboFix 07-08-03.5 - "FujitsuSiemens" 2007-08-04 12:59:25.2 [GMT 3:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.Tosi
Command switches used :: C:\Documents and Settings\FujitsuSiemens\Omat tiedostot\internet-lataukset\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1
C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\0
C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\dqgnlywu.exe
C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\DrawLiesTrans.exe
C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\DrawPileTrust.exe
C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\mixwindowhtm.exe
C:\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\uzcexyhk.exe
C:\Documents and Settings\All Users\Application Data\Five Each Less Two
C:\Documents and Settings\All Users\Application Data\Five Each Less Two\else stop regs.exe
C:\Documents and Settings\All Users\Application Data\Two Setup Mode Load
C:\Documents and Settings\All Users\Application Data\Two Setup Mode Load\GPL RECT.exe
C:\WINDOWS\system32\tskmngr.exe
C:\WINDOWS\system32\winio.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_WINIO
-------\WINIO

((((((((((((((((((((((((( Files Created from 2007-07-04 to 2007-08-04 )))))))))))))))))))))))))))))))

2007-08-04 13:05 6,144 --a------ C:\WINDOWS\system32\WinIo.sys
2007-08-03 16:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 16:01 106 --a------ C:\delete.bat
2007-08-03 13:24 <KANSIO> d-------- C:\NoLopBackups
2007-08-03 13:14 <KANSIO> d-------- C:\Program Files\Trend Micro
2007-08-03 12:10 <KANSIO> d-------- C:\Program Files\Blue bags
2007-07-23 15:39 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-23 15:16 <KANSIO> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-23 15:11 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2007-07-23 15:00 <KANSIO> d-------- C:\Program Files\MagicISO
2007-07-19 13:18 <KANSIO> d-------- C:\Program Files\Last.fm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-04 12:58 --------- d-------- C:\Program Files\mIRC
2007-08-04 12:51 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Skype
2007-08-01 18:30 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Azureus
2007-07-18 23:17 --------- d-------- C:\Program Files\LimeWire
2007-07-15 19:25 --------- d-------- C:\Program Files\B2BPOKER
2007-07-12 13:03 76894 --a--c--- C:\WINDOWS\system32\perfc00B.dat
2007-07-12 13:03 377716 --a--c--- C:\WINDOWS\system32\perfh00B.dat
2007-06-20 10:21 19000 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2007-06-07 13:52 --------- d-------- C:\DOCUME~1\FUJITS~1\APPLIC~1\Sports Interactive
2007-06-07 12:10 --------- d-------- C:\Program Files\Sports Interactive
2007-06-07 12:09 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-04 07:32 --------- d-------- C:\Program Files\Messenger
2007-05-22 20:39 5128 --a------ C:\DOCUME~1\FUJITS~1\APPLIC~1\wklnhst.dat
2007-05-16 18:14 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 18:14 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 18:14 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 18:14 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 18:14 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 18:14 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-04 15:59 3085312 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-19 12:55]
"SoundMan"="SOUNDMAN.EXE" [2006-01-19 13:09 C:\WINDOWS\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 13:09 C:\WINDOWS\sm56hlpr.exe]
"PowerManager"="C:\Program Files\Power Manager\PM.exe" [2006-01-19 12:57]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 13:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 17:57]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-10-25 08:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-19 13:08]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 17:04]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-28 14:52]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]

C:\Documents and Settings\FujitsuSiemens\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2006-02-08 16:50:31]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-19 13:18:11]

R0 iaStor;iaStor;C:\WINDOWS\system32\drivers\iaStor.sys
R0 sfvfs02;StarForce Protection VFS Driver (version 2.x);C:\WINDOWS\system32\drivers\sfvfs02.sys
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 smserial;smserial;C:\WINDOWS\system32\DRIVERS\smserial.sys
R3 tifm21;tifm21;C:\WINDOWS\system32\drivers\tifm21.sys
R3 WINIO;WINIO;\??\C:\WINDOWS\system32\WinIo.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{355cdbe0-cf46-11db-ae03-00c0a8b1341f}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - WINIO

Contents of the 'Scheduled Tasks' folder
2007-08-03 13:34:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-04 13:05:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xf9\x2022\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xfe\xbb\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-04 13:07:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-04 13:07
C:\ComboFix2.txt ... 2007-08-03 16:10
--- E O F ---
Hi, there's a really stubborn bug in there now. Check your computer with F-Secure's online scanner. Note: the scanner only works with the Internet Explorer browser.

* Read the instructions on the page carefully
* Click Start scanning
* If you get an Internet Explorer security warning, click Install
* Click Accept
* Click Custom Scan
* Adjust the settings as follows
  o Under "Virus Scan Option" select Scan whole system
  o Under "Other Scan Option" select Scan All Files
  o Select Scan whole system for rootkits
  o Select Scan whole system for spyware
  o Tick Scan inside archives
  o Make sure Use advanced heuristics is selected
* Click Start
* The scan starts once the necessary files/updates have been downloaded
* Wait patiently
* When the scan has finished, click Automatic cleaning
* Click Show Report
* The report opens in the browser; copy the whole text
* Paste the copied text into e.g. Notepad or Word and save it to the desktop
* You can close the scanner
* Post the report in your thread, along with a new HJT log
Online scanner report:

Scanning Report
Sunday, August 05, 2007 15:12:22 - 18:25:32
Computer name: YOUR-E83B04BEE1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

Result: 47 malware found

Backdoor.Win32.Rbot.cog (virus)
* C:\QooBox\Quarantine\C\WINDOWS\system32\tskmngr.exe.vir (Renamed & Submitted)

Exploit.Java.ByteVerify (virus)
* C:\Documents and Settings\FujitsuSiemens\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-182f9fdf-3e723cd9.zip\VerifierBug.class
* C:\Documents and Settings\FujitsuSiemens\Application Data\Sun\Java\Deployment\cache\6.0\50\53a81f2-7abc07b1\VerifierBug.class

Java/Byteverify.J (virus)
* C:\Documents and Settings\FujitsuSiemens\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-182f9fdf-3e723cd9.zip\Dummy.class
* C:\Documents and Settings\FujitsuSiemens\Application Data\Sun\Java\Deployment\cache\6.0\50\53a81f2-7abc07b1\Dummy.class

Tracking Cookie (spyware)
* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System

Trojan-Downloader.Java.OpenConnection.aa (virus)
* C:\Documents and Settings\FujitsuSiemens\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-182f9fdf-3e723cd9.zip\Beyond.class
* C:\Documents and Settings\FujitsuSiemens\Application Data\Sun\Java\Deployment\cache\6.0\50\53a81f2-7abc07b1\Beyond.class

Trojan.Win32.Obfuscated.en (virus)
* C:\QooBox\Quarantine\catchme2007-08-04_130513.46.zip\GPL RECT.exe
* C:\QooBox\Quarantine\C\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\dqgnlywu.exe.vir (Renamed & Submitted)
* C:\QooBox\Quarantine\C\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\DrawLiesTrans.exe.vir (Renamed & Submitted)
* C:\QooBox\Quarantine\C\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\DrawPileTrust.exe.vir (Renamed & Submitted)
* C:\QooBox\Quarantine\C\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\mixwindowhtm.exe.vir (Renamed & Submitted)
* C:\QooBox\Quarantine\C\DOCUME~1\FUJITS~1\APPLIC~1\BLUEBA~1\uzcexyhk.exe.vir (Renamed & Submitted)
* C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\five each less two\else stop regs.exe.vir (Renamed & Submitted)

Statistics
Scanned:
* Files: 301006
* System: 3982
* Not scanned: 40
Actions:
* Disinfected: 1
* Renamed: 7
* Deleted: 0
* None: 39
* Submitted: 7
Files not scanned:
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{4A30D2EE-C8ED-4CF3-A0DD-DCD201728987}.BIN
* fonts/anewhope.fontdat
* fonts/arialnb.fontdat
* fonts/aurabesh.fontdat
* fonts/ergoec.fontdat
* fonts/ocr_a.fontdat
* fonts/polish.fontdat
* fonts/russian.fontdat
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\MUSIIKKI\MUSIIKKI\APULANTA - ARMO.MP3
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\MUSIIKKI\MUSIIKKI\LOVEX - YOURS.MP3
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\MUSIIKKI\MUSIIKKI\TRIVIUM - ENTRANCE OF THE CONFLAGRATION.MP3
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\MUSIIKKI\MUSIIKKI\ZEN CAFÉ - PIHA ILMAN SADETTAJAA.MP3
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\LATAUKSET\STAR WARS JEDI KNIGHT JEDI ACADEMY\STAR WARS JEDI KNIGHT - JEDI ACADEMY (2 CDS)\STAWARS JEDI KNIGHT - JEDI ACADEMY_1.NRG
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\LATAUKSET\STAR WARS JEDI KNIGHT JEDI ACADEMY\STAR WARS JEDI KNIGHT - JEDI ACADEMY (2 CDS)\STAWARS JEDI KNIGHT - JEDI ACADEMY_2.NRG
* C:\Documents and Settings\FujitsuSiemens\Omat tiedostot\Lataukset\photoshop\Adobe.Photoshop.Elements.v5.0-ZWTiSO\Adobe Photoshop Elements_5 [www.emwreloaded.com].rar\Adobe Photoshop Elements\Data1.cab
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\LATAUKSET\LOST SEASON 3\LOST SEASON 3 COMPLETE [HDTV][XVID]\LOST.S03E05.HDTV.XVID-LOL.AVI
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\OMAT TIEDOSTOT\LATAUKSET\HEROES SEASON 1\HEROES.S01E01-13.HDTV.XVID-LOL_FQM_SAINTS_FPN\HEROES.S01E13.HDTV.XVID-FPN.AVI
* C:\DOCUMENTS AND SETTINGS\FUJITSUSIEMENS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT

Options
Scanning engines:
* F-Secure Libra: 2.4.2, 2007-07-30
* F-Secure AVP: 7.0.171, 2007-08-03
* F-Secure Orion: 1.2.37, 2007-08-03
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Pegasus: 1.19.0, 2007-07-01
Scanning options:
* Scan all files
* Scan inside archives
* Use Advanced heuristics

---------------------------------------------------------------------

And a new HjT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28:14, on 5.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?5b2dc87cb34a44a28c20f1b5c2226a27
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?5b2dc87cb34a44a28c20f1b5c2226a27
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8005 bytes
Java update and cache clearing:

1. Click Start -> Control Panel and double-click Add or Remove Programs in the Control Panel.
2. Find all your old Java versions in the list (J2SE Runtime Environment....). They should have the following image next to them:
3. Select all your old Java versions and choose Remove.
4. Install the latest Java update from the following link..
5. Restart the computer after the installation: http://java.sun.com/javase/downloads/index.jsp Scroll down to Java Runtime Environment (JRE) 6u2, press Download, tick Accept, choose the offline installation, save it e.g. on the desktop and install it.
6. After the restart, go back to the Control Panel and open your Java settings (Other Control Panel options -> Java coffee cup).
7. Under the General Settings section, drag the slider (Disk Space) lower and click the Delete Files button. (Some Java-based programs may need more disk space. If you notice the computer slowing down after reducing the setting, move the slider higher.)
8. Make sure that both options are ticked:
*Applications and Applets
*Trace and Log Files
and press the OK button
9. Click OK in your "Temporary Files Settings" window.
10. Click OK to leave your Java settings window.

==========

If you use only Windows' own firewall, that is not sufficient protection. Download one firewall for your computer, e.g. from these three, and install it. Then also disable the Windows firewall. These 3 are fairly popular and free firewalls:
Comodo
Kerio
Zonealarm

========

1. Download combofix.exe to your desktop from either of these links:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double-click the combofix.exe file and follow the instructions.
3. When the tool is finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.

Note! Do not click the ComboFix window while it is running. This may cause the program to hang.