A file like that appeared on my desktop, 0 bytes in size. I can't get it deleted no matter what I try. It says "cannot delete, sharing violation. The source or destination files may be in use. Close all programs that might..etc." Ewido doesn't recognize it, Ad-Aware doesn't, AntiVir doesn't, and I think I tried Spybot too. I tried looking for help on the net and here, but nowhere really explained exactly how to get rid of it. I also tried deleting it in safe mode. I don't really know where it came from; the computer has a couple of other users besides me. Please help, good people, if you know =o) Thanks.
Download that and read the instructions carefully... http://keskustelu.afterdawn.com/thread_view.cfm/316714 that should get rid of it.
Logfile of HijackThis v1.99.1 Scan saved at 1:51:01, on 20.7.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: H:\WINDOWS\System32\smss.exe H:\WINDOWS\system32\winlogon.exe H:\WINDOWS\system32\services.exe H:\WINDOWS\system32\lsass.exe H:\WINDOWS\system32\Ati2evxx.exe H:\WINDOWS\system32\svchost.exe H:\WINDOWS\System32\svchost.exe H:\Program Files\Ahead\InCD\InCDsrv.exe H:\WINDOWS\system32\spoolsv.exe H:\WINDOWS\system32\Ati2evxx.exe H:\WINDOWS\Explorer.EXE H:\Program Files\Ahead\InCD\InCD.exe H:\Program Files\Microsoft AntiSpyware\gcasServ.exe H:\Program Files\HP\HP Software Update\HPWuSchd2.exe H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe H:\Program Files\MessengerPlus! 3\MsgPlus.exe H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe H:\WINDOWS\system32\ctfmon.exe H:\Program Files\Free Notes\FreeNotes.exe H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe H:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe H:\Program Files\AntiVir PersonalEdition Classic\sched.exe H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe H:\Program Files\ewido anti-spyware 4.0\guard.exe H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe H:\WINDOWS\system32\svchost.exe H:\WINDOWS\system32\ZoneLabs\vsmon.exe H:\Program Files\Raxco\PerfectDisk\PDSched.exe H:\Program Files\Winamp\winamp.exe H:\Program Files\Mozilla Firefox\firefox.exe H:\Program Files\MSN Messenger\msnmsgr.exe H:\Program Files\hijackthis\HijackThis_v1.99.1.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control 
Panel\atiptaxx.exe O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [gcasServ] "H:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [MessengerPlus3] "H:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Free Notes] "H:\Program Files\Free Notes\FreeNotes.exe" O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = H:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: Vie Microsoft E&xceliin - res://H:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - H:\Program Files\ladbrokesMPP\MPPoker.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - 
H:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fi/filesharingctrl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113303831562 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{CA243EDD-2D24-477E-9F1A-5870FC506D1B}: NameServer = 212.50.211.242 212.50.192.226 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir 
Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - H:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe O23 - Service: PDEngine - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDExchange - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDExchange.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe
You can fix this one.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
cmb_243461.exe << Ewido really should recognize this; have you updated Ewido? Log in as administrator, then try to delete it. eScan should also be able to deal with it.... get it from here http://koti.mbnet.fi/pattaya1/escanmwav.htm and you could post a log of the findings. That's it for a start; one of the Virus Doctors will probably check this over once they have time.
(just making sure) So once HijackThis has done the "do a system scan and save a logfile" thing, I tick the box next to "O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k" and press "fix checked"??
Yes, exactly like that. Then try once more to delete that cmb_243461.exe using what I advised, run HijackThis and post a new log here, and also a log of the eScan/Ewido findings. As I mentioned earlier, the doctors will then look into it more closely. Edit: Correction, >>Log in as administrator<<, then try to delete it. >>Log in in safe mode<<, then try to delete it.
Hi, the summer holidays are over. This job was left unfinished back then. I didn't really get around to turning the computer on. Well, the file in question is still on the desktop. I tried to delete it as administrator in safe mode. I've been running and updating Ewido, and did the eScan according to the instructions. It won't go away. Nowadays, every so often when I open programs, the computer throws up a window complaining that there is no disk in the drive??? Clicking 'Cancel' a couple of times usually helps. I wonder if anyone could help with these problems. I'll put the HijackThis and eScan logs at the end:
Logfile of HijackThis v1.99.1 Scan saved at 22:57:02, on 6.9.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: H:\WINDOWS\System32\smss.exe H:\WINDOWS\system32\winlogon.exe H:\WINDOWS\system32\services.exe H:\WINDOWS\system32\lsass.exe H:\WINDOWS\system32\Ati2evxx.exe H:\WINDOWS\system32\svchost.exe H:\Program Files\Windows Defender\MsMpEng.exe H:\WINDOWS\System32\svchost.exe H:\Program Files\Ahead\InCD\InCDsrv.exe H:\WINDOWS\system32\spoolsv.exe H:\WINDOWS\system32\Ati2evxx.exe H:\WINDOWS\Explorer.EXE H:\Program Files\Ahead\InCD\InCD.exe H:\Program Files\HP\HP Software Update\HPWuSchd2.exe H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe H:\Program Files\MessengerPlus! 
3\MsgPlus.exe H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe H:\Program Files\Windows Defender\MSASCui.exe H:\WINDOWS\system32\ctfmon.exe H:\Program Files\Free Notes\FreeNotes.exe H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe H:\Program Files\AntiVir PersonalEdition Classic\sched.exe H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe H:\Program Files\ewido anti-spyware 4.0\guard.exe H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe H:\WINDOWS\system32\svchost.exe H:\WINDOWS\system32\ZoneLabs\vsmon.exe H:\Program Files\Raxco\PerfectDisk\PDSched.exe H:\Program Files\Mozilla Firefox\firefox.exe H:\Kaspersky\mwavscan.com H:\Kaspersky\kavss.exe H:\Program Files\hijackthis\HijackThis_v1.99.1.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [MessengerPlus3] "H:\Program Files\MessengerPlus! 
3\MsgPlus.exe" O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Free Notes] "H:\Program Files\Free Notes\FreeNotes.exe" O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = H:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: Vie Microsoft E&xceliin - res://H:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - H:\Program Files\ladbrokesMPP\MPPoker.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - 
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fi/filesharingctrl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113303831562 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{CA243EDD-2D24-477E-9F1A-5870FC506D1B}: NameServer = 212.50.211.242 212.50.192.226 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- H:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - H:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe O23 - Service: PDEngine - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDExchange - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDExchange.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe eScan: File H:\Program Files\Messenger\Tiedotonsiirtoesto-juttu\INSTALL_MSN_MESSENGER_DL.EXE tagged as not-a-virus:RiskTool.Win32.ExtUnlock.a. No Action Taken. File H:\Program Files\Messenger\Tiedotonsiirtoesto-juttu\INSTALL_MSN_MESSENGER_DL.zip tagged as not-a-virus:RiskTool.Win32.ExtUnlock.a. No Action Taken.
A silly idea came to mind: I took some installer file (.exe) and renamed it to the same name as the file in question. Then I dropped it into the same folder; it asked whether to replace, and I chose replace. Now the file is still lying there, or rather it's now a new file with that same name; it still can't be deleted, but at least it's no longer some malware or the like. But it still won't go away. Help =o)
1. Download The Avenger (c) to your desktop.
- Click the Avenger.zip file to open it.
- Extract Avenger.exe to your desktop.
2. Copy all the text in the black quote box below into an empty Notepad:
Note: the script above was created specifically for this user. If you are not this person, do NOT follow these instructions, because they could damage your computer's functionality.
3. Now open The Avenger by double-clicking its icon on your desktop.
- Under "Script file to execute", select "Input Script Manually".
- Now click the magnifying glass icon, which opens a new window called "View/edit script".
- Paste the text you copied into Notepad into this window.
- Click Done.
- Now click the green light to start the script.
- Click "Yes" when the two warning boxes appear.
The Avenger automatically does the following:
- Restarts your computer. (In cases where the script contains a "Drivers to Unload" command, The Avenger restarts your computer twice.)
- During startup, it briefly opens a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open, showing the results of The Avenger's actions. The path of this log is C:\avenger.txt
- The Avenger has also made a backup of all the files etc. that you asked it to delete, and has zipped and moved them to C:\avenger\backup.zip.
5. Copy and paste the entire contents of avenger.txt into your reply, along with a fresh HJT log.
The file is gone, thanks -kemisti- =o)
Logfile of HijackThis v1.99.1 Scan saved at 16:45:32, on 17.9.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: H:\WINDOWS\System32\smss.exe H:\WINDOWS\system32\winlogon.exe H:\WINDOWS\system32\services.exe H:\WINDOWS\system32\lsass.exe H:\WINDOWS\system32\Ati2evxx.exe H:\WINDOWS\system32\svchost.exe H:\Program Files\Windows Defender\MsMpEng.exe H:\WINDOWS\System32\svchost.exe H:\Program Files\Ahead\InCD\InCDsrv.exe H:\WINDOWS\system32\spoolsv.exe H:\Program Files\AntiVir PersonalEdition Classic\sched.exe H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe H:\Program Files\ewido anti-spyware 4.0\guard.exe H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe H:\WINDOWS\system32\svchost.exe H:\WINDOWS\system32\ZoneLabs\vsmon.exe H:\Program Files\Raxco\PerfectDisk\PDSched.exe H:\WINDOWS\system32\Ati2evxx.exe H:\WINDOWS\Explorer.EXE H:\Program Files\Ahead\InCD\InCD.exe H:\Program Files\HP\HP Software Update\HPWuSchd2.exe H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe H:\Program Files\MessengerPlus! 
3\MsgPlus.exe H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe H:\Program Files\Windows Defender\MSASCui.exe H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe H:\WINDOWS\system32\ctfmon.exe H:\Program Files\Free Notes\FreeNotes.exe H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe H:\Program Files\MSN Messenger\msnmsgr.exe H:\Program Files\Winamp\winamp.exe H:\Program Files\Mozilla Firefox\firefox.exe H:\Program Files\hijackthis\HijackThis_v1.99.1.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [MessengerPlus3] "H:\Program Files\MessengerPlus! 
3\MsgPlus.exe" O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Free Notes] "H:\Program Files\Free Notes\FreeNotes.exe" O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = H:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: Vie Microsoft E&xceliin - res://H:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - H:\Program Files\ladbrokesMPP\MPPoker.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - 
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fi/filesharingctrl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113303831562 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{CA243EDD-2D24-477E-9F1A-5870FC506D1B}: NameServer = 212.50.211.242 212.50.192.226 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- H:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - H:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe O23 - Service: PDEngine - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDExchange - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDExchange.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - H:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - H:\WINDOWS\system32\ZoneLabs\vsmon.exe
And then
Logfile of The Avenger version 1, by Swandog46
Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\ypcqqawf
*******************
Script file located at: \??\H:\WINDOWS\system32\ryjorceq.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at H:\Avenger
*******************
Beginning to process script file:
File H:\Documents and Settings\Omistaja\Työpöytä\cmb_243461.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
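
Added example, not part of the original thread: the helper asks for a fresh HijackThis log after "fix checked", and comparing the two scans entry by entry confirms that the fixed entry is really gone and shows what else changed. The function names are this example's own, and the two sample logs are constructed by trimming the thread's first and second logs to a few lines.

```python
import re

# HijackThis prefixes every finding with a section code: R0-R3, F0-F3,
# N1-N4 or O1-O23, followed by " - ". The code must start the text or
# follow whitespace, so it also works on logs flattened onto one line.
ENTRY_START = re.compile(r"(?:^|(?<=\s))(?:[RF][0-3]|N[1-4]|O\d{1,2}) - ")


def parse_entries(log_text):
    """Split a HijackThis log into its findings.

    Works whether the log has one entry per line or was pasted as a single
    run of text. Header lines and the running-process list before the
    first finding are ignored.
    """
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    entries = []
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        # Collapse whitespace so line wraps do not create false differences.
        entries.append(" ".join(log_text[begin:end].split()))
    return entries


def diff_scans(before, after):
    """Return (removed, added) findings between two scans, in log order."""
    old, new = parse_entries(before), parse_entries(after)
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


def fix_applied(before, after, fixed_entry):
    """True if the entry that was ticked and fixed is absent from the new scan."""
    wanted = " ".join(fixed_entry.split())
    removed, _ = diff_scans(before, after)
    return wanted in removed


# Constructed sample: trimmed excerpt of the first scan, flattened as pasted.
BEFORE = (
    r'Running processes: H:\WINDOWS\Explorer.EXE '
    r'R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit '
    r'O4 - HKLM\..\Run: [gcasServ] "H:\Program Files\Microsoft AntiSpyware\gcasServ.exe" '
    r'O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k '
    r'O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe'
)

# Constructed sample: trimmed excerpt of the second scan, one entry per line.
AFTER = r'''Running processes:
H:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
'''

# The entry the helper said to fix.
FIXED = r'O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k'

if __name__ == "__main__":
    removed, added = diff_scans(BEFORE, AFTER)
    print("fix applied:", fix_applied(BEFORE, AFTER, FIXED))
    for entry in removed:
        print("removed:", entry)
    for entry in added:
        print("added:  ", entry)
```

Any entry reported as added between two scans deserves the same scrutiny as the original log, since a new autostart entry is exactly what a reinfection would look like.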