When I try to open F-Secure it shuts down. If I try to install the F-Secure program, the computer suggests closing it, won't let it install and shuts it down.

Logfile of HijackThis v1.99.1
Scan saved at 22:03:32, on 3.2.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Athan\Athan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\msmbw.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F3 - REG:win.ini: run=C:\WINDOWS\inet20002\winlogon.exe
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20002\3.01.00.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
You've got quite a nice collection of nasties on that machine. Your connection has been hijacked from Belarus. In addition, one of those pests is constantly downloading more junk onto your machine. And the biggest reason for this is that you haven't updated Windows.... Once we've got the machine clean, you'll need to go and get Service Pack 2 + the other critical updates. Otherwise your log will be on the forum once a week.

Get Fixwareout from http://forums.subratam.org/index.php?act=Attach&type=post&id=43811 or http://swandog46.geekstogo.com/Fixwareout.exe
Save it to the desktop.
Click Fixwareout to run it and press OK etc. when asked.
Reboot when told to.
HijackThis will open automatically after this. If it doesn't open, open it yourself.

Fix these:

F3 - REG:win.ini: run=C:\WINDOWS\inet20002\winlogon.exe
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20002\3.01.00.dll
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\serbw.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe

Get Ewido > http://keskustelu.afterdawn.com/thread_view.cfm/269186
Install and update it. Don't do anything else with it yet.

Make hidden files visible, instructions -> http://keskustelu.afterdawn.com/thread_view.cfm/248944

Boot into Safe Mode (F8 during startup).

Delete these:

C:\WINDOWS\==============>inet20002<=== folder
C:\WINDOWS\System32\=====>formatsys.exe
C:\WINDOWS\System32\=====>serbw.exe
C:\WINDOWS\==============>msmbw.exe

Scan with Ewido in Safe Mode and save the report.

Boot into normal mode, and post a new log + the Ewido report + the contents of c:\fixwareout\report.txt
I couldn't find these:

C:\WINDOWS\System32\=====>serbw.exe
C:\WINDOWS\==============>msmbw.exe

Otherwise OK.

Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on: 17:44:49, 4.2.2006
 + Report-Checksum: EED706E4

 + Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Spyware.CoolWebSearch : Cleaned with backup
C:\Crazy frog gets killed by train!.pif -> Worm.Sumom.a : Cleaned with backup
:mozilla.17:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.61:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.62:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.63:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.64:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.65:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\mahad\Cookies\mahad@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\mahad\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe -> Worm.Sumom.a : Cleaned with backup
C:\Documents and Settings\mahad\Local Settings\Temp\her.pt -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\mahad\Local Settings\Temp\isinst.exe -> Downloader.IstBar.oe : Cleaned with backup
C:\Documents and Settings\mahad\Local Settings\Temporary Internet Files\Content.IE5\OHKNGJ07\1001[1].exe -> Downloader.Small.awa : Cleaned with backup
C:\Documents and Settings\mahad\Local Settings\Temporary Internet Files\Content.IE5\ULTE3YDK\009[1].jpg -> Downloader.Small.ccn : Cleaned with backup
C:\Documents and Settings\mahad\Omat tiedostot\Downloads\~~ the oc 311.rar/Setup_toolBar.exe -> Downloader.IstBar.nj : Cleaned with backup
:mozilla.27:C:\Documents and Settings\mahad1\Application Data\Mozilla\Firefox\Profiles\a7d5dl4o.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\mahad1\Application Data\Mozilla\Firefox\Profiles\a7d5dl4o.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\mahad1\Application Data\Mozilla\Firefox\Profiles\a7d5dl4o.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\mahad1\Cookies\mahad1@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\mahad1\Cookies\mahad1@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\mahad1\Cookies\mahad1@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\mahad1\Cookies\mahad1@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\mahad1\Cookies\mahad1@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\mahad1\Cookies\mahad1@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\mahad1\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe -> Worm.Sumom.a : Cleaned with backup
C:\Fat Elvis! lol.pif -> Worm.Sumom.a : Cleaned with backup
C:\Program Files\Avant Browser\fdsf -> Downloader.Small.awa : Cleaned with backup
C:\Program Files\backups\backup-20060204-164155-397.dll -> Spyware.Ihbo : Cleaned with backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\dial23.0xe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\howiper.0xe -> Trojan.Small.gq : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 17:55:04, on 4.2.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Athan\Athan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
The connection is still coming from Belarus... Run FixWareOut again, and when HJT opens, fix these lines (somehow I forgot to mention them last time, even though they were exactly what I recognized the pest from =)):

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81

Post a new log after that.
Logfile of HijackThis v1.99.1
Scan saved at 18:14:26, on 7.2.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ares\Ares.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [VoipCheap] "C:\Program Files\VoipCheap\VoipCheap.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: Avaa kaikki linkit tältä sivulta... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Etsi - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Korosta - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Lisää mainostenestolistalle - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Torju kaikki kuvat samalta palvelimelta - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
By the way, spertti, may I ask how you can tell from that that the connection has been hijacked from Belarus? Asking purely out of interest and curiosity ;D
Those IPs on the O17 lines led to Belarus. Just by googling the IP, or by entering it here > http://www.dnsstuff.com/ and picking IP information, for example, you can find out quite a lot. That WareOut pest you had is usually recognizable precisely from those Belarusian IP addresses, which lead to Atrivo's server. But indeed, that fix we ran removes all of its leftovers really well. WareOut is a "nice" worm only in the sense that it keeps downloading more junk onto whatever machine it has installed itself on =) But this time it was noticed in time, and the removal went relatively easily too, didn't it?
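The point made above, that the O17 NameServer lines (together with the odd autostart paths in the first log) are what give this infection away, can be turned into a small log-triage script. The Python below is an added example written for this edit; it is not a tool from the thread, from HijackThis or from F-Secure. The trusted-resolver list and the three path heuristics are assumptions an analyst would adapt to the machine and ISP in question, and the sample lines are copied from the first HijackThis log posted in this thread.

```python
"""Triage helpers for HijackThis v1.99.1 log lines (added example, not a tool from the thread)."""
import ipaddress
import re

# Constructed sample: lines from the first log in this thread. The O17 lines carry the
# hijacked resolvers; the F3/O4 lines carry the autostart entries the helper asked to fix.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20002\winlogon.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\formatsys.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
"""

# Assumptions an analyst fills in per machine: the resolvers the ISP or home router
# actually hands out, and the few binaries that legitimately live loose in C:\WINDOWS.
TRUSTED_DNS = {"192.168.1.1"}                                  # constructed placeholder
WINDOWS = "c:\\windows"
SYSTEM_DIRS = {WINDOWS + "\\system32", WINDOWS + "\\system"}
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
NS_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}: NameServer = (.*)$")
RUN_RE = re.compile(r"\[([^\]]+)\] (.*)$")
PATH_RE = re.compile(r'^"?([a-z]:\\.*?\.(?:exe|dll|ocx|scr|cpl))"?', re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, body) for each 'Oxx - ...' style line; other lines are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def find_dns_hijack(entries, trusted=TRUSTED_DNS):
    """Map interface GUID -> O17 NameServer values that are neither trusted nor
    private/link-local. Every lookup on that interface is answered by a resolver
    the user never configured, which is the DNS-hijack signal the helper used."""
    hits = {}
    for section, body in entries:
        if section != "O17":
            continue
        m = NS_RE.search(body)
        if not m:
            continue
        guid, servers = m.group(1), re.split(r"[ ,]+", m.group(2).strip())
        bad = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)  # not even an IP literal: worth a look
                continue
            if s not in trusted and not (ip.is_private or ip.is_link_local):
                bad.append(s)
        if bad:
            hits.setdefault(guid, []).extend(bad)
    return hits


def _autostart_path(section, body):
    """Extract the executable path from an F3 (win.ini run=) or O4 (Run key) body."""
    if section == "F3":
        m = re.search(r"run=(.*)$", body)
        return m.group(1).strip() if m else None
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            p = PATH_RE.match(m.group(2))
            return p.group(1) if p else m.group(2)
    return None


def suspicious_autostarts(entries):
    """Return [(section, path, reason)] for autostart targets that (a) borrow a core
    system binary's name outside the system directory, (b) sit loose in C:\\WINDOWS,
    or (c) live in an unexpected subfolder of C:\\WINDOWS. Heuristics only."""
    findings = []
    for section, body in entries:
        path = _autostart_path(section, body)
        if not path:
            continue
        folder, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
            findings.append((section, path, "system binary name outside system dir"))
        elif folder == WINDOWS and name not in WINDOWS_ROOT_OK:
            findings.append((section, path, "executable loose in C:\\WINDOWS"))
        elif folder.startswith(WINDOWS + "\\") and folder not in SYSTEM_DIRS:
            findings.append((section, path, "unexpected folder under C:\\WINDOWS"))
    return findings


if __name__ == "__main__":
    entries = list(parse_hjt(SAMPLE_LOG))
    for guid, servers in find_dns_hijack(entries).items():
        print(f"O17 {{{guid}}}: untrusted resolvers {servers}")
    for section, path, reason in suspicious_autostarts(entries):
        print(f"{section}: {path}  <- {reason}")
```

Run against the sample, the script flags both interfaces' resolvers (85.255.115.20 and 85.255.112.81) and three autostart entries: the two copies of winlogon.exe under inet20002 and msmbw.exe loose in C:\WINDOWS. It does not flag formatsys.exe, because a name in System32 passes a path-only check; that is exactly where the helper's knowledge of the WareOut family, rather than any heuristic, did the work. The strongest single signal remains a public resolver outside the ISP's ranges answering every lookup, which is why the O17 lines are the first thing to read in a log like this.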