hakukoneiden linkit avaavat mainossivuja eikä varsinaisia sivustoja

Discussion in 'Virukset ja haittaohjelmat' started by Miansa, Nov 29, 2006.

  1. Miansa

    Miansa Member

    Joined:
    Nov 29, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    11
    Moi
    Pyytäisin apua ongelmaani

    Käyttäessäni eri hakukoneita hakiessani tiettyjä sivustoja niin aukeaa lähes aina mainossivusto. Olen kokeillut käyttää myös kahta eri selainta(Internet explorer ja Opera), molemmissa on sama ongelma.

    Olen yrittänyt löytää ongelmaa, mutta en vaan saa millään ratkaistua mikä on vikana. Viruksia norman ei löydä ja ad-aware on ajettu monta kertaa.

    Tässä olisi koneen Hijackthis loki

    Logfile of HijackThis v1.99.1
    Scan saved at 18:16:25, on 29.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\Nvc\BIN\ZANDA.EXE
    C:\Norman\Nvc\BIN\ZLH.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\unzipped\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4582A91-9F0D-4938-95CC-2F14C48FFE89}: NameServer = 85.255.114.40,85.255.112.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Nvc\BIN\ZANDA.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
     
    Miansa, Nov 29, 2006
    #1
  2. fixeri

    fixeri Regular member

    Joined:
    Oct 5, 2006
    Messages:
    381
    Likes Received:
    0
    Trophy Points:
    26
    Eipä mikään ihme kun siellä on Wareout infektio.

    Lataa fixwareout.exe jommastakummasta osotteesta:

    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    -Tallenna se työpöydälle
    -Tuplaklikkaa ohjelman kuvaketta ja seuraa ohjeita.
    -Klikkaa Next.
    -sitten Install ja varmistu, että "Run fixit" on valittu.
    -Käynnistä kone uudelleen kun ohjelma niin pyytää.

    Lähetä FixWareout raportti, löytyy yleensä sijainnista c:\fixwareout\report.txt ja uus HJT logi.

    Niin ja nuo voit fixata HJT:llä:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4582A91-9F0D-4938-95CC-2F14C48FFE89}: NameServer = 85.255.114.40,85.255.112.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
     
    Last edited: Nov 29, 2006
    fixeri, Nov 29, 2006
    #2
  3. Miansa

    Miansa Member

    Joined:
    Nov 29, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    11
    Kiitos tosi paljon avusta sinulle.
    Nyt toimii taas hakukoneet

    ---Fixwareout raportti alkaa---

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

    ---Fixwareout raportti loppuu---



    ---Hijackthis raportti alkaa---

    Logfile of HijackThis v1.99.1
    Scan saved at 19:01:51, on 29.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\Nvc\BIN\ZANDA.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Norman\Nvc\BIN\ZLH.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\unzipped\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4582A91-9F0D-4938-95CC-2F14C48FFE89}: NameServer = 85.255.114.40,85.255.112.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Nvc\BIN\ZANDA.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    ---Hijackthis raportti loppuu---

     
    Miansa, Nov 29, 2006
    #3
  4. fixeri

    fixeri Regular member

    Joined:
    Oct 5, 2006
    Messages:
    381
    Likes Received:
    0
    Trophy Points:
    26
    Hyvä että toimii..=) fixaa nuo rivit vielä pois tuolta roikkumasta:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4582A91-9F0D-4938-95CC-2F14C48FFE89}: NameServer = 85.255.114.40,85.255.112.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
     
    fixeri, Nov 29, 2006
    #4
  5. Miansa

    Miansa Member

    Joined:
    Nov 29, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    11
    Okei..kiitos
     
    Miansa, Nov 30, 2006
    #5

Share This Page