Logfile of HijackThis v1.99.1
Scan saved at 17:00:51, on 22.5.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Siemens Data Suite SX1\SDS\SDSScheduler.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\SIEMEN~1\SDS\SPHONE~2.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
C:\WINDOWS\system32\cidaemon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ltlftsaocnfelxq.com/wGzIstoVMQWzSYru44Eoorn8Xs1TEHiS4CJS_/6yfZ8vk_u8iKl4ph22JaucopNe.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://center.regionline.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - C:\WINDOWS\system32\ymzrjqzr.dll (file missing)
O2 - BHO: (no name) - {C766381F-5449-053F-584A-3ACD01280FAB} - C:\WINDOWS\system32\qgcienzj.dll (file missing)
O2 - BHO: (no name) - {F3C33746-6067-906B-DDA1-5D5853EBE93B} - C:\WINDOWS\system32\ereihfjf.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoftShowKeepWeb] C:\Documents and Settings\All Users\Application Data\supportthunksoftshow\Test Date.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [bib wait delete tons] C:\Documents and Settings\All Users\Application Data\base road bib wait\cashreal.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BuildFord] C:\DOCUME~1\DGC\APPLIC~1\PROCPE~1\tool this.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NewShortcut35.lnk = C:\Program Files\Siemens Data Suite SX1\SDS\SDSScheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.pillu.com/HotAdult.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095011809171
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: lkjmpuwklouo (wktgqshe6) - Unknown owner - C:\WINDOWS\system32\ualecnhe6.exe (file missing)
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
R3 - Default URLSearchHook is missing
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.pillu.com/HotAdult.exe
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - C:\WINDOWS\system32\ymzrjqzr.dll (file missing)
O2 - BHO: (no name) - {C766381F-5449-053F-584A-3ACD01280FAB} - C:\WINDOWS\system32\qgcienzj.dll (file missing)
O2 - BHO: (no name) - {F3C33746-6067-906B-DDA1-5D5853EBE93B} - C:\WINDOWS\system32\ereihfjf.dll (file missing)

Found these, but wait for Toymaatti, he knows what needs to be done with them.
There doesn't seem to be anyone with the skills around to help today, but it just occurred to me: is your avast actually working properly? You could run that eScan through. http://koti.mbnet.fi/pattaya1/escanmwav.htm And post its list of findings here as a follow-up.

This one doesn't belong in there:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ltlftsaocnfelxq.com/wGzIstoVMQWzSYru44Eoorn8Xs1TEHiS4C...

And besides that there's a lot of other stuff in there; someone has apparently wrecked your avast.
Yeah, Toymaatti would be needed.. it's easy enough to find out where the problem is, but if only one knew how to fix it.
Yes, and complications can always come up when you go fixing things. You'd need to have this or that internet-repair tool on hand in case the connection happens to stop working. I keep them ready myself, in case something terrible ever happens. Those "file missing" entries can always be fixed.
Yeah, under no circumstances should you go fixing things if you don't know what you're doing. You can end up with a machine that needs formatting.
Remove WildTangent from Add/Remove Programs.

Make hidden files visible: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Put a check mark in front of these, close the browser and other windows, click Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ltlftsaocnfelxq.com/wGzIstoVMQWzSYru44Eoorn8Xs1TEHiS4C...
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - C:\WINDOWS\system32\ymzrjqzr.dll (file missing)
O2 - BHO: (no name) - {C766381F-5449-053F-584A-3ACD01280FAB} - C:\WINDOWS\system32\qgcienzj.dll (file missing)
O2 - BHO: (no name) - {F3C33746-6067-906B-DDA1-5D5853EBE93B} - C:\WINDOWS\system32\ereihfjf.dll (file missing)
O4 - HKLM\..\Run: [SoftShowKeepWeb] C:\Documents and Settings\All Users\Application Data\supportthunksoftshow\Test Date.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [bib wait delete tons] C:\Documents and Settings\All Users\Application Data\base road bib wait\cashreal.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [BuildFord] C:\DOCUME~1\DGC\APPLIC~1\PROCPE~1\tool this.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.pillu.com/HotAdult.exe
O23 - Service: lkjmpuwklouo (wktgqshe6) - Unknown owner - C:\WINDOWS\system32\ualecnhe6.exe (file missing)

Boot into Safe Mode and delete these folders:
C:\Documents and Settings\All Users\Application Data\===>supportthunksoftshow<===
C:\Documents and Settings\All Users\Application Data\===>base road bib wait<===
C:\Program Files\===>WildTangent<===
C:\DOCUME~1\DGC\APPLIC~1\===>PROCPE~1<===

Boot normally and post a new log. By the way, has MessengerPlus been on the machine?
MessengerPlus really WAS installed on the machine, but it went away quickly once I noticed trojans had come to visit.... Here are eScan's findings:

File C:\DOCUME~1\ALLUSE~1\APPLIC~1\BASERO~1\cashreal.exe tagged as not-a-virus:AdWare.Lop.p. No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\WINDOWS\system32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\in10b6s.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\PreInstaller_p1.exe infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\base road bib wait\cashreal.exe tagged as not-a-virus:AdWare.Lop.p. No Action Taken.
File C:\Documents and Settings\DGC\Application Data\Kind Scr Chin\flaw boob.exe infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Application Data\procpeakbalm\Gramsettingstransbend.exe infected by "Trojan-Downloader.Win32.Swizzor.ca" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Application Data\procpeakbalm\jgnjotvq.exe tagged as not-a-virus:AdWare.Lop.p. No Action Taken.
File C:\Documents and Settings\DGC\Application Data\procpeakbalm\Tonsamokshow.exe infected by "Trojan-Downloader.Win32.Swizzor.cb" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\7340125c.exe infected by "Trojan-Downloader.Win32.Swizzor.bn" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b599041f.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b5a7558b.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b62aa275.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b65498c5.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b655bb75.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b764b152.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b780c166.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b7885dcd.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b791527c.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b791cf9c.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b791d92a.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b792ac95.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b792b553.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b793a7a9.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b794141f.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b794164e.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b79ab964.exe infected by "Trojan-Downloader.Win32.Swizzor.bn" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b79b3e82.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b79c4913.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b79db097.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b79ec44c.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b7a865df.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\b7c06935.exe infected by "Trojan-Downloader.Win32.Swizzor.bk" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\DGC\Local Settings\Temp\ejcjlkga.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\glzsghdl.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\judseclz.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\lmeafbqg.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\ohvdtugl.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\pyvarzxd.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\qmoifmqz.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Local Settings\Temp\xsqsandk.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\Documents and Settings\DGC\Omat tiedostot\Tiia\omat jutut\ohjelmat\dxball.exe tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\Program Files\C2Media\Setup.exe tagged as not-a-virus:AdWare.Lop. No Action Taken.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP472\A0289432.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP472\A0289434.exe infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP493\A0324940.exe infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP495\A0328179.dll tagged as not-a-virus:AdWare.TotalVelocity.aa. No Action Taken.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP495\A0328180.dll tagged as not-a-virus:AdWare.TotalVelocity.aa. No Action Taken.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP495\A0328193.exe infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP496\A0328205.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP499\A0333307.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP499\A0333308.exe tagged as not-a-virus:AdWare.Suggestor.g. No Action Taken.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP509\A0375579.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP513\A0393768.exe tagged as not-a-virus:AdWare.Lop.m. No Action Taken.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP513\A0397772.exe infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0420002.exe infected by "Trojan-Downloader.Win32.Small.gr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0420003.exe infected by "Trojan-Downloader.Win32.Small.gr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0420180.exe infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0426326.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0426327.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0426328.exe infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0426329.exe infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0426330.exe infected by "Trojan-Downloader.Win32.Swizzor.ca" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{60E2797A-29E3-415E-A50A-5A85F24511E7}\RP517\A0426331.exe infected by "Trojan-Downloader.Win32.Swizzor.cb" Virus. Action Taken: File Deleted.
File C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.
File C:\WINDOWS\wt\wtvh.dll tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.

Believe it or not, I scanned the machine just a couple of days ago with another program....
eScan was probably run before the HjT fix; scan again and post its findings here.

First delete these in Safe Mode:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\===>BASERO~1<===
C:\Program Files\===>MessengerPlus!<===

Empty the temp folders. The lower ones in every user account:
C:\Temp
C:\Windows\Prefetch
C:\Documents and Settings\User name\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\User name\Local Settings\Temp
Now the machine has developed a problem where, when you start it, it freezes right at the start or restarts itself. It did the same thing back when trojans were swarming on the machine. I managed to get the HijackThis log anyway, and here it is:

Logfile of HijackThis v1.99.1
Scan saved at 18:20:09, on 24.5.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Siemens Data Suite SX1\SDS\SDSScheduler.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\SIEMEN~1\SDS\SPHONE~2.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\hjt\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://center.regionline.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - (no file)
O2 - BHO: (no name) - {C766381F-5449-053F-584A-3ACD01280FAB} - (no file)
O2 - BHO: (no name) - {F3C33746-6067-906B-DDA1-5D5853EBE93B} - C:\WINDOWS\system32\ereihfjf.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NewShortcut35.lnk = C:\Program Files\Siemens Data Suite SX1\SDS\SDSScheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095011809171
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: lkjmpuwklouo (wktgqshe6) - Unknown owner - C:\WINDOWS\system32\ualecnhe6.exe (file missing)
Huh? The log is otherwise fine, but why didn't these go away in the previous fix:
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - (no file)
O2 - BHO: (no name) - {C766381F-5449-053F-584A-3ACD01280FAB} - (no file)
O2 - BHO: (no name) - {F3C33746-6067-906B-DDA1-5D5853EBE93B} - C:\WINDOWS\system32\ereihfjf.dll (file missing)
O23 - Service: lkjmpuwklouo (wktgqshe6) - Unknown owner - C:\WINDOWS\system32\ualecnhe6.exe (file missing)

Type > services.msc < into RUN and look for whether > lkjmpuwklouo < is there; double-click it, set SERVICE STATUS to STOPPED and STARTUP TYPE to DISABLED > OK, and close the window.

Find and delete in Safe Mode, if present:
C:\WINDOWS\system32\===>ymzrjqzr.dll<===
C:\WINDOWS\system32\===>qgcienzj.dll<===
C:\WINDOWS\system32\===>ereihfjf.dll<===
C:\WINDOWS\system32\===>ualecnhe6.exe<===

Were they found, did they go???
I didn't find them, and I couldn't remove those couple of files with the HijackThis program either. Even though I removed them, they still haunt the machine. And the machine also keeps restarting itself or freezing. What could be causing that?
Nothing for it but a trip to the optician, and then we continue. So, HjT fix once more:
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - (no file)
O2 - BHO: (no name) - {C766381F-5449-053F-584A-3ACD01280FAB} - (no file)
O2 - BHO: (no name) - {F3C33746-6067-906B-DDA1-5D5853EBE93B} - C:\WINDOWS\system32\ereihfjf.dll (file missing)
O23 - Service: lkjmpuwklouo (wktgqshe6) - Unknown owner - C:\WINDOWS\system32\ualecnhe6.exe (file missing)

Find and delete in Safe Mode, if present:
C:\WINDOWS\system32\===>ymzrjqzr.dll<===
C:\WINDOWS\system32\===>qgcienzj.dll<===
C:\WINDOWS\system32\===>ereihfjf.dll<===
C:\WINDOWS\system32\===>ualecnhe6.exe<===

Have they gone yet?
Tomi!! Even though this isn't a phone forum, can you advise where I attach FExplorer on the N-Gage?? With a USB cable.. I've already downloaded the program, but I don't know where I "attach" that FExplorer?? Help, I need help quickly!!
Logfile of HijackThis v1.99.1
Scan saved at 17:21:16, on 2.6.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\mIRC\mirc.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telkku.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.suomihiphop.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AAE4670-9935-5F98-8253-165578D32D48} - (no file)
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - (no file)
O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [9AcoG] C:\WINDOWS\vdqloual.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [bold][eytmzm] c:\windows\system32\cluznjb.exe[/bold] ?
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [bold][Jkmbki] C:\WINDOWS\System32\xzkfm.exe[/bold] ?
O4 - HKCU\..\Run: [bold][ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe[/bold] ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[bold]So what should be removed? poller.exe is causing trouble. I put the suspicious-looking files in bold.[/bold]
That ctfmon.exe is part of the Microsoft Office suite. It should not be destroyed unless you suspect it is causing problems on your machine. You probably looked at your log with some analyzer? Because several analyzers urge you to fix that one, or else say it is unknown. About the others I don't know, but don't fix that CTFMON.EXE.
Make hidden files visible: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Get this tool: http://www.mypctuneup.com/evaluate.php

Run it, and when the machine restarts go into Safe Mode, check these in HjT and click Fix:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {1AAE4670-9935-5F98-8253-165578D32D48} - (no file)
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - (no file)
O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
O4 - HKLM\..\Run: [9AcoG] C:\WINDOWS\vdqloual.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eytmzm] c:\windows\system32\cluznjb.exe
O4 - HKCU\..\Run: [Jkmbki] C:\WINDOWS\System32\xzkfm.exe

Delete these:
C:\WINDOWS\===>Nail.exe<===
C:\WINDOWS\===>lsasss.exe<===
C:\WINDOWS\===>vdqloual.exe<===
c:\windows\system32\===>cluznjb.exe<===
C:\WINDOWS\System32\===>xzkfm.exe<===

Boot normally. Did it help?
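The helpers in this thread apply the same reading rules to every HijackThis log: a BHO or service whose file is "(file missing)" or "(no file)" is a leftover registry reference; a Run entry that starts something out of Application Data, Documents and Settings or the bare Windows root is suspect; an F2 line where Shell= is anything other than Explorer.exe means the shell has been replaced; a name one character off a real system binary (lsasss.exe next to lsass.exe) is an imitation; and an O16 ActiveX download from an unknown host does not belong. The script below is an added example, not code from the thread or from HijackThis itself, that applies those rules to HJT entry lines. The sample log is assembled from entries posted in this thread; the list of system binary names and the allow-list of trusted O16 hosts are constructed assumptions, not something HijackThis ships, and the heuristics deliberately stay silent on entries such as ctfmon.exe that the thread points out are legitimate.

```python
"""Triage HijackThis v1.99 entry lines with the reading rules used in this thread.

Added example; not part of the original thread or of HijackThis.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumption: system binaries whose names malware likes to imitate.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "ctfmon.exe"}
# Assumption: hosts from which an O16 ActiveX download is expected on this PC.
TRUSTED_O16_HOSTS = {"messenger.msn.com", "v5.windowsupdate.microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alikes such as lsasss.exe vs lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_path(cmd: str) -> str:
    """Return the executable path of a Run value, with quotes and arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|cpl))(\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def flags_for(section: str, body: str) -> list:
    """Apply the thread's reading rules to one HJT entry; return the reasons it is suspect."""
    findings = []
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        findings.append("orphan: registry entry points to a file that is not there")
    if section == "F2" and "shell=" in low:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append("shell replaced: Shell= is %r, expected Explorer.exe" % shell)
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            path = command_path(m.group("cmd"))
            p = path.lower()
            base = p.rsplit("\\", 1)[-1]
            if "\\application data\\" in p or "\\documents and settings\\" in p:
                findings.append("autostart from user-writable data folder: " + path)
            if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
                findings.append("autostart directly in the Windows root: " + path)
            if base not in SYSTEM_NAMES and any(edit_distance(base, s) == 1 for s in SYSTEM_NAMES):
                findings.append("look-alike of a system binary name: " + base)
    if section == "O16":
        m = URL_RE.search(body)
        host = urlparse(m.group(0)).hostname if m else None
        if host and host not in TRUSTED_O16_HOSTS:
            findings.append("ActiveX download from untrusted host: " + host)
    return findings


def triage(log_text: str) -> dict:
    """Map each flagged HJT entry line to the list of reasons it was flagged."""
    report = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line, blank line, or a running-process path
        reasons = flags_for(m.group("section"), m.group("body"))
        if reasons:
            report[line] = reasons
    return report


# Constructed sample: entries taken from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30FA7A14-26AC-9589-6050-BE8DA0D7E9B3} - C:\WINDOWS\system32\ymzrjqzr.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bib wait delete tons] C:\Documents and Settings\All Users\Application Data\base road bib wait\cashreal.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.pillu.com/HotAdult.exe
O23 - Service: lkjmpuwklouo (wktgqshe6) - Unknown owner - C:\WINDOWS\system32\ualecnhe6.exe (file missing)
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```

Run as written, the script flags six of the eleven sample entries (the F2 shell line, the orphaned BHO and service, the two suspect Run entries and the untrusted O16 download) and leaves the Acrobat BHO, avast, WildTangent and ctfmon lines alone; the look-alike rule is what separates lsasss.exe from the real lsass.exe, which a visual scan of a long log easily misses.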
Yeah, it seems to work, although it was left a bit open how those files above should be deleted? Manually? Many thanks for your time!