Hijack this -loki

Discussion in 'Virukset ja haittaohjelmat' started by stubelius, Aug 4, 2005.

  1. stubelius

    stubelius Member

    Joined:
    May 29, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Nonni. 2 viikkoo poissa kotoa ja kone uudessa uskossa sisarusten jäljiltä. Ajoin adawaret ja virustorjunnat, mutta jos tuosta vielä analyysin sieltäpäin saisi. Ei tunnu mitään akuuttia hätää olevan, mutta jotenkin veikkaan että siellä jotain löytyy..

    Logfile of HijackThis v1.99.1
    Scan saved at 3:34:45, on 5.8.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program Files\DC++\DCPlusPlus.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hjt\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
    O4 - HKLM\..\Run: [hppwrsav] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117553600132
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
     
    stubelius, Aug 4, 2005
    #1
  2. V-kos

    V-kos Regular member

    Joined:
    Mar 13, 2005
    Messages:
    1,345
    Likes Received:
    0
    Trophy Points:
    46
    Oikein veikkasit.

    Piilotiedostot näkyviin:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

    Sulje selain ja ylimääräiset ohjelmat.

    FIXaa:
    O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
    O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe

    Poista vikasietotilassa tiedostot:
    C:\WINDOWS\system32\ --> richedtr.dll
    C:\WINDOWS\system32\ --> richup.exe


    Tyhjennä tempit, väliaikaiset internet tiedostot ja roskis.

    Boottaa.

    Tarkasta uudesta logista, että nuo rivit myös hävisivät.




     
    V-kos, Aug 5, 2005
    #2
  3. stubelius

    stubelius Member

    Joined:
    May 29, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Nyt kaikki ok. Kiitän ja kumarran.
     
    stubelius, Aug 5, 2005
    #3

Share This Page