Is there any crap to be found?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:36:26, on 20.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Saari\OMATTI~1\FNTS~1\notepad.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\?dobe\?hkntfs.exe
C:\Program Files\Opera 9 Beta\Opera.exe
C:\Documents and Settings\Saari\Omat tiedostot\Sami\Hijackthis\HiJackThis_v2.0.0.0.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3397AA64-058F-7E33-F24C-67E34B9BAABD} - C:\WINDOWS\system32\ogohi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7987A9E5-D175-4E09-8F9A-2582FE76F353} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: (no name) - {8568C7A8-D268-4FEE-AF82-4A92A71E71B8} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AC15BF4B-89C7-4571-B5A0-29872DAE184F} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll
O2 - BHO: 0 - {F50F7AAD-C218-4BD5-72A8-A4AF2CC96FED} - C:\Program Files\MSN Gaming Zone\rydimywa.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe
O4 - HKCU\..\Run: [Tupo] "C:\DOCUME~1\Saari\OMATTI~1\FNTS~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Oenplw] "C:\WINDOWS\?dobe\?hkntfs.exe" 99001670
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-21-4019890331-4264931360-704409861-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Walden')
O4 - HKUS\S-1-5-21-4019890331-4264931360-704409861-1006\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Walden')
O4 - HKUS\S-1-5-21-4019890331-4264931360-704409861-500\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Järjestelmänvalvoja')
O4 - HKUS\S-1-5-21-4019890331-4264931360-704409861-500\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Järjestelmänvalvoja')
O4 - HKUS\S-1-5-21-4019890331-4264931360-704409861-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Vieras')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134998812734
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BAD73-2C7A-4AA1-A6BF-0859F2FD1968}: NameServer = 212.50.211.55,212.50.192.226,192.168.0.254
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 10184 bytes
Method 1: In Add/Remove Programs, look for PuritySCAN By OIN, OuterInfo, OIN or a program with a similar name, and uninstall it. Reboot and delete this folder if it exists: C:\Program Files\PurityScan

Method 2: If the program is not found, download and run this uninstaller: http://www.outerinfo.com/OiUninstaller.exe
Reboot and delete this folder: C:\Program Files\PurityScan

================================

C:\Documents and Settings\Saari\Omat tiedostot\Sami\Hijackthis\HiJackThis_v2.0.0.0.exe
Put that HiJackThis_v2.0.0.0.exe into its own folder at C:\HJT\ and also rename HiJackThis_v2.0.0.0.exe to saari.exe

==========================

Scan with HJT, check the following entries and press Fix checked:

O2 - BHO: (no name) - {7987A9E5-D175-4E09-8F9A-2582FE76F353} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: (no name) - {8568C7A8-D268-4FEE-AF82-4A92A71E71B8} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: (no name) - {AC15BF4B-89C7-4571-B5A0-29872DAE184F} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll
O4 - HKCU\..\Run: [Tupo] "C:\DOCUME~1\Saari\OMATTI~1\FNTS~1\notepad.exe" -vt yazb

================================

Download NoLop to your desktop from one of the following links... Link1 Link2 Link3
1. Close all programs, because this step requires a reboot
2. Double-click NoLop.exe to run it
3. Click the "Search and Destroy" button <<Your computer will be scanned for infected files>>
4. When the scan is complete, you will be asked to restart the computer if an infection is found. Click OK
5. Click the "REBOOT" button.
6. NoLop should give you a message. If not, double-click the program and it will finish.
Post the contents of C:\NoLop.log together with a new HijackThis log.

-- If you get the following error, "mscomctl.ocx or one of its dependencies are not correctly registered," download mscomctl.ocx and save it into your system32 folder (usually c:\Windows\system32). Then run the program again.

=====================

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
When the scan is complete, click the Remove Vundo button.
You will be asked whether you want to remove the files - click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When it is finished, the fix will tell you to restart your computer; click OK.
Post the contents of the C:\vundofix.txt log and a fresh HijackThis log.
Note: it is possible that VundoFix found a file it could not remove. In that case VundoFix will run itself at reboot; just follow the instructions above starting from "Click the Scan for Vundo button" when VundoFix appears after the restart.

===============

Go into Safe Mode.
Delete the folder C:\Program Files\Web Buying

==========================

eScan
Instructions are on this page: http://koti.mbnet.fi/pattaya1/escanmwav.htm
Download from here: http://www.spywareinfo.dk/download/mwav.exe
Update from here: http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat
Tick the boxes as marked here: http://koti.mbnet.fi/pattaya1/eScan6.jpg
Scan; if anything appears in the lower box, copy it like this: press Ctrl+A. Copy the lines with Ctrl+C. Paste the lines with Ctrl+V. Put the virus log here.

=============

Post:
the VundoFix log
the contents of NoLop.log
the eScan virus log
a freshly scanned HJT log
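The triage the helper does by hand above (the three `(file missing)` BHOs, the `notepad.exe` under `FNTS~1`, the `?dobe\?hkntfs.exe` Run entry) can be scripted as a first pass over a HijackThis log. The Python below is an added example, not part of the thread and not a HijackThis feature: it parses a handful of lines copied from the log above (a constructed sample, not the whole log) and applies four heuristics, namely orphaned `(file missing)` entries, BHOs with no product name, paths containing a `?` (HijackThis prints `?` for characters it cannot render, which is why an "Adobe"-lookalike folder shows as `?dobe`), and Windows binary names such as notepad.exe or netdde.exe running outside the Windows folder. The heuristics and the `SYSTEM_BINARIES` list are my assumptions, chosen to reproduce what the helper flagged; the output is a hint list for a person to review, not a verdict.

```python
import re

# Constructed sample in HijackThis log format: five lines modelled on the thread's
# log, two benign (Acrobat BHO, NVIDIA Run entry) and three that a helper would flag.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7987A9E5-D175-4E09-8F9A-2582FE76F353} - C:\Program Files\Online Services\nirysi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tupo] "C:\DOCUME~1\Saari\OMATTI~1\FNTS~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Oenplw] "C:\WINDOWS\?dobe\?hkntfs.exe" 99001670
"""

# "O2 - <body>" / "R1 - <body>": section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the body: drive letter, then anything up to .exe/.dll.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)

# Assumed list of binaries that live in the Windows folder; one of these running
# from a user profile (notepad.exe under FNTS~1 in the thread) is a lookalike.
SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "explorer.exe", "ctfmon.exe", "netdde.exe"}
SYSTEM_ROOTS = ("c:\\windows\\",)


def extract_path(body):
    """Return the first drive-letter path ending in .exe/.dll, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage_line(line):
    """Return the list of reasons one HJT line deserves a look; empty means clean."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # header, blank line or "Running processes:" block
    body = m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: registered component whose file is gone")
    if m.group("section") == "O2" and "(no name)" in body:
        reasons.append("BHO without a product name")
    path = extract_path(body)
    if path:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if "?" in path:
            # HJT substitutes '?' for characters it cannot render; Windows paths
            # never contain a literal '?', so this is always worth a look.
            reasons.append("unrenderable character in path (lookalike folder name)")
        if base in SYSTEM_BINARIES and not low.startswith(SYSTEM_ROOTS):
            reasons.append(f"{base} running outside the Windows folder")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, the script flags exactly the nirysi.dll BHO (two reasons), the notepad.exe Run entry and the `?dobe` entry, and leaves the Acrobat and NVIDIA lines alone; the `(no name)` rule is deliberately restricted to O2 entries because the Spybot SDHelper.dll BHO in the thread is also unnamed, so that hint only means "check the path", not "remove".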
NOLOP LOG

NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Saari\Työpöytä
[21.3.2007] [13:24:18]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Canonbj
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Ifi
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Scansoft
C:\Documents and Settings\All Users\Application Data\Skype -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users\Application Data\Zylom
C:\Documents and Settings\Default User\Application Data\Adobe
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intertrust
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Järjestelmänvalvoja\Application Data\Adobe
C:\Documents and Settings\Järjestelmänvalvoja\Application Data\Identities
C:\Documents and Settings\Järjestelmänvalvoja\Application Data\Intertrust
C:\Documents and Settings\Järjestelmänvalvoja\Application Data\Macromedia
C:\Documents and Settings\Järjestelmänvalvoja\Application Data\Microsoft
C:\Documents and Settings\Järjestelmänvalvoja\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Pc Suite
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Symantec
C:\Documents and Settings\Saari\Application Data\Adobe
C:\Documents and Settings\Saari\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Saari\Application Data\Ahead
C:\Documents and Settings\Saari\Application Data\Album Shaper -- EMPTY Directory
C:\Documents and Settings\Saari\Application Data\Apple Computer
C:\Documents and Settings\Saari\Application Data\Azureus
C:\Documents and Settings\Saari\Application Data\Bsplayer
C:\Documents and Settings\Saari\Application Data\Bsplayer Pro
C:\Documents and Settings\Saari\Application Data\Canon
C:\Documents and Settings\Saari\Application Data\Cyberlink
C:\Documents and Settings\Saari\Application Data\Datalayer
C:\Documents and Settings\Saari\Application Data\Dvdcss
C:\Documents and Settings\Saari\Application Data\Extrafilm
C:\Documents and Settings\Saari\Application Data\Fotowire
C:\Documents and Settings\Saari\Application Data\Fujifilm-fi-photo-manager
C:\Documents and Settings\Saari\Application Data\Google
C:\Documents and Settings\Saari\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Saari\Application Data\Hewlett-packard
C:\Documents and Settings\Saari\Application Data\Identities
C:\Documents and Settings\Saari\Application Data\Installshield
C:\Documents and Settings\Saari\Application Data\Intertrust
C:\Documents and Settings\Saari\Application Data\Jasc Software Inc
C:\Documents and Settings\Saari\Application Data\Kana Solution
C:\Documents and Settings\Saari\Application Data\Lavasoft
C:\Documents and Settings\Saari\Application Data\Leadertech
C:\Documents and Settings\Saari\Application Data\Macromedia
C:\Documents and Settings\Saari\Application Data\Media Player Classic
C:\Documents and Settings\Saari\Application Data\Microsoft
C:\Documents and Settings\Saari\Application Data\Mozilla
C:\Documents and Settings\Saari\Application Data\Msn6
C:\Documents and Settings\Saari\Application Data\My Games -- EMPTY Directory
C:\Documents and Settings\Saari\Application Data\Nokia
C:\Documents and Settings\Saari\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Saari\Application Data\Openoffice.org2
C:\Documents and Settings\Saari\Application Data\Opera
C:\Documents and Settings\Saari\Application Data\Pc Suite
C:\Documents and Settings\Saari\Application Data\Real
C:\Documents and Settings\Saari\Application Data\Scansoft
C:\Documents and Settings\Saari\Application Data\Skype
C:\Documents and Settings\Saari\Application Data\Slysoft
C:\Documents and Settings\Saari\Application Data\Smartftp
C:\Documents and Settings\Saari\Application Data\Sun
C:\Documents and Settings\Saari\Application Data\Symantec
C:\Documents and Settings\Saari\Application Data\Talkback
C:\Documents and Settings\Saari\Application Data\Vlc
C:\Documents and Settings\Vieras\Application Data\Adobe
C:\Documents and Settings\Vieras\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Vieras\Application Data\Identities
C:\Documents and Settings\Vieras\Application Data\Intertrust
C:\Documents and Settings\Vieras\Application Data\Microsoft
C:\Documents and Settings\Vieras\Application Data\Mozilla
C:\Documents and Settings\Vieras\Application Data\Pc Suite
C:\Documents and Settings\Vieras\Application Data\Real
C:\Documents and Settings\Vieras\Application Data\Sun
C:\Documents and Settings\Vieras\Application Data\Talkback
C:\Documents and Settings\Walden\Application Data\Adobe
C:\Documents and Settings\Walden\Application Data\Adobeaum
C:\Documents and Settings\Walden\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Walden\Application Data\Apple Computer
C:\Documents and Settings\Walden\Application Data\Azureus
C:\Documents and Settings\Walden\Application Data\Fotowire
C:\Documents and Settings\Walden\Application Data\Google
C:\Documents and Settings\Walden\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Walden\Application Data\Identities
C:\Documents and Settings\Walden\Application Data\Intertrust
C:\Documents and Settings\Walden\Application Data\Jasc Software Inc
C:\Documents and Settings\Walden\Application Data\Lavasoft
C:\Documents and Settings\Walden\Application Data\Leadertech
C:\Documents and Settings\Walden\Application Data\Macromedia
C:\Documents and Settings\Walden\Application Data\Media Player Classic
C:\Documents and Settings\Walden\Application Data\Microsoft
C:\Documents and Settings\Walden\Application Data\Mozilla
C:\Documents and Settings\Walden\Application Data\Opera
C:\Documents and Settings\Walden\Application Data\Pc Suite
C:\Documents and Settings\Walden\Application Data\Real
C:\Documents and Settings\Walden\Application Data\Skype
C:\Documents and Settings\Walden\Application Data\Slysoft
C:\Documents and Settings\Walden\Application Data\Sun
C:\Documents and Settings\Walden\Application Data\Talkback
C:\Documents and Settings\Walden\Application Data\Vlc

VUNDOFIX LOG

VundoFix V6.3.17

Checking Java version...
Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10

Scan started at 13:33:35 21.3.2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

ESCAN LOG

Tue Oct 10 15:00:20 2006 => **********************************************************
Tue Oct 10 15:00:20 2006 => eScan AntiVirus Toolkit Utility.
Tue Oct 10 15:00:20 2006 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Tue Oct 10 15:00:20 2006 => ********************************************************** Tue Oct 10 15:00:20 2006 => Version 4.4.7 Tue Oct 10 15:00:20 2006 => Log File: C:\KASPER~1\mwav.log Tue Oct 10 15:00:20 2006 => Latest Date of files inside MWAV: 18 Sep 2006 19:31:02. Tue Oct 10 15:00:22 2006 => AV Library Loaded... Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\kavss.exe Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\Getvlist.exe Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\kavss.dll Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\kavssdi.dll Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\kavssi.dll Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\kavvlg.dll Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\msvlclnt.dll Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\ipc.dll Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\main.avi Tue Oct 10 15:00:22 2006 => Scanning File C:\KASPER~1\virus.avi Tue Oct 10 15:00:22 2006 => Virus Database Date: 2006/09/18 Tue Oct 10 15:00:22 2006 => Virus Database Count: 224509 Tue Oct 10 15:01:05 2006 => ********************************************************** Tue Oct 10 15:01:05 2006 => eScan AntiVirus Toolkit Utility. Tue Oct 10 15:01:05 2006 => Copyright © 2003-2004, MicroWorld Technologies Inc. Tue Oct 10 15:01:05 2006 => Tue Oct 10 15:01:05 2006 => Support: support@mwti.net Tue Oct 10 15:01:05 2006 => Web: http://www.mwti.net Tue Oct 10 15:01:05 2006 => ********************************************************** Tue Oct 10 15:01:05 2006 => Version 4.4.7 Tue Oct 10 15:01:05 2006 => Log File: C:\KASPER~1\mwav.log Tue Oct 10 15:01:05 2006 => Latest Date of files inside MWAV: 18 Sep 2006 19:31:02. 
Tue Oct 10 15:01:05 2006 => Options Selected by User: Tue Oct 10 15:01:05 2006 => Memory Check: Enabled Tue Oct 10 15:01:05 2006 => Registry Check: Enabled Tue Oct 10 15:01:05 2006 => StartUp Folder Check: Enabled Tue Oct 10 15:01:05 2006 => System Folder Check: Enabled Tue Oct 10 15:01:05 2006 => System Area Check: Disabled Tue Oct 10 15:01:05 2006 => Services Check: Enabled Tue Oct 10 15:01:05 2006 => Drive Check Option Disabled Tue Oct 10 15:01:05 2006 => Scanning Type: Scan And Clean Tue Oct 10 15:01:05 2006 => Drive Selected = Tue Oct 10 15:01:05 2006 => Folder Check: Enabled Tue Oct 10 15:01:05 2006 => Folder Selected = C:\WINDOWS\system32\directxdll Tue Oct 10 15:01:05 2006 => ***** Scanning Memory Files ***** Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\services.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\lsass.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\svchost.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\System32\svchost.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\ZONELABS\vsmon.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\spoolsv.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\ANTIVI~1\sched.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\Explorer.EXE Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\ANTIVI~1\avguard.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\nvsvc32.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\System32\svchost.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\DAEMON~1\daemon.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\Adobe\PHOTOS~1\3.0\Apps\apdproxy.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\ANTIVI~1\avgnt.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE Tue Oct 10 15:01:05 2006 => Scanning File 
C:\PROGRA~1\Unlocker\UNLOCK~1.EXE Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\Picasa2\PICASA~2.EXE Tue Oct 10 15:01:05 2006 => Scanning File C:\WINDOWS\system32\ctfmon.exe Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE Tue Oct 10 15:01:05 2006 => Scanning File C:\PROGRA~1\MSNMES~1\MsnMsgr.Exe Tue Oct 10 15:01:06 2006 => Scanning File C:\PROGRA~1\Skype\Phone\Skype.exe Tue Oct 10 15:01:06 2006 => Scanning File C:\PROGRA~1\Google\GOOGLE~2\GOOGLE~1.EXE Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\wuauclt.exe Tue Oct 10 15:01:07 2006 => Scanning File C:\PROGRA~1\OPERA9~1\Opera.exe Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\svchost.exe Tue Oct 10 15:01:07 2006 => Scanning File C:\Kaspersky\mwavscan.com Tue Oct 10 15:01:07 2006 => Scanning File C:\Kaspersky\kavss.exe Tue Oct 10 15:01:07 2006 => ***** Scanning Registry Files ***** Tue Oct 10 15:01:07 2006 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Tue Oct 10 15:01:07 2006 => *** File C:\WINDOWS\system32\SHELL32.dll having Size Restriction *** Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\SHELL32.dll [**] Tue Oct 10 15:01:07 2006 => *** File C:\WINDOWS\system32\SHELL32.dll having Size Restriction *** Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\SHELL32.dll [**] Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\webcheck.dll Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\System32\stobject.dll Tue Oct 10 15:01:07 2006 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects Tue Oct 10 15:01:07 2006 => {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll Tue Oct 10 15:01:07 2006 => Scanning File C:\PROGRA~1\Adobe\ACROBA~2.0\ActiveX\ACROIE~1.DLL Tue Oct 10 15:01:07 2006 => 
{9030D464-4C02-4ABF-8ECC-5164760863C6} = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll Tue Oct 10 15:01:07 2006 => Scanning File C:\PROGRA~1\COMMON~1\MICROS~1\WINDOW~1\WINDOW~1.DLL Tue Oct 10 15:01:07 2006 => Scanning HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\Explorer.exe Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\userinit.exe Tue Oct 10 15:01:07 2006 => Scanning HKCU\Control Panel\Desktop Tue Oct 10 15:01:07 2006 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\RUNDLL32.EXE Tue Oct 10 15:01:07 2006 => *** File C:\WINDOWS\system32\nwiz.exe having Size Restriction *** Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\nwiz.exe [**] Tue Oct 10 15:01:07 2006 => Scanning File C:\PROGRA~1\DAEMON~1\daemon.exe Tue Oct 10 15:01:07 2006 => Scanning File C:\WINDOWS\system32\RUNDLL32.EXE .... .... .... 
Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SANAKIR\SUEN_DBL.INF Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SANAKIR\SUEN_DBL.MAC Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SANAKIR\SUEN_DBL.NLT Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SANAKIR\SUEN_DBL.STY Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SANAKIR\SUEN_DBL.TBL Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SK40.CFG Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SK40.EXE Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SK\SK40.HLP Wed Mar 21 16:43:10 2007 => Scanning Folder: C:\WSOY\SUHISEE\*.* Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\SUHISE95.EXE Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\SUHISEE.ICO Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\SUHISEE.INI Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\SUHISEE.LG Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\WITW.TXT Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\WSOY.ICO Wed Mar 21 16:43:10 2007 => Scanning Folder: C:\WSOY\SUHISEE\XTRAS\*.* Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\XTRAS\FILEIO.X32 Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\XTRAS\FILEIO16.X16 Wed Mar 21 16:43:10 2007 => Scanning File C:\WSOY\SUHISEE\XTRAS\PMATIC.X16 Wed Mar 21 16:43:11 2007 => Scanning File C:\WSOY\SUHISEE\XTRAS\PMATIC.X32 Wed Mar 21 16:43:11 2007 => ***** Checking for specific ITW Viruses ***** Wed Mar 21 16:43:11 2007 => Checking for Welchia Virus... Wed Mar 21 16:43:11 2007 => Checking for LovGate Virus... Wed Mar 21 16:43:11 2007 => Checking for CodeRed Virus... Wed Mar 21 16:43:11 2007 => Checking for OpaServ Virus... Wed Mar 21 16:43:11 2007 => Checking for Sobig.e Virus... Wed Mar 21 16:43:11 2007 => Checking for Winupie Virus... Wed Mar 21 16:43:11 2007 => Checking for Swen Virus... Wed Mar 21 16:43:11 2007 => Checking for JS.Fortnight Virus... 
Wed Mar 21 16:43:11 2007 => Checking for Novarg Virus...
Wed Mar 21 16:43:11 2007 => Checking for Pagabot Virus...
Wed Mar 21 16:43:11 2007 => Checking for Parite.b Virus...
Wed Mar 21 16:43:11 2007 => Checking for Parite.a Virus...
Wed Mar 21 16:43:11 2007 => ***** Scanning complete. *****
Wed Mar 21 16:43:11 2007 => Total Number of Files Scanned: 210200
Wed Mar 21 16:43:11 2007 => Total Number of Virus(es) Found: 23
Wed Mar 21 16:43:11 2007 => Total Number of Disinfected Files: 0
Wed Mar 21 16:43:11 2007 => Total Number of Files Renamed: 4
Wed Mar 21 16:43:11 2007 => Total Number of Deleted Files: 3
Wed Mar 21 16:43:11 2007 => Total Number of Errors: 304
Wed Mar 21 16:43:11 2007 => Time Elapsed: 02:44:48
Wed Mar 21 16:43:11 2007 => Virus Database Date: 2007/03/21
Wed Mar 21 16:43:11 2007 => Virus Database Count: 283820
Wed Mar 21 16:43:11 2007 => Scan Completed.

The monsters listed in the bottom box:

File C:\WINDOWS\VTTC.exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\Documents and Settings\Saari\Local Settings\Temporary Internet Files\Content.IE5\6LY22GGT\acdt-pid64[1].exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Saari\Local Settings\Temporary Internet Files\Content.IE5\BV30DUK1\SmileyCentralFWBInitialSetup1.0.0.15-3[1].cab tagged as not-a-virus:AdTool.Win32.MyWebSearch.aw. No Action Taken.
File C:\Documents and Settings\Saari\Local Settings\Temporary Internet Files\Content.IE5\D2QQYYYV\VTTC[1].exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\Documents and Settings\Saari\Omat tiedostot\Sami\r9zhxw2GxB.rar infected by "Trojan-Downloader.Win32.Small.ddp" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Walden\Omat tiedostot\Omat musiikkitiedostot\mirc617.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.617. No Action Taken.
File C:\IIIR\Mukaan\02 Jääkärimarssi.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\IIIR\Mukaan\05 Erlkönig D. 328d.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\IIIR\Mukaan\12 Fantasiestücke, Op 12 - 4 Grillen.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\INSTALL.LOG infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Program Files\DAEMON Tools\SetupDTSB.exe tagged as not-a-virus:AdTool.Win32.WhenU.a. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.617. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP622\A0299342.exe tagged as not-a-virus:RiskTool.Win32.HideWindows. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP703\A0333567.exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP705\A0333862.exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP706\A0334125.exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP707\A0334132.dll tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP707\A0334251.dll tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP707\A0334252.exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP707\A0334327.exe tagged as not-a-virus:AdWare.Win32.TTC.a. No Action Taken.
File C:\System Volume Information\_restore{62BE77C1-1D95-40F5-92E0-19823114E1E7}\RP707\A0334328.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.617. No Action Taken.
File C:\WINDOWS\system32\bund1\ClientBundle1.exe tagged as not-a-virus:AdWare.Win32.SurfSide.ax. No Action Taken.
File C:\WINDOWS\system32\bund1\mac.exe infected by "Trojan.Win32.VB.tg" Virus. Action Taken: File Deleted.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:24:34, on 21.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\LVComsX.exe
C:\PROGRA~1\CURITY~1\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Saari\Omat tiedostot\s?curity\n?tdde.exe
C:\Program Files\Opera 9 Beta\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\saari.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {65C6FC32-5489-2B34-A14C-67E34B9BA9BD} - C:\WINDOWS\system32\awoq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CF9DC1EA-9FD8-4165-9218-394627991941} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: 0 - {F50F7AAD-C218-4BD5-72A8-A4AF2CC96FED} - C:\Program Files\MSN Gaming Zone\rydimywa.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tupo] "C:\PROGRA~1\CURITY~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Rtgry] "C:\Documents and Settings\Saari\Omat tiedostot\s?curity\n?tdde.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: delsgm.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134998812734
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BAD73-2C7A-4AA1-A6BF-0859F2FD1968}: NameServer = 212.50.211.55,212.50.192.226,192.168.0.254
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 8730 bytes
Remove Java from Add or Remove Programs (Java version is 1.4.2.1). Then run this:

1) Download VirtumundoBegone
2) Save VirtumundoBeGone.exe to your desktop.
3) Run VirtumundoBeGone.exe and follow the instructions. Don't worry if you see a blue-screen "Fatal Error" message; this is normal.
4) When the tool has finished, restart the computer.

===============

Guide to using AVG Anti-Spyware 7.5

Note! In this guide the real-time protection (Shield) is switched off. This avoids situations where the protection would block, for example, the HijackThis tool. Save these instructions to a text file or print them; otherwise you won't be able to get at them from Safe Mode.

Download AVG Anti-Spyware 7.5 from http://www.ewido.net/en/download/ and save the program to your desktop.

• Once you have downloaded the program, double-click the installer's icon on your desktop; the installation begins.
• After the installation the program must be started and its definitions updated.
• Start AVG Anti-Spyware.
• Click the "Update" icon in the main menu. Then click the "Update now" button.
  o Then click the "Start Update" icon, and the update begins.
• When the updates have been downloaded, click the "Scanner" icon at the top of the window. Then select the "Settings" tab.
• When the "Settings" menu has opened, click "Recommended actions" and then select "Quarantine".
• Then, under the "Reports" menu:
  o Tick "Automatically generate report after every scan"
  o Untick "Only if threats were found"
• Then click the "Shield" icon at the top of the window.
• "Resident shield is": change the state from active to inactive.
• Close the program; DO NOT scan yet.

Boot your computer into Safe Mode: shut down, and while the computer is starting up tap F8, select Safe Mode with the arrow keys, press Enter, and Enter again.

NOTE! Do not use other programs during the AVG scan; this may interfere with the scan.

• Once in Safe Mode, start AVG Anti-Spyware.
• Click the "Scanner" icon at the top of the window and select the "Scan" tab. Then click "Complete System Scan".
• Ewido now starts scanning the computer; be patient, as the scan takes time.

When the scan is finished:

IMPORTANT: Do not click "Save Scan Report" before you have clicked "Apply all Actions".

• Make sure that "Set all elements to:" shows Quarantine (1); if not, click the link and select Quarantine from the pop-up menu.
• You will be asked what to do if infections were found; choose "Apply all actions".
• Then click the "Reports" icon at the top of the program.
• Click the "Save report as" button at the bottom left of the window and save the report to the desktop.
• Close the program, boot the computer normally and post the AVG report in your thread.

===============

Download Atribune's ATF Cleaner

Instructions: Double-click ATF-Cleaner.exe to start the program. Under Main select: Select All. Click the Empty Selected option.
If you use Firefox as your browser: click Firefox at the top and select: Select All. Click the Empty Selected option.
NOTE: If you would like to keep your saved passwords, click No when it asks.
If you use Opera as your browser: click Opera at the top and select: Select All. Click the Empty Selected option again.
NOTE: If you would like to keep your saved passwords, click No when it asks.
Click Exit in the main menu to close the program.
You can get technical support by double-clicking the e-mail address located below each menu in the tool. (Note that the support is in English.)

===========

and post a new HJT log
Download and run this Uninstaller. English instructions for using the uninstaller, if needed. Restart and delete this folder, if it exists: C:\Program Files\PurityScan. Post a new HjT log.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:56:19, on 22.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Opera 9 Beta\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\saari.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C95488D7-6C61-4758-8A94-DA0C37153F4D} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: (no name) - {CF9DC1EA-9FD8-4165-9218-394627991941} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: 0 - {F50F7AAD-C218-4BD5-72A8-A4AF2CC96FED} - C:\Program Files\MSN Gaming Zone\rydimywa.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: delsgm.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134998812734
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BAD73-2C7A-4AA1-A6BF-0859F2FD1968}: NameServer = 212.50.211.55,212.50.192.226,192.168.0.254
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 8642 bytes
Alright. Open HijackThis, check the following line(s) and press Fix checked; close the other programs in the meantime:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {C95488D7-6C61-4758-8A94-DA0C37153F4D} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: (no name) - {CF9DC1EA-9FD8-4165-9218-394627991941} - C:\Program Files\Online Services\nirysi.dll (file missing)
O2 - BHO: 0 - {F50F7AAD-C218-4BD5-72A8-A4AF2CC96FED} - C:\Program Files\MSN Gaming Zone\rydimywa.dll
O4 - Global Startup: delsgm.bat

***********

1. Download combofix.exe to your desktop from either of these links:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double-click the combofix.exe file and follow the prompts.
3. When the tool has finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.

Note! Do not click on the ComboFix window while it is running. This may cause the program to hang.

******

Post a new HijackThis log
COMBOFIX LOG

"Saari" - 07-03-23 11:02:15 Service Pack 2
ComboFix 07-03-22.2 - Running from: "C:\Documents and Settings\Saari\Työpöytä"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1670OinAdmin.exe
C:\Program Files\Common Files\Yazzle1670OinUninstaller.exe
C:\WINDOWS\system32\drivers\npf.sys

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Saari
C:\qoobox\purity\DOCUME~1\Saari\APPLIC~1
C:\qoobox\purity\DOCUME~1\Saari\APPLIC~1\ASKS~1
C:\qoobox\purity\DOCUME~1\Saari\APPLIC~1\from.txt
C:\qoobox\purity\Program Files\CURITY~1
C:\qoobox\purity\WINDOWS\DOBE~1
C:\qoobox\purity\WINDOWS\system32\STEM32~1

((((((((((((((((((((((((((((((( Files Created from 2007-02-23 to 2007-03-23 ))))))))))))))))))))))))))))))))))

2007-03-22 21:05 93,736 --a------ C:\WINDOWS\VTTC.exe
2007-03-22 16:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-21 13:50 <KANSIO> d-------- C:\Downloads
2007-03-21 13:50 <KANSIO> d-------- C:\Bases
2007-03-21 13:33 <KANSIO> d-------- C:\VundoFix Backups
2007-03-21 13:20 <KANSIO> d-------- C:\HJT
2007-03-20 14:49 <KANSIO> d-------- C:\Program Files\hexades
2007-03-20 14:42 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-18 20:37 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-03-15 14:49 <KANSIO> d-------- C:\Program Files\MagicISO
2007-03-15 14:47 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2007-03-15 14:47 69,632 --a------ C:\WINDOWS\system32\Copy of GkSui18.EXE
2007-03-15 14:47 <KANSIO> d-------- C:\Program Files\Folding@Home
2007-03-13 15:33 <KANSIO> d-------- C:\DOCUME~1\Saari\APPLIC~1\Canon
2007-03-13 15:09 <KANSIO> d-------- C:\Program Files\Common Files\ScanSoft Shared
2007-03-13 15:09 <KANSIO> d-------- C:\DOCUME~1\Saari\APPLIC~1\ScanSoft
2007-03-13 15:09 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-03-13 15:08 <KANSIO> d-------- C:\Program Files\ScanSoft
2007-03-13 15:07 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-03-13 15:07 <KANSIO> d-------- C:\Program Files\ArcSoft
2007-03-13 15:06 <KANSIO> d-------- C:\Program Files\Common Files\CANON
2007-03-13 14:58 57,344 --a------ C:\WINDOWS\system32\CNCI160.DLL
2007-03-13 14:58 161,792 --a------ C:\WINDOWS\system32\CNMLM83.DLL
2007-03-13 14:58 135,168 --a------ C:\WINDOWS\system32\CNCL160.DLL
2007-03-13 14:58 106,496 --a------ C:\WINDOWS\system32\cnco160.dll
2007-03-13 14:58 1,134,592 --a------ C:\WINDOWS\system32\CNCC160.DLL
2007-03-13 14:58 <KANSIO> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2007-03-13 14:58 <KANSIO> d--h----- C:\Program Files\CanonBJ
2007-03-13 14:58 <KANSIO> d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
2007-03-13 14:56 <KANSIO> d-------- C:\Program Files\Canon
2007-03-11 11:42 <KANSIO> d-------- C:\WINDOWS\_ISTMP3.DIR
2007-03-11 11:42 <KANSIO> d-------- C:\WINDOWS\_ISTMP2.DIR
2007-03-11 11:42 <KANSIO> d-------- C:\WINDOWS\_ISTMP1.DIR
2007-03-05 22:38 5,632 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-03-04 12:11 <KANSIO> d-------- C:\DOCUME~1\Saari\APPLIC~1\dvdcss
2007-03-02 21:59 53,248 --a------ C:\WINDOWS\uni_eh10.exe
2007-02-26 21:00 <KANSIO> d-------- C:\WINDOWS\pss
2007-02-26 11:11 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-02-26 11:11 <KANSIO> d-------- C:\Program Files\Daydream Software
2007-02-26 09:23 <KANSIO> d-------- C:\Program Files\Ski Jump International

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-23 11:00 -------- d-------- C:\Program Files\msn gaming zone
2007-03-22 22:38 42192 --a------ C:\DOCUME~1\Saari\APPLIC~1\wklnhst.dat
2007-03-22 22:32 -------- d-------- C:\Program Files\online services
2007-03-22 16:02 -------- d-------- C:\Program Files\java
2007-03-21 15:44 -------- d-------- C:\Program Files\mirc
2007-03-21 14:53 -------- d-------- C:\DOCUME~1\Saari\APPLIC~1\skype
2007-03-20 14:25 -------- d-------- C:\Program Files\ea sports
2007-03-19 21:14 -------- d-------- C:\Program Files\emule
2007-03-19 20:39 -------- d-------- C:\DOCUME~1\Saari\APPLIC~1\openoffice.org2
2007-03-18 20:37 -------- d-------- C:\Program Files\lavasoft
2007-03-18 11:59 -------- d-------- C:\DOCUME~1\Saari\APPLIC~1\fujifilm-fi-photo-manager
2007-03-15 17:33 -------- d-------- C:\Program Files\zylom games
2007-03-13 15:07 -------- d--h----- C:\Program Files\installshield installation information
2007-03-10 17:41 -------- d-------- C:\Program Files\xmoto
2007-03-05 20:33 -------- d-------- C:\Program Files\rockstar games
2007-02-25 15:23 -------- d-------- C:\Program Files\aspyr
2007-02-21 20:32 -------- d-------- C:\Program Files\guitar pro 5
2007-02-21 19:09 -------- d-------- C:\Program Files\microsoft games
2007-02-17 11:47 -------- d-------- C:\Program Files\dosbox-0.65
2007-02-17 11:46 -------- d-------- C:\Program Files\ark of time
2007-02-12 20:29 -------- d-------- C:\Program Files\three rings design
2007-02-09 17:25 1503267 --a------ C:\WINDOWS\neos.scr
2007-02-04 21:33 -------- d-------- C:\Program Files\google
2007-01-30 17:09 -------- d-------- C:\Program Files\directx
2007-01-29 17:47 -------- d-------- C:\Program Files\xbox image converter 3.0
2007-01-29 17:47 -------- d-------- C:\Program Files\wolfenstein 3d
2007-01-29 17:47 -------- d-------- C:\Program Files\wm recorder 10.2
2007-01-29 17:47 -------- d-------- C:\Program Files\gabest
2007-01-29 17:46 -------- d-------- C:\Program Files\windows live toolbar
2007-01-29 17:46 -------- d-------- C:\Program Files\streamboxvcrsuite2
2007-01-29 17:45 -------- d-------- C:\Program Files\traction software
2007-01-29 17:45 -------- d-------- C:\DOCUME~1\Saari\APPLIC~1\my games
2007-01-29 17:44 -------- d-------- C:\Program Files\rm to mp3 converter
2007-01-29 17:43 -------- d-------- C:\Program Files\morgan
2007-01-29 17:43 -------- d-------- C:\Program Files\mopokorttikoulu
2007-01-29 17:42 -------- d-------- C:\Program Files\magiccube5d
2007-01-29 17:37 -------- d-------- C:\Program Files\filezilla
2007-01-29 17:36 -------- d-------- C:\Program Files\dyndns updater
2007-01-29 17:36 -------- d-------- C:\Program Files\divx
2007-01-29 17:35 -------- d-------- C:\Program Files\slysoft
2007-01-29 17:34 -------- d-------- C:\Program Files\avisynth 2.5
2007-01-29 17:08 -------- d-------- C:\Program Files\sunbelt software
2007-01-28 18:04 50696 --a------ C:\DOCUME~1\Saari\APPLIC~1\gdipfontcachev1.dat
2007-01-28 15:43 -------- d-------- C:\Program Files\opera 9 beta
2007-01-27 20:01 -------- d-------- C:\Program Files\msn messenger
2007-01-25 21:41 -------- d-------- C:\Program Files\bitcomet
2007-01-25 21:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-24 17:08 -------- d-------- C:\Program Files\microsoft reader
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-02 12:29 606848 --a------ C:\WINDOWS\flashax.exe
2007-01-02 12:29 12288 --a------ C:\WINDOWS\impborl.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000
"NoLogoff"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070323-110009-845 O2 - BHO: 0 - {F50F7AAD-C218-4BD5-72A8-A4AF2CC96FED} - C:\Program Files\MSN Gaming Zone\rydimywa.dll
backup-20070323-110009-251 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070323-110009-636 O2 - BHO: (no name) - {CF9DC1EA-9FD8-4165-9218-394627991941} - C:\Program Files\Online Services\nirysi.dll (file missing)
backup-20070323-110009-856 O2 - BHO: (no name) - {C95488D7-6C61-4758-8A94-DA0C37153F4D} - C:\Program Files\Online Services\nirysi.dll (file missing)
backup-20070321-132301-712 O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll
backup-20070321-132301-963 O2 - BHO: (no name) - {7987A9E5-D175-4E09-8F9A-2582FE76F353} - C:\Program Files\Online Services\nirysi.dll (file missing)
backup-20070321-132301-890 O2 - BHO: (no name) - {AC15BF4B-89C7-4571-B5A0-29872DAE184F} - C:\Program Files\Online Services\nirysi.dll (file missing)
backup-20070321-132301-680 O2 - BHO: (no name) - {8568C7A8-D268-4FEE-AF82-4A92A71E71B8} - C:\Program Files\Online Services\nirysi.dll (file missing)

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1143379105.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
? [3436]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-23 11:08:56

HJT LOG

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:11:52, on 23.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera 9 
Beta\Opera.exe C:\HJT\saari.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {F0A834F6-8E05-460E-9494-E8E7A5006312} - C:\Program Files\Online Services\nirysi.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - 
HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: Folding@Home 5.03.lnk = ? O4 - Global Startup: delsgm.bat O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/ O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134998812734 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BAD73-2C7A-4AA1-A6BF-0859F2FD1968}: NameServer = 212.50.211.55,212.50.192.226,192.168.0.254 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. 
- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe O23 - Service: ServiceLayer - Nokia. 
- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe -- End of file - 8350 bytes
Open HijackThis, check the following line(s) and press Fix checked; close the other programs while you do it.

O2 - BHO: (no name) - {F0A834F6-8E05-460E-9494-E8E7A5006312} - C:\Program Files\Online Services\nirysi.dll (file missing)
O4 - Global Startup: delsgm.bat

********

Let's run BlackLight. Download and save BlackLight to your desktop; double-click blbeta.exe, accept the agreement, click > Scan, then > Next. You will see a list of everything that was found. A log named fsbl.xxxxxxx.log will also appear on your desktop (the xxxxxxx will most likely be digits). Copy and paste this log into your next reply. Do not choose the "Rename" option yet! We want to see the log first, because legitimate files may be in the list.

******

Java update and cache cleanup:

1. Click Start -> Control Panel and double-click Add or Remove Programs in the Control Panel.
2. Find all your old Java versions in the list (J2SE Runtime Environment.... ). They should have the following icon next to them:
3. Select all your old Java versions and choose Remove.
4. Install the latest Java update from the following link..
5. Restart the computer after the installation: http://java.sun.com/javase/downloads/index.jsp Scroll down to Java Runtime Environment (JRE) 6, press Download, tick Accept, choose the offline installation, save it to the desktop for example and install it.
6. After the restart, go back to the Control Panel and open your Java settings (Other Control Panel Options -> the Java coffee cup).
7. Under the General Settings section, drag the slider (Disk Space) lower and click the Delete Files button. (Some Java-based programs may need more disk space. If you notice the machine getting slow after reducing the setting, move the slider higher.)
8. Make sure both options are ticked: *Applications and Applets *Trace and Log Files. Then press the OK button.
9. Click OK in your "Temporary Files Settings" window.
10. Click OK to leave your Java settings window.

*******

Post a new HijackThis log.
HJT LOG

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:38:06, on 26.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Opera 9 Beta\Opera.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\HJT\saari.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-21-4019890331-4264931360-704409861-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Vieras')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: delsgm.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134998812734
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BAD73-2C7A-4AA1-A6BF-0859F2FD1968}: NameServer = 212.50.211.55,212.50.192.226,192.168.0.254
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

-- End of file - 8712 bytes

BlackLight log

03/25/07 20:35:09 [Info]: BlackLight Engine 1.0.55 initialized
03/25/07 20:35:09 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/25/07 20:35:09 [Note]: 7019 4
03/25/07 20:35:09 [Note]: 7005 0
03/25/07 20:35:12 [Note]: 7006 0
03/25/07 20:35:12 [Note]: 7011 1708
03/25/07 20:35:12 [Note]: 7026 0
03/25/07 20:35:12 [Note]: 7026 0
03/25/07 20:35:29 [Note]: FSRAW library version 1.7.1021
03/25/07 20:45:12 [Note]: 2000 1012
03/25/07 20:45:12 [Note]: 2000 1012
03/25/07 20:45:12 [Note]: 2000 1012
03/25/07 20:48:32 [Note]: 7007 0

That O4 - Global Startup: delsgm.bat does not need to be removed. It deletes the useless sqm files that keep appearing in the root of C:.
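The loop in this thread (post a log, the helper picks out entries, fix them, post a new log to confirm) is what a practitioner automates when reading many HijackThis logs. The script below is an added example written for this page, not part of the thread and not a HijackThis feature: it parses O2 (BHO) and O4 (autostart) lines, flags entries with the editor's own heuristics, and diffs two scans. The sample logs are cut from the 23.3.2007 and 26.3.2007 logs above; the CLSID allowlist is constructed from the four BHOs the thread treated as legitimate and stands in for the lookup a helper does against a BHO/CLSID database. The heuristics (no descriptive name, "(file missing)", a script in Global Startup) are assumptions modelled on what was flagged here, not rules from any tool.

```python
"""Triage helper for HijackThis logs: parse O2/O4 entries, flag, and diff two scans."""
import re
from dataclasses import dataclass

# Entry shapes as HijackThis writes them:
#   O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
#   O4 - <location>: <value>
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.*)$")

# Allowlist constructed from the BHOs this thread treated as legitimate (assumption:
# a real triage checks CLSIDs against a maintained database, not a hand-written set).
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe AcroIEHelper.dll
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot SDHelper.dll (logged as "(no name)")
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}",  # Java ssv.dll
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}",  # WindowsLiveLogin.dll
}
_MEANINGLESS_NAMES = {"(no name)", "0", "Plugin"}   # names seen on the junk BHOs in this thread
_SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")

@dataclass(frozen=True)
class Entry:
    kind: str   # "O2" or "O4"
    key: str    # CLSID for O2 (stable across DLL path changes); location + value for O4
    name: str   # BHO name for O2; autostart location for O4
    path: str   # DLL path for O2; the run value for O4
    raw: str

def parse_hjt(text):
    """Return the O2 and O4 entries of a HijackThis log, in file order."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            out.append(Entry("O2", m["clsid"].upper(), m["name"], m["path"], line))
        elif m := _O4.match(line):
            out.append(Entry("O4", f'{m["where"]}: {m["rest"]}', m["where"], m["rest"], line))
    return out

def flags(e, known_good=KNOWN_GOOD_CLSIDS):
    """Heuristic reasons to look at an entry; an empty list means nothing to say."""
    reasons = []
    if e.kind == "O2":
        if e.key in known_good:
            return reasons                      # allowlist wins over the name heuristic
        reasons.append("CLSID not in allowlist: look it up before fixing")
        if "(file missing)" in e.path:
            reasons.append("BHO still registered but its DLL is gone (orphan or self-deleting)")
        if e.name in _MEANINGLESS_NAMES:
            reasons.append("BHO has no descriptive name")
    elif e.name == "Global Startup" and e.path.lower().endswith(_SCRIPT_EXT):
        reasons.append("script in Global Startup: read its contents before removing")
    return reasons

def triage(entries, known_good=KNOWN_GOOD_CLSIDS):
    """Map each flagged entry's raw line to its list of reasons."""
    return {e.raw: r for e in entries if (r := flags(e, known_good))}

def diff_logs(before_text, after_text):
    """Entries removed and added between two scans, keyed so a DLL path change is not noise."""
    before = {e.key: e for e in parse_hjt(before_text)}
    after = {e.key: e for e in parse_hjt(after_text)}
    return {
        "removed": [e.raw for k, e in before.items() if k not in after],
        "added": [e.raw for k, e in after.items() if k not in before],
    }

# Sample input: excerpts of the 23.3.2007 (before) and 26.3.2007 (after) logs from this thread.
BEFORE_LOG = r'''
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F0A834F6-8E05-460E-9494-E8E7A5006312} - C:\Program Files\Online Services\nirysi.dll (file missing)
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: delsgm.bat
'''
AFTER_LOG = r'''
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: delsgm.bat
'''

if __name__ == "__main__":
    for raw, why in triage(parse_hjt(BEFORE_LOG)).items():
        print(raw, "->", "; ".join(why))
    print(diff_logs(BEFORE_LOG, AFTER_LOG))
```

Two things the run shows that the thread only implies: the Spybot helper is logged as "(no name)" exactly like the nirysi.dll entry, so a name-only rule would flag it, and only the CLSID allowlist keeps it quiet; and delsgm.bat is flagged for inspection rather than removal, which matches the last post (the batch file turned out to be a benign cleanup script). Keying O2 entries by CLSID rather than by path means the Java 1.5 to 1.6 upgrade does not show up as a removed-plus-added pair in the diff; only the gone BHO and the new SunJavaUpdateSched run key do.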