The machine has been sluggish for a while now. Registry cleaned, viruses checked, spyware scans run, but it still stutters. A file called hedgie keeps haunting the process list and the startup tab (msconfig); any idea what it might be? It shows up in the log too. The internet connection in particular has been slow, as if something were eating up the bandwidth. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:17:13, on 2.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\ohjelmat\antiblax\Anti-Blaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\hedgie.exe
C:\Program Files\AVPersonal\AVWIN.EXE
C:\Ohjelmat\adware\Ad-Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/aloitussivu/ppo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmat\spybot\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Anti-Blaxx Manager] c:\ohjelmat\antiblax\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Ohjelmat\bitcomet\BitComet.exe"
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABD7C2-9C82-417B-A96F-1D25D0EF43D3}: NameServer = 212.50.211.55 212.50.192.227
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Scan that one over there, then copy the result and paste it here:
C:\WINDOWS\system32\hedgie.exe
http://virusscan.jotti.org/

The result looks like this; it looks a lot like a Trojan horse, doesn't it?

Service load: 0% 100%
File: hedgie.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2019fc38af7f713802ad55c8b3bcb5fc
Packers detected: FSG

Scanner results
AntiVir Found Trojan/Dldr.Agen.xq.2.C
ArcaVir Found Trojan.Proxy.Small.Bo
Avast Found Win32:Trojano-2975
AVG Antivirus Found Proxy.AMD
BitDefender Found Trojan.Proxy.Small.DC
ClamAV Found nothing
Dr.Web Found Trojan.Proxy.524
F-Prot Antivirus Found unknown virus (probable variant)
Fortinet Found W32/Cosiam.D!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.bo
NOD32 Found a variant of Win32/TrojanProxy.Daemonize
Norman Virus Control Found Sandbox: W32/Malware;
 [ General information ]
  * File might be compressed.
  * File length: 10672 bytes.
 [ Changes to filesystem ]
  * Deletes file C:\WINDOWS\SYSTEM32\hedgie.exe.
  * Creates file C:\WINDOWS\SYSTEM32\hedgie.exe.
 [ Changes to registry ]
  * Sets value "ATI_VER"="Cs7ˆ" in key "HKLM\Software\Microsoft".
 [ Network services ]
  * Opens URL: http://jupitersatellites.biz/hedgie/access.php.
 [ Security issues ]
  * Possible backdoor functionality [UNKNOWN] port 3599.
 [ Process/window information ]
  * Creates a mutex bin28-1024.
  * Will automatically restart after boot (I'll be back...).
UNA Found nothing
VBA32 Found Trojan-Proxy.Win32.Small.bo

Tick these, close the browser and press Fix checked:

O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe

Then boot into safe mode and delete C:\WINDOWS\system32\hedgie.exe

Now hedgie should be completely gone from the machine. It is still in the log, though, and also in msconfig's startup tab, but not selected to start. Those shouldn't do any harm, should they?

Logfile of HijackThis v1.99.1
Scan saved at 17:18:09, on 2.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\ohjelmat\antiblax\Anti-Blaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Ohjelmat\bitcomet\BitComet.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/aloitussivu/ppo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmat\spybot\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Anti-Blaxx Manager] c:\ohjelmat\antiblax\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Ohjelmat\bitcomet\BitComet.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABD7C2-9C82-417B-A96F-1D25D0EF43D3}: NameServer = 212.50.211.55 212.50.192.227
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I missed this one the first time around: C:\WINDOWS\SYSTEM32\msupdate32.dll, and it may have a companion called mspostsp.exe, but Ewido should find and remove them. Get it from http://www.ewido.net/en/download/, install it and update it. Then boot into safe mode, scan + clean with Ewido and save the log. Then boot normally and post a new HijackThis + Ewido log.

Here is the Ewido report (it found the file you mentioned right after installation):

ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 18:06:52, 2.12.2005
+ Report-Checksum: A295B0A6

+ Scan result:

C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
C:\WINDOWS\kl.exe -> Dropper.Agent.abo : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WH27STUF\hedgie[1].exe -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\system32\hedgie.exe -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Temp\100.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\102.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\103.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\105.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\106.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\109.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\10A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\10C.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\10F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\113.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\114.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\117.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\11A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\11D.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\120.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\123.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\128.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\12B.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\12E.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\12F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\131.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\133.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\134.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\137.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\25.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\2F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\30.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\32.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\328.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\32B.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\32E.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\331.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\334.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\337.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\33A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\34.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\35.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\38.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\39.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\3B.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\3D.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\3E.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\41.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\42.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\43.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\45.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\4673.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\4679.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\467F.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\4686.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\468D.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\4693.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\4698.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\469D.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46A3.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46AB.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46B1.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46B7.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46BD.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46C3.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46C9.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46CF.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46D5.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46DE.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46E9.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46F0.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\46F6.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\Temp\48.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\4B.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\51.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\55.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\56.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\58.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\5A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\5B.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\5E.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\5F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\61.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\64.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\66.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\67.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\6A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\6E.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\6F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\7F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\82.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\87.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\8A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\8D.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\90.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\93.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\95.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\96.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\99.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\9A.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\9C.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\9E.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\9F.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\A2.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\A3.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\A5.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\A7.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\A8.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\AB.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\AC.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\AE.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\B0.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\B1.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\B4.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\B5.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\B7.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\BA.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\BC.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\BD.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\C0.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\C1.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\C3.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\C6.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\C7.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\C9.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\CB.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\CC.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\CF.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\D0.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\D2.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\D4.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\D5.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\D8.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\D9.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\DB.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\DC.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\DE.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\DF.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E0.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E1.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E4.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E5.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E6.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E7.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\E9.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\EA.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\EC.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\ED.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\EE.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F0.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F2.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F3.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F4.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F6.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F7.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\F9.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\FA.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\FB.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\FE.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\Temp\FF.tmp -> Proxy.Small.dc : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.z : Cleaned with backup
C:\WINDOWS\tool3.exe -> Dropper.Agent.abu : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.VB.qr : Cleaned with backup

::Report End

And HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 18:10:20, on 2.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\ohjelmat\antiblax\Anti-Blaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Ohjelmat\bitcomet\BitComet.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
c:\ohjelmat\ewido\ewidoctrl.exe
c:\ohjelmat\ewido\ewidoguard.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\ohjelmat\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/aloitussivu/ppo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmat\spybot\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Anti-Blaxx Manager] c:\ohjelmat\antiblax\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Ohjelmat\bitcomet\BitComet.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEABD7C2-9C82-417B-A96F-1D25D0EF43D3}: NameServer = 212.50.211.55 212.50.192.227
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - c:\ohjelmat\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - c:\ohjelmat\ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\ohjelmat\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Tick these, close the browser and press Fix checked:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)

Then, with hidden files shown, check whether this one is still there, and if so delete it: C:\WINDOWS\SYSTEM32\msupdate32.dll
Also check, just in case, that the hosts file is OK, with no extra lines. Open HijackThis: Config... > Misc Tools > Open hosts file manager.

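A small triage script for the HijackThis log format used in this thread, covering both the helper's earlier O4 "Fix checked" step and the msupdate32.dll / hosts-file checks in this post. It is an added example, not code from the thread or from HijackThis itself; the sample log lines and hosts file are constructed to match the shapes seen in the posted logs, and the suspect names are the ones the helper called out.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not from the thread).

It mirrors the manual checks the helper asked for: find every autostart/notify entry
that references a suspect file name (hedgie.exe, msupdate32.dll), flag orphaned
entries whose target is "(file missing)" or "(no file)", list suspect binaries in the
"Running processes" block, and report hosts-file lines beyond the default localhost map.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HJT logs posted in the thread (not a full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\hedgie.exe
C:\Program Files\AVPersonal\AVGNT.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\system32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\system32\hedgie.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

# Constructed hosts file: the default mapping plus one hijack-style extra line.
SAMPLE_HOSTS = "# comment\n127.0.0.1       localhost\n127.0.0.1 update.example-av.invalid\n"

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. O4, O9, O20
    reason: str    # why the entry is worth a look
    line: str      # the raw log line, ready to be ticked in HijackThis


def parse_entries(log_text):
    """Return (section, body, raw_line) for each numbered HJT entry (R0/R1, O2..O23)."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def running_suspects(log_text, suspects):
    """Return paths from the 'Running processes:' block whose file name is a suspect."""
    wanted = {s.lower() for s in suspects}
    hits, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block and (not line or ENTRY_RE.match(line)):
            break   # the process block ends at the first blank line or R/O entry
        if in_block and line.rsplit("\\", 1)[-1].lower() in wanted:
            hits.append(line)
    return hits


def triage(log_text, suspects):
    """Flag entries referencing a suspect name, and entries whose target no longer exists."""
    wanted = {s.lower() for s in suspects}
    findings = []
    for section, body, raw in parse_entries(log_text):
        names = sorted(s for s in wanted if s in body.lower())
        if names:
            findings.append(Finding(section, "references suspect " + ", ".join(names), raw))
        elif any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, "target file missing (orphaned entry)", raw))
    return findings


def extra_hosts_lines(hosts_text):
    """Return active hosts entries other than the default localhost mapping."""
    extras = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1") and names and all(n.lower() == "localhost" for n in names):
            continue
        extras.append(" ".join([addr, *names]))
    return extras


if __name__ == "__main__":
    suspects = ["hedgie.exe", "msupdate32.dll"]
    for path in running_suspects(SAMPLE_LOG, suspects):
        print("RUNNING :", path)
    for f in triage(SAMPLE_LOG, suspects):
        print(f"{f.section:<4} {f.reason:<40} {f.line}")
    for line in extra_hosts_lines(SAMPLE_HOSTS):
        print("HOSTS   :", line)
```

Feed it a real saved HijackThis log and the contents of C:\WINDOWS\hosts instead of the constructed samples; the printed O4/O9/O20 lines are the ones to tick before pressing Fix checked.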
The file was not found, and the hosts file was fine too. So apparently there was nothing else wrong in the log? Thanks a lot for the help! I'll have to keep an eye on how the machine behaves, but at least for now it runs properly.