hjt-logi(troja w32...)

miria · Aug 18, 2007

Ongelmana troijalainen, jota en saa poistetuksi Normannin karanteenista. Lisäksi jatkuva ilmoitus: Your computer is infected! Lisäksi keltainen kolmio ilmoituspalkissa,joka pumppaa hulluna jonnekkin huu haa sivuille.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:54, on 18.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\winavxx.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\tuvsssq.dll
O2 - BHO: (no name) - {ABCDECF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Curb tool help dart] C:\Documents and Settings\All Users\Application Data\Move Bore Curb Tool\Show Safe.exe
O4 - HKLM\..\Run: [drv rdr tons dart] C:\Documents and Settings\All Users\Application Data\Base Loud Dart Move\User does deaf.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: system.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {6184E7A6-967A-489C-A26E-2417125B9983} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {7F1506D8-58DE-4975-AB8D-1B339B2BD598} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {7F8CC6BE-24E7-4167-AA9B-462222871466} - http://tuki.elisa.net/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O20 - Winlogon Notify: mllmn - C:\WINDOWS\
O20 - Winlogon Notify: tuvsssq - C:\WINDOWS\SYSTEM32\tuvsssq.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\SYSTEM32\winkve32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9482 bytes

Hujo · Aug 19, 2007

scannaa hjt:llä merkkaa paina Fix checked

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: (no name) - {ABCDECF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O20 - Winlogon Notify: mllmn - C:\WINDOWS\

===========================

Lataa VundoFix.exe työpöydällesi.

Tupla-klikkaa VundoFix.exe ajaaksesi sen.
Klikkaa Scan for Vundo valintaa.
Kun skannaus on valmis, klikkaa Remove Vundo valintaa.
Sinulta kysytään haluatko poistaa filut - klikkaa YES.
Kun olet klikannut yes, työpöytäsi tyhjenee kun se alkaa poistamaan Vundoa.
Kun se on valmis, fiksi ilmoittaa käynnistäväsi koneesi uudelleen, klikkaa OK.
Postita C:\vundofix.txt lokin sekä tuoreen HijackThis lokin sisältö.

Huomaa: Se on mahdollista että VundoFix löysi tiedoston jota se ei pystynyt poistamaan.
Tässä tilanteessa, VundoFix ajaa itsensä rebootissa, seuraa vain yläpuolelle olevia ohjeita alkaen kohdasta "Klikkaa Scan for Vundo valintaa." kun VundoFix ilmaantuu uudelleenkäynnistyksen yhteydessä.

====================

Lataa SDFix by AndyManchesta ja tallenna se työpöydällesi.

Käynnistä koneesi vikasietotilaan ja valitse tavallinen käyttäjätilisi:
" Käynnistä tietokone
" Kun kuulet koneen piippaavan, paina F8, kuitenkin ennen Windowsin logon esiintuloa
" Seuraavaksi pitäisi ilmestyä valikko
" Valitse valikosta vikasietotila.

" Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio) työpöydällesi. Työpöydälle pitäisi ilmestyä kansio nimeltä SDFix.
" Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman.
" Paina Y käynnistääksesi skriptin.
" Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, "Press any key to Reboot".
" Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen.
" Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta.
" Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, "Finished".
" Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle.
" Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis:n lokin kera.

================

Päivitä AVG Anti-Spyware 7.5 ja aja se vikasiedossa

================

Lataa SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Pura sisältö (kansio nimeltä SmitfraudFix) työpöydällesi:

Avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd
Valitse optio #1 - Search kirjoittamalla 1 ja painamalla "Enter"; tekstitiedosto avautuu, joka listaa tarttuneet tiedostot (jos olemassa).
Postita tämän tekstitiedoston sisältö viestiketjuusi.

Huomaa : process.exe filun tunnistaa jotkut Anti-virus ohjelmat (AntiVir, Dr.Web, Kaspersky) "Haittakaluna"; se ei ole virus, vaan ohjelma joka pysäyttää prosesseja. A/V ohjelmat eivät pysty tunnistamaan hyvän ja pahan käytön tälläisten ohjelmian väliltä, silloin ne saattavat varoittaa käyttäjää.

======================

Laita lokit ja uusi hjt:n loki

miria · Aug 19, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02:35, on 19.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\TEMP\winE1.tmp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mikki\Omat tiedostot\PopUpStopperFree.exe
C:\Norman\npm\bin\niu.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\mikki\UserData\Työpöytä\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Curb tool help dart] C:\Documents and Settings\All Users\Application Data\Move Bore Curb Tool\Show Safe.exe
O4 - HKLM\..\Run: [drv rdr tons dart] C:\Documents and Settings\All Users\Application Data\Base Loud Dart Move\User does deaf.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: system.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {6184E7A6-967A-489C-A26E-2417125B9983} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {7F1506D8-58DE-4975-AB8D-1B339B2BD598} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {7F8CC6BE-24E7-4167-AA9B-462222871466} - http://tuki.elisa.net/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O20 - Winlogon Notify: tuvsssq - tuvsssq.dll (file missing)
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\SYSTEM32\winkve32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9285 bytes
Tässä ois hjt. Vundo ilmoitti:ei tartuntoja

Hujo · Aug 19, 2007

scannaa hjt:llä merkkaa paina Fix checked

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O20 - Winlogon Notify: tuvsssq - tuvsssq.dll (file missing)

==============

laitas se vundofixsin loki

Nimeä uudeleen
C:\Program Files\Trend Micro\HijackThis\==> HijackThis.exe <== skanneri.exe

====================

miria · Aug 19, 2007

Sori, oon aika untuvikko näis hommis...
Tein sen Hjt homman, mutta vundofixistä en saanut mitään
lokia. No sit en ymmärtänyt sitä uudelleennimeämistä eli mihin ja mitä?

Hujo · Aug 19, 2007

ei se mitää mutta laita tuosta vielä

1. Lataa combofix.exe työpöydällesi jommastakummasta linkistä:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

================
Mitäs ohjelmia oot nyt ajellut?
VundoFix.exe
SDFix
AVG Anti-Spyware 7.5
SmitfraudFix
combofix

================

ja scannaa myös uusi hjt:n loki

miria · Aug 20, 2007

ComboFix 07-08-17.2 - "mikki" 2007-08-20 12:13:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.107 [GMT 3:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Ohjelmat\KYNNIS~1.\autorun.exe
C:\DOCUME~1\mikki\APPLIC~1.\macromedia\Flash Player\#SharedObjects\HBBV6XZL\iforex.com
C:\DOCUME~1\mikki\APPLIC~1.\macromedia\Flash Player\#SharedObjects\HBBV6XZL\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\DOCUME~1\mikki\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\DOCUME~1\mikki\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\DOCUME~1\mikki\KYNNIS~1\Ohjelmat\KYNNIS~1.\system.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\adeeg.bak1
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\winkve32.dll

((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))

2007-08-20 12:13 94,720 --a------ C:\WINDOWS\system32\drvjuj.dll
2007-08-20 12:13 15,360 --a------ C:\WINDOWS\system32\drvjujr.dll
2007-08-20 11:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 15:50 94,720 --a------ C:\WINDOWS\system32\drvzus.dll
2007-08-19 15:50 15,360 --a------ C:\WINDOWS\system32\drvzusr.dll
2007-08-19 13:27 <KANSIO> d-------- C:\Program Files\Panicware
2007-08-19 08:30 94,720 --a------ C:\WINDOWS\system32\drvsac.dll
2007-08-19 08:30 15,360 --a------ C:\WINDOWS\system32\drvsacr.dll
2007-08-18 22:39 95,232 --a------ C:\WINDOWS\system32\drvdac.dll
2007-08-18 22:39 15,360 --a------ C:\WINDOWS\system32\drvdacr.dll
2007-08-18 22:27 <KANSIO> d-------- C:\WINDOWS\system32\DRVSTORE
2007-08-18 22:27 <KANSIO> d-------- C:\DOCUME~1\mikki\APPLIC~1\PC Tools
2007-08-18 21:02 95,232 --a------ C:\WINDOWS\system32\drvtet.dll
2007-08-18 21:02 15,360 --a------ C:\WINDOWS\system32\drvtetr.dll
2007-08-18 20:48 <KANSIO> d-------- C:\DOCUME~1\mikki\APPLIC~1\TrojanHunter
2007-08-18 16:43 <KANSIO> d-------- C:\Program Files\Trend Micro
2007-08-18 16:08 <KANSIO> d-------- C:\VundoFix Backups
2007-08-18 12:41 <KANSIO> d-------- C:\Program Files\MSN Messenger
2007-08-17 19:33 <KANSIO> d-------- C:\Program Files\Spyware Doctor
2007-08-17 19:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-17 19:18 6,513 ---hs---- C:\WINDOWS\system32\nqtss.bak1
2007-08-17 18:41 <KANSIO> d-------- C:\Program Files\TrojanHunter 4.7
2007-08-17 18:21 6,612 ---hs---- C:\WINDOWS\system32\adeeg.ini2
2007-08-17 16:49 6,473 ---hs---- C:\WINDOWS\system32\oqstv.bak1
2007-08-17 15:50 <KANSIO> d-------- C:\Program Files\Windows Live Safety Center
2007-08-17 15:41 6,473 ---hs---- C:\WINDOWS\system32\svvwa.bak1
2007-08-17 14:32 6,513 ---hs---- C:\WINDOWS\system32\qtvwa.bak1
2007-08-17 14:28 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-17 13:18 6,513 ---hs---- C:\WINDOWS\system32\ijkmp.bak1
2007-08-17 11:37 6,513 ---hs---- C:\WINDOWS\system32\llnmp.bak1
2007-08-17 09:42 6,473 ---hs---- C:\WINDOWS\system32\qtutv.bak1
2007-08-17 08:27 6,473 ---hs---- C:\WINDOWS\system32\xyadd.bak1
2007-08-16 23:36 6,473 ---hs---- C:\WINDOWS\system32\npqss.bak1
2007-08-16 22:11 6,473 ---hs---- C:\WINDOWS\system32\nmllm.bak1
2007-08-16 20:03 6,473 ---hs---- C:\WINDOWS\system32\pqstv.bak1
2007-08-16 18:28 6,473 ---hs---- C:\WINDOWS\system32\dfhkj.bak1
2007-08-16 17:16 6,473 ---hs---- C:\WINDOWS\system32\orutv.bak1
2007-08-15 13:56 <KANSIO> d-------- C:\Program Files\Windows Defender
2007-08-14 09:12 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Move Bore Curb Tool
2007-08-14 09:12 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Base Loud Dart Move
2007-08-14 09:11 <KANSIO> d-------- C:\Program Files\MfcdLoud

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-18 14:53 --------- d-------- C:\DOCUME~1\mikki\APPLIC~1\Skype
2007-08-18 13:38 2650 --a------ C:\WINDOWS\pchealth\helpctr\Config\incstore.bin
2007-08-16 12:52 --------- d-------- C:\Program Files\Picasa2
2007-08-14 09:13 --------- d-------- C:\DOCUME~1\mikki\APPLIC~1\MfcdLoud
2007-07-19 09:55 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 02:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 17:06 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 17:06 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 17:06 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 17:06 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 17:06 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 17:06 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 17:05 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 17:05 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 17:05 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 17:05 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 17:05 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 17:05 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 17:05 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 17:05 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 17:04 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 17:04 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 17:04 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 17:04 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 17:04 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 17:04 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 11:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 11:27 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 11:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 10:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 09:09 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 09:09 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 10:21 19000 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2007-06-19 16:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 16:32 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 16:10 1033728 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 16:10 1033728 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2006-04-01 19:37 47510 --a------ C:\Program Files\dsymbols.zip

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-06-13 17:55 C:\WINDOWS\system32\SiSPower.dll]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2005-06-13 17:54]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-13 17:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-13 17:40]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 13:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-30 16:52]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 02:15]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Curb tool help dart"="C:\Documents and Settings\All Users\Application Data\Move Bore Curb Tool\Show Safe.exe" [2007-08-20 12:05]
"drv rdr tons dart"="C:\Documents and Settings\All Users\Application Data\Base Loud Dart Move\User does deaf.exe" [2007-08-20 11:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-08-11 20:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 10:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-06-13 17:54]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

C:\Documents and Settings\mikki\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]

C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 01:03:20]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-06-29 10:50:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\tuvsssq.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hanonvt.ini

R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys

*Newly Created Service* - HTTPFILTER

Contents of the 'Scheduled Tasks' folder
2007-08-20 09:00:08 C:\WINDOWS\Tasks\A7400D25918BBD21.job - c:\docume~1\mikki\applic~1\mfcdloud\bibkeepiso.exe
2007-08-20 09:25:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 12:22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 12:30:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 12:30

--- E O F ---

miria · Aug 20, 2007

Moi! nyt oon ajanut combo-ja vundofixin, avg:n, sekä sknnannut trojan hunterilla. Tässä hjt.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:01, on 20.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\sistray.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Norman\npm\bin\niu.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Curb tool help dart] C:\Documents and Settings\All Users\Application Data\Move Bore Curb Tool\Show Safe.exe
O4 - HKLM\..\Run: [drv rdr tons dart] C:\Documents and Settings\All Users\Application Data\Base Loud Dart Move\User does deaf.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {6184E7A6-967A-489C-A26E-2417125B9983} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {7F1506D8-58DE-4975-AB8D-1B339B2BD598} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {7F8CC6BE-24E7-4167-AA9B-462222871466} - http://tuki.elisa.net/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8595 bytes

Hujo · Aug 21, 2007

scannaa hjt:llä merkkaa paina Fix checked

O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini

===================

Lataa KillBox http://www.killbox.net/downloads/KillBox.exe

Tallenna työpöydälle. Jolloin ilmestyy kuvake KillBox.exe

Avaa KillBox ja laita "täppi" kohtaan Delete on Reboot sekä paina kohdasta All Files niin ,että se alkaa "vilkkumaan" vihreänä.

Kopioi tuosta alta kaikki yhtäaikkaa

C:\WINDOWS\system32\hanonvt.ini

Valitse ylhäältä valikosta File ja sitten Paste from Clipboard.

Riville Full Path of File to Delete ilmestyy jokin annetuista poluista ja tiedosto näkyy rivin alapuolella sinisellä merkittynä jos se löytyy koneelta.Paina tämän jälkeen oikealla olevaa punaista ympyrää jossa on valkoinen rasti.

Haluatko buutata nyt ? Vastaa tähän Kyllä

Tämän jälkeen kone buuttaa itsensä. Jos ei buuttaa niin suorita toimenpide itse "käsin".

Hujo · Aug 21, 2007

Lataa SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Pura sisältö (kansio nimeltä SmitfraudFix) työpöydällesi:

Avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd
Valitse optio #1 - Search kirjoittamalla 1 ja painamalla "Enter"; tekstitiedosto avautuu, joka listaa tarttuneet tiedostot (jos olemassa).
Postita tämän tekstitiedoston sisältö viestiketjuusi.

Huomaa : process.exe filun tunnistaa jotkut Anti-virus ohjelmat (AntiVir, Dr.Web, Kaspersky) "Haittakaluna"; se ei ole virus, vaan ohjelma joka pysäyttää prosesseja. A/V ohjelmat eivät pysty tunnistamaan hyvän ja pahan käytön tälläisten ohjelmian väliltä, silloin ne saattavat varoittaa käyttäjää.

laita loki tästä

Log in or Sign up

hjt-logi(troja w32...)

miria Member

Hujo Guest

miria Member

Hujo Guest

miria Member

Hujo Guest

miria Member

miria Member

Hujo Guest

Hujo Guest

Share This Page

Log in or Sign up

hjt-logi(troja w32...)

miria Member

Hujo Guest

miria Member

Hujo Guest

miria Member

Hujo Guest

miria Member

miria Member

Hujo Guest

Hujo Guest

Share This Page

Useful Searches