Logfile of HijackThis v1.99.1
Scan saved at 10:08:21 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sampo\LOCALS~1\Temp\win8.tmp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=4&updtReqId=0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [379cb9f6.exe] C:\WINDOWS\system32\379cb9f6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [379cb9f6.exe] C:\Documents and Settings\Sampo\Local Settings\Application Data\379cb9f6.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145002622670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145003713218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: qommllj - C:\WINDOWS\SYSTEM32\qommllj.dll
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

EDIT: I don't remember the names of the viruses, but there were trojans and then some other junk.. Is Smitfraud needed???

EDIT2: Let me put the ewido log here too; this is what ewido found:

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:39:55 PM 6/26/2006

+ Scan result:

C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\Cache\F498AD79d01 -> Dialer.PluginAccess : No action taken.
C:\Documents and Settings\Sampo\Local Settings\Application Data\379cb9f6.exe -> Downloader.Obfuscated.a : No action taken.
C:\Documents and Settings\Sampo\Local Settings\Temp\win8.tmp.exe -> Downloader.Obfuscated.a : No action taken.
C:\Documents and Settings\Sampo\Local Settings\Temporary Internet Files\Content.IE5\QNE1U1E3\wlzip32[1].exe -> Downloader.Obfuscated.a : No action taken.
C:\WINDOWS\system32\379cb9f6.exe -> Downloader.Obfuscated.a : No action taken.
C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\Cache\6AD3FF43d01 -> Dropper.Small.aqg : No action taken.
C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\Cache\D5481C94d01 -> Dropper.Small.aqg : No action taken.
C:\Documents and Settings\Sampo\Local Settings\Temporary Internet Files\Content.IE5\QNE1U1E3\wizip32[1].exe -> Hijacker.Small.kx : No action taken.
:mozilla.179:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.31:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.25:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.26:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.54:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.55:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.56:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.57:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.58:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.59:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.123:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.162:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.163:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.164:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.211:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.212:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.138:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.17:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.40:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.157:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.158:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.159:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.160:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.161:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.226:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.227:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.228:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.33:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.24:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Hotlog : No action taken.
:mozilla.127:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.133:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.124:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.125:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.126:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.21:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Popuptraffic : No action taken.
:mozilla.22:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Popuptraffic : No action taken.
:mozilla.119:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.120:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.121:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.122:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.214:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.28:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.220:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.221:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.112:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.113:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.114:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.115:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.116:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.92:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.93:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.23:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Spylog : No action taken.
:mozilla.71:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.72:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.185:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.20:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.225:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.34:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.70:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.30:C:\Documents and Settings\Äiti\Application Data\Mozilla\Firefox\Profiles\0btfbw4d.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.60:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.61:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.62:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.63:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.66:C:\Documents and Settings\Sampo\Application Data\Mozilla\Firefox\Profiles\ed1eofhl.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Sampo\Local Settings\Temp\mst6.tmp -> Trojan.Agent.vg : No action taken.
C:\Documents and Settings\Sampo\Local Settings\Temp\mstF.tmp -> Trojan.Agent.vg : No action taken.
C:\WINDOWS\system32\winmbj32.dll -> Trojan.Agent.vg : No action taken.
C:\WINDOWS\system32\1024 -> Trojan.Small : No action taken.
C:\WINDOWS\system32\1024\ld7424.tmp -> Trojan.Small : No action taken.
C:\WINDOWS\system32\1024\ld7DC9.tmp -> Trojan.Small : No action taken.
C:\WINDOWS\system32\1024\ldAB96.tmp -> Trojan.Small : No action taken.

::Report end

So I deleted the cookies and put the rest in quarantine, even though it doesn't say so there =)
The following are highly suspicious:

O4 - HKCU\..\Run: [379cb9f6.exe] C:\Documents and Settings\Sampo\Local Settings\Application Data\379cb9f6.exe
O4 - HKLM\..\Run: [379cb9f6.exe] C:\WINDOWS\system32\379cb9f6.exe

and there are the trojans, as scanned with ewido:

C:\WINDOWS\system32\winmbj32.dll -> Trojan.Agent.vg : No action taken.
C:\WINDOWS\system32\1024 -> Trojan.Small : No action taken.
C:\WINDOWS\system32\1024\ld7424.tmp -> Trojan.Small : No action taken.
C:\WINDOWS\system32\1024\ld7DC9.tmp -> Trojan.Small : No action taken.
C:\WINDOWS\system32\1024\ldAB96.tmp -> Trojan.Small : No action taken.

It's still worth running it once more to be safe and setting it to delete, so nothing should be left on the machine; Bitdefender, for example, alerts on viruses that are sitting in quarantine.

EDIT: typo
Yep yep, let's do that and see if it works =) Here's a new HJT log as well, after all the tweaking:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:38 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=4&updtReqId=0
O2 - BHO: (no name) - {705BA2F0-7D7F-4948-8BA0-EEA6B583FC94} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145002622670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145003713218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

All kinds of pop-ups keep appearing every now and then, e.g. some winprovirus2006 ads and things like that, and win32 zlob tends to come back quite often. Should we do anything with that smitfraud??
And in start->all programs, some "security troubleshooting" and "online security guard" things have appeared :/
@Afroninja

Download SmitfraudFix © S!Ri: http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract the contents (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #1 - Search by typing 1 and pressing "Enter"; a text file will open listing the infected files (if any). Post the contents of that text file in your thread.
SmitFraudFix v2.65

Scan done at 19:45:29.62, Thu 06/29/2006
Run from C:\Documents and Settings\Sampo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\regperf.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sampo\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sampo\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
Restart your computer in Safe Mode by tapping F8 during startup.

Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and pressing "Enter" to delete the infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" to remove the desktop background and clean the infected registry keys.

The tool will check whether wininet.dll is infected. You may be prompted to replace the infected .dll (if one is found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart the computer; if it does not, reboot into normal Windows. A text file will appear after the cleaning process; copy & paste the contents of that report into your reply. The report can be found on your local drive, usually C:\rapport.txt.

Download VundoFix.exe to your desktop: http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it. Check the box Run VundoFix as a task. You will get a message saying "Vundofix will close and re-open in a minute or less". Click OK.

When VundoFix re-opens, click the Scan for Vundo button. When the scan is complete, right-click inside the list box (the white box listing the files found) and select Add more files. Copy and paste the following 2 lines into the two upper boxes:

C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\xyadd.*

Click Add Files and then click Close Window. Click the Remove Vundo button. You will get a message asking whether you want to remove the selected files; click YES. Once you click yes, your desktop will go blank as the tool starts removing Vundo. When it is done, you will get a message asking you to shut down the computer; click OK. Restart your computer.

Post the contents of the C:\vundofix.txt log, the contents of C:\rapport.txt, and a new HijackThis log.

EDIT: I initially posted the wrong instructions.
Okay, smitfraud:

SmitFraudFix v2.65

Scan done at 19:06:23.79, Fri 06/30/2006
Run from C:\Documents and Settings\Sampo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\regperf.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Vundofix:

VundoFix V4.2.84

Running as SYSTEM from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.6

Scan started at 7:18:07 PM 6/30/2006

Listing files found while scanning....

C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\ddayx.dll

VundoFix V4.2.84

Running as SYSTEM from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.6

Scan started at 7:22:46 PM 6/30/2006

Listing files found while scanning....

C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\ddayx.dll

Attempting to delete C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\xyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\ddayx.dll Has been deleted!

Performing Repairs to the registry.
Done!

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:31:52 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=4&updtReqId=0
O2 - BHO: (no name) - {580FC72E-AB7D-4038-823B-40B22EA07C12} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145002622670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145003713218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Is the HJT log OK now?
Yep, that went just fine. These can be fixed: open HijackThis, click "Do a system scan only" and check these:

O2 - BHO: (no name) - {580FC72E-AB7D-4038-823B-40B22EA07C12} - C:\WINDOWS\system32\ddayx.dll (file missing)
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)

Close all other open windows and click "Fix checked". Are there still problems with the pop-ups?
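The judgement applied in this thread (the hex-named O4 autoruns and the Local Settings launch path flagged earlier, and the orphaned "(file missing)" O2 and O20 entries left to fix here) can be written down as a small checker for HijackThis-style log lines. The block below is an added example for this page; it is not code from HijackThis, ewido, SmitfraudFix or VundoFix. The sample log lines are constructed (one per pattern, modelled on entries quoted above), and the Winlogon Notify allowlist and the list of "suspicious" launch folders are assumptions of the example, not anything the tools themselves use.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import os
import re
from dataclasses import dataclass

# Constructed sample: one line per pattern, modelled on entries in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {580FC72E-AB7D-4038-823B-40B22EA07C12} - C:\WINDOWS\system32\ddayx.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [379cb9f6.exe] C:\WINDOWS\system32\379cb9f6.exe
O4 - HKCU\..\Run: [379cb9f6.exe] C:\Documents and Settings\Sampo\Local Settings\Application Data\379cb9f6.exe
O20 - Winlogon Notify: qommllj - C:\WINDOWS\SYSTEM32\qommllj.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: Winlogon Notify DLLs that ship with Windows XP. Anything else
# registered as a notify package deserves a look, because it loads at logon
# and survives the user deleting a Run key.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

# Assumption: folders a legitimate autorun almost never launches from.
SUSPICIOUS_DIRS = ("\\local settings\\", "\\temporary internet files\\")

R_ORPHAN = "orphaned entry (file missing)"
R_LOCAL_SETTINGS = "autorun launched from a Local Settings folder"
R_HEX_NAME = "random hex-style filename"
R_NAMELESS_BHO = "BHO without a name"
R_NOTIFY = "Winlogon Notify DLL outside the allowlist"

LINE_RE = re.compile(r"^([OR]\d+) - (.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))"?', re.IGNORECASE)
BARE_RE = re.compile(r"\b([\w~.-]+\.(?:exe|dll))\b", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O4"
    reason: str   # one of the R_* strings
    line: str     # the raw log line


def target_of(entry: str) -> str:
    """Return the executable/DLL the entry points at (full path if present)."""
    m = PATH_RE.search(entry) or BARE_RE.search(entry)
    return m.group(1) if m else ""


def analyze(log_text: str) -> list:
    """Run every heuristic over each O*/R* line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        section, entry = m.groups()
        target = target_of(entry)
        filename = os.path.basename(target.replace("\\", "/")).lower()
        stem = os.path.splitext(filename)[0]

        if "(file missing)" in entry:
            findings.append(Finding(section, R_ORPHAN, line))
        if section == "O4" and any(d in target.lower() for d in SUSPICIOUS_DIRS):
            findings.append(Finding(section, R_LOCAL_SETTINGS, line))
        if section in ("O2", "O4", "O20") and HEX_NAME.match(stem):
            findings.append(Finding(section, R_HEX_NAME, line))
        if section == "O2" and entry.startswith("BHO: (no name)"):
            findings.append(Finding(section, R_NAMELESS_BHO, line))
        if section == "O20" and filename not in KNOWN_NOTIFY_DLLS:
            findings.append(Finding(section, R_NOTIFY, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<45} {f.line}")
```

Run as-is it prints eight findings for the sample: the nameless BHO and the winmbj32 notify entry are reported twice (once as orphaned, once on their own merits), the HKCU 379cb9f6 autorun trips both the launch-folder and hex-name checks, and the avast, Java and NVIDIA lines pass clean. An orphaned entry is harmless by itself, which is why the helper only has it fixed after the files are gone; the other four reasons are what justified running ewido, SmitfraudFix and VundoFix first.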
Yep, everything's done now. Let's wait and see; if no pop-ups show up tomorrow, then mission accomplished. I'll post if any more problems come up =) Thanks for the help, Jurppis *thanks and bows*

EDIT: The pop-ups are gone!!!!