Logfile of HijackThis v1.99.1 Scan saved at 13:14:02, on 6.11.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe c:\windows\system32\cqgrqtc.exe C:\WINDOWS\System32\sdij.exe C:\WINDOWS\System32\hqfo.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe C:\WINDOWS\system32\steat1a2.exe C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\program files\valve\steam\steam.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe C:\Program Files\AceGain\LiveUpdate\aceagent.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\mIRC\mirc.exe C:\program files\internet explorer\iexplore.exe C:\program files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing) O2 - BHO: (no name) - {9A66BEDC-00C2-4678-AF87-BE09C83FD93C} - C:\Program Files\cdmweb\lmpbgaxrlq.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sdij.exe O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe O4 - HKLM\..\Run: [Adware Remover] C:\WINDOWS\System32\hqfo.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe" O4 - HKLM\..\Run: [steat1a2] C:\WINDOWS\system32\steat1a2.exe O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [wrijsrn] c:\windows\system32\cqgrqtc.exe r O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE" O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117903901953 O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton AntiVirus -ohjelman automaattinen suojaus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
Hae ewido -> http://www.ewido.net/en/download Päivitä ewido, mut älä skannaa vielä Imuroi Cleanup http://www.stevengould.org/software/cleanup/download.html asenna se, käytetään sitä myöhemmin Hae nailfix -> http://www.noidea.us/easyfile/file.php?download=20050515010747824 Pura se työpöydälle, mutta älä aja sitä vielä. Imuroi AP -> http://www.diamondcs.com.au/index.php?page=apt pura zippi omaan kansionnsa työpöydälle avaa se kansio ja tuplaklikkaa apt.exe:ä apt: ikkunassa eti c:\windows\system32\cqgrqtc.exe Laita piilotiedostot näkyviin -> http://keskustelu.afterdawn.com/thread_view.cfm/248944, mee C:\Windows\system32 ja etsi c:\windows\system32\cqgrqtc.exe älä tee sille vielä mitään, mutta jätä kansio auki et kohta löydät sen helposti ja nopeasti mee takas APT:hen ja valitse c:\windows\system32\cqgrqtc.exe klikkaa nappia KILL 3 sitten heti poistat tuon -> c:\windows\system32\cqgrqtc.exe sieltä system 32-kansiosta Poista lisää/poista sovellus-kohdasta: 2Search Zango buuttaa kone vikasietoon (F8 käynnistyksen yhteydessä) aja nailfix skannaa ewidolla anna poistaa mitä löyty tallenna raportti Avaa hijackthis,klikkaa do a system scan only, laita rasti näiden kohdalle ja klikkaa fix checked F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing) O2 - BHO: (no name) - {9A66BEDC-00C2-4678-AF87-BE09C83FD93C} - C:\Program Files\cdmweb\lmpbgaxrlq.dll O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sdij.exe O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe O4 - HKLM\..\Run: [Adware Remover] C:\WINDOWS\System32\hqfo.exe O4 - HKLM\..\Run: [steat1a2] C:\WINDOWS\system32\steat1a2.exe O4 - HKLM\..\Run: [wrijsrn] c:\windows\system32\cqgrqtc.exe r O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe Sitten käynnistä -> suorita -> services.msc -> ok -> etsi listalta System Startup Service (SvcProc) -> tuplaklikkaa sitä -> valitse käynnistymistavaksi "ei käytössä". aja CleanUp * paina nappia Options * siirrä nuoli kohtaan Custom CleanUp! * laita rastit seuraaviin kohtiin o Delete Cookies o Empty Recycle Bins o Delete Prefetch files o Cleanup! All Users * klikkaa OK * sitten klikkaa CleanUp nappia. kestää jonkin aikaa, anna sen tehä hommansa * kun se kysyy uudelleenkäynnistystä vastaa No * sulje CleanUp buuttaa takas normaalitilaan ja laita ewidon raportti ja uusi hjt-loki
