If once again someone could help.. I scanned the machine with Spybot --> it found some "command service" that Spybot could not remove. So here is the HJT log in case someone can deduce something from it.

Logfile of HijackThis v1.99.1
Scan saved at 20:46:03, on 25.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{66EF7D4B-9801-4C2F-8A43-84BCDD36BBDC}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{B602088A-670F-47F8-8AEE-5BC00FEDF485}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
Download fixwareout.exe from here > http://downloads.subratam.org/Fixwareout.exe or from here > http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe and save it to the desktop. Double-click it and follow the instructions. Click Next, then Install, and make sure that "Run fixit" is selected. You will have to restart the machine when told to. Post a new HjT log and the contents of c:\fixwareout\report.txt.
[bold]Logfile of HijackThis v1.99.1[/bold]
Scan saved at 21:27:46, on 25.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{66EF7D4B-9801-4C2F-8A43-84BCDD36BBDC}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{B602088A-670F-47F8-8AEE-5BC00FEDF485}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

[bold]Fixwareout ver 1.003[/bold]
Last edited 04/09/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool
Start HJT, click Do a system scan only, and check:

O17 - HKLM\System\CCS\Services\Tcpip\..\{66EF7D4B-9801-4C2F-8A43-84BCDD36BBDC}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{B602088A-670F-47F8-8AEE-5BC00FEDF485}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169

Close the other windows and click Fix checked. Get Ewido (download address & instructions -> http://keskustelu.afterdawn.com/thread_view.cfm/269186), install and update it, but don't use it yet! Boot the machine into Safe Mode (F8 while the machine is starting up). Do a full scan with Ewido and save the log. Boot the machine back into normal mode. Post the Ewido log and a new HJT log.
[bold]---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------[/bold]

+ Created on: 22:31:23, 25.4.2006
+ Report-Checksum: 6887AE13

+ Scan result:

C:\WINDOWS\system32\rzspy.exe -> Adware.Raze : Cleaned with backup
C:\WINDOWS\system32\idownload.exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Alex\Local Settings\Temp\temp.frECFC -> Adware.CommAd : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.340:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.342:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.343:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.388:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.398:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.402:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.425:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.426:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.427:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.444:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.445:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.536:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.537:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.538:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.539:C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\x3p86yqp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Program Files\Motorama Preved\playerdata.bak -> Dropper.Small.ky : Cleaned with backup
C:\System Volume Information\_restore{31868BF7-2DDD-4111-889D-23C2A74867E5}\RP9\A0002884.exe -> Adware.Raze : Cleaned with backup
C:\System Volume Information\_restore{31868BF7-2DDD-4111-889D-23C2A74867E5}\RP9\A0002885.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{31868BF7-2DDD-4111-889D-23C2A74867E5}\RP9\A0002886.exe -> Adware.Casino : Cleaned with backup
C:\System Volume Information\_restore{31868BF7-2DDD-4111-889D-23C2A74867E5}\RP27\A0009246.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{31868BF7-2DDD-4111-889D-23C2A74867E5}\RP27\A0009247.dll -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{31868BF7-2DDD-4111-889D-23C2A74867E5}\RP34\A0009571.dll -> Adware.CommAd : Cleaned with backup
C:\Recycled\Dc2.exe -> Adware.Casino : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc.zip/ergopro@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\DoubleClick.zip/ergopro@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\HitBox.zip/ergopro@ehg-idg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\HitBox1.zip/ergopro@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom.zip/ergopro@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom1.zip/ergopro@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc1.zip/ergopro@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\BFast.zip/ergopro@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction.zip/ergopro@www.commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction1.zip/ergopro@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\DoubleClick1.zip/anyuser@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\DoubleClick2.zip/ergopro@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\FastClick.zip/ergopro@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\HitBox2.zip/ergopro@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\HitBox3.zip/ergopro@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\HitsLink.zip/ergopro@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\MediaPlex.zip/ergopro@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
F:\Ohjelmat\Spybot - Search & Destroy 1.1\Recovery\ValueClick.zip/anyuser@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup

::Report End

[bold]Logfile of HijackThis v1.99.1[/bold]
Scan saved at 22:34:24, on 25.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
Did you fix all three of the O17 lines I asked for? There is actually still one left in the log. I would also urge you to bring Windows' security up to date (= get the service packs installed). EDIT: Let me also add that there is a newer version of Spybot (1.4), which can be downloaded e.g. from here -> http://www.spybot.info/en/download/index.html
@blade81: That line doesn't necessarily always go away.

@Sussu82: First fix this line:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169

Go to Control Panel -> Network Connections. Then right-click the connection icon -> Properties. Select TCP/IP and then Properties. Select "Obtain an IP address automatically" and click OK. Then Start -> Run. Type cmd and click OK. Type ipconfig /flushdns, press Enter, type exit and press Enter. If that doesn't work, go to Start -> Accessories -> Command Prompt, type ipconfig /flushdns there and press Enter. Restart and post a new HjT log.
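A small checker for the O17 entries the helpers keep coming back to, written as an added example for this thread (it is not from the thread, from HijackThis or from Fixwareout). It parses the O17 NameServer lines from a HijackThis log, copes with both the comma- and space-separated resolver lists seen in the logs above, and flags any statically set resolver that is neither on an expected allowlist nor a private LAN address. The sample log is constructed from this thread's three O17 lines plus one made-up benign line; the allowlist is an empty placeholder to be filled with your own ISP's resolvers.

```python
import ipaddress
import re
from typing import List, Set

# Constructed sample: the three O17 lines from the HijackThis logs in this thread,
# plus one made-up benign O17 line (fake interface GUID, private router address).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{66EF7D4B-9801-4C2F-8A43-84BCDD36BBDC}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{B602088A-670F-47F8-8AEE-5BC00FEDF485}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Placeholder allowlist (assumed): put the resolvers your ISP actually hands out here.
EXPECTED_RESOLVERS: Set[str] = set()

# An O17 line names the Tcpip interface key by its GUID and then the NameServer value.
O17_RE = re.compile(
    r"^O17 - (?P<key>\S+\{(?P<iface>[0-9A-Fa-f-]{36})\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text: str) -> List[dict]:
    """Return one record per O17 NameServer line: registry key, interface GUID, resolvers.

    HijackThis separates multiple resolvers with a comma or with a space (both forms
    occur in this thread's logs), so split on either.
    """
    records: List[dict] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        records.append(
            {"key": m.group("key"), "iface": m.group("iface").upper(), "servers": servers}
        )
    return records


def is_expected_resolver(ip: str, expected: Set[str]) -> bool:
    """Accept a resolver only if it is on the allowlist or is a private (LAN/router) address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not a valid address at all: treat as suspect
    return ip in expected or addr.is_private


def flag_rogue_nameservers(log_text: str, expected: Set[str]) -> List[dict]:
    """Return the O17 records whose resolvers include an unexpected public address.

    A hard-coded public resolver on a home machine that should be getting DNS from
    DHCP is exactly what the O17 lines in this thread show. Each flagged record keeps
    the interface GUID so it can be matched to the Tcpip Interfaces key it came from.
    """
    flagged: List[dict] = []
    for rec in parse_o17(log_text):
        rogue = [s for s in rec["servers"] if not is_expected_resolver(s, expected)]
        if rogue:
            flagged.append({**rec, "rogue": rogue})
    return flagged


if __name__ == "__main__":
    for rec in flag_rogue_nameservers(SAMPLE_HJT_LOG, EXPECTED_RESOLVERS):
        print(f"interface {rec['iface']}: unexpected resolvers {', '.join(rec['rogue'])}")
```

Re-running it over each new log is a quick way to notice when an O17 entry reappears, as it does later in this thread.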
All right, here's a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:07, on 26.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
That's good now. Next, go to Windows Update and get Service Pack 2 for both Windows and IE:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Oh no! I ran HJT once more just for fun and that one line (O17) has come back again..

Logfile of HijackThis v1.99.1
Scan saved at 10:45:55, on 26.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146032884670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146033045967
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

How could I get rid of it for good?

Edit: Or rather, what is that line? Is it something harmful?
Let's try this. Print out these instructions and unplug the network cable!

Start -> Accessories -> Command Prompt
At the command prompt type ipconfig /flushdns and press Enter.

Then go here: Control Panel -> Network Connections. Right-click the connection icon -> Properties. Select TCP/IP and then Properties. Untick "Obtain an IP address automatically" and click OK.

Reboot, plug the network cable back in and post a new HjT log.

EDIT: That line means your internet connection is currently coming from Ukraine, i.e. a so-called nameserver hijack has taken place. It's a leftover of the Wareout that was on the machine. Info here -> http://www.dnsstuff.com/tools/whois.ch?ip=85.255.116.100
I started with those instructions, but stumbled at the step "Untick 'Obtain an IP address automatically' and click OK". I have two options there: obtain an IP address automatically, or use the following IP address (and for that you have to enter some IP address).
OK, then leave it at "Obtain an IP address automatically".

Let's do this instead: Download and save Blacklight to your desktop: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click > Scan, then > Next.
You'll see a list of everything it found. A log also appears on your desktop, named fsbl.xxxxxxx.log (the xxxxxxx will most likely be numbers). Copy and paste this log into your next reply.
Don't choose the "Rename" option yet! We want to see the log first, because legitimate files may be in the list, such as "wbemtest.exe".

Also post a new HjT log.
04/26/06 11:33:43 [Info]: BlackLight Engine 1.0.36 initialized
04/26/06 11:33:43 [Info]: OS: 5.1 build 2600 ()
04/26/06 11:33:44 [Note]: 7019 4
04/26/06 11:33:44 [Note]: 7005 0
04/26/06 11:33:46 [Note]: 7006 0
04/26/06 11:33:46 [Note]: 7011 1296
04/26/06 11:33:46 [Note]: 7026 0
04/26/06 11:33:46 [Note]: 7026 0
04/26/06 11:33:48 [Note]: FSRAW library version 1.7.1015
04/26/06 11:33:55 [Note]: 2000 1006
04/26/06 11:33:55 [Note]: 2000 1006
04/26/06 11:33:55 [Note]: 2000 1006
04/26/06 11:34:24 [Note]: 7007 0

Logfile of HijackThis v1.99.1
Scan saved at 11:35:10, on 26.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146032884670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146033045967
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
A very persistent case. Next attempt:

Download WinPFind from here: http://www.bleepingcomputer.com/files/winpfind.php
Extract the zip into the c:\WinPFind folder.
Boot into Safe Mode (F8 during startup).
Double-click WinPFind.exe.
Press the Start Scan button.
Wait until it says it's finished and its log opens.
Then reboot back into normal mode and post the contents of c:\WinPFind\WinPFind.txt here.
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PECompact2 6.4.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6.4.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 9.10.2001 12:00:00 41113 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 9.10.2001 12:00:00 634368 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9.10.2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PEC2 26.1.2006 20:36:02 574976 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 26.1.2006 20:36:02 574976 C:\WINDOWS\SYSTEM32\DivX.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 21.3.2006 13:45:16 1022432 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack 21.3.2006 13:45:16 1022432 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
21.3.2006 13:02:02 RH 749 C:\WINDOWS\WindowsShell.Manifest
26.4.2006 11:50:04 S 2048 C:\WINDOWS\bootstat.dat
21.3.2006 13:02:02 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
21.3.2006 13:02:02 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
21.3.2006 13:02:02 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
21.3.2006 13:02:02 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
21.3.2006 13:02:08 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
21.3.2006 13:02:08 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
21.3.2006 13:02:02 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
26.4.2006 11:47:52 H 806912 C:\WINDOWS\system32\config\system.LOG
26.4.2006 11:47:52 H 114688 C:\WINDOWS\system32\config\software.LOG
26.4.2006 11:47:52 H 8192 C:\WINDOWS\system32\config\default.LOG
21.3.2006 12:54:02 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
21.3.2006 12:54:00 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
26.4.2006 11:50:12 H 1024 C:\WINDOWS\system32\config\SAM.LOG
26.4.2006 11:50:04 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
26.4.2006 9:51:22 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
21.3.2006 12:55:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
21.3.2006 13:02:24 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\Sivuhistoria\desktop.ini
21.3.2006 13:02:24 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\desktop.ini
21.3.2006 13:02:24 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
21.3.2006 13:02:24 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
21.3.2006 13:02:24 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L2QG5MRD\desktop.ini
21.3.2006 13:02:24 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5IVOSFTH\desktop.ini
21.3.2006 13:02:24 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EEPWJWW8\desktop.ini
21.3.2006 13:02:24 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SLYJG12V\desktop.ini
21.3.2006 12:55:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\desktop.ini
21.3.2006 13:02:58 HS 196 C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\desktop.ini
21.3.2006 13:02:58 HS 506 C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\Apuohjelmat\desktop.ini
21.3.2006 13:02:58 HS 84 C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\Apuohjelmat\Viihde\desktop.ini
21.3.2006 13:02:58 HS 303 C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\Apuohjelmat\Helppokäyttötoiminnot\desktop.ini
21.3.2006 13:02:58 HS 84 C:\WINDOWS\system32\config\systemprofile\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini
21.3.2006 13:02:08 HS 180 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
21.3.2006 12:55:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
26.4.2006 9:29:18 RHS 13695 C:\WINDOWS\system32\Restore\filelist.xml
24.3.2006 17:53:28 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8928b755-88c9-49be-ab8b-89fee28b31a2
24.3.2006 17:53:28 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
25.3.2006 17:43:52 H 69 C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini
21.3.2006 13:03:00 H 237568 C:\WINDOWS\repair\ntuser.dat
26.4.2006 9:29:14 H 0 C:\WINDOWS\inf\oem13.inf
21.3.2006 13:02:40 HS 67 C:\WINDOWS\Fonts\desktop.ini
26.4.2006 11:47:52 H 6 C:\WINDOWS\Tasks\SA.DAT
21.3.2006 13:02:22 RHS 243324 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
21.3.2006 13:02:22 RHS 20149 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
21.3.2006 13:02:22 RHS 751 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
21.3.2006 13:02:08 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
21.3.2006 13:02:08 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini

Checking for CPL files...
Microsoft Corporation 9.10.2001 12:00:00 130048 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9.10.2001 12:00:00 558592 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 9.10.2001 12:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 9.10.2001 12:00:00 295936 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9.10.2001 12:00:00 119808 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 9.10.2001 12:00:00 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 9.10.2001 12:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 9.10.2001 12:00:00 561152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9.10.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9.10.2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9.10.2001 12:00:00 37376 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 9.10.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 9.10.2001 12:00:00 109568 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 9.10.2001 12:00:00 271360 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9.10.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 9.10.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 9.10.2001 14:00:00 67584 C:\WINDOWS\SYSTEM32\access.cpl
Trend Micro Inc. 27.10.2003 15:38:54 106496 C:\WINDOWS\SYSTEM32\PCCSet.cpl
Sun Microsystems, Inc. 10.11.2005 13:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 26.5.2005 4:16:30 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9.10.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 9.10.2001 14:00:00 67584 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 9.10.2001 12:00:00 558592 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 9.10.2001 12:00:00 37376 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 9.10.2001 12:00:00 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 9.10.2001 12:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 9.10.2001 12:00:00 295936 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 9.10.2001 12:00:00 119808 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 9.10.2001 12:00:00 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 9.10.2001 12:00:00 561152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 9.10.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9.10.2001 12:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9.10.2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 9.10.2001 14:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 9.10.2001 12:00:00 109568 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 9.10.2001 12:00:00 271360 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 9.10.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 9.10.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
21.3.2006 13:02:58 HS 84 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
21.3.2006 12:55:20 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
21.3.2006 13:02:58 HS 84 C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
21.3.2006 12:55:20 HS 62 C:\Documents and Settings\Järjestelmänvalvoja\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
  {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\moveonboot_delete
  {12B23346-6BD8-4812-BF8C-75E7C386ACB8} = C:\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
  {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
  = C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
  Käynnistä-valikon nasta = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
  = C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
  {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
  {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
  = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
  AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
  = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
  SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
  &Päivän vihje = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
  {8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
  MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
  Media-palkki = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
  {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Lähiosoite : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  VTTimer VTTimer.exe
  pccguide.exe "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
  PCCClient.exe "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
  Pop3trap.exe "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
  RaidTool C:\Program Files\VIA\RAID\raid_tool.exe
  SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
  NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
  Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
  CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
  {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
  {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
  {0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  dontdisplaylastusername 0
  legalnoticecaption
  legalnoticetext
  shutdownwithoutlogon 1
  undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
  CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
  WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
  SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  UserInit = C:\WINDOWS\system32\userinit.exe,
  Shell = Explorer.exe
  System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
  Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
  AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 26.4.2006 11:55:56

And now I have to go off to work too.. Continuing in the evening =)
Nothing shows up there either. Let's try it this way:

Fix this line:
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169

Then get CCleaner -> http://www.ccleaner.com and install it.
Start CCleaner.
Cleaner tab, and under it the Windows tab. Tick these (all items): Internet Explorer browser, Operating system.
Applications tab: tick (all items) Firefox/Mozilla.
Click Analyze and, when it's done, click Run Cleaner.

Unplug the network cable.
Start -> Accessories -> Command Prompt
At the command prompt type ipconfig /flushdns and press Enter.
Reboot. Plug the network cable back in and post a new HjT log.
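The O17 line the helper keeps pointing at is HijackThis's rendering of the NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID} (HJT abbreviates CurrentControlSet to CCS and Parameters\Interfaces to ".."). That value is the statically configured resolver list and wins over the DHCP-supplied DhcpNameServer value, which is why the box keeps asking the 85.255.x.x servers no matter what the ISP hands out. The script below is an added example, not code from this thread or from HijackThis: it pulls O17 lines out of saved HJT logs, flags resolvers in a hostile range, and compares two logs so that a value which comes back after a fix (as it did between the 8:56 and 10:45 logs above) lands in a "returned" bucket instead of having to be spotted by eye. The sample logs inside it are constructed for the example; the GUID {F9C05E90-...} and the two 85.255.x.x addresses are the ones in this thread, while the second GUID, the 192.168.1.1 resolver and the Domain line are made up. Treating the whole 85.255.112.0/20 as hostile is an assumption of the example, since the thread only names the two addresses.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Resolver ranges treated as hostile.  The thread only names
# 85.255.116.100 and 85.255.112.169; using the surrounding /20 is an
# assumption of this example so sibling addresses are caught as well.
ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis prints one O17 line per DNS-related value it finds under
# HKLM\SYSTEM\<ControlSet>\Services\Tcpip\Parameters and its
# Interfaces\{GUID} sub-keys; CCS is CurrentControlSet, ".." stands for
# "Parameters\Interfaces".  The address list is comma- or
# space-separated (this thread shows both forms), so accept either.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<key>[^:]+):\s*(?P<name>\w+)\s*=\s*(?P<value>.*?)\s*$"
)


def parse_o17(log_text: str) -> List[Dict[str, object]]:
    """One record per O17 line: control set, registry key, value name, servers."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "controlset": m.group("cs"),
            "key": m.group("key"),
            "name": m.group("name"),
            "servers": [s for s in re.split(r"[,\s]+", m.group("value")) if s],
        })
    return records


def is_rogue(server: str) -> bool:
    """True when the address lies in one of ROGUE_RANGES; non-IPs never match."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_RANGES)


def rogue_entries(log_text: str) -> Set[Tuple[str, str]]:
    """All (registry key, rogue resolver) pairs found in one HJT log."""
    found = set()
    for rec in parse_o17(log_text):
        if rec["name"] != "NameServer":   # Domain / SearchList lines are not resolvers
            continue
        for server in rec["servers"]:
            if is_rogue(server):
                found.add((rec["key"], server))
    return found


def compare_logs(earlier: str, later: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Split rogue pairs into cleared / persisted / returned between two logs.

    A pair in 'returned' was absent from the earlier log and is back in the
    later one: the value was re-written after it had been removed, which is
    the pattern in this thread and means the fix only treated a symptom.
    """
    old, new = rogue_entries(earlier), rogue_entries(later)
    return {"cleared": old - new, "persisted": old & new, "returned": new - old}


# Constructed sample logs (O17 lines only).  The first GUID and the two
# 85.255.x.x addresses are the ones in this thread; the second GUID,
# 192.168.1.1 and the Domain line are made up for the example.
HIJACKED = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100,85.255.112.169
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: Domain = lan.example
"""
CLEANED = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""
RELAPSED = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    steps = {"fix": (HIJACKED, CLEANED), "relapse": (CLEANED, RELAPSED)}
    for label, (a, b) in steps.items():
        for bucket, pairs in compare_logs(a, b).items():
            for key, server in sorted(pairs):
                print(f"{label}: {bucket} {key} {server}")
```

To use it on real logs, read two saved HJT logs into strings and pass them to compare_logs() in chronological order. Anything in "returned" means deleting the value again is pointless until whatever re-writes it (a driver, service or scheduled task that the tools used in this thread did not surface) is found. Check the global Tcpip\Parameters key and the other control sets as well: HJT prints them as separate O17 lines, and parse_o17() keeps the control set in each record so they can be told apart.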
Alright, here's the log again:

Logfile of HijackThis v1.99.1
Scan saved at 20:26:57, on 26.4.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146032884670
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146033045967
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C05E90-78BC-463F-BB2F-E79D9FD5CB29}: NameServer = 85.255.116.100 85.255.112.169
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
