HJT-loki

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by Reaktiivi, Nov 7, 2008.

  1. Reaktiivi

    Reaktiivi Member

    Joined:
    Nov 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Elikkäs terve vaan kaikille näin aluksi!

    Latasin tossa joku aika sitten jotain sekundaa koneelleni ja sain kaupanpäälle pari troijalaista, rpcnet.exe ja rpcnet.dll, minulla on Avira joka löysi ne ja luulin että poistikin, latasin eilen comodon koneeseen ja se löysi ne taas ja luulin taas että nyt ne lähti, mutta siellä ne jököttää missä ennenkin.

    Kummatkin noista on nyt comodon karanteeni-osastolla, tuolla lokissa näkyy ainakin tuo exe vissii, siellä lukee että (file missing), mitä se sitten meinaa? Sitäkö että se on karanteenissa.

    HjT herjasi jotain tämmöistä että se ei pääse, Hosts fileen ja alhaalla oli ohje Vistan käyttäjälle, että suorita järjestelmänvalvojana ja tein sen, tuo on nyt uusin loki.

    Tässä loki ja ajattelin että löytyisikö mitään muuta kiinnostavaa:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:57:05, on 7.11.2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Users\Make\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\windows\system32\igfxsrvc.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mobile Partner\Mobile Partner.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Make\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: &AOL-työkalurivi Haku - C:\ProgramData\AOL\ieToolbar\resources\fi-FI\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BA589AD1-A4F7-47CB-BC19-DB3D9A5CD508}: NameServer = 193.229.0.40 193.229.0.42
    O20 - AppInit_DLLs: C:\windows\system32\guard32.dll
    O20 - Winlogon Notify: DeviceNP - C:\windows\SYSTEM32\DeviceNP.dll
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Unknown owner - C:\windows\system32\rpcnet.exe (file missing)
    O23 - Service: rpcnetp - Unknown owner - C:\windows\System32\rpcnetp.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 8438 bytes
     
    Reaktiivi, Nov 7, 2008
    #1
  2. Reaktiivi

    Reaktiivi Member

    Joined:
    Nov 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Mikä tuo Gopher prefix on? Eikö gopher ole joku elukka?
    Tuo 023 on vissiin se onglma kohta, onko muuta?
    Ja miten fixata?
    Korjaako tuo HijackThis tuon ongelman?

    Kiitoksia kovasti jos joku vaivautuu auttamaan!

    Edit.
    Sitten huomasin että tuo comodo defense+ on blokannut tuon rcpnet.exen ja .dll:n yrityksiä joku 50kpl, tosin en ole varma onko se blokannut sen kun jos tuo Hjt on yritänyt tutkia niitä, siellä lukee, Application ja siinä se Hjt:n polku ja sitten Block File ja Target:na noita kahta edellä mainittua??

    Sitten näkyy, dllhost.exe, svchost.exe, explorer.exe ja samat lopputekstit, tarkoittaa tuo sitä että ne yrittää luikerrella koneelta ulos eri ohjelmien kautta?
    Vai onko mulla ruuvit löysällä?

    Ei nuo mitään kovin dramaattista ole aiheuttanut koneelle tietääkseni mutta kuokkavieraita kumminkin... :)
     
    Last edited: Nov 7, 2008
    Reaktiivi, Nov 7, 2008
    #2
  3. Reaktiivi

    Reaktiivi Member

    Joined:
    Nov 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Tein F-securen online scannerilla, skannauksen kahteen kertaan, ekalla kerralla löyty 5spywarea ja tokalla kiekalla 2 mitkä näkyy tuossa raportissa.

    Alempana on uusin Hjt-rapsa.

    Scanning Report
    Friday, November 07, 2008 18:44:50 - 20:03:07

    Computer name: MAKES
    Scanning type: Scan target for malware, rootkits
    Target: C:\Windows
    Result: 2 malware found
    TrackingCookie.Adtech (spyware)

    * System

    TrackingCookie.Advertising (spyware)

    * System

    Statistics
    Scanned:

    * Files: 63982
    * System: 3670
    * Not scanned: 64

    Actions:

    * Disinfected: 0
    * Renamed: 0
    * Deleted: 0
    * None: 2
    * Submitted: 0

    Files not scanned:

    �

    Options
    Scanning engines:

    * F-Secure USS: 2.40.0
    * F-Secure Hydra: 2.8.8110, 2008-11-07
    * F-Secure AVP: 7.0.171, 2008-11-07
    * F-Secure Pegasus: 1.20.0, 2008-09-22

    Scanning options:

    * Scan all files
    * Scan inside archives
    * Use Advanced heuristics


    Hjt-rapsa:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:20:29, on 7.11.2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Users\Make\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\windows\system32\igfxsrvc.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mobile Partner\Mobile Partner.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fi_fi&c=83&bd=all&pf=cmnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Make\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: &AOL-työkalurivi Haku - C:\ProgramData\AOL\ieToolbar\resources\fi-FI\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BA589AD1-A4F7-47CB-BC19-DB3D9A5CD508}: NameServer = 193.229.0.40 193.229.0.42
    O20 - AppInit_DLLs: C:\windows\system32\guard32.dll
    O20 - Winlogon Notify: DeviceNP - C:\windows\SYSTEM32\DeviceNP.dll
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Unknown owner - C:\windows\system32\rpcnet.exe (file missing)
    O23 - Service: rpcnetp - Unknown owner - C:\windows\System32\rpcnetp.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 8513 bytes
     
    Reaktiivi, Nov 7, 2008
    #3
  4. Reaktiivi

    Reaktiivi Member

    Joined:
    Nov 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

    Onko tämä siis troijalainen vai ei, tuon löysin eräästä toisesta threadista, vai onko mulla tuo "saastunut", vaikka muuten olisi normaali file?

    Antivir skannaus, scannasin nuo tietyt tiedostot, onkohan se vaihtanut nimeään kun noissa kahdessa on "p" ilmestynyt lisäksi, muita tiedostoja voin kyllä skannailla ihan normisti mutta nämä eivät suostu:

    Begin scan in 'C:\Windows\System32\rpcnetp.dll'
    C:\Windows\System32\rpcnetp.dll
    [WARNING] The file could not be opened!

    Begin scan in 'C:\Windows\System32\rpcnetp.exe'
    C:\Windows\System32\rpcnetp.exe
    [WARNING] The file could not be opened!

    Begin scan in 'C:\Windows\System32\rpcnet.exe'
    C:\Windows\System32\rpcnet.exe
    [WARNING] The file could not be opened!

    Begin scan in 'C:\Windows\System32\rpcnet.dll'
    C:\Windows\System32\rpcnet.dll
    [WARNING] The file could not be opened!


    Edit. Latasin tuon malware ohjelman mitä mainostetaan monessa postauksessa ja tulokset ovat puhtaat sen osalta...

    Malwarebytes' Anti-Malware 1.30
    Tietokantaversio: 1373
    Windows 6.0.6001 Service Pack 1

    8.11.2008 1:45:21
    mbam-log-2008-11-08 (01-45-21).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|D:\|)
    Tarkistetut kohteet: 167242
    Kulunut aika: 28 minute(s), 56 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 0
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 0

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    (Haitallisia kohteita ei löydetty)
     
    Last edited: Nov 7, 2008
    Reaktiivi, Nov 7, 2008
    #4
  5. Reaktiivi

    Reaktiivi Member

    Joined:
    Nov 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    http://www.security-forums.com/viewtopic.php?t=46452&sid=cb7ffa53d920f1b0f7b16cc95eb04c8b

    Tuolla on tuollainen juttu tuosta rcpnet.exe/.dll:stä.
    Tuo malware ohjelman skanneri pystyy avaamaan nuo fileet, toisin kuin avira, ja se sanoo että ei ole saastuneita.

    Voisiko joku enemmän tietävä kertoa, että onko mulla syytä olla huolissaan vai ei?

    Olisin erittäin kiitollinen avusta.

    Edit.

    Lähetin mailia sinne Absolute Software Corp. runkuille, saa nähdä mitä vastaavat, jos vastaavat.
     
    Last edited: Nov 8, 2008
    Reaktiivi, Nov 8, 2008
    #5

Share This Page