hjt log

Discussion in 'Viruses and malware' started by pygmi, Oct 18, 2005.

  1. pygmi

    Would someone mind checking my folks' log once more?
    Logfile of HijackThis v1.99.1
    Scan saved at 18:47:23, on 18.10.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://elisa.net/paketti/haku.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://elisa.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int102647.exe -auto
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Palvelut - {1A5312BE-1C79-4394-978F-D3BC67626AB8} - http://service.kolumbus.fi/ (file missing) (HKCU)
    O9 - Extra button: Tuki - {B842D918-B52B-4E24-91D1-C480A91F03AF} - http://tuki.elisa.net/ (file missing) (HKCU)
    O9 - Extra button: SMS-viesti - {D7F029CF-2D58-4628-B213-EDBCEE417706} - http://sms.kolumbus.fi/ (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
    O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
     
  2. Zipp2

    Check and Fix these:

    O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int102647.exe -auto

    Then boot into Safe Mode and delete this if it is there:

    C:\Program Files\websx\ < folder
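    The triage Zipp2 did by eye can be written down as a small script. The block below is an added example for this thread, not code from the original posts or from HijackThis itself. It parses HJT v1.99-style lines and applies the same two rules Zipp2 used (an O2 BHO whose body ends in "(no file)", and an O4 Run entry whose name is not on a known-good list), plus two bookkeeping checks: O23 services whose binary is reported "(file missing)" and O10 LSP lines collapsed per DLL. The known-good Run names are an assumption built only from the log in this thread, not a vetted database, and the sample log is a constructed subset of the log above.

```python
"""Rule-based triage of HijackThis (HJT) v1.99 log lines.

Added example for this thread; not a tool from the original posts or from HJT.
Heuristics mirror Zipp2's two "Fix" items and add two bookkeeping checks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int102647.exe -auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
O10 - Unknown file in Winsock LSP: c:\norman\nvc\bin\normanpf.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Every HJT finding starts with a section code (R0-R3 or Onn) followed by " - ".
HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O4 body: HKLM\..\Run: [Name] command line
RUN_ENTRY = re.compile(r"^(HK(?:LM|CU))\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# ASSUMPTION: Run-key names from this thread's log that map to identifiable
# software (Intel graphics tray, EPSON monitor, Sygate, avast!, Windows parts).
KNOWN_RUN_NAMES = {"IgfxTray", "HotKeysCmds", "EPSON Stylus Photo RX420 Series",
                   "SmcService", "avast!", "CTFMON.EXE", "MSMSGS"}


@dataclass
class Entry:
    code: str  # section code, e.g. "O4"
    body: str  # text after "O4 - "


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per finding line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry], known_run=KNOWN_RUN_NAMES) -> Dict[str, object]:
    """Apply the thread's rules and return what to Fix and what is only stale."""
    fix: List[tuple] = []
    stale_services: List[str] = []
    lsp_dlls: Dict[str, int] = {}
    for e in entries:
        if e.code == "O2" and e.body.endswith("(no file)"):
            # CLSID registered but the DLL is gone: orphan, safe to Fix.
            fix.append((e.code, e.body, "BHO registration points to no file"))
        elif e.code == "O4":
            m = RUN_ENTRY.match(e.body)
            if m and m.group(2) not in known_run:
                fix.append((e.code, e.body,
                            f"Run entry [{m.group(2)}] not on known-good list"))
        elif e.code == "O23" and e.body.endswith("(file missing)"):
            # Service registration left behind after an uninstall or move.
            stale_services.append(e.body)
        elif e.code == "O10":
            # HJT prints one O10 line per Winsock catalog entry the DLL holds,
            # so collapse repeats and count them per DLL.
            dll = e.body.rsplit(": ", 1)[-1].lower()
            lsp_dlls[dll] = lsp_dlls.get(dll, 0) + 1
    return {"fix": fix, "stale_services": stale_services, "lsp_dlls": lsp_dlls}


if __name__ == "__main__":
    report = triage(parse_hjt(SAMPLE_LOG))
    for code, body, why in report["fix"]:
        print(f"FIX   {code}: {body}\n      ({why})")
    for body in report["stale_services"]:
        print(f"STALE O23: {body}")
    for dll, n in report["lsp_dlls"].items():
        print(f"LSP   {dll} x{n}")
```

    Note what the script does not do: HJT "Fix checked" only removes the registry value, so the binary under C:\Program Files\websx\ still has to be deleted by hand, which is why the advice above continues with Safe Mode. Likewise the fourteen identical O10 lines in the full log are one DLL occupying fourteen Winsock catalog slots, not fourteen separate findings, and "(file missing)" on an O23 line means a leftover service registration rather than an infection.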


     
  3. pygmi

    Right then. I finally made it back to my folks' place to fix their computer. I made the necessary changes from the log (thanks a lot) and got rid of all the junk.

    However, a bar has started flashing in the lower right corner of the screen with the following text:
    An application named NT Ydin & järjestelmä [NT Kernel & System] (file name ntoskrnl.exe) has been blocked from accessing the network.

    The firewall is Sygate. I scanned that file, and the rest of the computer, with Avast and it didn't really find anything. Even if I allow that NT Kernel & System to access the internet in Sygate, that notification still appears in the lower corner. It shows up maybe once every half hour to once an hour.

    Actually, I'm not sure whether that notification comes from Windows' own firewall, since it is also running alongside.

    What exactly is that NT Kernel & System, and how do I get rid of the flashing? Does anyone have a clue? I'm counting on you guys ;)
     
  4. Disa-

  5. pygmi

    It didn't find anything. Actually, I don't know if I'm even looking at the right file, because the file trying to get online is ntoskrnl.exe and the only thing even close to it that I can find is ntoskrnl.ex_

    So I can't find that file anywhere on the whole computer.
     
