Here it is, help please:

Logfile of HijackThis v1.99.1
Scan saved at 20:11:56, on 4.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mfcgh32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\mfcex32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {00DD6309-C35E-7ACF-CE4F-6C92538A0A8D} - C:\WINDOWS\crzs.dll
O2 - BHO: Class - {2CA0B67D-538E-0F30-8CD3-19E8BA8A6ED7} - C:\WINDOWS\d3pd32.dll (file missing)
O2 - BHO: Class - {34A8C882-0B85-48F6-9143-61D261C5D1D1} - C:\WINDOWS\d3bt32.dll
O2 - BHO: Class - {4CBB3371-E1F0-A8EF-E2A5-EB195BB5D345} - C:\WINDOWS\atlcf32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {5E68547D-3521-2E5F-8F99-405AAF02E50F} - C:\WINDOWS\system32\mszx32.dll
O2 - BHO: Class - {6E15F4D5-4588-FA6E-9B33-7152B249E5A0} - C:\WINDOWS\system32\sysnk.dll
O2 - BHO: Class - {73676454-A932-7669-B377-AC3A0147A262} - C:\WINDOWS\addvq32.dll
O2 - BHO: Class - {74F3A188-8A46-3C99-8A0F-007ABA7079D6} - C:\WINDOWS\system32\d3qq32.dll
O2 - BHO: Class - {8A3B9E3A-2086-802E-5A0D-4D19B46D64E0} - C:\WINDOWS\system32\netne.dll
O2 - BHO: Class - {C266F854-DEAC-B9CC-2125-49FEDCDC42B2} - C:\WINDOWS\winwz.dll
O2 - BHO: Class - {D3B84570-2079-8EDD-541C-21F6A4481CA3} - C:\WINDOWS\system32\ipas.dll
O2 - BHO: Class - {D75899FB-CB87-FC4D-A477-72074618F72C} - C:\WINDOWS\system32\javaxc32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [mfcex32.exe] C:\WINDOWS\system32\mfcex32.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [sdklz32.exe] C:\WINDOWS\sdklz32.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcgh32.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\JAMPPA\LOCALS~1\TEMP\_VWUPSRV.EXE
Make hidden files visible -> http://keskustelu.afterdawn.com/thread_view.cfm/248944

Get CWShredder from here -> http://www.intermute.com/spysubtract/cwshredder_download.html
Update it, but don't use it yet.

Get AboutBuster -> http://koti.mbnet.fi/pattaya1/aboutbuster.htm , update it, but don't use that yet either.

Just in case, get Registrar Lite -> http://www.resplendence.com/reglite/ and install it into the folder C:\Program Files\RegLite\ .

Download and install Ewido -> http://www.ewido.net/en/download/
Update it, but don't use it yet.

Get HSfix -> http://users.telenet.be/marcvn/regfiles/HSfix.zip . Double-click HSfix.zip and it will extract itself onto the desktop into a folder called HSfix. Don't use that yet either.

Boot into Safe Mode (F8 during startup).

Kill these processes from the file manager:
mfcgh32.exe
mfcex32.exe

Delete the following files:
C:\WINDOWS\szpbq.dll
C:\WINDOWS\d3pd32.dll
C:\WINDOWS\atlcf32.dll
C:\WINDOWS\crzs.dll
C:\WINDOWS\system32\mszx32.dll
C:\WINDOWS\system32\sysnk.dll
C:\WINDOWS\addvq32.dll
C:\WINDOWS\system32\d3qq32.dll
C:\WINDOWS\system32\netne.dll
C:\WINDOWS\winwz.dll
C:\WINDOWS\system32\ipas.dll
C:\WINDOWS\system32\javaxc32.dll
C:\WINDOWS\system32\mfcex32.exe
C:\WINDOWS\sdklz32.exe
C:\WINDOWS\mfcgh32.exe

Then close all programs and start HijackThis.
Check these and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {00DD6309-C35E-7ACF-CE4F-6C92538A0A8D} - C:\WINDOWS\crzs.dll
O2 - BHO: Class - {2CA0B67D-538E-0F30-8CD3-19E8BA8A6ED7} - C:\WINDOWS\d3pd32.dll (file missing)
O2 - BHO: Class - {34A8C882-0B85-48F6-9143-61D261C5D1D1} - C:\WINDOWS\d3bt32.dll
O2 - BHO: Class - {4CBB3371-E1F0-A8EF-E2A5-EB195BB5D345} - C:\WINDOWS\atlcf32.dll
O2 - BHO: Class - {5E68547D-3521-2E5F-8F99-405AAF02E50F} - C:\WINDOWS\system32\mszx32.dll
O2 - BHO: Class - {6E15F4D5-4588-FA6E-9B33-7152B249E5A0} - C:\WINDOWS\system32\sysnk.dll
O2 - BHO: Class - {73676454-A932-7669-B377-AC3A0147A262} - C:\WINDOWS\addvq32.dll
O2 - BHO: Class - {74F3A188-8A46-3C99-8A0F-007ABA7079D6} - C:\WINDOWS\system32\d3qq32.dll
O2 - BHO: Class - {8A3B9E3A-2086-802E-5A0D-4D19B46D64E0} - C:\WINDOWS\system32\netne.dll
O2 - BHO: Class - {C266F854-DEAC-B9CC-2125-49FEDCDC42B2} - C:\WINDOWS\winwz.dll
O2 - BHO: Class - {D3B84570-2079-8EDD-541C-21F6A4481CA3} - C:\WINDOWS\system32\ipas.dll
O2 - BHO: Class - {D75899FB-CB87-FC4D-A477-72074618F72C} - C:\WINDOWS\system32\javaxc32.dll (file missing)
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [mfcex32.exe] C:\WINDOWS\system32\mfcex32.exe
O4 - HKLM\..\Run: [sdklz32.exe] C:\WINDOWS\sdklz32.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcgh32.exe

Then Start -> Run -> services.msc -> OK -> find Network Security Service in the list -> double-click it and set the startup type to "Disabled".

Go to the HSfix folder. Double-click HSfix.reg and press Yes.

CLOSE ALL WINDOWS except CWShredder. Run the program by pressing Fix and let it fix everything it finds.

Scan with AboutBuster twice and save the log.

Scan with Ewido and let it remove whatever it finds. Save the log and post it here.

Reboot the computer normally.

Post the HijackThis, AboutBuster and Ewido logs.

You've got other stuff in the log too (SmitFraud), but that about:blank thing has to be dealt with first.
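The reply above picks the about:blank hijacker entries out of the log by eye. The script below is an added example, not code from the thread or from HijackThis, that turns the same indicators into heuristics run over HijackThis log lines: R0/R1 values redirected into a local DLL through res://, BHOs named only "Class" loading from C:\WINDOWS, Run entries labelled as a Microsoft/system component or labelled with nothing but their own file name, and O23 services whose short name is garbled or whose owner is unknown and whose binary sits directly in the Windows root. The sample lines are copied from the posted log, with Spybot's SDHelper and NVIDIA's service kept as known-good controls; the heuristics, function names and "reason" wording are my assumptions, and the output is a triage aid for a log reader, not a verdict.

```python
"""Triage a HijackThis log for the about:blank hijack indicators seen in the thread.

Added example; the heuristics are assumptions derived from the posted log,
not HijackThis' own logic."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Constructed sample: entries copied from the posted log, plus two
# legitimate entries (Spybot's SDHelper, NVIDIA's service) as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\szpbq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Class - {00DD6309-C35E-7ACF-CE4F-6C92538A0A8D} - C:\WINDOWS\crzs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sdklz32.exe] C:\WINDOWS\sdklz32.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcgh32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Line shapes of the HijackThis sections we look at.
R_ENTRY = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?: \(file missing\))?$")
O4_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_ENTRY = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<short>[^()]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
# A file directly in C:\WINDOWS (not in a subfolder such as System32).
WINDOWS_ROOT = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def command_path(cmd):
    """Return the program path from a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def executable_name(cmd):
    """Bare file name of the program a Run-key command line starts."""
    return command_path(cmd).rsplit("\\", 1)[-1]


def reasons_for(line):
    """Return the list of heuristic hits for one log line (empty if clean)."""
    hits = []
    if m := R_ENTRY.match(line):
        value = m.group("value").lower()
        if value.startswith("res://") and ".dll" in value:
            hits.append("IE start/search page redirected into a local DLL resource")
    elif m := O2_ENTRY.match(line):
        if m.group("name") == "Class" and m.group("path").lower().startswith("c:\\windows\\"):
            hits.append("BHO with generic 'Class' name loading from the Windows directory")
    elif m := O4_ENTRY.match(line):
        label, cmd = m.group("label"), m.group("cmd")
        if re.search(r"\b(microsoft|system)\b", label, re.IGNORECASE):
            hits.append("Run entry labelled as a Microsoft/system component")
        if label.lower() == executable_name(cmd).lower():
            hits.append("Run entry whose label is just its own executable name")
        if WINDOWS_ROOT.match(command_path(cmd)):
            hits.append("Run entry starting a program from the Windows root")
    elif m := O23_ENTRY.match(line):
        if not re.fullmatch(r"[A-Za-z0-9 ._-]*", m.group("short")):
            hits.append("service short name contains garbled/non-ASCII characters")
        if m.group("owner") == "Unknown owner" and WINDOWS_ROOT.match(m.group("path")):
            hits.append("service with unknown owner running from the Windows root")
    return hits


def triage(text):
    """Run every heuristic over a HijackThis log; one Finding per flagged line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hits = reasons_for(line)
        if hits:
            findings.append(Finding(line.split(" ", 1)[0], "; ".join(hits), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full posted log, the same rules pick up every R0/R1, O2 and O23 entry in the reply's fix list; the about:blank Default_Page_URL line and the gcasDtServ entry are not caught by these heuristics, which is a reminder that a log triage script narrows the reading, it does not replace it.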