I installed Daemon Tools and a couple of video playback programs, and then ewido and a-squared found quite a lot of malware. Here is the ewido log first:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:56:02, 3.3.2006
+ Report-Checksum: 32D42332

+ Scan result:

D:\Ohjelmat\CrackSearcher.exe -> Not-A-Virus.HackTool.Win32.CrackSearch.a : Ignored
D:\Ohjelmat\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Ignored
D:\Ohjelmat+Pelit\CrackSearcher.exe -> Not-A-Virus.HackTool.Win32.CrackSearch.a : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners\BSPL -> Adware.SaveNow : Cleaned with backup
[3704] C:\Program Files\Save\Save.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\sammakko\Käynnistä-valikko\Ohjelmat\WhenU -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\sammakko\Käynnistä-valikko\Ohjelmat\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\sammakko\Käynnistä-valikko\Ohjelmat\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\sammakko\Käynnistä-valikko\Ohjelmat\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\sammakko\Käynnistä-valikko\Ohjelmat\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\ACM.dll -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.cch -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\Save.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.htm -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\SaveUninst.exe -> Adware.SaveNow : Cleaned with backup

::Report End

Here is the a-squared log:

C:\Program Files\save  Trace.Directory.WhenUSave
C:\Program Files\save\save.db  Trace.File.WhenUSave
C:\Program Files\save\save.exe  Trace.File.WhenUSave
C:\Program Files\save\save.htm  Trace.File.WhenUSave
C:\Program Files\save\saveuninst.exe  Trace.File.WhenUSave
Key: HKEY_CLASSES_ROOT\wusn.1  Trace.Registry.WhenUSave
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\whenusavemsg  Trace.Registry.WhenUSave
Key: HKEY_LOCAL_MACHINE\software\whenusave  Trace.Registry.WhenUSave
C:\Program Files\save  Trace.Directory.WhenUSave
Key: HKEY_CLASSES_ROOT\acm.acmfactory.1  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\acm.acmfactory  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\appid\acm.dll  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\interface\{43382522-a846-46f4-ac57-1f71ae6e1086}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\interface\{72a836d1-bc00-43c0-a941-17960e4fb842}  Trace.Registry.WhenU.SaveNow
Value: HKEY_CLASSES_ROOT\wusn.1 --> wusn_id  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\wusn.1  Trace.Registry.WhenUSave
Value: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run --> whenusave  Trace.Registry.WhenUSave
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\whenusavemsg  Trace.Registry.WhenUSave
Key: HKEY_LOCAL_MACHINE\software\whenusave  Trace.Registry.WhenUSave
Value: HKEY_LOCAL_MACHINE\software\whenusave --> zip  Trace.Registry.WhenUSave
Key: HKEY_CLASSES_ROOT\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}  Trace.Registry.WhenUSearch
C:\Program Files\save  Trace.Directory.WhenUSave
Key: HKEY_CLASSES_ROOT\acm.acmfactory.1  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\acm.acmfactory  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\appid\acm.dll  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\interface\{43382522-a846-46f4-ac57-1f71ae6e1086}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0}  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\interface\{72a836d1-bc00-43c0-a941-17960e4fb842}  Trace.Registry.WhenU.SaveNow
Value: HKEY_CLASSES_ROOT\wusn.1 --> wusn_id  Trace.Registry.WhenU.SaveNow
Key: HKEY_CLASSES_ROOT\wusn.1  Trace.Registry.WhenUSave
Value: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run --> whenusave  Trace.Registry.WhenUSave
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\whenusavemsg  Trace.Registry.WhenUSave
Key: HKEY_LOCAL_MACHINE\software\whenusave  Trace.Registry.WhenUSave
Value: HKEY_LOCAL_MACHINE\software\whenusave --> zip  Trace.Registry.WhenUSave
Key: HKEY_CLASSES_ROOT\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}  Trace.Registry.WhenUSearch
C:\Program Files\Save\SaveUninst.exe  Adware.Win32.SaveNow.bt
D:\Ohjelmat\CrackSearcher.exe  HackTool.Win32.CrackSearch.a
D:\Ohjelmat\DAEMON Tools\SetupDTSB.exe  Adware.SaveNow.bo
D:\Ohjelmat+Pelit\CrackSearcher.exe  HackTool.Win32.CrackSearch.a

And finally the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:58, on 3.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Ohjelmat\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Ohjelmat\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Ohjelmat\SpywareGuard\sgbhp.exe
D:\Ohjelmat\BitComet\BitComet.exe
D:\Ohjelmat\EVEREST Home Edition\everest.bin
D:\Ohjelmat\Hide IP Platinum\hideippla.exe
D:\Ohjelmat\DAEMON Tools\daemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Ohjelmat\iTunes\iTunesHelper.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Ohjelmat\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.174.106:553
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Ohjelmat\SpywareGuard\dlprotect.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Ohjelmat\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /S
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Ohjelmat\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "D:\Ohjelmat\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - Startup: SpywareGuard.lnk = D:\Ohjelmat\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139245601871
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139246669029
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - D:\Ohjelmat\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
So the WhenUSave adware has clearly paid your machine a visit. Nothing unusual shows in the HJT log (I assume you set the proxy server address 219.93.174.106:553 yourself). Also check with Add/Remove Programs whether WhenUSave appears in the program list. If it does, uninstall it. Delete the following directories as well, if they exist:

C:\Program Files\[bold]Save[/bold]
C:\Program Files\Common Files\[bold]WhenU[/bold]
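As an added example, not part of the thread and not a HijackThis feature: a small Python triage pass over a constructed subset of the HJT log above. It flags the same things the helper looked at (the R1 proxy setting, orphaned O9 entries, the unknown O10 LSP, O16 ActiveX downloads from hosts other than Microsoft's update servers) plus any O4 autostart entry matching the WhenUSave artefacts listed in the ewido and a-squared logs. The sample lines are constructed from the posted log; the HKCU Run line for whenusave is assumed from the a-squared trace (it was already cleaned before HJT ran), and the indicator and trusted-host lists are assumptions, not anything from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted above, plus one
# assumed O4 line reconstructed from the a-squared "run --> whenusave" trace.
SAMPLE_HJT_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.174.106:553",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,",
    r"O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Ohjelmat\SpywareGuard\dlprotect.dll",
    r'O4 - HKLM\..\Run: [DAEMON Tools] "D:\Ohjelmat\DAEMON Tools\daemon.exe" -lang 1033',
    r'O4 - HKCU\..\Run: [whenusave] "C:\Program Files\Save\Save.exe"',  # assumed line
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139245601871",
    r"O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab",
]

# Assumed indicator list, taken from the WhenUSave/SaveNow paths and registry
# names that ewido and a-squared reported (lower-case substrings).
ADWARE_INDICATORS = ("whenusave", "savenow", "whenu", r"\program files\save\\")

# Assumed allowlist: O16 downloads from these hosts are not flagged.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "windowsupdate.com")

HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def _host_of(text):
    """Hostname of the first http(s) URL in an HJT line, or None."""
    m = re.search(r"https?://\S+", text)
    return urlparse(m.group(0)).hostname.lower() if m else None


def _trusted(host):
    # Exact match or a subdomain; avoids "notwindowsupdate.com" slipping through.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(lines):
    """Return (section, reason, detail) tuples for lines worth a second look."""
    findings = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, blank lines and the 'Running processes' block
        sec, body = m.group(1), m.group(2)
        low = body.lower()
        if sec == "R1" and "proxyserver" in low:
            value = body.split("=", 1)[1].strip()
            if value:  # an empty ProxyServer value is the normal state
                findings.append((sec, "proxy server set; confirm you configured it", value))
        elif sec == "O4" and any(ind in low for ind in ADWARE_INDICATORS):
            findings.append((sec, "autostart entry matches known adware artefact", body))
        elif sec in ("O2", "O3", "O9") and "(file missing)" in low:
            findings.append((sec, "orphaned entry pointing at a missing file", body))
        elif sec == "O10" and "unknown file" in low:
            findings.append((sec, "Winsock LSP not in the HJT database; identify the DLL", body))
        elif sec == "O16":
            host = _host_of(body)
            if host and not _trusted(host):
                findings.append((sec, "ActiveX download from a host outside the allowlist", host))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_HJT_LINES):
        print(f"{sec:4} {reason}: {detail}")
```

The O16 hit on the Housecall scanner is expected: the pass only says the host is not on the allowlist, and the helper in the thread would recognise it as the online scanner the poster ran. The point is that the R1 proxy line is the one entry a reviewer cannot judge from the log alone, which is why the reply above asks whether it was set on purpose.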
Hopefully all of it went away with ewido and a-squared. I did set the proxy like that (I think). What about that Yahoo toolbar? Is it worth removing? As far as I remember I never had it before.
Did you find the directories I listed in my earlier post? The Yahoo toolbar doesn't contain any malware, so it is harmless.
You're welcome. Ewido and a-squared had already done almost the whole job for me. And yes, there is no point installing those toolbars if you don't need them.