HI! What do you make of this? Problems installing a new antivirus and removing the old one. The machine crashes every now and then. Do I have to format, or is there some other solution?

Logfile of HijackThis v1.99.1
Scan saved at 22:25:01, on 13.2.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS.1\System32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uku.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS.1\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google-haku - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Käännä englanninkielinen sana - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Linkit taaksepäin - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Samankaltaisia sivuja - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Välimuistissa oleva kuvakaappaus sivusta - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138050198703
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.1\system32\NavLogon.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: hpdj - HP - C:\DOCUME~1\JARNO~1.JAR\LOCALS~1\Temp\hpdj.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (file missing)
Those O20 lines look like baddies, but let's not do anything at all until an expert gets to check the log. We'll see whether I can even interpret those logs a little these days, having seen a fair number of them. So don't do anything yet. Wait for the expert!
Yep. The machine has all kinds of "nasties" on it, e.g. Trojan horse IRC/Backdoor.Sdbot.72.AC, but I can't get them removed before the machine crashes. DAMN!
According to this, that Sockspy.dll would be part of the BitDefender antivirus: http://www.neuber.com/taskmanager/process/sockspy.dll.html and Navlogon.dll in turn would be Norton's: http://www.processlibrary.com/directory/files/NavLogon/ They caught my eye right away too, but according to those links they don't seem to be baddies after all. There were quite a lot of those "file missing" entries in there, which could probably be removed, but do wait for some expert to confirm first. By the way, have you tried a program called Ewido, in case it could do something about those viruses? Here's the online version, which should also be able to clean: http://www.ewido.net/en/onlinescan/

This is most likely at least one of the trojans present:
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
http://www.greatis.com/appdata/d/w/winmon32.exe.htm
With EWIDO I got rid of a pile of TrackingCookies. I had to stop the scan partway, though, because the machine always crashed "on the home stretch". The goal would be to get Symantec Client Security (antivirus + firewall) installed and the other clutter removed.
Fix this with HjT:
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
And do scan with Ewido: http://keskustelu.afterdawn.com/thread_view.cfm/269186 Follow the instructions and post its report here.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:36:19, 14.2.2006
+ Report-Checksum: E0A98410

+ Scan result:
No infected objects found.

::Report End
Make hidden files visible, instructions -> http://keskustelu.afterdawn.com/thread_view.cfm/248944 See if you can find that "winmon32.exe" in this folder: C:\WINDOWS.1\system32\ If it's there, delete it. It may require deletion in Safe Mode if it won't go otherwise. (You get to Safe Mode by tapping F8 during startup until a menu opens, from which you choose Safe Mode.) If the file isn't in that folder, use Windows' own Search function to locate it.
Well, then I guess it isn't on the machine.... Still, do one more scan with eScan > http://koti.mbnet.fi/pattaya1/escanmwav.htm Install and update it and set the settings according to the instructions. Copy the nasty findings from the lower box here (instructions on the site).
The machine crashes after a good hour of scanning in Safe Mode. By then, Total number of errors = 30. The upper box shows errors like these:

Tue Feb 14 21:02:10 2006 => ***** Scanning Service Files *****
Tue Feb 14 21:02:10 2006 => Scanning HKLM\SYSTEM\CurrentControlSet\Services
Tue Feb 14 21:02:11 2006 => ERROR!!! Invalid Entry "C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" in SYSTEM\CurrentControlSet\Services\AvSynMgr...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" in SYSTEM\CurrentControlSet\Services\ccEvtMgr...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" in SYSTEM\CurrentControlSet\Services\ccProxy...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" in SYSTEM\CurrentControlSet\Services\ccPwdSvc...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" in SYSTEM\CurrentControlSet\Services\ccSetMgr...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry "C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe" in SYSTEM\CurrentControlSet\Services\CfgWzSvc...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry %SystemRoot%\system32\svchost -k DcomLaunch in SYSTEM\CurrentControlSet\Services\DcomLaunch...
Tue Feb 14 21:02:12 2006 => ERROR!!! Invalid Entry "C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe" in SYSTEM\CurrentControlSet\Services\DefWatch...
Tue Feb 14 21:02:13 2006 => ERROR!!! Invalid Entry \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys in SYSTEM\CurrentControlSet\Services\eeCtrl...
Tue Feb 14 21:02:15 2006 => ERROR!!! Invalid Entry "C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe" in SYSTEM\CurrentControlSet\Services\ISSVC...
Tue Feb 14 21:02:15 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" in SYSTEM\CurrentControlSet\Services\McShield...
Tue Feb 14 21:02:16 2006 => ERROR!!! Invalid Entry \??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys in SYSTEM\CurrentControlSet\Services\NaiFiltr...
Tue Feb 14 21:02:16 2006 => ERROR!!! Invalid Entry System32\drivers\NaiFsRec.sys in SYSTEM\CurrentControlSet\Services\NaiFsRec...
Tue Feb 14 21:02:16 2006 => ERROR!!! Invalid Entry \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060207.006\naveng.sys in SYSTEM\CurrentControlSet\Services\NAVENG...
Tue Feb 14 21:02:17 2006 => ERROR!!! Invalid Entry \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060207.006\navex15.sys in SYSTEM\CurrentControlSet\Services\NAVEX15...
Tue Feb 14 21:02:17 2006 => ERROR!!! Invalid Entry C:\Norman\Nvc\BIN\nipsvc.exe in SYSTEM\CurrentControlSet\Services\NipSvc...
Tue Feb 14 21:02:19 2006 => ERROR!!! Invalid Entry %SystemRoot%\system32\svchost -k rpcss in SYSTEM\CurrentControlSet\Services\RpcSs...
Tue Feb 14 21:02:20 2006 => ERROR!!! Invalid Entry "C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" in SYSTEM\CurrentControlSet\Services\SavRoam...
Tue Feb 14 21:02:20 2006 => ERROR!!! Invalid Entry \??\C:\??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys in SYSTEM\CurrentControlSet\Services\SAVRT...
Tue Feb 14 21:02:20 2006 => ERROR!!! Invalid Entry \??\C:\??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys in SYSTEM\CurrentControlSet\Services\SAVRTPEL...
Tue Feb 14 21:02:20 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" in SYSTEM\CurrentControlSet\Services\SNDSrvc...
Tue Feb 14 21:02:20 2006 => ERROR!!! Invalid Entry \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys in SYSTEM\CurrentControlSet\Services\SPBBCDrv...
Tue Feb 14 21:02:20 2006 => ERROR!!! Invalid Entry "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" in SYSTEM\CurrentControlSet\Services\SPBBCSvc...
Tue Feb 14 21:02:21 2006 => ERROR!!! Invalid Entry "C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe" in SYSTEM\CurrentControlSet\Services\Symantec AntiVirus...
Tue Feb 14 21:02:21 2006 => ERROR!!! Invalid Entry \??\C:\Program Files\Symantec\SYMEVENT.SYS in SYSTEM\CurrentControlSet\Services\SymEvent...
Tue Feb 14 21:02:21 2006 => ERROR!!! Invalid Entry \SystemRoot\System32\Drivers\SYMREDRV.SYS in SYSTEM\CurrentControlSet\Services\SYMREDRV...
Tue Feb 14 21:02:21 2006 => ERROR!!! Invalid Entry "C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe" in SYSTEM\CurrentControlSet\Services\SymSecurePort...
Tue Feb 14 21:02:21 2006 => ERROR!!! Invalid Entry \SystemRoot\System32\Drivers\SYMTDI.SYS in SYSTEM\CurrentControlSet\Services\SYMTDI...
Tue Feb 14 21:02:21 2006 => ERROR!!! Invalid Entry %SystemRoot%\System32\svchost -k DComLaunch in SYSTEM\CurrentControlSet\Services\TermService...

Are those of any help?
It may be stuck because of all those antivirus leftovers. You want to use AVG, I suppose, or what? Download Symnrt first and remove Norton completely with it. Don't try to install any new software yet; reboot in between and post a new log. http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 I've also seen it crash mid-scan because of heat. Has the machine been vacuumed? From here you get the file to clean McAfee out of the registry, as long as it's the right version: http://ts.mcafeehelp.com/faq.asp?frames=1&docid=68717&CategoryId=245&chat You are logged in as an administrator, right? EDIT: I added the McAfee bit.
Logfile of HijackThis v1.99.1
Scan saved at 18:41:22, on 15.2.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS.1\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS.1\system32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uku.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uku.fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS.1\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.1\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google-haku - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Käännä englanninkielinen sana - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Linkit taaksepäin - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Samankaltaisia sivuja - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Välimuistissa oleva kuvakaappaus sivusta - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138050198703
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.1\system32\NavLogon.dll (file missing)
O23 - Service: Symantec Client Firewall Configuration (CfgWzSvc) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\CfgWzSvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\JARNO~1.JAR\LOCALS~1\Temp\hpdj.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Symantec SecurePort (SymSecurePort) - Unknown owner - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (file missing)

The first vacuuming in the machine's history helped. The plan is to use Symantec.
McAfee is already gone from there. That Symantec was already being removed too, but it still shows up. AVG also seems to be gone. Now try installing that Symantec, and preferably quickly, since there's no protection at all. It does have the firewall included, doesn't it? This one at least is still visible. We'll fix it later.
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
Post a new log once you get that Symantec installed.
YEEHAW! Many thanks to everyone for the excellent advice and for your trouble ))))))))

Logfile of HijackThis v1.99.1
Scan saved at 21:01:58, on 15.2.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS.1\system32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS.1\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS.1\system32\WISPTIS.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uku.fi/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uku.fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS.1\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.1\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google-haku - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Käännä englanninkielinen sana - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Linkit taaksepäin - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Samankaltaisia sivuja - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Välimuistissa oleva kuvakaappaus sivusta - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138050198703
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.1\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\JARNO~1.JAR\LOCALS~1\Temp\hpdj.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Is there still anything odd in there???
Looks good now. Do this as well: Click Start -> Run -> services.msc. Look for a service called: Norman API-hooking helper. Right-click it and choose Stop. Start Hijackthis, click: Open Misc Tool Section, Delete NT Service, and type on the line: Norman API-hooking helper. Click OK and restart the machine. You can then check with hjt that this line has gone:
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
Now you can also scan with eScan following Spertti's instructions, and report here only if something turns up.
For the Norman API-hooking helper service, only Start was available. HiJackThis reported the following: Service 'Norman API-hooking helper' was not found in the registry. Make sure you entered the short name of the service., vbExclamation. The Hjt log still has the line:
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
Try again like this: Start Hijackthis, click: Open Misc Tool Section, Delete NT Service, and type on the line: NipSvc. Click OK and restart the machine. If it won't go, just tick the entry in hjt and Fix checked.
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
You can also delete this folder if it exists: C:\Norman
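The thread does two things by eye that are worth seeing as code: reading the HijackThis log for the suspicious autostarts (the O4 RunServices entry, the O20 AppInit_DLLs value) and the O23 services whose binary is "(file missing)", and then, in the last three posts, removing an orphaned service where the snag was that HijackThis' Delete NT Service wants the service key name (NipSvc), not the display name (Norman API-hooking helper). The script below is an added example written for this page; it is not code from HijackThis, ewido, eScan or any poster. The log lines in it are copied from the logs above. It assumes (a) HijackThis prints "Display (KeyName)" only when the two differ, so a line with no parenthesised name has a key equal to its display name, which matches the eScan output above (Services\NipSvc, Services\McShield, Services\Symantec AntiVirus), and (b) the Windows XP built-ins sc.exe and reg.exe for the removal and verification commands it prints. The RunServices and bare-filename checks are heuristics that produce candidates to look up, as the thread did with winmon32.exe, not verdicts: nwiz.exe is a legitimate bare-filename entry and is kept in the sample as a control.

```python
"""Triage of HijackThis log lines, written as an added example for this thread
(not part of HijackThis, ewido, eScan or any post above)."""
import re
from dataclasses import dataclass

# Lines copied from the logs posted in the thread. Norman, NavLogon and
# Symantec AntiVirus are the real orphans; nwiz and AVG7 are live, legitimate
# entries kept as controls for the heuristics.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.1\system32\NavLogon.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Service:
    display: str
    short: str   # key name under HKLM\SYSTEM\CurrentControlSet\Services
    path: str
    missing: bool


@dataclass
class Finding:
    kind: str    # "orphan": dead registry entry; "review": look the file up first
    line: str
    why: str


def parse_service(line):
    """Parse an O23 line. Assumption: HijackThis prints 'Display (KeyName)' only
    when they differ; with no parenthesised name the key is the display name
    (consistent with the eScan output above, e.g. Services\\Symantec AntiVirus)."""
    m = O23_RE.match(line)
    if not m:
        return None
    return Service(m["display"], m["short"] or m["display"], m["path"], bool(m["missing"]))


def first_token(cmd):
    """Executable part of an O4 command line, handling the quoted-path form."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if (m := O4_RE.match(line)):
            exe = first_token(m["cmd"])
            if m["key"].lower() == "runservices":
                findings.append(Finding("review", line,
                    "RunServices is a Windows 9x autostart key that XP itself never processes; "
                    "legitimate XP software has no reason to write there"))
            elif "\\" not in exe:
                findings.append(Finding("review", line,
                    f"bare filename {exe!r} is resolved through PATH at run time; locate the file before trusting it"))
        elif (m := APPINIT_RE.match(line)):
            dlls = m["dlls"].split()
            findings.append(Finding("review", line,
                f"AppInit_DLLs injects {sorted(set(dlls))} into every process that loads user32.dll "
                f"({len(dlls)} entries, {len(set(dlls))} distinct)"))
        elif (m := NOTIFY_RE.match(line)) and m["missing"]:
            findings.append(Finding("orphan", line,
                f"Winlogon Notify package {m['name']!r} points at a DLL that no longer exists; fix it in HijackThis"))
        elif (svc := parse_service(line)) and svc.missing:
            findings.append(Finding("orphan", line,
                f"service key {svc.short!r} points at a missing binary; see cleanup_commands()"))
    return findings


def orphaned_services(log_text):
    parsed = (parse_service(raw.strip()) for raw in log_text.splitlines())
    return [s for s in parsed if s and s.missing]


def cleanup_commands(svc):
    """Commands for the XP built-ins sc.exe and reg.exe. Both take the key name,
    not the display name, which is what tripped HijackThis' Delete NT Service in
    the thread. No 'sc stop': a service whose binary is gone cannot be running.
    'sc delete' marks the key for removal; it disappears once no handle is open
    on it, in practice after the reboot the thread recommends."""
    name = f'"{svc.short}"' if " " in svc.short else svc.short
    return [f"sc query {name}",
            f"sc delete {name}",
            f'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc.short}"']


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.why}")
    for svc in orphaned_services(SAMPLE_LOG):
        print("\n".join(cleanup_commands(svc)))
```

Run against a full log, the "orphan" findings are the registry entries a previous uninstaller left behind (the same keys eScan reported as "Invalid Entry" above); the "review" findings are the ones to look up before touching, exactly as the thread did for winmon32.exe and sockspy.dll.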