Could someone kindly look through this:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:34, on 2/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\F-Secure\Common\FSM32.EXE
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\System32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
E:\WINDOWS\System32\rundll32.exe
E:\WINDOWS\System32\sysmon.exe
C:\windows\winsysban6.exe
E:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
E:\Program Files\Conceptronic\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\dmVzc2E\command.exe
E:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
E:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
E:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
E:\Program Files\F-Secure\Common\FSMA32.EXE
E:\Program Files\F-Secure\Anti-Virus\fssm32.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\F-Secure\Common\FSMB32.EXE
E:\Program Files\Network Monitor\netmon.exe
E:\Program Files\Logitech\Video\FxSvr2.exe
E:\Program Files\F-Secure\Common\FCH32.EXE
E:\WINDOWS\System32\svchost.exe
E:\Program Files\F-Secure\Common\FAMEH32.EXE
E:\Program Files\F-Secure\Common\FNRB32.EXE
E:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
E:\Program Files\F-Secure\Common\FIH32.EXE
E:\Program Files\F-Secure\Anti-Virus\fsav32.exe
E:\WINDOWS\System32\Cgecliqg.exe
E:\rikun jutut\ohjelmat\Opera\Opera.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\System32\devldr32.exe
E:\WINDOWS\System32\rundll32.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\DOCUME~1\RIKU~1.VES\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\DOCUME~1\RIKU~1.VES\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {864905AE-7E10-4AA3-B474-358E3C9E82A5} - E:\WINDOWS\System32\khka.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "E:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "E:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] E:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [sp] rundll32 E:\DOCUME~1\vesa\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Systems] E:\WINDOWS\System32\sysmon.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd6.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - E:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\Conceptronic\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\Conceptronic\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75DDEF1A-ADF9-4974-A74B-8A91584EE9D1}: NameServer = 85.255.114.24,85.255.112.235
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BD3227E-C90C-4870-A9F8-A29ACBE9FAD3}: NameServer = 85.255.114.24,85.255.112.235
O17 - HKLM\System\CCS\Services\Tcpip\..\{C22F795C-956E-4A9B-86E9-423C6FE4E7DE}: NameServer = 85.255.114.24,85.255.112.235
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - E:\WINDOWS\System32\btxppanel.dll
O18 - Filter: text/html - {FF3012A6-7201-4F65-AB92-980E1161FB59} - E:\WINDOWS\System32\khka.dll
O18 - Filter: text/plain - {FF3012A6-7201-4F65-AB92-980E1161FB59} - E:\WINDOWS\System32\khka.dll
O20 - Winlogon Notify: Applets - E:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Themes - E:\WINDOWS\system32\k662lgjo16oc.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - E:\WINDOWS\System32\dcom_13.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - E:\WINDOWS\System32\dcom_13.dll
O21 - SSODL: XuhjfutzEXg - {29441411-83EE-BEBB-FCF6-97F25E380CDA} - E:\WINDOWS\System32\ym.dll
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - E:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Program Files\Conceptronic\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\dmVzc2E\command.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - E:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - E:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - E:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - E:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - E:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - E:\WINDOWS\System32\perfont.exe
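The helpers in this thread triage the log above by eye: name servers on the O17 lines that do not belong to the user's ISP, an O4 autostart loading a DLL from a Temp folder through rundll32, MIME filters on text/html and text/plain, Winlogon Notify hooks whose file is missing, a duplicated SSODL entry, and services with an unknown owner living in a directory with a base64-looking name. The script below is an added example, written for this page and not part of the thread or of HijackThis itself; it encodes those same checks as rules over HijackThis-style lines. The EXPECTED_NAMESERVERS allowlist is a constructed placeholder, and the sample lines are copied from the log above.

```python
"""Rule-based triage of HijackThis-style log lines (added example, not a
HijackThis feature). Each rule mirrors a check the forum helpers did by hand."""
import base64
import re
import string
from dataclasses import dataclass

# Resolvers this machine is expected to use: constructed placeholder value,
# replace it with the ISP's or the LAN router's real addresses.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
TEMP_PATH_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)
LOCAL_HTML_RE = re.compile(r"= [a-z]:\\[^ ]*\.html?$", re.I)
PRINTABLE = set(string.printable)


@dataclass(frozen=True)
class Finding:
    kind: str        # HijackThis section, e.g. "O17"
    reasons: tuple   # one or more human-readable rule hits
    line: str        # the original log line


def looks_base64_word(token: str) -> bool:
    """True if a path token decodes as base64 to non-empty printable ASCII
    (e.g. 'dmVzc2E' -> 'vessa'); ordinary names like 'System32' do not."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{6,}={0,2}", token):
        return False
    padded = token + "=" * (-len(token) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(decoded) and all(chr(b) in PRINTABLE for b in decoded)


def triage(log: str) -> list:
    """Return a Finding for every line that trips at least one rule."""
    findings, seen_ssodl = [], set()
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind in ("R0", "R1") and ("res://" in body or LOCAL_HTML_RE.search(body)):
            reasons.append("browser start/search setting points at a local file")
        elif kind == "O4" and (TEMP_PATH_RE.search(body) or "rundll32" in body.lower()):
            reasons.append("autostart from a Temp folder or via rundll32")
        elif kind == "O17":
            nm = NAMESERVER_RE.search(body)
            rogue = sorted(set(nm.group("ips").split(",")) - EXPECTED_NAMESERVERS) if nm else []
            if rogue:
                reasons.append("DNS servers not on allowlist: " + ", ".join(rogue))
        elif kind == "O18" and body.startswith("Filter:"):
            reasons.append("MIME filter can rewrite text/html or text/plain content")
        elif kind == "O20" and "(file missing)" in body:
            reasons.append("Winlogon Notify DLL missing (dangling hook)")
        elif kind == "O21":
            if body in seen_ssodl:
                reasons.append("duplicate SSODL entry")
            seen_ssodl.add(body)
        elif kind == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
        if kind in ("O4", "O21", "O23"):  # obfuscated directory names
            for token in re.split(r"[\\/ ]+", body):
                if looks_base64_word(token):
                    reasons.append(f"base64-looking path element {token!r}")
        if reasons:
            findings.append(Finding(kind, tuple(reasons), line))
    return findings


# Sample lines copied from the log posted above (one clean line per section
# is included so the rules can be seen not firing on legitimate entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [F-Secure Manager] "E:\Program Files\F-Secure\Common\FSM32.EXE" /splash
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\DOCUME~1\RIKU~1.VES\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
O4 - HKLM\..\Run: [sp] rundll32 E:\DOCUME~1\vesa\LOCALS~1\Temp\se.dll,DllInstall
O17 - HKLM\System\CCS\Services\Tcpip\..\{75DDEF1A-ADF9-4974-A74B-8A91584EE9D1}: NameServer = 85.255.114.24,85.255.112.235
O18 - Filter: text/html - {FF3012A6-7201-4F65-AB92-980E1161FB59} - E:\WINDOWS\System32\khka.dll
O20 - Winlogon Notify: Applets - E:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - E:\WINDOWS\System32\dcom_13.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - E:\WINDOWS\System32\dcom_13.dll
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - E:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\dmVzc2E\command.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - E:\WINDOWS\System32\perfont.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, the script flags nine of the twelve lines and leaves the F-Secure autostart, the F-Secure service and the first SSODL entry alone; the cmdService line collects two reasons, the unknown owner and the directory name dmVzc2E, which decodes to "vessa". The rules are deliberately noisy in the direction of review rather than verdict, which is how the helpers use the log too: a hit means "look at this", not "delete this".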
There do seem to be some nasties lurking in there. Start by scanning the machine with Ewido. Instructions and the download link can be found at http://keskustelu.afterdawn.com/thread_view.cfm/269186 . Then post the resulting log here, and we'll take a closer look.
Looks like there are nasties: the IP addresses on those O17 lines trace to Belarus. So the machine has probably been hijacked from there. I do know that spertti at least knows what to do. Let's wait and see if some pro has time to check the log.
You just set the record in the forum's filthiest log contest.... And if, once we've got the nasties out, you don't get Service Pack 2, your machine will be in the same state again in a week.

Download fixwareout.exe from here > http://downloads.subratam.org/Fixwareout.exe or from here > http://swandog46.geekstogo.com/Fixwareout.exe and save it to the desktop. Double-click it and follow the instructions. You will have to restart the computer when told to. Later, when HijackThis opens, fix these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\DOCUME~1\RIKU~1.VES\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\DOCUME~1\RIKU~1.VES\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {864905AE-7E10-4AA3-B474-358E3C9E82A5} - E:\WINDOWS\System32\khka.dll
O4 - HKLM\..\Run: [sp] rundll32 E:\DOCUME~1\vesa\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Systems] E:\WINDOWS\System32\sysmon.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd6.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban6.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{75DDEF1A-ADF9-4974-A74B-8A91584EE9D1}: NameServer = 85.255.114.24,85.255.112.235
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BD3227E-C90C-4870-A9F8-A29ACBE9FAD3}: NameServer = 85.255.114.24,85.255.112.235
O17 - HKLM\System\CCS\Services\Tcpip\..\{C22F795C-956E-4A9B-86E9-423C6FE4E7DE}: NameServer = 85.255.114.24,85.255.112.235
O18 - Filter: text/html - {FF3012A6-7201-4F65-AB92-980E1161FB59} - E:\WINDOWS\System32\khka.dll
O18 - Filter: text/plain - {FF3012A6-7201-4F65-AB92-980E1161FB59} - E:\WINDOWS\System32\khka.dll
O20 - Winlogon Notify: Applets - E:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Themes - E:\WINDOWS\system32\k662lgjo16oc.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - E:\WINDOWS\System32\dcom_13.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - E:\WINDOWS\System32\dcom_13.dll
O21 - SSODL: XuhjfutzEXg - {29441411-83EE-BEBB-FCF6-97F25E380CDA} - E:\WINDOWS\System32\ym.dll
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\dmVzc2E\command.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - E:\WINDOWS\System32\perfont.exe

Show hidden files, instructions -> http://keskustelu.afterdawn.com/thread_view.cfm/248944
Get Ewido http://keskustelu.afterdawn.com/thread_view.cfm/269186
Install and update it. Do nothing else!
Download CWShredder http://cwshredder.net/bin/CWShredder.exe and save it to the desktop.
Download SpSeHjfix from here > http://www.derbilk.de/SpSeHjfix112.zip
Extract the zip into its own folder on the desktop.
Open the folder and double-click SpSeHjfix.exe, press the start disinfection button.
Run CWShredder, press the fix button.
Boot into safe mode (F8 during startup).
Scan with Ewido in safe mode. Remember to set the settings as in the link!

Delete these if found:
E:\DOCUME~1\RIKU~1.VES\LOCALS~1\Temp\ < empty the contents of this folder
c:\secure32.html
E:\WINDOWS\System32\khka.dll
E:\WINDOWS\System32\sysmon.exe
C:\windows\winsysupd6.exe
C:\windows\gimmygames.exe
C:\windows\winsysban6.exe
E:\WINDOWS\system32\guard.tmp
E:\WINDOWS\system32\k662lgjo16oc.dll
E:\WINDOWS\System32\dcom_13.dll
E:\WINDOWS\System32\ym.dll
E:\WINDOWS\System32\perfont.exe
E:\WINDOWS\dmVzc2E\ < folder

Start > Run > services.msc > find Performance True Type Fonts in the list and double-click it. Choose Stop, and set the startup type to Disabled. Do the same for Command Service.

Post a new log + the contents of C:\fixwareout\report.txt + the Ewido log.
There really were so many creepy-crawlies in there that, in between work, I had no way to go into detail on guiding the removal. There were that many different kinds. SP2 really isn't on offer for nothing. That much at least has been proven again here.