Kone bugaa

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by Copone, Jan 12, 2007.

  1. Copone

    Copone Guest

    Kone on yllättävän hidas ja winamppi kaatuilee ja sen myötä koko kone ja BF 2142 ei enää lähe käy ntiin niinku påitäis eli kestaa sika kauan kunnes avaa...
    Täs on toi HTJ:
    Logfile of HijackThis v1.99.1
    Scan saved at 14:19:54, on 12.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Profiler\lwemon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Opera\Opera.exe
    C:\HJT\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1035
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
    F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [] C:\WINDOWS\scvhost.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\Plugin Manager\Skype4COM.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
    Copone, Jan 12, 2007
    #1
  2. Hujo

    Hujo Guest

    escan
    Ohjeet tuolla sivulla.
    http://koti.mbnet.fi/pattaya1/escanmwav.htm
    lataa tuosta
    http://www.spywareinfo.dk/download/mwav.exe
    päivitä tuosta
    http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat
    laita täpit merkkauksien mukaan
    http://koti.mbnet.fi/pattaya1/eScan6.jpg

    scannaa

    jos ala luukkuun tulee jotain niin kopioi se näin:
    Käytä komentoa Ctrl+A.
    Kopioi rivit komennolla Ctrl+C.
    Liitä rivit komennolla Ctrl+V.

    Laita virus log tänne.

    avg vikasiedossa ajo

    1.Lataa combofix.exe http://download.bleepingcomputer.com/sUBs/combofix.exe
    tiedosto työpöydällesi.
    2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
    3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
    Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.


    Uusi hjt loki
     
    Last edited by a moderator: Jan 12, 2007
    Hujo, Jan 12, 2007
    #2
  3. Copone

    Copone Guest

    Täs on nyt tää eSacn:

    File C:\Documents and Settings\Copone\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\Copone\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\Mr. Coponé\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\Mr. Coponé\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{604041ED-AF86-4489-8EC9-6535245541F7}\RP114\A0026094.exe tagged as not-a-virus:AdTool.Win32.WhenU.a. No Action Taken.
    File C:\System Volume Information\_restore{DB383D0A-3745-48FA-9407-F9FAA008C63D}\RP16\A0001500.exe tagged as not-a-virus:AdWare.Win32.SaveNow.by. No Action Taken.
    File C:\System Volume Information\_restore{DB383D0A-3745-48FA-9407-F9FAA008C63D}\RP89\A0017253.exe tagged as not-a-virus:AdWare.Win32.SaveNow.by. No Action Taken.
     
    Copone, Jan 12, 2007
    #3
  4. Hujo

    Hujo Guest

    1. Klikkaa käynnistä > Oma tietokone oikean puoleisella hiiren napilla
    2. Valitse ominaisuudet
    3. Valitse järjestelmän palauttaminen välilehti
    4. Ruksi eteen ¤ poista järjestelmän palauttaminen kaikissa asemissa
    5. Paina Käytä
    6. Paina ok
    7. Sammuta ja käynnistä
    8. Ota ruksi pois ¤ poista järjestelmän palauttaminen kaikissa asemissa
    9. Käytä ja OK
     
    Hujo, Jan 14, 2007
    #4
  5. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    @Hujo: jos vaikka sen järjestelmänpalautuksen annetaan olla rauhassa :)

    @Copone:

    Fixiin:

    O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [] C:\WINDOWS\scvhost.exe

    Käynnistä vikasietotilaan ja poista jos löytyy:

    C:\WINDOWS\scvhost.exe

    Tyhjennä roskis

    Käynnistä uudelleen ja lähetä uusi HjT-loki.
     
    -kemisti-, Jan 14, 2007
    #5
  6. Hujo

    Hujo Guest

    jos nyt tämän kerran ;) jäipä nuo taas unholaan.
     
    Last edited by a moderator: Jan 14, 2007
    Hujo, Jan 14, 2007
    #6

Share This Page