I started the computer and the first thing I noticed was some extra file on the C: drive. I tried to delete it, but it said it was encrypted, so I then deleted it through Notepad, but after that more of them started to appear and Explorer started crashing all the time. The machine is completely unprotected, SP1, because I formatted it. Well, since I can't get online right now, I can't get that HJT log.
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\paytime.exe
C:\Program Files\paytime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Joonas\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [c126066d.exe] C:\WINDOWS\System32\c126066d.exe
O4 - HKLM\..\Run: [588d4e55.exe] C:\WINDOWS\System32\588d4e55.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [c126066d.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\c126066d.exe
O4 - HKCU\..\Run: [bc92e575.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\bc92e575.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Install a firewall on the machine right away if you don't have a hardware firewall either. Here are a couple of examples:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com
Comodo --> http://www.personalfirewall.trustix.com/
Jetico --> http://www.jetico.com/index.htm#/jpfirewall.htm

Here are also a couple of free antivirus programs:
AntiVir --> http://www.free-av.com/
Avast --> http://www.avast.com

Note! Only one firewall and one antivirus active per machine.

After that, do this:
Download SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the contents (a folder named SmitfraudFix) to your desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will open listing the infected files (if any).
Post the contents of that text file in your thread.
I found that paytime.exe and tried to delete it earlier, but it wouldn't delete, and it shows up as a Word document even though Word isn't installed.

SmitFraudFix v2.31
Scan done at 19:51:17,54, la 15.04.2006
Run from C:\Documents and Settings\Joonas\Työpöytä\SmitfraudFix
OS: Microsoft Windows XP [versio 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\uninstDsk.exe FOUND !
C:\WINDOWS\warnhp.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\bin29a.log FOUND !
C:\WINDOWS\system32\lich.exe FOUND !
C:\WINDOWS\system32\oleext.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Joonas\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\paytime.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
Could you also post the full HijackThis log as kemisti asked, and remember to put HijackThis in its own folder.
Logfile of HijackThis v1.99.1
Scan saved at 20:38:14, on 15.4.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\System32\lich.exe
C:\WINDOWS\System32\c126066d.exe
C:\WINDOWS\System32\588d4e55.exe
C:\PROGRA~1\paytime.exe
C:\WINDOWS\System32\eventwvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\BitComet\BitComet.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [c126066d.exe] C:\WINDOWS\System32\c126066d.exe
O4 - HKLM\..\Run: [588d4e55.exe] C:\WINDOWS\System32\588d4e55.exe
O4 - HKLM\..\Run: [SysTray] C:\PROGRA~1\paytime.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [c126066d.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\c126066d.exe
O4 - HKCU\..\Run: [bc92e575.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\bc92e575.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145116412625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Download Ewido http://keskustelu.afterdawn.com/thread_view.cfm/269186 , install it and update it; no need to scan yet.

Next, close all windows, open HijackThis, click "Do a system scan only" and check these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [c126066d.exe] C:\WINDOWS\System32\c126066d.exe
O4 - HKLM\..\Run: [588d4e55.exe] C:\WINDOWS\System32\588d4e55.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [c126066d.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\c126066d.exe
O4 - HKCU\..\Run: [bc92e575.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\bc92e575.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

And click "Fix checked".

Next, boot the computer into Safe Mode by tapping F8 during startup http://www.pchell.com/support/safemode.shtml

In Safe Mode, make hidden files visible:
* Click Start.
* Open My Computer.
* Select Tools from the top menu and click Folder Options.
* Select the View tab.
* Under Hidden files and folders, select Show hidden files and folders.
* Uncheck the box -> Hide protected operating system files.
* Click Yes to confirm the changes.
* Click OK.

After that, still in Safe Mode, delete the following files:

C:\->secure32.html
C:\Program Files\Common Files\Microsoft Shared\Web Folders\->ibm00001.exe
C:\WINDOWS\system32\->winbrume.dll
C:\WINDOWS\System32\->c126066d.exe
C:\WINDOWS\System32\->588d4e55.exe
C:\WINDOWS\System32\->eventwvr.exe
C:\Documents and Settings\Joonas\Local Settings\Application Data\->c126066d.exe
C:\Documents and Settings\Joonas\Local Settings\Application Data\->bc92e575.exe
C:\WINDOWS\System32\->lich.exe
C:\->winstall.exe
C:\WINDOWS\web\->related.htm

After the deletions, hide hidden files again, run a full system scan with Ewido according to the instructions and save its report.

Finally, open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete the infected files.
You will be asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" to remove the desktop background and clean the infected registry keys.
The tool checks whether wininet.dll is infected. You may be asked to replace the infected .dll (if one is found); answer "Yes" by typing Y and pressing "Enter".
The tool may need to restart the computer; if it doesn't, boot into normal Windows.
A text file will appear after the cleaning process; copy & paste the contents of that report into your reply. The report can be found on your local drive, usually at C:\rapport.txt.
If SmitfraudFix did not restart your computer, restart it yourself to get back to normal mode. In normal mode, post a new HijackThis log, the Ewido report and C:\rapport.txt.
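As an added example, not from this thread and not part of HijackThis itself: a small Python triage script that applies the same judgement the helper applied by hand to the log entries above. The sample log embedded in it is a constructed subset of entries copied from the HijackThis logs posted in this thread, with two known-good entries (Steam, NVIDIA) kept to show that the heuristics leave ordinary software alone. The heuristics themselves (a start page pointing at a local file, a system.ini Shell= line that launches something besides explorer.exe, a BHO with no name, an autostart binary with an eight-hex-digit name or sitting in the drive root, the Program Files root or a per-user data folder) are this example's own rules of thumb, not HijackThis's, and every flagged entry still needs a human to confirm it.

```python
import re

# Constructed sample: a subset of entries copied from the HijackThis logs
# posted in this thread, plus two ordinary entries (Steam, NVIDIA) that must
# not be flagged.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [c126066d.exe] C:\WINDOWS\System32\c126066d.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [bc92e575.exe] C:\Documents and Settings\Joonas\Local Settings\Application Data\bc92e575.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# First drive-qualified Windows path ending in an executable, library or HTML file.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|html?)', re.I)
# O4 autostart entry: hive, key, [name], command line.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Eight hex digits + .exe, the naming pattern of the dropped files in this thread.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}\.exe$', re.I)
# Per-user locations an ordinary installer does not put an autostart binary in (assumption).
USER_WRITABLE_DIRS = ('\\local settings\\application data\\', '\\local settings\\temp\\')


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def o4_reasons(path):
    """Heuristics for one autostart entry; an empty list means it looks ordinary."""
    if path is None:
        return ['command has no drive-qualified path']
    reasons = []
    parts = path.split('\\')
    if HEX_NAME_RE.match(parts[-1]):
        reasons.append('file name is eight random-looking hex digits')
    if len(parts) == 2:
        reasons.append('executable sits directly in the drive root')
    elif len(parts) == 3 and parts[1].lower() == 'program files':
        reasons.append('executable sits in the Program Files root, not in a product folder')
    if any(d in path.lower() for d in USER_WRITABLE_DIRS):
        reasons.append('executable lives in a per-user writable data directory')
    return reasons


def triage(log_text):
    """One finding per suspicious line: {'kind', 'line', 'path', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(' - ', 1)[0]
        reasons, path = [], None
        if kind in ('R0', 'R1'):
            value = line.rsplit(' = ', 1)[-1]
            if re.match(r'^[A-Za-z]:\\', value):
                reasons.append('browser start/default page points at a local file')
                path = value
        elif kind == 'F2':
            m = re.search(r'Shell=(.*)$', line)
            if m and m.group(1).strip().lower() != 'explorer.exe':
                reasons.append('system.ini Shell= launches something besides explorer.exe')
                path = first_path(m.group(1))
        elif kind == 'O2' and '(no name)' in line:
            reasons.append('browser helper object registered without a name')
            path = first_path(line)
        elif kind == 'O4':
            m = O4_RE.match(line)
            if m:
                path = first_path(m.group('cmd'))
                reasons = o4_reasons(path)
        if reasons:
            findings.append({'kind': kind, 'line': line, 'path': path, 'reasons': reasons})
    return findings


def paths_to_review(log_text):
    """Distinct file paths behind the flagged entries: the list a helper asks to have checked."""
    return sorted({f['path'] for f in triage(log_text) if f['path']})


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LOG):
        print(f['kind'], '|', f['line'])
        for r in f['reasons']:
            print('    -', r)
    print('\nPaths to review:')
    for p in paths_to_review(SAMPLE_HJT_LOG):
        print('   ', p)
```

Run it as-is to see the eight flagged entries and the seven distinct paths behind them; feed it a real log via SAMPLE_HJT_LOG's format and compare the output with what a human reviewer would pick out.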
Logfile of HijackThis v1.99.1
Scan saved at 21:06:50, on 15.4.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\BitComet\BitComet.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145116412625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

It looks like this now.
Let's try SmitfraudFix once more. First fix these with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

Then go into Safe Mode, delete C:\secure32.html and run SmitfraudFix again as I advised in my last message. After that, boot your computer back into normal mode and post a new HijackThis log, the Ewido report and the SmitfraudFix report.
Scan the machine with http://koti.mbnet.fi/pattaya1/escanmwav.htm and after that with http://www.ewido.net/en/
Clean Windows of unnecessary temp files and cookies: http://www.ccleaner.com/
After the scans, update Windows.
I don't see a firewall or an antivirus program in the log.
Tip: http://members.surfeu.fi/laivamaa/aboutme.htm
File C:\WINDOWS\uninstDsk.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\588d4e55.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\c126066d.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\eventwvr.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\lich.exe infected by "Trojan.Win32.LowZones.dm" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\oleext.dll infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\winbrume.dll tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Documents and Settings\Joonas\.jpi_cache\jar\1.0\jar.jar-77e22aef-25a31a09.zip infected by "Trojan.Java.Femad" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Joonas\Local Settings\Application Data\bc92e575.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Joonas\Local Settings\Application Data\c126066d.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Joonas\Local Settings\Temp\setup.exe infected by "Trojan-Downloader.Win32.Harnig.bd" Virus. Action Taken: File Deleted.
File C:\HJT\backups\backup-20060415-210610-987.dll tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll infected by "Trojan-PSW.Win32.Sinowal.b" Virus. Action Taken: File Deleted.
File C:\Program Files\DAEMON Tools\SetupDTSB.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bo. No Action Taken.
File C:\Program Files\Internet Explorer\update.exe tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc20.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc22.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc25.exe infected by "Trojan-Downloader.Win32.Tiny.bz" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc28.exe infected by "Trojan.Win32.LowZones.dm" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc30.html infected by "Trojan.Win32.Harnig.k" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc31.exe infected by "not-virus:Hoax.Win32.Renos.cn" Virus. Action Taken: File Renamed.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc32.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc33.exe tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc34.exe infected by "Trojan-Clicker.Win32.Small.kr" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc37.exe infected by "not-virus:Hoax.Win32.Renos.cn" Virus. Action Taken: File Renamed.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc39.html infected by "Trojan.Win32.Harnig.k" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc40.html infected by "Trojan.Win32.Harnig.k" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc41.html infected by "Trojan.Win32.Harnig.k" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc43.exe infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP15\A0011824.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP15\A0011825.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP16\snapshot\MFEX-1.DAT infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP17\snapshot\MFEX-1.DAT infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP18\A0011855.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP18\A0011859.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP18\A0011860.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP18\A0011922.exe infected by "not-virus:Hoax.Win32.Renos.bb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP18\snapshot\MFEX-1.DAT infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP58\A0012426.dll infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0012508.dll infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0012512.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0012513.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0012523.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0012524.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014544.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014545.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014546.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014547.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014548.exe infected by "Trojan.Win32.LowZones.dm" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014549.dll infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014550.exe infected by "Trojan.Win32.Agent.ql" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014551.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014552.dll infected by "Trojan-PSW.Win32.Sinowal.b" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014553.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014554.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014555.exe infected by "Trojan-Downloader.Win32.Tiny.bz" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014556.exe infected by "Trojan.Win32.LowZones.dm" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014557.exe infected by "not-virus:Hoax.Win32.Renos.cn" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014558.exe infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014559.exe infected by "Trojan-Clicker.Win32.Small.kr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014560.exe infected by "not-virus:Hoax.Win32.Renos.cn" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014561.exe infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\WINDOWS\$NtUninstallKB912812-IE6SP1-20060322.182418$\wininet.dll infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\WINDOWS\system32\winbrume.dll tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.

That page said a couple of hours; it finished in 30 minutes.
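Added example, not part of the thread and not the eScan tool's own code: a Python parser for the report format above. It tallies the actions the scanner took and singles out the detections it left alone ("No Action Taken"), which is exactly where a helper's manual follow-up starts, and it separates HijackThis's own backup copy of a fixed item from files that still need attention. The sample report is a constructed subset of lines copied from the report above; the backup-folder prefix C:\HJT\backups\ comes from that report and is treated as an assumption about where this machine's HijackThis keeps its backups.

```python
import re
from collections import Counter

# Constructed sample: seven lines copied from the eScan report posted in this
# thread, chosen to cover every action the scanner reports.
SAMPLE_REPORT = r"""
File C:\WINDOWS\uninstDsk.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\winbrume.dll tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Program Files\Internet Explorer\update.exe tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\WINDOWS\$NtUninstallKB912812-IE6SP1-20060322.182418$\wininet.dll infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\RECYCLER\S-1-5-21-515967899-1708537768-839522115-1004\Dc31.exe infected by "not-virus:Hoax.Win32.Renos.cn" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{A1D07379-7C52-405B-AC81-838995AAF853}\RP59\A0014552.dll infected by "Trojan-PSW.Win32.Sinowal.b" Virus. Action Taken: File Deleted.
File C:\HJT\backups\backup-20060415-210610-987.dll tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
"""

# Two line shapes appear in the report: a detection with an action, and a
# "tagged as" line for items the scanner only labels.
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. No Action Taken\.$')

# Assumption: the HijackThis backup folder as seen in this thread's logs.
TOOL_BACKUP_PREFIX = 'c:\\hjt\\backups\\'
# System Restore snapshot area; hits there are old copies, not live files.
RESTORE_MARKER = '\\system volume information\\_restore'


def parse_report(text):
    """Return [{'path', 'name', 'action'}] for every line that matches either shape."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            entries.append({'path': m['path'], 'name': m['name'], 'action': m['action']})
            continue
        m = TAGGED_RE.match(line)
        if m:
            entries.append({'path': m['path'], 'name': m['name'], 'action': 'No Action Taken'})
    return entries


def classify(entry):
    """'handled' if the scanner acted, 'tool_backup' for HijackThis's own backup, else 'manual'."""
    if entry['action'] != 'No Action Taken':
        return 'handled'
    if entry['path'].lower().startswith(TOOL_BACKUP_PREFIX):
        return 'tool_backup'
    return 'manual'


def summarize(text):
    entries = parse_report(text)
    return {
        'total': len(entries),
        'by_action': Counter(e['action'] for e in entries),
        'by_detection': Counter(e['name'] for e in entries),
        'manual': [e['path'] for e in entries if classify(e) == 'manual'],
        'tool_backup': [e['path'] for e in entries if classify(e) == 'tool_backup'],
        'in_restore_points': sum(RESTORE_MARKER in e['path'].lower() for e in entries),
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_REPORT)
    print('entries:', s['total'])
    for action, n in s['by_action'].items():
        print(f'  {action}: {n}')
    print('hits inside System Restore points:', s['in_restore_points'])
    print('left alone, needs manual handling:')
    for p in s['manual']:
        print('   ', p)
    print('left alone, removal-tool backup:')
    for p in s['tool_backup']:
        print('   ', p)
```

On the sample, the two files under "needs manual handling" are the same two the next reply in the thread asks to have deleted by hand; on the full report the restore-point count is what tells you how much of the list was old snapshots rather than live files.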
The time always depends on a lot of things.

Delete these:
C:\WINDOWS\system32\winbrume.dll
C:\Program Files\Internet Explorer\update.exe

First take a backup of the registry like this: Run -> regedit -> OK. Then File -> Export. Give it some name and then Save (and make a note of where you saved it).

Then save the text snippet below as fix.reg, e.g. in Notepad and e.g. on the desktop (save as type: All Files):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Double-click it and click Yes and OK. Restart the computer. Did it help? Post a new HJT log, the Ewido report and the SmitfraudFix report.