I got a fixed broadband connection, and since then IE and Mozilla Firefox have started opening all by themselves to a couple of strange pages, but then the page still says that I don't have permission to log in to the server. Ad-Aware doesn't find anything? How do I get rid of this extremely annoying thing! I'd be grateful for help as quickly as possible!!! I read on another page that I should make one of these!
Logfile of HijackThis v1.99.1
Scan saved at 10:27:30, on 12.6.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\bugmgr.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\oem\Työpöytä\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saastopankki.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SmartBee] C:\Program Files\SmartBee\SmartBee.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\j0j60a1sed.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Window Debug Manager - Unknown owner - C:\WINDOWS\bugmgr.exe
Fix these:
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
[bold]O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) This one is not to be fixed!!! It can make Messenger stop working![/bold]
@Jansku68: These have a fix of their own, just so you know. You see, there is almost certainly more of the same on the machine, even though it doesn't show in the log. Besides, fixing doesn't delete the files in question, only the registry entries. The fact that they don't show up under Running Processes doesn't prove that they aren't there. Pests also know how to hide themselves (many so-called bots do that, for example).
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
And there is other junk in the log too. So let me ask you: what is this one, for example, and if it is a pest, how is it removed?
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\j0j60a1sed.dll
This one looks suspicious too?
O23 - Service: Window Debug Manager - Unknown owner - C:\WINDOWS\bugmgr.exe
And the O18 matter was already dealt with, but apparently it didn't sink in. Last time I even gave you a link about it. Here it is again: http://castlecops.com/o18list-83.html
Note: often incorrectly listed by HijackThis as missing
So that one is of course not to be fixed! At least not before the user has been asked whether the file really exists or not. Castlecops is the most reliable site on the net for HjT matters.
I fixed those three files with the HijackThis thing, but apparently I should still delete those files from the recycle bin; I had already managed to delete them earlier because they looked that suspicious. How does it look now???
Logfile of HijackThis v1.99.1
Scan saved at 12:50:24, on 12.6.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\bugmgr.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\oem\Työpöytä\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saastopankki.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SmartBee] C:\Program Files\SmartBee\SmartBee.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\j0j60a1sed.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Window Debug Manager - Unknown owner - C:\WINDOWS\bugmgr.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
What could be done about that, should I look for a file like that and repair it?
@Rommi Nothing needs to be done about it, it's just a bug in HjT, i.e. it isn't really missing even though HjT claims so.
I always get an error about that when I start the computer! It started doing that when I installed mediaplayer10. The actual problem hasn't gone away yet, web pages still jump wherever they please.
Sorry, it wasn't that file after all, it was a rundll exception while trying to run the program "C:\WINDOWS\system32\ksdhela2.dll",DllGetVersion.
Let's continue: Fix with HjT (do a system scan only, tick it and press fix checked):
O23 - Service: Window Debug Manager - Unknown owner - C:\WINDOWS\bugmgr.exe
Then Start -> Run, type
sc stop Window Debug Manager
and OK, then
sc delete Window Debug Manager
and OK.
Delete: C:\WINDOWS\bugmgr.exe
Download http://www.atribune.org/ccount/click.php?id=7 Look2Me-Destroyer.exe to your desktop.
IMPORTANT: Before continuing with the fix, you must do the following:
* Print this, or save it as a text file in a suitable location.
* Click Start -> Run and type: services.msc
* Click OK.
* Check that this service is running or that its startup type is automatic:
* Toissijainen kirjautuminen (Secondary Logon)
* Next, your computer must be offline; pull the network cable out of the wall if necessary.
* Your antivirus and all other security software MUST be shut down.
[*]Close all windows before continuing.
[*]Double-click Look2Me-Destroyer.exe to run the program.
[*]Tick Run this program as a task.
[*]You will get a message saying "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK
[*]When Look2Me-Destroyer reopens, click the Scan for L2M option; your desktop shortcuts will disappear for a moment, this is normal.
[*]When the scan is finished, click the Remove L2M option.
[*]You will get a Done Scanning message, click OK.
[*]When finished, you will get this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
[*]Your computer shuts itself down.
[*]Restart your computer.
[*]Post the contents of the C:\Look2Me-Destroyer.txt file in your post along with a new HijackThis log.
If your firewall warns about internet connections for this program - allow them. If you get runtime error '339', download MSWINSCK.OCX from the following link and place it in your C:\Windows\System32 folder. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX Try again.
Which one there in the services do I need to check is automatic? I can't turn AntiVir off but I can turn Kerio off!
Logfile of HijackThis v1.99.1
Scan saved at 14:38:16, on 12.6.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\oem\Työpöytä\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saastopankki.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SmartBee] C:\Program Files\SmartBee\SmartBee.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 12.6.2006 14:33:11
Infected! C:\WINDOWS\system32\dnn2015oe.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100202.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100251.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100258.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100265.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100272.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100279.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100289.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100295.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP185\A0100437.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP185\A0100447.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP186\A0100481.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP187\A0100489.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP187\A0100496.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP188\A0100500.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP188\A0100510.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0100813.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0100910.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101024.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101089.dll
Infected! C:\WINDOWS\system32\j44o0eh3eh4.dll
Infected! C:\WINDOWS\system32\mkuni11.dll
Infected! C:\WINDOWS\system32\mlcpx32r.dll
Infected! C:\WINDOWS\System32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\dnn2015oe.dll
C:\WINDOWS\system32\dnn2015oe.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100202.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100202.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100251.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100251.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100258.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100258.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100265.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100265.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100272.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP183\A0100272.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100279.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100279.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100289.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100289.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100295.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP184\A0100295.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP185\A0100437.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP185\A0100437.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP185\A0100447.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP185\A0100447.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP186\A0100481.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP186\A0100481.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP187\A0100489.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP187\A0100489.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP187\A0100496.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP187\A0100496.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP188\A0100500.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP188\A0100500.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP188\A0100510.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP188\A0100510.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0100813.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0100813.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0100910.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0100910.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101024.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101024.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101089.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101089.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\j44o0eh3eh4.dll
C:\WINDOWS\system32\j44o0eh3eh4.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\mkuni11.dll
C:\WINDOWS\system32\mkuni11.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\mlcpx32r.dll
C:\WINDOWS\system32\mlcpx32r.dll could not be deleted!
Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp could not be deleted!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{61B55382-35C4-40DD-86C7-985C31B78CD2}"
HKCR\Clsid\{61B55382-35C4-40DD-86C7-985C31B78CD2}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0730A7ED-4FB8-4A96-9DC4-11A3E4E078EF}"
HKCR\Clsid\{0730A7ED-4FB8-4A96-9DC4-11A3E4E078EF}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Järjestelmänvalvojat - Succeeded
Logfile of HijackThis v1.99.1
Scan saved at 15:05:18, on 12.6.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\oem\Työpöytä\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saastopankki.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SmartBee] C:\Program Files\SmartBee\SmartBee.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
Now it looks better!!
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 12.6.2006 14:59:11
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101096.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101097.dll
Infected! C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101098.dll
Infected! C:\WINDOWS\system32\dnn2015oe.dll
Infected! C:\WINDOWS\system32\o8lu0i39e8.dll
Infected! C:\WINDOWS\system32\pLqsp.dll
Infected! C:\WINDOWS\system32\whaudsdk.dll
Infected! C:\WINDOWS\system32\wuwfax.dll
Attempting to delete infected files...
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101096.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101096.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101097.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101097.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101098.dll
C:\System Volume Information\_restore{A56188C4-51A0-4A50-9274-8177F4D61676}\RP190\A0101098.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dnn2015oe.dll
C:\WINDOWS\system32\dnn2015oe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\o8lu0i39e8.dll
C:\WINDOWS\system32\o8lu0i39e8.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\pLqsp.dll
C:\WINDOWS\system32\pLqsp.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\whaudsdk.dll
C:\WINDOWS\system32\whaudsdk.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\wuwfax.dll
C:\WINDOWS\system32\wuwfax.dll Deleted successfully!
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Järjestelmänvalvojat - Succeeded
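The checks the helpers apply by eye in this thread (Run entries launched from the drive root, the O20 Winlogon Notify DLL, services with "Unknown owner", and the O18 "(file missing)" line that has to be verified before fixing), written out as an added example that is not part of the original posts. The function names and the "lead" / "verify-first" labels are this example's own assumptions; the sample lines are excerpted from the first and last HijackThis logs in the thread.

```python
import re

# Excerpts from the thread's first (10:27:30) and last (15:05:18) HijackThis logs.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\j0j60a1sed.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Window Debug Manager - Unknown owner - C:\WINDOWS\bugmgr.exe
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# Name and command of a Run-key autostart entry.
RUN_RE = re.compile(r"Run: \[(.+?)\] (.+)$")
# An .exe sitting directly in a drive root, e.g. C:\\defender25.exe
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+[^\\/:"]+\.exe\b', re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) tuples for every R/F/N/O line in a log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Label entries worth a closer look; a label is a lead, not a verdict."""
    findings = []
    for section, body in entries:
        run = RUN_RE.search(body) if section == "O4" else None
        if run and ROOT_EXE_RE.match(run.group(2)):
            findings.append(("lead", section, body))      # autostart from drive root
        elif section == "O20":
            findings.append(("lead", section, body))      # DLL loaded by winlogon
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(("lead", section, body))      # no vendor name on the service
        elif section == "O18" and body.endswith("(file missing)"):
            # Per the thread: often incorrectly reported, so check the file first.
            findings.append(("verify-first", section, body))
    return findings


def removed_between(before, after):
    """Entries present in the earlier scan and absent from the later one."""
    remaining = set(after)
    return [entry for entry in before if entry not in remaining]


if __name__ == "__main__":
    before, after = parse_entries(SCAN_BEFORE), parse_entries(SCAN_AFTER)
    for verdict, section, body in triage(before):
        print(f"{verdict:12} {section:4} {body}")
    print("\nGone from the registry in the later scan:")
    for section, body in removed_between(before, after):
        print(f"  {section} - {body}")
```

The ATI Smart service matches the "Unknown owner" rule although nobody in the thread treats it as malicious, and an entry disappearing from a later scan only shows that the registry reference is gone, not that the file was deleted.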