So, I got a tip that I might find help here for my problems... My computer has three problems at the moment..

1) The computer has been running really badly, so I ran an antivirus scan and it found the following: the file C:\WINDOWS\system32\rdriv.sys is infected with the Trojan.Cachecachekit virus. And the antivirus couldn't remove it...

2) Every so often a box pops up on the screen with a black background and the title C:\windows\system32\cmd.exe or something like that.. I haven't managed to read it properly, because the box is on screen for maybe a second and then disappears right away..

3) When I shut the computer down, a box appears saying that rundll32.exe is running, and I then have to end it several times before the computer shuts down...

Is this a completely hopeless situation, or can my computer still be made usable..? I'd be really grateful if someone could advise... Oh, and I was told to post this here too...

Logfile of HijackThis v1.99.1
Scan saved at 12:24:08, on 12.1.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\windows\banmanpro.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SXJra3U\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\axdcfasb.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\efeee.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\wvusp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Microsoft sdDDE Control] lladik.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinDLL (kky32.dll)] rundll32.exe C:\WINDOWS\System32\kky32.dll,start
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] lladik.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: efeee - C:\WINDOWS\System32\efeee.dll
O20 - Winlogon Notify: wvusp - C:\WINDOWS\SYSTEM32\wvusp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SXJra3U\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\axdcfasb.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Oh, and if help is available, please spell it out in plain terms so that I can actually do something with this computer... =)
There are some nasties in there, the rdriv.sys rootkit, Vundo etc., but we should be able to get it sorted.

First copy these instructions and save them to the desktop as a text file, or print them, because you may not have an internet connection during the fix.

Fix with HjT (do a system scan only, check these and press fix checked):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [WinDLL (kky32.dll)] rundll32.exe C:\WINDOWS\System32\kky32.dll,start
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] lladik.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SXJra3U\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\axdcfasb.exe

Then stop those services like this: Start -> Run -> services.msc -> OK. Find these in the list:
Command Service
Network Monitor
sdktemp
Double-click each of them, press Stop and set the startup type to "Disabled".

Get rdrivrem -> http://www.atribune.org/downloads/rdrivrem.zip
Extract it to the desktop.

Get ewido -> http://www.ewido.net/en/download/
Install it and update it.

Get VundoFix -> http://www.atribune.org/downloads/VundoFix.exe
Save it to the desktop. Double-click VundoFix.exe, which creates a Vundofix folder on the desktop.

Get Cleanup -> http://www.stevengould.org/software/cleanup/download.html and install it.

Show hidden files, instructions -> http://keskustelu.afterdawn.com/thread_view.cfm/248944

Boot into Safe Mode (press F8 during startup until a menu appears, and choose Safe Mode from it).

Delete these, if found:
C:\WINDOWS\System32\==>kky32.dll<==
C:\windows\==>enewsletterpro.exe<==
C:\windows\==>banmanpro.exe<==
c:\==>drsmartloadb.exe<==
C:\WINDOWS\System32\==>jbi32.dll<==
C:\WINDOWS\web\==>related.htm<==
C:\WINDOWS\==>SXJra3U<==
C:\Program Files\==>Network Monitor<==
C:\WINDOWS\==>axdcfasb.exe<==

Go to the rdrivrem folder and double-click rdrivRem.bat. Follow the instructions. When the fix is done, rdriv.txt will be in the rdrivRem folder.

Next open the Vundofix folder and double-click KillVundo.bat. A warning should appear on screen that looks like this. Press Enter.

Next you should see:
Next type the file location. Be careful to type it exactly right:
C:\WINDOWS\SYSTEM32\wvusp.dll
Press Enter.

Next you should see:
Next type the file location. Be careful to type it exactly right:
C:\WINDOWS\system32\psuvw.*
Press Enter.

HijackThis should now open; if it doesn't, open it yourself (do a system scan only). In HjT fix the following:

O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\efeee.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\wvusp.dll
O20 - Winlogon Notify: efeee - C:\WINDOWS\System32\efeee.dll
O20 - Winlogon Notify: wvusp - C:\WINDOWS\SYSTEM32\wvusp.dll

When you have fixed these, close HijackThis. Press Enter to exit the program.

Scan with ewido (complete system scan), let it remove what it finds and save the report.

Open Cleanup! Click "Options...". Go to "Custom CleanUp!". Check these:
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK. Press the CleanUp! button. **If it wants to log out or restart the computer, press NO.

Restart the computer.

Post a new HijackThis log, the contents of vundofix.txt (you'll find it in the vundofix folder), the ewido report and the contents of rdriv.txt (found in the rdrivRem folder).
Okay... I've now tried to fiddle with things (I'm honestly pretty hopeless with this computer)... Not everything went quite as it should have =) e.g. the Command Service status was "Started" when I last saw it, but Network Monitor and sdktemp were stopped.. But I couldn't change the Command Service status... Hopefully I've managed to do at least something right. Viruses keep flooding onto the computer, and Norton and ewido keep throwing up boxes all the time... But here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:24:41, on 12.1.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\efeee.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\wvusp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Microsoft sdDDE Control] lladik.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: efeee - C:\WINDOWS\System32\efeee.dll
O20 - Winlogon Notify: wvusp - C:\WINDOWS\SYSTEM32\wvusp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

vundofix.txt contents:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\SYSTEM32\wvusp.dll
The second filepath entered was C:\WINDOWS\system32\psuvw.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 440 'smss.exe'
Killing PID 1192 'explorer.exe'
Killing PID 1192 'explorer.exe'
Killing PID 1816 'rundll32.exe'
Killing PID 524 'winlogon.exe'
Killing PID 524 'winlogon.exe'
--------------------------------------------------------------------------------------
Could not delete C:\WINDOWS\SYSTEM32\wvusp.dll.
C:\WINDOWS\system32\psuvw.* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------

ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 19:12:12, 12.1.2006
+ Report-Checksum: 4A7284E7
+ Scan result:
C:\backups\backup-20060112-184047-602.dll -> Adware.Virtumonde : Cleaned with backup
C:\backups\backup-20060112-184157-153.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\c32.exe/rm32.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\c32.exe/dr32.exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Irina\Cookies\irina@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Irina\Cookies\irina@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Irina\Cookies\irina@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Irina\Cookies\irina@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Irina\Cookies\irina@web2.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Irina\dr32.exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0000fb24 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00013581 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00014d68 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0001b8a2 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0001c2b9 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp000209c4 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0008110a -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp000c23a1 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp000dbc4e -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0018c7d9 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp001a7d46 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp001dfeb2 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp002122c8 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp002d5335 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp002fe1dc -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp004aa06c -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp004ef1a5 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00503102 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0051fbcb -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00563b38 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp005d21b4 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp005d445d -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp006a6156 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00704188 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00746ec4 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0076e0a0 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp007ad3f6 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp007ba355 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0082f73b -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0084bce4 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00857127 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0086dc36 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0089c15b -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00951f20 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0095bdc0 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp0095e48f -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00ab1514 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00acbeb0 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00bf07fd -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00cb450d -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00cf855f -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00d88c5a -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00e97cbe -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00ef1397 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temp\tmp00ef4595 -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temporary Internet Files\Content.IE5\UUH3CM25\c32[1].zip/rm32.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Irina\Local Settings\Temporary Internet Files\Content.IE5\UUH3CM25\c32[1].zip/dr32.exe -> Downloader.Adload.j : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.l : Cleaned with backup
C:\drsmartloadb.exe -> Downloader.Adload.l : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\Download\mc32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\RECYCLER\S-1-5-21-790525478-1383384898-1060284298-1003\Dc4\command.exe -> Adware.CommAd : Cleaned with backup
C:\RECYCLER\S-1-5-21-790525478-1383384898-1060284298-1003\Dc5\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\WINDOWS\system32\awtut.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvsp.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\awvvw.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\byvur.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\byvvu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\c32.exe/mc32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\cbxur.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\cbxyw.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OP6VWLMB\c32[1].zip/mc32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1QR0PIF\drsmartload[1].exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1QR0PIF\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLQZ0XIR\drsmartloadb[1].exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLQZ0XIR\launcher[1].exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\ddabc.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\dr32.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\efcaa.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\efcde.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\fcyyx.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\gebcd.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\geecd.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\hgghf.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\iifcc.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\iifeb.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\iiijk.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\jkkli.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\khfed.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\khfff.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ljhih.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ljjkh.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mc32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\mljkj.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mllkh.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\mlllj.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\nnnmm.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\oppoo.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\pmkig.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\qomnl.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\qopml.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\rqrop.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ssqon.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\ssqqq.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\sstrr.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\tuvss.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\urqol.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\urspp.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\urssp.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\vtsro.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\vtsrq.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\wvusp.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\wvuuu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\xxyvu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\yabxu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\yayax.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\yaywx.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Temp\tmp0002309c -> Adware.Virtumonde : Cleaned with backup

::Report End

And the rdriv.txt contents:

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
rdriv.sys present!
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

Hopefully the stuff I threw in there was the right stuff... =)
Better already. Did you run rdrivrem and vundofix specifically in Safe Mode? Neither of them helps at all if you run them in normal mode. I'll now post instructions that put the computer in Safe Mode with 100% certainty.

The reason for those viruses is here:
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
So after this process, off to Windows Update, as already said.

Fix with HjT (do a system scan only, check and press fix checked):
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\wvusp.dll
O4 - HKLM\..\Run: [Microsoft sdDDE Control] lladik.exe
O20 - Winlogon Notify: wvusp - C:\WINDOWS\SYSTEM32\wvusp.dll
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe

Then stop that service -> MicroSoft Media Tools, like the earlier ones, via services.msc

Boot into Safe Mode (instructions below):
* Close all programs.
* Click Start -> Run -> msconfig and OK
* Select the BOOT.INI tab, check the "/SAFEBOOT" option, then click OK and restart the computer when asked
* The computer boots into Safe Mode
* In Safe Mode do the requested steps (i.e. delete the file and run KillVundo.bat).
* When you are done, go into msconfig again as above, uncheck "/SAFEBOOT" on the BOOT.INI tab and press OK, after which your computer boots normally.

Delete, if present:
C:\WINDOWS\==>MSmedia.exe<==

Next open the Vundofix folder and double-click KillVundo.bat
A warning should appear on the screen that looks like this.
Press Enter.
Next you should see:
Next type the file location. Be careful that you type it exactly right
C:\WINDOWS\System32\efeee.dll
Press Enter.
Next you should see:
Next type the file location. Be careful that you type it exactly right
C:\WINDOWS\System32\eeefe.*
Press Enter
Now HijackThis should open; if it doesn't open, open it yourself.

In HjT fix (do a system scan only, check and press fix checked):
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\efeee.dll
O20 - Winlogon Notify: efeee - C:\WINDOWS\System32\efeee.dll
When you have fixed these, close HijackThis.
Press Enter to exit the program.
Restart.

See whether you can find this:
C:\WINDOWS\system32\rdriv.sys
If it is found, do this:
Get KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip
Extract it, open it and tick Delete on Reboot
Then copy the line below
C:\WINDOWS\system32\rdriv.sys
Then in KillBox, at the top, File > Paste from Clipboard
After that press Delete (the red one with a white X)
Answer yes to the questions, and if the computer doesn't restart by itself, restart it.

Post a new HjT log and the contents of vundofix.txt (you'll find it in the vundofix folder)
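A small triage helper, added here as an example; it is not code from the thread's helper or from any of the tools named above (HijackThis, VundoFix, KillBox). It splits a HijackThis log that the forum flattened onto one line back into entries and flags the ones matching what the helper told the poster to fix; the indicator file names are the ones quoted in this thread, and the sample log is constructed from its entries.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: five HijackThis entries from this thread, flattened
# onto one line the way the forum software did it.
SAMPLE_LOG = (
    "O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB}"
    " - C:\\WINDOWS\\System32\\efeee.dll "
    "O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872}"
    " - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll "
    "O4 - HKLM\\..\\Run: [Microsoft sdDDE Control] lladik.exe "
    "O20 - Winlogon Notify: wvusp - wvusp.dll (file missing) "
    "O23 - Service: MicroSoft Media Tools - Unknown owner - C:\\WINDOWS\\MSmedia.exe"
)

# File names the helper in this thread told the poster to remove or fix.
INDICATOR_NAMES = {"efeee.dll", "wvusp.dll", "lladik.exe", "msmedia.exe", "rdriv.sys"}

# Every entry starts with a section code (R0..R3, O2, O20, O23 ...) and " - ".
ENTRY_START = re.compile(r"(?=\b(?:R[0-3]|O\d{1,2}) - )")
FILE_NAME = re.compile(r"[\w~.-]+\.(?:dll|exe|sys|ocx)", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    text: str
    reasons: list = field(default_factory=list)


def parse_log(flat: str) -> list:
    """Split a flattened HijackThis log into its entries."""
    chunks = [c.strip() for c in ENTRY_START.split(flat) if c.strip()]
    return [Entry(c.split(" - ", 1)[0], c) for c in chunks]


def triage(flat: str) -> list:
    """Return only the entries that deserve a second look, with reasons."""
    flagged = []
    for entry in parse_log(flat):
        names = {m.group(0).lower() for m in FILE_NAME.finditer(entry.text)}
        if names & INDICATOR_NAMES:
            entry.reasons.append("matches an indicator named in this thread")
        if "(file missing)" in entry.text:  # leftover reference to a deleted file
            entry.reasons.append("orphaned reference, fix in HjT")
        if entry.code == "O23" and "Unknown owner" in entry.text:
            entry.reasons.append("service with no publisher")
        if entry.reasons:
            flagged.append(entry)
    return flagged
```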
Right then.. a bit more fine-tuning done again... C:\WINDOWS\system32\rdriv.sys -> not found, is that bad?

vundofix.txt contents

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\System32\efeee.dll
The second filepath entered was C:\WINDOWS\System32\eeefe.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 448 'smss.exe'
Killing PID 1176 'explorer.exe'
Killing PID 1176 'explorer.exe'
Killing PID 1832 'rundll32.exe'
Killing PID 528 'winlogon.exe'
--------------------------------------------------------------------------------------
C:\WINDOWS\System32\efeee.dll Deleted sucessfully.
C:\WINDOWS\System32\eeefe.* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------

and the newest HjT log

Logfile of HijackThis v1.99.1
Scan saved at 21:18:22, on 12.1.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\wvusp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Microsoft sdDDE Control] lladik.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: wvusp - wvusp.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Can anything more be made out from those... oh, and I fetched those automatic updates, but is it better to let the computer download and install them itself, or let it download them and then install them myself?
That's good if it isn't found.

Boot the computer into Safe Mode as I advised earlier (i.e. via msconfig).

Fix these with HjT (do a system scan only, check and press fix checked):
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\wvusp.dll (file missing)
O4 - HKLM\..\Run: [Microsoft sdDDE Control] lladik.exe
O20 - Winlogon Notify: wvusp - wvusp.dll (file missing)

Restart the computer and post a new HjT log.

Just let it download and install those updates itself.
Right then... a new day and new tricks =) here's that HjT log..

Logfile of HijackThis v1.99.1
Scan saved at 17:58:17, on 13.1.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137098706787
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Being a diligent girl, I went and downloaded those updates, but then that joy ended when the computer couldn't install Service Pack 2, because there was something wrong with the product key or it wasn't accepted or something; anyway, I couldn't get it installed... am I in deep trouble now? =)
And if it is legal, it's worth calling Microsoft support and demanding reactivation of the product key.
Well, I at least paid the shop for that OS.. I guess I'll have to start ringing that support line.. So should my computer be fine now? If I hadn't done all those things in Safe Mode that should have been done, would it have been noticed by now? =)
Norton Antivirus reports that the computer has the virus "Trojan.Vundo" and I can't get rid of it by any means... Norton can't remove it, nor can the removal tool available from Symantec's site. Object name C:\WINDOWS\syste32\ljhif.dll
@pAy Post an HjT log; you can get the program here -> http://koti.mbnet.fi/pattaya1/HijackThis.exe . Save it to the folder c:\hjt\, start it, click do a system scan and save a logfile, and post the log here. Start your own new thread and put your log there.