ongelmia; windows firewall ym. HJT

kara · May 16, 2006

Hei
Kotikone meni sekaisin, kaapatuksi luulen.
Safemodessa spy-bot ja ad-ware löytävät ja poistavat vaikka mitä, mutta heti kun avaan normaalitilassa on kone taas tukossa. Osa ongelmaa on se etten saa windowsin palomuuria päälle; antaa ilmoituksen: "Virhe 1060; Palvelua ei asennettu"/ (error 1060: The specified service does not exist as an installed service). Aiemmin palomuuri ollut kyllä päällä.

Asensin ja hijackthis-ohjelman. Ohessa logi. En onnistunut poistamaan (tulivat takaisi)O1-kohdan vieraita (?) hosteja. Pystyisikö kukaan antamaan hyviä vinkkejä mitä tehdä?
MS Internet Exploreria en onnistunut päivittämään (SP2).

___________________________________
Logfile of HijackThis v1.99.1
Scan saved at 18:23:28, on 16.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\winrnt.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\WINDOWS\System32\7da9422e.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Windows\xpupdate.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv3.fi/uutiset/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mxjut.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: Class - {569F191B-24D3-6830-313D-6EC509405F3B} - C:\WINDOWS\system32\appxq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [netss.exe] C:\WINDOWS\netss.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp" /m
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\syswp.exe
O4 - HKLM\..\Run: [sdkom32.exe] C:\WINDOWS\system32\sdkom32.exe
O4 - HKLM\..\Run: [iexh32.exe] C:\WINDOWS\iexh32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [atlti32.exe] C:\WINDOWS\atlti32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch08.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

-kemisti- · May 17, 2006

Siinä on aika paljonkin vikaa.

Kokeillaas tätä:

Tulosta ensin nämä ohjeet. Internet Explorer täytyy olla suljettuna koko prosessin ajan.

Lataa Intermuten CWShredder:
http://cwshredder.net/bin/CWShredder.exe
Tallenna se työpöydälle, mutta ÄLÄ aja sitä vielä.

Lataa About:Buster:
http://www.malwarebytes.org/AboutBuster.zip
Pura se työpöydälle, käynnistä, klikkaa Check for Updates, ja päivitä, mutta ÄLÄ skannaa vielä.

Päivitä ewido, mutta ÄLÄ skannaa vielä.

Lataa Hoster http://www.funkytoad.com/download/hoster.zip
[*]Pura Hoster sopivaan kansioon, kuten C:\Hoster
Älä käytä sitä vielä.

Lataa Atribunen ATF Cleanerhttp://www.atribune.org/ccount/click.php?id=1 ja tallenna työpöydälle
Älä käytä sitä vielä.

Käynnistä kone vikasietotilaan seuraavien ohjeiden mukaisesti:
1) Käynnistä tietokone
2) Kun kuulet koneen piippaavan, paina F8, kuitenkin ennen Windowsin logon esiintuloa
3) Seuraavaksi pitäisi ilmestyä valikko
4) Valitse valikosta vikasietotila.

Vikasietotilassa käynnistä CWShredder ja paina Fix.

Käynnistä About:Buster ja paina Start. Jos kysytään, haluatko lopettaa Explorer.exe-prosessin, paina Yes. Työpöytä voi hävitä, se on normaalia. . Skannaa kahdesti ja kun valmis, klikkaa "Save Log". Tämä luo lokin "AB Logfile.txt" siihen kansioon, mihin about:buster on tallennettu.

Poista, jos löytyy:

C:\WINDOWS\nsjxt.dll
C:\WINDOWS\system32\mxjut.dll
c:\secure32.html
C:\WINDOWS\inet20001
C:\WINDOWS\system32\winbrume.dll
C:\WINDOWS\netss.exe
C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp
C:\WINDOWS\syswp.exe
C:\WINDOWS\system32\sdkom32.exe
C:\WINDOWS\iexh32.exe
C:\WINDOWS\atlti32.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\svch08.dll
C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll

Tupla-klikkaa ATF-Cleaner.exe käynnistääksesi ohjelman.

Main:n alla valitse: Select All
Klikkaa Empty Selected valintaa.
Jos käytät FireFoxia selaimenasi Klikkaa Firefox yläpuolelta ja valitse: Select All
Klikkaa Empty Selected valintaa.
HUOMIO: Jos haluaisit pitää tallennetut salasanasi, klikkaa No kun se sitä kysyy.
Jos käytät Operaa selaimenasi
Klikkaa Opera yläpuolelta ja valitse: Select All
Klikkaa Empty Selected valintaa taas.
HUOMIO: Jos haluaisit pitää tallennetut salasanasi, klikkaa No kun se sitä kysyy.
Klikkaa Exit päävalikosta sulkeaksesi ohjelman.

Aja ewido linkin ohjeiden mukaisesti ja tallenna raportti.

Lopuksi, käynnistä HijackThis, klikkaa do a system scan only ja merkkaa nämä rivit:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mxjut.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsjxt.dll/sp.html#63796
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [netss.exe] C:\WINDOWS\netss.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\Karri\LOCALS~1\Temp\3.tmp" /m
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\syswp.exe
O4 - HKLM\..\Run: [sdkom32.exe] C:\WINDOWS\system32\sdkom32.exe
O4 - HKLM\..\Run: [iexh32.exe] C:\WINDOWS\iexh32.exe
O4 - HKLM\..\Run: [atlti32.exe] C:\WINDOWS\atlti32.exee
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch08.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll

Sulje kaikki muut ohjelmat ja ikkunat paitsi HijackThis ja paina Fix Checked.

[*]Aja Hoster.exe sen uudesta kansiosta
[*]Klikkaa "Make Hosts Writable?" oikeassa yläkulmassa (jos toiminnassa)
[*]Klikkaa "Restore Original Hosts" ja sitten klikkaa OK
[*]Sulje Hoster
Huomaa; JOS käytit mukautettuja Hosts-filuja, sinun täytyy laittaa yksikin niistä riveistä itse takaisin.

Käynnistä kone normaalisti, lähetä HijackThis-logi ja AboutBusterin ja Ewidon lokit.

kara · May 17, 2006

Ok. Tein työtä käskettyä.
Ohessa logeja (HJT x2, AboutBuster ja ewido);

HJT #1 (ajettu safemodessa ko. järjetyksessä):
_____________________________________
Logfile of HijackThis v1.99.1
Scan saved at 15:44:24, on 17.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv3.fi/uutiset/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147795263703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147795247984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\lhoalgai.dll
O21 - SSODL: hksrv.dll - {ECF668FE-6AC2-437A-9E36-2168EA8A36C0} - hksrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

*************************
AboutBuster:
___________________
AboutBuster 6.01
Scan started on [17.5.2006] at [15:08:19]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 15:08:58

AboutBuster 6.01
Scan started on [17.5.2006] at [15:09:39]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 15:10:11

********************
Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:34:41, 17.5.2006
+ Report-Checksum: A7E10F00

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2A7363DF-C45A-5954-477D-0C78AF4A207C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{569F191B-24D3-6830-313D-6EC509405F3B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87} -> Downloader.Fugif : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{569F191B-24D3-6830-313D-6EC509405F3B} -> Adware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Anna\Cookies\anna@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temp\Cookies\lina@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temp\maxdd1.game -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temp\vxt2.game -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temporary Internet Files\Content.IE5\2PXEJ6XO\install[1].js -> Downloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temporary Internet Files\Content.IE5\BDM64ZDK\zAKgUL1qb9E3o[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Lina\Local Settings\Temporary Internet Files\Content.IE5\PRNF194E\xpl[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Sari\Local Settings\Temp\B.tmp -> Dropper.Small.na : Cleaned with backup
C:\Documents and Settings\Sari\Local Settings\Temp\vxt2.game -> Trojan.Small : Cleaned with backup
C:\ms32.tmp -> Downloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\cpebopjk.exe -> Proxy.Wopla.r : Cleaned with backup
C:\WINDOWS\system32\dmpiiccm.dll -> Proxy.Wopla.s : Cleaned with backup
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\srshost.exe -> Proxy.Agent.hy : Cleaned with backup
C:\WINDOWS\winexec.exe -> Downloader.Agent.ts : Cleaned with backup

::Report End

****************************

ja vielä uusi HJT logi (ajettu rebootin jälkeen normaalitilassa). Jotain ilmeisesti vielä jäänyt, kun nuo vieraat hostit ilmaantui takaisin O1-kohtaan??
_____________
Logfile of HijackThis v1.99.1
Scan saved at 16:03:59, on 17.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\cmd.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\7da9422e.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\winrnt.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147795263703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147795247984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\lhoalgai.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

-kemisti- · May 17, 2006

Sitten katotaan vähän tarkemmin:

Lataa ja tallenna http://www.f-secure.com/blacklight/try.shtml Blacklight työpöydällesi;

Tupla-klikkaa blbeta.exe, hyväksy sopimus, klikkaa > Scan, sitten > Next

Näet listan kaikesta mitä löytyi. Työpöydällesi myös ilmestyy loki jonka nimi on fsbl.xxxxxxx.log (xxxxxxx;n tilalla on luultavimmin numeroita).

Kopioi ja liitä tämä loki seuraavaan vastaukseesi. Älä valitse "Rename" optiota vielä! Haluamme nähdä login ensin, koska hyviä tiedostoja saattaa olla mukana, kuten "wbemtest.exe".

kara · May 17, 2006

Tässä blbeta logi:

05/17/06 17:10:52 [Info]: BlackLight Engine 1.0.36 initialized
05/17/06 17:10:52 [Info]: OS: 5.1 build 2600 (Service Pack 1)
05/17/06 17:10:52 [Note]: 7019 4
05/17/06 17:10:52 [Note]: 7005 0
05/17/06 17:11:00 [Note]: 7006 0
05/17/06 17:11:00 [Note]: 7011 1304
05/17/06 17:11:00 [Note]: 7026 0
05/17/06 17:11:00 [Note]: 7026 0
05/17/06 17:11:00 [Note]: 7024 3
05/17/06 17:11:00 [Info]: Hidden process: C:\WINDOWS\System32\prsvc.exe
05/17/06 17:11:01 [Note]: FSRAW library version 1.7.1015
05/17/06 17:15:15 [Info]: Hidden file: c:\WINDOWS\system32\dfcpr.dll
05/17/06 17:15:15 [Note]: 10002 1
05/17/06 17:15:28 [Info]: Hidden file: C:\WINDOWS\System32\prsvc.exe
05/17/06 17:15:28 [Note]: 10002 1
05/17/06 17:15:32 [Info]: Hidden file: c:\WINDOWS\system32\hksrv.dll
05/17/06 17:15:32 [Note]: 10002 1

-kemisti- · May 17, 2006

No niin, jotain oli piilossa

Tarkista nämä:

C:\WINDOWS\System32\prsvc.exe
c:\WINDOWS\system32\dfcpr.dll
c:\WINDOWS\system32\hksrv.dll

täällä -> http://www.virustotal.com/flash/index_en.html

ja lähetä tulokset tänne.

Jos et löydä niitä selaamalla, niin syötä tuo polku siihen kenttään, joka on Selaa...-painikkeen vasemmalla puolella.

kara · May 18, 2006

Moi
Ei suostu avaamaan www.virustotal.com -sivustoa; työntää vaan puppua:

‹ÍYënÛ8þÝ}Ž˜¤X[’/I›Äö M²ÓI;˜d:;¿Z¢-62©Š”Ï¢´�·o°ç�ÔÅ·\°;ƒMQ[æå\xnß¡ß�:»ùýç ’èYJ~þõÝå‡3âµƒà·ÞYœßœ“¼¿¹º$?$79Šk.Mƒàâ£G¼Dëì8‹…¿èù2Ÿ7¿÷H«ƒ›Ýc[7vú±Ž½Ñ«—Ã1¥b:ô˜òÈý,j¸…bçèèÈÂmd�0ãh®S6úüá—_¯o>Ýœ^’6ù{Îù$R.ùÌóB*brEÓÍ¹Ž¨vÛ«—¯^¾

Päivällä virustotal-sivut näytti hieman toiselta, kun katsoin työkoneelta.

-kemisti- · May 18, 2006

Kokeile sitten tätä palvelua -> http://virusscan.jotti.org/
ja lähetä tulokset.

kara · May 18, 2006

No niin, ohessa tulokset. Kaikista 3 tiedostosta löytyi jotakin.

***************************
File: prsvc.exe
Status: INFECTED/MALWARE
MD5 930fdb6f69363e14c2873b303135fe2a
Packers detected: UPX
Scanner results
AntiVir Found Heuristic/Hijacker (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found W32/Cvsr.A!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* Decompressing UPX.
* Accesses executable file from resource section.
* File length: 35840 bytes.

[ Changes to filesystem ]
* Creates file C:\Windows\system32\prsvc.exe.
* Creates file C:\WINDOWS\SYSTEM32\dfcpr.dll.
* Creates file C:\WINDOWS\SYSTEM32\hksrv.dll.
* Deletes file .

[ Changes to registry ]
* Sets value "MBRunFrom"="C:\SAMPLE.EXE " in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Sets value "hksrv.dll"="{000000-0000-000000" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad".
* Creates key "HKCR\CLSID\{000000-0000-000000\InProcServer32".
* Sets value "default"="hksrv.dll" in key "HKCR\CLSID\{000000-0000-000000\InProcServer32".
* Sets value "MBVersion"="6.9" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Deletes value "MBRunFrom" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Creates key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".

[ Process/window information ]
* Creates a mutex T-55C75D8-93V3-429R-E13E-566C206D898A.
* Enumerates running processes.
* Modifies other process memory.
* Creates a remote thread.
* Creates a mutex R-45G75B8-93K3-429F-H13E-730C206D898A.
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Spambot

*************************

File: dfcpr.dll
Status: INFECTED/MALWARE
MD5 1a5e917c49c3463605572bd9fdbd8174
Packers detected: PE-CRYPT.XORPE, UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

****************************

File: hksrv.dll
Status: INFECTED/MALWARE
MD5 74538e6232d3ca0959cdec42e5c9413f
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Agent.Hp.A27
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Spambot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

************************************

-kemisti- · May 18, 2006

Jep, kaikki ovat örkkejä

Nyt ne lähtee pois:

Sammuta ensin Microsoft Antispyware ettei se estä fixejä:

1. Klikkaa Microsoft Anti-Spyware-kuvaketta tehtäväpalkissa [se on punainen, jossa keltainen häränsilmä].
2. Klikkaa "Security Agents Status".
3. Klikkaa "Disable real-time protection".

Klikkaa Microsoft Anti-Spyware-kuvaketta tehtäväpalkissa hiiren oikealla

1. Klikkaa Options -> Settings.
2. Vasemmalla klikkaa "Real Time Protection".
3. Startup Options-kohdassa, ota rasti pois "Enable (MSAS) Security Agents on startup (recommended)"-kohdasta.
4. Real-time spyware threat protection-kohdassa ota rasti pois "Enable real-time spyware threat protection" (recommended)-kohdasta.
5. Klikkaa Save ja sulje Microsoft AntiSpyware.

Lopuksi klikkaa MSAS-kuvaketta tehtäväpalkissa hiiren oikealla ja valitse "Shutdown Microsoft Antispyware"

Käynnistä HijackThis, klikkaa do a system scan only ja merkkaa nämä rivit:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\System32\brmfrsmq.exe
O4 - HKCU\..\Run: [7da9422e.exe] C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\lhoalgai.dll

Hae KillBox

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Pura,avaa ja täppi kohtaan Delete on Reboot
Sitte kopioi rivit tosta alapuolelta yhellä kertaa

C:\WINDOWS\System32\prsvc.exe
c:\WINDOWS\system32\dfcpr.dll
c:\WINDOWS\system32\hksrv.dll
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\Documents and Settings\Karri\Local Settings\Application Data\7da9422e.exe
C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll
C:\WINDOWS\System32\lhoalgai.dll
c:\secure32.html

Sitten KillBoxissa ylhäältä File > Paste from Clipboard
Valitse "All Files".Sen jälkeen paina Delete (punainen, jossa on valkonen X)
Vastaa myöntävästi kysymyksiin ja jos kone ei itestään käynnisty uudestaan,niin käynnistä se.

Lähetä sen jälkeen uus HijackThis-logi.

kara · May 18, 2006

Tässä uusi hjt-log. Ainakin nuo 01:n vieraat hostit tuli takaisin, vaikka poistin hjt:lla.

**************************************
Logfile of HijackThis v1.99.1
Scan saved at 18:35:29, on 18.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147795263703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147795247984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll (file missing)
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O21 - SSODL: hksrv.dll - {ECF668FE-6AC2-437A-9E36-2168EA8A36C0} - hksrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

-kemisti- · May 18, 2006

Suurin osa lähti, hyvä.

Tarkista tämä -> C:\WINDOWS\System32\winrnt.exe
täällä -> http://virusscan.jotti.org/ tai täällä ->
http://www.virustotal.com/flash/index_en.html
ja lähetä tulokset

kara · May 18, 2006

jotti.org ilmoittaa winrnt.exe:stä (13kt):
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Virustotal.com ei vieläkään aukea.

-kemisti- · May 18, 2006

Jatketaan.

Fixaa nämä:

O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Tiedostot\Settings\20242402.dll (file missing)
O21 - SSODL: hksrv.dll - {ECF668FE-6AC2-437A-9E36-2168EA8A36C0} - hksrv.dll (file missing)

Avaa KillBox ja täppi kohtaan Delete on Reboot
Sitte kopioi rivi tosta alapuolelta

C:\WINDOWS\System32\winrnt.exe

Sitten KillBoxissa ylhäältä File > Paste from Clipboard
Valitse "All Files".Sen jälkeen paina Delete (punainen, jossa on valkonen X)
Vastaa myöntävästi kysymyksiin ja jos kone ei itestään käynnisty uudestaan,niin käynnistä se.

Lähetä sen jälkeen uus HijackThis-logi.

kara · May 18, 2006

Tässä tuore logi. Sitkeässä tuntuu olevan...

***********************************
Logfile of HijackThis v1.99.1
Scan saved at 21:02:04, on 18.5.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Norman\NVC\BIN\ZANDA.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 66.180.173.39 www.google.ie www.google.co.uk google.co.jp search.msn.be www.google.gm www.google.tm www.google.pt
O1 - Hosts: 66.180.173.39 google.rw google.com search.msn.dk google.com.sg www.google.lu beta.search.msn.co.uk au.search.yahoo.com
O1 - Hosts: 66.180.173.39 google.co.ug beta.search.msn.no beta.search.msn.co.za beta.search.sympatico.msn.ca www.google.pl google.com.ar google.com.cu
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com beta.search.msn.be www.google.com.ec www.google.com.au www.google.co.ve www.google.sh www.google.vg
O1 - Hosts: 66.180.173.39 www.google.com.ni search.msn.ch google.ro uk.search.msn.com google.com.sa beta.search.xtramsn.co.nz google.sk
O1 - Hosts: 66.180.173.39 google.co.ls www.google.com.py google.gg google.it google.com.nf www.google.li google.com.mx
O1 - Hosts: 66.180.173.39 google.com.np www.google.com.np www.google.gl google.fm www.google.am www.google.com.ag google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pr google.com.ni beta.search.msn.it google.se google.pt search.msn.de google.sm
O1 - Hosts: 66.180.173.39 www.google.com.pa google.fi google.com.fj www.google.ru beta.search.msn.dk ca.search.yahoo.com google.cg
O1 - Hosts: 66.180.173.39 www.google.com.nf google.co.uk www.google.com.tw www.google.co.kr google.com.ua www.google.co.hu google.com.na
O1 - Hosts: 66.180.173.39 www.google.com beta.search.msn.fr www.google.ci search.msn.it search.sympatico.msn.ca google.com.tw mx.search.yahoo.com
O1 - Hosts: 66.180.173.39 search.msn.no www.google.com.mt www.google.fr www.google.com.fj google.tm beta.search.msn.de beta.search.msn.se
O1 - Hosts: 66.180.173.39 www.google.com.sa www.google.cd google.ms google.lu www.google.co.cr google.co.hu google.lt
O1 - Hosts: 66.180.173.39 www.google.com.ly www.google.com.uy google.co.kr beta.search.msn.es www.google.sm toolbar.search.msn.com google.com.pk
O1 - Hosts: 66.180.173.39 google.de google.com.gr google.nl www.google.it beta.search.msn.com.sg www.google.com.vc search.msn.fi
O1 - Hosts: 66.180.173.39 google.az search.msn.nl google.com.ly google.com.au google.ae www.google.com.sg www.google.rw
O1 - Hosts: 66.180.173.39 search.msn.co.uk www.google.com.tr google.co.nz search.msn.at google.dj google.com.mt www.google.com.co
O1 - Hosts: 66.180.173.39 google.dk www.google.com.gi google.cd google.gl www.google.lv google.ci ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 beta.search.msn.at google.co.ve search.msn.fr www.google.com.my google.com.sv www.google.as www.google.co.ug
O1 - Hosts: 66.180.173.39 search.msn.com www.google.at www.google.ca www.google.com.ua beta.search.msn.co.in google.com.hk google.com.co
O1 - Hosts: 66.180.173.39 google.cl www.google.com.vn www.google.co.in google.lv www.google.fi google.ch www.google.az
O1 - Hosts: 66.180.173.39 www.google.nl google.com.py google.com.gt search.ninemsn.com.au search.yahoo.com google.bi www.google.mn
O1 - Hosts: 66.180.173.39 www.google.com.sv google.at www.google.ch google.ru www.google.com.ph www.google.be google.as
O1 - Hosts: 66.180.173.39 google.tt google.gm www.google.bi www.google.com.do google.ie google.hn www.google.ae
O1 - Hosts: 66.180.173.39 search.msn.se ct.search.yahoo.com www.google.sk beta.search.ninemsn.com.au google.com.ag www.google.td google.vg
O1 - Hosts: 66.180.173.39 www.google.off.ai www.google.com.gr www.google.ms google.com.tr google.sh google.co.ke google.com.br
O1 - Hosts: 66.180.173.39 google.co.cr www.google.com.na www.google.hn google.es uk.search.yahoo.com google.am beta.search.msn.com
O1 - Hosts: 66.180.173.39 google.pn google.co.je www.google.de www.google.com.hk br.search.yahoo.com www.google.com.mx www.google.ro
O1 - Hosts: 66.180.173.39 search.msn.com.sg www.google.tt google.ca google.be google.com.do search.msn.co.in www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.cu google.td www.google.cg google.co.in google.fr google.com.vn www.google.co.th
O1 - Hosts: 66.180.173.39 google.com.vc google.no www.google.uz search.xtramsn.co.nz www.google.mu google.com.pr it.search.yahoo.com
O1 - Hosts: 66.180.173.39 www.google.fm www.google.com.ar www.google.es google.li google.co.il de.search.yahoo.com search.msn.co.za
O1 - Hosts: 66.180.173.39 google.com.gi google.uz www.google.com.pe google.kz google.mw www.google.co.il www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.dk google.off.ai google.com.ec www.google.co.ke www.google.pn www.google.se google.com.ph
O1 - Hosts: 66.180.173.39 www.google.dj beta.search.msn.ch beta.search.msn.nl www.google.co.ls google.mu cf.search.yahoo.com google.mn
O1 - Hosts: 66.180.173.39 www.google.co.nz beta.search.msn.fi google.com.uy www.google.cl google.co.th www.google.kz www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.mw www.google.com.br google.pl google.com.my www.google.gg espanol.search.yahoo.com search.msn.es
O1 - Hosts: 66.180.173.39 www.google.no google.com.pe www.google.com.gt www.google.lt auto.search.msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147795263703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147795247984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

-kemisti- · May 18, 2006

Hyvin sitkeässä. Nimittäin tuo tiedosto ei lähtenyt -> joku muu örkki pidättelee sitä.

Ajapa ensi alkuun tuo Blacklight uudestaan ja lähetä sen loki tänne.

kara · May 18, 2006

Eilen illalla ajoin mm. blacklightin, eikä se löytänyt mitään.

Cwshredder sen sijaan löytää toistuvasti CWS.Bootconf (variant 2) ja CWS.Svchost32 (variant 7) örkit; tulevat heti takaisin vaikka shredder ne poistaakin.

Lisäksi ajoin ewidon (normaalitilassa) ja se löysi n. 60 (!) örkkiä.

-kemisti- · May 19, 2006

Seuraavaksi sitten tämä:

Imuroi winpfind täältä:
http://www.bleepingcomputer.com/files/winpfind.php
Pura zippi c:\WinPFind-kansioon
Buuttaa vikasietoon ja tuplaklikkaa WinPFind.exe
Paina nappia start scan
Odota kunnes se kertoo olevansa valmis ja sen loki aukee
Sitte buuttaa takas normaalitilaan ja laita tänne c:\WinPFind\WinPFind.txt:n sisältö

EDIT: Ja jos tallensit sen ewidon raportin, niin lähetä se ihmeessä tänne.

kara · May 19, 2006

Ohessa winpfind-logi.

Eilistä ewido logia ei ole. Ajoin ewidon äsken uudelleen; ei löytänyt mitään.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 16.9.2002 15:00:00 41113 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 12.5.2006 14:40:08 64492 C:\WINDOWS\SYSTEM32\ipod.raw.exe
PTech 14.2.2006 9:20:14 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6.7.2005 19:26:32 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6.7.2005 19:26:32 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 16.9.2002 15:00:00 635392 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 16.9.2002 15:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
FSG! 11.5.2006 17:21:12 RH 10301 C:\WINDOWS\SYSTEM32\win_lcb.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
19.5.2006 15:54:26 S 2048 C:\WINDOWS\bootstat.dat
11.5.2006 9:20:50 H 0 C:\WINDOWS\inf\oem13.inf
16.5.2006 19:01:44 H 0 C:\WINDOWS\inf\oem14.inf
11.5.2006 17:21:12 RH 10301 C:\WINDOWS\system32\win_lcb.exe
19.5.2006 15:54:22 H 8192 C:\WINDOWS\system32\config\default.LOG
19.5.2006 15:54:36 H 1024 C:\WINDOWS\system32\config\SAM.LOG
19.5.2006 15:54:28 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
19.5.2006 15:54:50 H 143360 C:\WINDOWS\system32\config\software.LOG
19.5.2006 15:54:50 H 966656 C:\WINDOWS\system32\config\system.LOG
11.5.2006 9:20:56 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
19.5.2006 15:53:46 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 16.9.2002 15:00:00 67584 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 18.6.2003 15:14:48 8605696 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 16.9.2002 15:00:00 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Conexant Systems 16.7.2001 4:37:46 316416 C:\WINDOWS\SYSTEM32\csacpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 16.9.2002 15:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 16.9.2002 15:00:00 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29.8.2002 13:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 10.10.2005 17:29:28 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 16.9.2002 15:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 16.9.2002 15:00:00 561152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 16.9.2002 15:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 16.9.2002 15:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 16.9.2002 15:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 16.9.2002 15:00:00 109568 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 30.3.2000 20:00:32 250880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 16.9.2002 15:00:00 268800 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 16.9.2002 15:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 16.9.2002 15:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26.5.2005 4:16:30 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 67584 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 16.9.2002 15:00:00 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 16.9.2002 15:00:00 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 16.9.2002 15:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 16.9.2002 15:00:00 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 16.9.2002 15:00:00 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29.8.2002 13:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 16.9.2002 15:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 16.9.2002 15:00:00 561152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 16.9.2002 15:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 16.9.2002 15:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 16.9.2002 15:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 16.9.2002 15:00:00 109568 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 16.9.2002 15:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 16.9.2002 15:00:00 268800 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 16.9.2002 15:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 16.9.2002 15:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6.9.2003 3:36:56 HS 84 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini
16.12.2003 5:52:22 1791 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\InterVideo WinCinema Manager.lnk
10.11.2005 19:23:10 763 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\Picture Package Menu.lnk
10.11.2005 19:23:04 813 C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\Picture Package VCD Maker.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5.9.2003 18:30:58 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
6.9.2003 3:36:56 HS 84 C:\Documents and Settings\Karri\Käynnistä-valikko\Ohjelmat\Käynnistys\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5.9.2003 18:30:58 HS 62 C:\Documents and Settings\Karri\Application Data\desktop.ini
7.2.2006 15:16:10 560 C:\Documents and Settings\Karri\Application Data\ViewerApp.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
E3003 FI = IEAKElisa Internet

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NVC
{D5507020-DB45-11d1-A5F0-00600872F78D} = C:\NORMAN\Nvc\BIN\NVCSE.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Käynnistä-valikon nasta = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NVC
{D5507020-DB45-11d1-A5F0-00600872F78D} = C:\NORMAN\Nvc\BIN\NVCSE.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\NVC
{D5507020-DB45-11d1-A5F0-00600872F78D} = C:\NORMAN\Nvc\BIN\NVCSE.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Yahoo! Toolbar Helper = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Päivän vihje = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Etsintäpalkki = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media-palkki = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
Tiedostojen etsintä -Explorer-palkki = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Lähiosoite : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Linkit : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIModeChange Ati2mdxx.exe
Wizard
ATIPTA C:\ATI-CPanel\atiptaxx.exe
SoundMan SOUNDMAN.EXE
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
HP Software Update C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
InCD C:\Program Files\Ahead\InCD\InCD.exe
Norman ZANDA C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678 a
winrnt.exe C:\Program Files\Common Files\System\winrnt.exe
brmfrsmq C:\WINDOWS\System32\brmfrsmq.exe
ZPoint C:\WINDOWS\System32\winmuse.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallpaper 0
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
ClassicShell 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
Muumit4 {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} = C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
ewidosecuritysuite {FFDAFC46-4058-DB0E-7576-A470BB733BED} = C:\Program Files\ewido\security suite\german.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = C:\WINDOWS\System32\idbg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 19.5.2006 15:58:51

-kemisti- · May 19, 2006

Tästä olikin apua

Tehdään näin:

Ota nettipiuha pois päältä
Fixaa ne O1-rivit HjT:llä.

Sitten:

1. Lataa http://swandog46.geekstogo.com/avenger.zip
The Avenger (c)työpöydällesi.
[*]Klikkaa Avenger.zip filua avataksesi sen.
[*]Pura Avenger.exe työpöydällesi.

2. Kopioi kaikki teksti mustalla lainausboksissa alapuolella tyhjälle muistiolle(alkaen files to delete):

Files to delete:
C:\Program Files\Common Files\System\winrnt.exe
C:\WINDOWS\System32\winrnt.exe
C:\WINDOWS\System32\brmfrsmq.exe
C:\WINDOWS\System32\winmuse.exe

Click to expand...

Huomaa: yläpuolella oleva skripti on luotu erityisesti tälle käyttäjälle. Jos et ole tämä henkilö, ÄLÄ seuraa näitä ohjeita koska ne voisivat pilata koneesi toimintoja.]

3. Nyt, aukaise The Avenger tupla-klikkaamalla sen kuvaketta pöydälläsi.
[*]"Script file to execute" alapuolelta valitse "Input Script Manually".
[*]Nyt klikkaa suurennuslasin kuvaa joka avaa uuden ikkunan nimeltä "View/edit script".
[*] Liitä se teksti jonka kopioit muistioon, tähän ikkunaan.
[*] Klikkaa Done.
[*] Nyt klikkaa vihreää valoa aloittaaksesi skriptin.
[*] Klikkaa "Yes" kun tulee kaksi varoitusboksia.

Avenger tekee automaattisesti seuraavat:

Käynnistää koneesi. (Tapauksissa joissa skripti sisältää "Drivers to Unload" -komennon, Avenger käynnistää koneesi kaksi kertaa.)

Käynnistyksen yhteydessä, se lyhyesti avaa mustan komentoikkunan työpöydällesi, tämä on normaalia.

Käynnistyksen jälkeen, se luo lokitiedoston jonka pitäisi aueta Avengerin tekojen tuloksena. Tämän lokin tiedostopolku on C:\avenger.txt

Avenger on myös tehnyt varmuuskopion kaikista tiedostoista jne.. jotka pyysit sen poistaa, ja on pakannut ja siirtänyt ne zip filuihin polussa C:\avenger\backup.zip.

5. Kopioi ja liitä kaikki sisältö tiedostosta avenger.txt vastaukseesi tuoreen HJT lokin mukana.

Log in or Sign up

ongelmia; windows firewall ym. HJT

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

Share This Page

Log in or Sign up

ongelmia; windows firewall ym. HJT

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

kara Member

-kemisti- Active member

Share This Page

Useful Searches