
problems; windows firewall etc. HJT

Discussion in 'Viruses and malware' started by kara, May 16, 2006.

  1. kara

    kara Member

    Joined:
    May 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    11
    Ok, done. The O1 lines come back even though I remove them with HJT; CWShredder repeatedly finds the aforementioned CWS.Bootconf (variant 2) and CWS.Svchost32 (variant 7) nasties.
    Attached are the Avenger and HJT logs:

    AVENGER:
    ***************************
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\muwpekxk

    *******************

    Script file located at: \??\C:\pbcvhinj.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\Program Files\Common Files\System\winrnt.exe deleted successfully.
    File C:\WINDOWS\System32\winrnt.exe deleted successfully.


    File C:\WINDOWS\System32\brmfrsmq.exe not found!
    Deletion of file C:\WINDOWS\System32\brmfrsmq.exe failed!

    Could not process line:
    C:\WINDOWS\System32\brmfrsmq.exe
    Status: 0xc0000034



    File C:\WINDOWS\System32\winmuse.exe not found!
    Deletion of file C:\WINDOWS\System32\winmuse.exe failed!

    Could not process line:
    C:\WINDOWS\System32\winmuse.exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.

    **************************************
    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:36:32, on 20.5.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    C:\Norman\NVC\BIN\ZANDA.EXE
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\ATI-CPanel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Karri\Työpöytä\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://elisa.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 69.61.45.227 search.msn.com beta.search.msn.es uk.search.yahoo.com www.google.pl www.google.com.br google.sk google.co.je
    O1 - Hosts: 69.61.45.227 google.pl www.google.co.nz www.google.se google.com.co google.it google.ie google.no
    O1 - Hosts: 69.61.45.227 www.google.ie google.es google.td www.google.com.do mx.search.yahoo.com google.com.pe google.com.uy
    O1 - Hosts: 69.61.45.227 www.google.ro search.msn.se www.google.com.ly beta.search.msn.com.sg google.cd www.google.gg google.mn
    O1 - Hosts: 69.61.45.227 google.mu beta.search.msn.co.za google.com.ni www.google.co.th google.co.nz www.google.com.nf www.google.com.ua
    O1 - Hosts: 69.61.45.227 www.google.kz www.google.ch google.lv google.gl www.google.es www.google.com.sv search.msn.ch
    O1 - Hosts: 69.61.45.227 search.msn.de google.co.ls google.com.au google.de google.com.sv www.google.dj www.google.no
    O1 - Hosts: 69.61.45.227 www.google.co.uk google.com.ar www.google.co.cr google.nl www.google.de google.com.nf www.google.td
    O1 - Hosts: 69.61.45.227 google.com.ly google.uz google.az google.com.br www.google.li www.google.co.kr google.ru
    O1 - Hosts: 69.61.45.227 google.co.th www.google.com.cu www.google.ci toolbar.search.msn.com www.google.com.py google.com.gt www.google.com.ni
    O1 - Hosts: 69.61.45.227 au.search.yahoo.com beta.search.ninemsn.com.au de.search.yahoo.com google.com.sa www.google.off.ai www.google.sh www.google.cg
    O1 - Hosts: 69.61.45.227 www.google.com.ag www.google.am beta.search.msn.it www.google.uz google.off.ai google.pn google.fr
    O1 - Hosts: 69.61.45.227 www.google.co.ug google.se www.google.ca it.search.yahoo.com www.google.co.jp google.tt www.google.dk
    O1 - Hosts: 69.61.45.227 google.com google.com.np www.google.at google.rw google.com.pr google.cl google.com.fj
    O1 - Hosts: 69.61.45.227 google.ci google.com.gr www.google.tt google.com.pk www.google.as www.google.co.je ct.search.yahoo.com
    O1 - Hosts: 69.61.45.227 beta.search.msn.at google.am search.ninemsn.com.au google.com.ph www.google.fr google.hn google.co.uk
    O1 - Hosts: 69.61.45.227 search.msn.fi www.google.az www.google.com.pr google.com.vc www.google.sk www.google.com.gt www.google.com.np
    O1 - Hosts: 69.61.45.227 search.msn.at google.dk google.bi www.google.co.il google.be www.google.hn www.google.co.ls
    O1 - Hosts: 69.61.45.227 google.pt beta.search.msn.co.in www.google.com google.ch www.google.com.tw google.co.ve www.google.com.pe
    O1 - Hosts: 69.61.45.227 google.com.vn google.ms google.com.tw www.google.cl beta.search.sympatico.msn.ca search.msn.be www.google.com.sa
    O1 - Hosts: 69.61.45.227 www.google.vg search.msn.dk google.co.jp www.google.nl google.li br.search.yahoo.com www.google.rw
    O1 - Hosts: 69.61.45.227 cf.search.yahoo.com google.ro www.google.mw beta.search.xtramsn.co.nz google.com.na google.tm search.msn.com.sg
    O1 - Hosts: 69.61.45.227 beta.search.msn.no google.as search.msn.it www.google.co.ve espanol.search.yahoo.com search.msn.no google.co.il
    O1 - Hosts: 69.61.45.227 google.com.do beta.search.msn.co.uk www.google.co.in www.google.tm google.co.kr uk.search.msn.com beta.search.msn.com
    O1 - Hosts: 69.61.45.227 beta.search.msn.nl google.co.in beta.search.msn.dk www.google.com.mx www.google.lv beta.search.msn.be www.google.com.vc
    O1 - Hosts: 69.61.45.227 www.google.com.co www.google.com.sg www.google.be search.msn.nl www.google.com.pk www.google.com.ar www.google.com.gi
    O1 - Hosts: 69.61.45.227 google.gg google.com.ec www.google.com.ec google.com.pa google.sh www.google.mu www.google.pt
    O1 - Hosts: 69.61.45.227 google.lu www.google.ae search.msn.es google.mw google.sm beta.search.msn.se www.google.it
    O1 - Hosts: 69.61.45.227 google.vg www.google.pn google.com.ag www.google.ms google.at google.com.tr www.google.gm
    O1 - Hosts: 69.61.45.227 ar.search.yahoo.com google.com.my www.google.com.au google.fi www.google.co.hu search.msn.fr google.gm
    O1 - Hosts: 69.61.45.227 google.co.hu www.google.lu beta.search.msn.ch www.google.mn beta.search.msn.fi www.google.com.vn www.google.com.na
    O1 - Hosts: 69.61.45.227 google.com.mt www.google.com.gr google.co.ug www.google.com.my www.google.gl google.ca www.google.sm
    O1 - Hosts: 69.61.45.227 google.com.gi google.ae www.google.com.tr google.com.hk search.sympatico.msn.ca search.xtramsn.co.nz google.dj
    O1 - Hosts: 69.61.45.227 www.google.lt google.cg www.google.bi google.com.cu www.google.com.ph www.google.com.hk google.kz
    O1 - Hosts: 69.61.45.227 google.com.ua search.msn.co.uk www.google.com.fj www.google.com.mt www.google.co.ke www.google.fm www.google.com.pa
    O1 - Hosts: 69.61.45.227 google.com.sg fr.search.yahoo.com search.yahoo.com www.google.cd search.msn.co.za www.google.ru ca.search.yahoo.com
    O1 - Hosts: 69.61.45.227 www.google.fi beta.search.msn.de google.com.mx beta.search.msn.fr google.fm google.co.ke google.com.py
    O1 - Hosts: 69.61.45.227 google.co.cr search.msn.co.in google.lt www.google.com.uy auto.search.msn.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Palvelut - {55520F0D-7DDC-4614-BF11-E635E5DF7203} - http://service.kolumbus.fi/ (file missing) (HKCU)
    O9 - Extra button: Tuki - {67E28115-4248-4F22-A1D3-A5D35EA1F924} - http://tuki.elisa.net/ (file missing) (HKCU)
    O9 - Extra button: SMS-viesti - {CC6266B1-45EB-4813-8AB7-99CA3ED395E3} - http://sms.kolumbus.fi/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147795263703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147795247984
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://wupd.fotokioski.net/download/XUpload.ocx
    O21 - SSODL: Muumit4 - {B6CF7B11-617E-151C-7CF3-FFE5E678D6FB} - C:\Program Files\Norsk Strek AS\Muumit4\dress8.dll
    O21 - SSODL: ewidosecuritysuite - {FFDAFC46-4058-DB0E-7576-A470BB733BED} - C:\Program Files\ewido\security suite\german.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\ZANDA.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
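The O1 block in the log above is a hosts-file hijack: one public address, 69.61.45.227, fronts hundreds of Google, MSN and Yahoo search hostnames. The script below is an added example, not part of this thread and not HijackThis code; it reads HJT-format "O1 - Hosts:" lines, groups the hostnames by target IP and gives each group a verdict, separating the loopback and private-address entries that ad-blocking hosts files legitimately contain from public addresses that capture search engines. The sample input is constructed from the first two O1 lines of the log plus made-up benign lines; the `.example.test` names are placeholders.

```python
"""Triage HijackThis "O1 - Hosts:" lines for search-engine redirection.

Added example; not part of the forum thread and not HijackThis code.
An O1 line reads 'O1 - Hosts: <ip> <host> <host> ...'. The hostnames are
grouped by target IP and each group gets a verdict: public addresses that
front search-engine names are the hijack pattern seen in the thread.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<hosts>.+)$")

# Labels identifying the search engines the thread's hijack targeted
# (google.*, search.msn.*, *.search.yahoo.com, ninemsn, xtramsn, sympatico).
SEARCH_LABELS = {"google", "msn", "yahoo", "ninemsn", "xtramsn", "sympatico"}


def is_search_host(host: str) -> bool:
    return any(label in SEARCH_LABELS for label in host.lower().split("."))


def parse_o1_lines(log_text: str) -> dict[str, list[str]]:
    """Map each target IP to every hostname the O1 lines point at it."""
    targets: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:  # non-O1 lines (O2, O4, ...) are ignored
            targets[m.group("ip")].extend(m.group("hosts").split())
    return dict(targets)


def triage_hosts_hijack(log_text: str) -> list[dict]:
    """One finding per target IP, with a verdict a responder can act on."""
    findings = []
    for ip, hosts in parse_o1_lines(log_text).items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"ip": ip, "verdict": "malformed",
                             "hosts": len(hosts), "search_hosts": 0})
            continue
        search_hosts = [h for h in hosts if is_search_host(h)]
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            # 127.0.0.1 / 0.0.0.0 / LAN targets: the ad-block or intranet pattern
            verdict = "local-or-private"
        elif search_hosts:
            verdict = "search-redirect"   # public IP capturing search engines
        else:
            verdict = "review"            # public IP, non-search names
        findings.append({"ip": ip, "verdict": verdict,
                         "hosts": len(hosts), "search_hosts": len(search_hosts)})
    return findings


# Constructed excerpt: the first two O1 lines from the thread's log plus
# made-up benign lines (placeholder .example.test names) for comparison.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 69.61.45.227 search.msn.com beta.search.msn.es uk.search.yahoo.com www.google.pl www.google.com.br google.sk google.co.je
O1 - Hosts: 69.61.45.227 google.pl www.google.co.nz www.google.se google.com.co google.it google.ie google.no
O1 - Hosts: 127.0.0.1 ads.example.test
O1 - Hosts: 10.0.0.5 intranet.example.test
O4 - HKLM\\..\\Run: [ExampleApp] C:\\example\\app.exe
"""

if __name__ == "__main__":
    for f in triage_hosts_hijack(SAMPLE_HJT_LOG):
        print(f"{f['ip']:>15}  {f['verdict']:<17} "
              f"{f['search_hosts']}/{f['hosts']} search hosts")
```

Running it against the constructed sample reports 69.61.45.227 as a search-redirect covering 14 of 14 hostnames, while the loopback and RFC 1918 entries are left alone. Removing the lines in HJT only edits the hosts file; as the thread goes on to show, the component that rewrites it has to be found as well.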


     
  2. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    According to the log, those CWS variants aren't there, though.

    Something hidden in there is bringing them back. Now we just figure out what.

    Create a new folder on the C:\ drive and name it blacklight

    Next,

    Download F-Secure BlackLight from http://www.f-secure.com/blacklight/try.shtml to your desktop and move blbeta.exe into your new folder.
    Close BlackLight if it is open. Click Start -> Run and type in: cmd

    Press Enter. When the command prompt opens, type in: c:\blacklight\blbeta.exe /expert (Note that there is one space before the c:\blacklight\blbeta.exe part and also after blbeta.exe, before the /expert switch)

    If that doesn't work, go to Start -> Programs -> Accessories -> Command Prompt and do the same there.

    BlackLight should now open in Expert mode. Run the scan. You will see a list of the files found. A file fsbl.xxxxxxx.log (xxxxxxx is numbers) will also appear on your desktop.

    Copy and paste this log into your next reply.

    EDIT: And check this -> C:\WINDOWS\System32\idbg32.exe
    here -> http://virusscan.jotti.org
     
    Last edited: May 20, 2006
  3. kara

    kara Member

    Joined:
    May 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    11
    Ok, done.

    BlackLight didn't find anything; log attached.

    Likewise, idbg32.exe is clean according to jotti.org.

    ******************************
    05/20/06 13:12:59 [Info]: BlackLight Engine 1.0.36 initialized
    05/20/06 13:12:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    05/20/06 13:12:59 [Note]: 7019 4
    05/20/06 13:12:59 [Note]: 7005 0
    05/20/06 13:13:16 [Note]: 7006 0
    05/20/06 13:13:16 [Note]: 7022 0
    05/20/06 13:13:16 [Note]: 7011 1820
    05/20/06 13:13:16 [Note]: 7026 0
    05/20/06 13:13:16 [Note]: 7026 0
    05/20/06 13:13:16 [Note]: FSRAW library version 1.7.1015
    05/20/06 13:36:16 [Note]: 7007 0
    **************************************
     
  4. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
  5. kara

    kara Member

    Joined:
    May 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    11

    Here we go again. Rootkit log attached.
    idbg32.exe was clean according to VirusTotal too.


    RootkitRevealer:
    *******************************
    HKLM\S-1-5-21-3209661291-2546901333-765719832-1005\RemoteAccess\InternetProfile 2.3.2004 23:35 5 bytes Data mismatch between Windows API and raw hive data.
    HKLM\\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678 2.5.1697 1:03 4 bytes Hidden from Windows API.
    SOFTWARE 1.1.1601 3:00 0 bytes Error dumping hive: Internal error.
    C:\Documents and Settings\Karri\Cookies\karri@microsoft[1].txt 19.5.2006 17:23 347 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Karri\Cookies\karri@microsoft[2].txt 20.5.2006 14:05 347 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Cookies\karri@www.sysinternals[1].txt 20.5.2006 14:01 103 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\1_star_rating[1].gif 20.5.2006 14:02 1.45 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\4_star_rating[1].gif 20.5.2006 14:04 1.58 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\broker[1].js 19.5.2006 16:11 42.88 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\CAU30167.htm 20.5.2006 14:05 35.03 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\closed_topic_icon[1].gif 20.5.2006 14:02 280 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\hot_topic_no_new_posts_icon[1].gif 20.5.2006 14:01 190 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\listener[1].aspx 19.5.2006 17:23 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\listener[1].htm 20.5.2006 14:05 0 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\ms_masthead_ltr[2].htm 20.5.2006 14:05 181 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-events-7142[1].js 20.5.2006 14:07 43.64 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-simplePopover-26705[1].js 20.5.2006 14:07 22.69 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-staticPopover-29432[1].js 20.5.2006 14:07 20.22 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\n2CoreLibs-utilities-737[1].js 20.5.2006 14:07 41.88 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\post_reply[1].gif 20.5.2006 14:02 785 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\quote_icon[1].gif 20.5.2006 14:02 1.06 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\rdttdl15or[1].png 20.5.2006 14:03 4.99 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\right_arrow[1].gif 20.5.2006 14:01 163 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\search[1].gif 20.5.2006 14:01 408 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\subject_folder[1].gif 20.5.2006 14:02 336 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\tabs-line[1].gif 20.5.2006 14:07 61 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\2006-05-18_140819_2001stargate[1].jpg 20.5.2006 14:04 11.20 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\broker[1].js 20.5.2006 14:05 42.88 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\default_javascript[1].js 20.5.2006 14:01 990 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\help_icon[1].gif 20.5.2006 14:01 394 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\mask[1].jpg 20.5.2006 14:03 1.85 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\moved_icon[1].gif 20.5.2006 14:01 207 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\n2CoreLibs-n2v1-57804[1].css 20.5.2006 14:07 6.34 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\open_folder_icon[1].gif 20.5.2006 14:01 165 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\pinned_topic_icon[1].gif 20.5.2006 14:01 235 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\pl[1].htm 20.5.2006 13:46 28 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\priority_post_icon[1].gif 20.5.2006 14:02 253 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\profile_icon[1].gif 20.5.2006 14:02 636 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\RootkitRevealer[1].htm 20.5.2006 14:04 28.67 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\876XEJ2H\search_sm[1].gif 20.5.2006 14:02 506 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\0000053432_000000000000000289007[1].htm 20.5.2006 14:05 181 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\3_star_rating[1].gif 20.5.2006 14:02 1.54 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\header[1].gif 20.5.2006 14:02 9.59 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\hot_topic_new_posts_icon[1].gif 20.5.2006 14:02 148 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\members_list[1].gif 20.5.2006 14:01 483 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\no_new_posts_icon[1].gif 20.5.2006 14:01 142 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\pl[4].htm 20.5.2006 14:05 28 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\print_version[1].gif 20.5.2006 14:02 1.00 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\priority_post_locked_icon[1].gif 20.5.2006 14:01 289 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\register_icon[1].gif 20.5.2006 14:01 404 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\smiley36[1].gif 20.5.2006 14:03 486 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\BJMK6XEC\table_bg_image[1].gif 20.5.2006 14:02 227 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\2006-02-09_181557_Gears64[1].png 20.5.2006 14:02 9.11 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\2006-04-14_104013_avatar[1].jpg 20.5.2006 14:03 1.37 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\2_star_rating[1].gif 20.5.2006 14:02 1.50 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\5point0[1].gif 20.5.2006 14:05 484 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\active_topics[1].gif 20.5.2006 14:01 617 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\arrow_px_up[1].gif 20.5.2006 14:05 53 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\css[1].css 20.5.2006 14:05 2.59 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\default_style[1].css 20.5.2006 14:01 5.86 KB Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\header-background[1].gif 20.5.2006 14:02 511 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\home_icon[1].gif 20.5.2006 14:02 612 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\login_icon[1].gif 20.5.2006 14:01 484 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\new_post[1].gif 20.5.2006 14:01 775 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\new_posts_icon[1].gif 20.5.2006 14:02 150 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\pages_icon[1].gif 20.5.2006 14:01 131 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\pl[1].htm 20.5.2006 13:46 28 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\pl[2].htm 20.5.2006 14:04 28 bytes Hidden from Windows API.
    C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\KDIRCT6B\RootkitRevealer[1].htm 20.5.2006 13:46 28.67 KB Visible in Windows API, but not in MFT or directory index.
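Most of the RootkitRevealer output above is noise: cookies and Temporary Internet Files that changed while the scan was running show up as "Visible in directory index, but not Windows API or MFT" and similar transient mismatches. The entries that deserve attention are the registry ones, in particular the key under HKLM whose name is a very long run of digits and is "Hidden from Windows API" (the Windows API cannot read key names longer than 255 characters, a known hiding trick). The script below is an added example, not part of the thread and not Sysinternals code; it parses lines in the format shown and sorts them into buckets. The sample log is constructed from a few lines modelled on the one above, with a placeholder file name for the non-cache case.

```python
"""Bucket RootkitRevealer discrepancy lines by what they most likely mean.

Added example; not part of the forum thread and not Sysinternals code.
Each line is '<path> <d.m.yyyy> <h:mm> <size> <discrepancy text>'. The
path may contain spaces, so it is matched non-greedily up to the date.
"""
from __future__ import annotations

import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}\.\d{1,2}\.\d{4}) (?P<time>\d{1,2}:\d{2}) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<discrepancy>.+)$"
)
MAX_KEY_NAME = 255  # documented registry key-name limit
REGISTRY_ROOTS = ("HKLM", "HKCU", "HKU", "HKCR", "SOFTWARE", "SYSTEM")
CACHE_MARKERS = ("\\Temporary Internet Files\\", "\\Cookies\\")


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> str:
    path, desc = entry["path"], entry["discrepancy"]
    if desc.startswith("Error dumping hive"):
        return "hive-error"           # tool could not read the hive; rerun
    if path.upper().startswith(REGISTRY_ROOTS):
        if desc.startswith("Hidden from Windows API"):
            return "suspect-hidden-key"
        return "review-registry"      # data mismatch etc.
    if any(marker.lower() in path.lower() for marker in CACHE_MARKERS):
        return "cache-churn"          # browser wrote files during the scan
    if desc.startswith("Hidden from Windows API"):
        return "suspect-hidden-file"
    return "review"


def long_key_name(entry: dict) -> bool:
    """True when the last key-name component exceeds the API limit."""
    return len(entry["path"].split("\\")[-1]) > MAX_KEY_NAME


def triage_rootkitrevealer(log_text: str) -> list[dict]:
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry["bucket"] = classify(entry)
        entry["long_name"] = long_key_name(entry) if entry["bucket"] == "suspect-hidden-key" else False
        results.append(entry)
    return results


def summarize(log_text: str) -> dict[str, int]:
    return dict(Counter(e["bucket"] for e in triage_rootkitrevealer(log_text)))


# Constructed sample modelled on the thread's log. The 260-digit key name
# mimics the hidden HKLM key; example_hidden.sys is a placeholder name.
LONG_KEY = "0123456789" * 26
SAMPLE_RKR_LOG = "\n".join([
    r"HKLM\S-1-5-21-3209661291-2546901333-765719832-1005\RemoteAccess\InternetProfile 2.3.2004 23:35 5 bytes Data mismatch between Windows API and raw hive data.",
    "HKLM\\\\" + LONG_KEY + " 2.5.1697 1:03 4 bytes Hidden from Windows API.",
    r"SOFTWARE 1.1.1601 3:00 0 bytes Error dumping hive: Internal error.",
    r"C:\Documents and Settings\Karri\Cookies\karri@www.sysinternals[1].txt 20.5.2006 14:01 103 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\Karri\Local Settings\Temporary Internet Files\Content.IE5\43OLCR2T\broker[1].js 19.5.2006 16:11 42.88 KB Visible in Windows API, but not in MFT or directory index.",
    r"C:\WINDOWS\system32\example_hidden.sys 20.5.2006 14:00 12.00 KB Hidden from Windows API.",
])

if __name__ == "__main__":
    for e in triage_rootkitrevealer(SAMPLE_RKR_LOG):
        flag = " (key name > 255 chars)" if e["long_name"] else ""
        print(f"{e['bucket']:<20} {e['path'][:60]}{flag}")
```

On the thread's own log this leaves two registry entries and one hive error to look at and files the dozens of cache entries as churn, which matches -kemisti-'s decision to clear IE's temporary files before rescanning.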
     
  6. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Let's do this anyway:

    Clear IE's temporary files.

    Copy this -> C:\WINDOWS\System32\idbg32.exe to some other directory. Then rename -> C:\WINDOWS\System32\idbg32.exe to, say, -> C:\WINDOWS\System32\idbg32.txt. Then fix those O1 lines and see whether they go away now.
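The test being set up here is a simple one: neutralise the suspect executable by renaming it, clean the hosts entries, and then see whether they return. The script below is an added example, not from the thread or from any of the tools it uses; it snapshots the (ip, hostname) pairs in a hosts file right after the fix and later reports any pairs that were not in the snapshot. Entries coming back means something still running is rewriting the file. The demo runs on a temporary file with constructed content so it works anywhere; on the XP machine in the thread the real path would be %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Re-check the hosts file for entries that return after a fix.

Added example; not from the forum thread or from HijackThis/CWShredder.
Snapshot the hosts file once the O1 lines are removed, then compare a
later read against the snapshot: anything new is the signal that a
persistence component is still alive.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def read_hosts_entries(path: Path) -> set[tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank lines are ignored."""
    entries: set[tuple[str, str]] = set()
    for raw in path.read_text(encoding="utf-8", errors="replace").splitlines():
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) < 2:
            continue
        ip, hosts = parts[0], parts[1:]
        entries.update((ip, h.lower()) for h in hosts)
    return entries


def returned_entries(baseline: set[tuple[str, str]], path: Path) -> list[tuple[str, str]]:
    """Pairs present now that were absent from the post-fix snapshot."""
    return sorted(read_hosts_entries(path) - baseline)


# Constructed hosts-file content for the demo.
CLEAN_HOSTS = "# constructed clean hosts file\n127.0.0.1 localhost\n"
# Constructed re-infection line modelled on the thread's O1 entries.
REINFECTED_LINE = "69.61.45.227 www.google.com search.msn.com\n"


def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp) / "hosts"
        hosts.write_text(CLEAN_HOSTS, encoding="utf-8")
        baseline = read_hosts_entries(hosts)        # snapshot right after the fix
        # Simulate the persistence component rewriting the file later.
        hosts.write_text(CLEAN_HOSTS + REINFECTED_LINE, encoding="utf-8")
        return returned_entries(baseline, hosts)


if __name__ == "__main__":
    for ip, host in demo():
        print(f"returned: {host} -> {ip}")
```

If the rename really disabled the component, the second read returns nothing; in the thread the lines stayed gone once idbg32.exe had been renamed, which is what pointed the finger at it.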
     
  7. kara

    kara Member

    Joined:
    May 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    11
    Now the O1 lines disappeared and at least didn't come back right away! CWShredder also no longer finds the CWS.Bootconf and CWS.Svchost32 nasties (I tried several times).

    What should be done with that idbg32.exe?
     
  8. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Excellent :)

    Delete both C:\WINDOWS\System32\idbg32.txt and the copied idbg32.exe. If they won't go quietly, I'll advise further.
     
    Last edited: May 20, 2006
  9. kara

    kara Member

    Joined:
    May 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    11
    Ok. Does Windows get by without that file?
    What about e.g. the deleted winrnt.exe?

    I now managed to scan the winrnt.exe from Avenger's backup with VirusTotal; it found:

    STATUS: FINISHED
    Complete scanning result of "winrnt.exe", received in VirusTotal at 05.20.2006, 14:21:38 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.27 05.20.2006 no virus found
    Avast 4.6.695.0 05.19.2006 no virus found
    AVG 386 05.19.2006 no virus found
    BitDefender 7.2 05.20.2006 no virus found
    CAT-QuickHeal 8.00 05.20.2006 no virus found
    ClamAV devel-20060426 05.20.2006 no virus found
    DrWeb 4.33 05.20.2006 Dialer.Telefonica
    eTrust-InoculateIT 23.72.13 05.20.2006 no virus found
    eTrust-Vet 12.4.2219 05.20.2006 no virus found
    Ewido 3.5 05.19.2006 no virus found
    Fortinet 2.77.0.0 05.20.2006 suspicious
    F-Prot 3.16c 05.20.2006 no virus found
    Ikarus 0.2.65.0 05.19.2006 no virus found
    Kaspersky 4.0.2.24 05.20.2006 no virus found
    McAfee 4766 05.19.2006 no virus found
    Microsoft 1.1440 05.20.2006 no virus found
    NOD32v2 1.1549 05.19.2006 probably unknown NewHeur_PE virus
    Norman 5.90.17 05.19.2006 no virus found
    Panda 9.0.0.4 05.20.2006 Suspicious file
    Sophos 4.05.0 05.19.2006 no virus found
    Symantec 8.0 05.20.2006 no virus found
    TheHacker 5.9.8.145 05.19.2006 no virus found
    UNA 1.83 05.18.2006 no virus found
    VBA32 3.11.0 05.20.2006 no virus found


    Aditional Information
    File size: 12621 bytes
    MD5: adb74ad3a2d585d1d919f002704c2749
    SHA1: 25ac233822f2d119ab2fd36066480432b235ed2a


     
  10. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Yes, it does, since I don't have that file at all myself :)
    So with about 99.99% certainty it's the nasty that kept bringing those O1 lines back. Yep, winrnt.exe is a virus. You can delete Avenger's backups if you want.
     
  11. kara

    kara Member

    Joined:
    May 16, 2006
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    11
    Excellent! Thank you very much.

    I got a good education at the same time; from now on I'll be able to wage the malware war myself, at least further than before.

    Thanks and a bow.
     
  12. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Great that it got sorted out :)
     
