Kuten otsikossa lukee, explorer välillä pommittaa ruutua ties minkälaisilla pop-upeilla, myös IE:n aloitussivun on korvannut jokin kummallinen sivu, joka kauppaa virustorjuntaroskaa. Samaten alakulmassa vilkkuu kaksikin kuvaketta, joista molemmat sanovat, että koneessa on viruksia. Niin varmasti on. Tässä tämä HJT-logi: Logfile of HijackThis v1.99.1 Scan saved at 16:12:11, on 26.6.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Java\jre1.5.0\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE D:\Program Files\F-Secure\Common\FSM32.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\program files\powerstrip\pstrip.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe D:\Program Files\Abyss Web Server\abyssws.exe D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe D:\Program Files\Abyss Web Server\abyssws.exe D:\Program Files\No-IP\DUC20.exe D:\Program Files\Apache Group\Apache\Apache.exe d:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE D:\Program Files\Apache Group\Apache\Apache.exe d:\Program Files\ewido anti-malware\ewidoctrl.exe d:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe d:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe d:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE D:\PROGRA~1\OULUNP~1\BAANAC~1\app\pppoeservice.exe C:\WINDOWS\system32\wdfmgr.exe d:\Program Files\F-Secure\Common\FSMA32.EXE d:\Program Files\F-Secure\Common\FSMB32.EXE d:\Program Files\F-Secure\Common\FCH32.EXE d:\Program Files\F-Secure\Common\FAMEH32.EXE C:\Program Files\iPod\bin\iPodService.exe d:\Program Files\F-Secure\Common\FNRB32.EXE d:\Program Files\F-Secure\Common\FIH32.EXE d:\Program Files\F-Secure\Anti-Virus\fsav32.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\taskmgr.exe d:\Program Files\F-Secure\Anti-Virus\fssm32.exe C:\WINDOWS\system32\drwtsn32.exe C:\WINDOWS\system32\drwtsn32.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\dcomcfg.exe C:\WINDOWS\system32\atmclk.exe D:\Program Files\mIRC\mirc.exe D:\Program Files\sysreset\mirc.exe C:\Program Files\Windows Media Player\wmplayer.exe D:\Program Files\Mozilla Firefox\firefox.exe C:\hjt\HijackThis_v1.99.1.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [F-Secure Manager] "d:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [a-squared] "D:\Program Files\a-squared Anti-Malware\a2guard.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [AbyssWebServer] D:\Program Files\Abyss Web Server\abyssws.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe O4 - Startup: No-IP DUC.lnk = D:\Program Files\No-IP\DUC20.exe O8 - Extra context menu item: Download All with WinGet - res://D:\Program Files\WinGet\WinIE.dll/301 O8 - Extra context menu item: Download with WinGet - res://D:\Program Files\WinGet\WinIE.dll/300 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151257357171 O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B85504CD-E3D7-43DE-AA94-291647AC489D}: NameServer = 212.50.131.153 213.139.190.3 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll O20 - Winlogon Notify: winbjv32 - C:\WINDOWS\SYSTEM32\winbjv32.dll O23 - Service: Apache - Unknown owner - D:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - d:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\Program Files\F-Secure\Common\FSAA.EXE O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\OULUNP~1\BAANAC~1\app\pppoeservice.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
Lataa SmitfraudFix © S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip Pura sisältö (kansio nimeltä SmitfraudFix) työpöydällesi: Avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd Valitse optio #1 - Search kirjoittamalla 1 ja painamalla "Enter"; tekstitiedosto avautuu, joka listaa tarttuneet tiedostot (jos olemassa). Postita tämän tekstitiedoston sisältö viestiketjuusi.
Selvä, tässä tämä: SmitFraudFix v2.65 Scan done at 23:11:53,96, ma 26.06.2006 Run from C:\Documents and Settings\Omistaja\Ty”p”yt„\SmitfraudFix OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\atmclk.exe FOUND ! C:\WINDOWS\system32\dcomcfg.exe FOUND ! C:\WINDOWS\system32\hp???.tmp FOUND ! C:\WINDOWS\system32\hp????.tmp FOUND ! C:\WINDOWS\system32\hvcycg.dll FOUND ! C:\WINDOWS\system32\ld????.tmp FOUND ! C:\WINDOWS\system32\ot.ico FOUND ! C:\WINDOWS\system32\regperf.exe FOUND ! C:\WINDOWS\system32\simpole.tlb FOUND ! C:\WINDOWS\system32\stdole3.tlb FOUND ! C:\WINDOWS\system32\1024\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Omistaja\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Omistaja\Suosikit C:\DOCUME~1\Omistaja\Suosikit\Antivirus Test Online.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="Nykyinen kotisivu" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals" [HKEY_CLASSES_ROOT\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32] @="C:\WINDOWS\system32\hvcycg.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32] @="C:\WINDOWS\system32\hvcycg.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End
Avaa HijackThis, paina do a system scan only ja merkkaa nämä: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O20 - Winlogon Notify: winbjv32 - C:\WINDOWS\SYSTEM32\winbjv32.dll Sulje kaikki muut avoimet ikkunat ja paina fix cheked. Käynnistä tietokoneesi vikasietotilaan näpyttämällä F8:a käynnistyksen yhteydessä. Skannaa ensiksi ewidolla full system scan vikasietotilassa ja tallenna siitä raportti avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd Valitse optio #2 - Clean kirjoittamalla 2 ja painamalla "Enter" poistaaksesi tarttuneet tiedostot. Sinulta kysytään: "Registry cleaning - Do you want to clean the registry ?"; vastaa "Yes" kirjoittamalla Y ja paina "Enter" poistaaksesi työpöydän taustakuvan ja puhdistaaksesi tarttuneet rekisteriavaimet. Työkalu tarkistaa jos wininet.dll on tarttunut. Sinua saatetaan pyytää korvaamaan tarttunut .dll (jos löytyy); vastaa "Yes" kirjoittamalla Y ja painamalla "Enter". Työkalun saattaa tarvita käynnistää kone uudelleen; jos ei tee niin, käynnistä normaaliin Windowsiin. Tekstitiedosto ilmestyy, puhdistusprosessin jäljiltä; kopioi & liitä tämän raportin tulokset vastaukseesi. Raportti löytyy paikalliselta levyltäsi, useimmiten C:\rapport.txt. Lähetä myös uusi HijackThis loki sekä Ewidon raportti.
Noin, nuo ohjeet tehty ja tässä logit: SmitFraudFix v2.65 Scan done at 2:44:49,68, ke 28.06.2006 Run from C:\Documents and Settings\Omistaja\Ty”p”yt„\SmitfraudFix OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals" [HKEY_CLASSES_ROOT\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32] @="C:\WINDOWS\system32\hvcycg.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32] @="C:\WINDOWS\system32\hvcycg.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\hvcycg.dll -> Missing File »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\dcomcfg.exe Deleted C:\WINDOWS\system32\hp???.tmp Deleted C:\WINDOWS\system32\ld????.tmp Deleted C:\WINDOWS\system32\ot.ico Deleted C:\WINDOWS\system32\regperf.exe Deleted C:\WINDOWS\system32\simpole.tlb Deleted C:\WINDOWS\system32\stdole3.tlb Deleted C:\DOCUME~1\Omistaja\Suosikit\Antivirus Test Online.url Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Logfile of HijackThis v1.99.1 Scan saved at 2:49:48, on 28.6.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE D:\Program Files\F-Secure\Common\FSM32.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\program files\powerstrip\pstrip.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe D:\Program Files\a-squared Anti-Malware\a2guard.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe D:\Program Files\Abyss Web Server\abyssws.exe D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe D:\Program Files\No-IP\DUC20.exe D:\Program Files\Abyss Web Server\abyssws.exe D:\Program Files\Apache Group\Apache\Apache.exe d:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE D:\Program Files\Apache Group\Apache\Apache.exe d:\Program Files\ewido anti-malware\ewidoctrl.exe d:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe d:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe d:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE d:\Program Files\F-Secure\Anti-Virus\fssm32.exe D:\PROGRA~1\OULUNP~1\BAANAC~1\app\pppoeservice.exe C:\WINDOWS\system32\wdfmgr.exe d:\Program Files\F-Secure\Common\FSMA32.EXE d:\Program Files\F-Secure\Common\FSMB32.EXE d:\Program Files\F-Secure\Common\FCH32.EXE d:\Program Files\F-Secure\Common\FAMEH32.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wbem\wmiprvse.exe d:\Program Files\F-Secure\Common\FNRB32.EXE d:\Program Files\F-Secure\Common\FIH32.EXE d:\Program Files\F-Secure\Anti-Virus\fsav32.exe C:\WINDOWS\System32\alg.exe D:\Program Files\mIRC\mirc.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\hjt\HijackThis_v1.99.1.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [F-Secure Manager] "d:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [a-squared] "D:\Program Files\a-squared Anti-Malware\a2guard.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [AbyssWebServer] D:\Program Files\Abyss Web Server\abyssws.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe O4 - Startup: No-IP DUC.lnk = D:\Program Files\No-IP\DUC20.exe O8 - Extra context menu item: Download All with WinGet - res://D:\Program Files\WinGet\WinIE.dll/301 O8 - Extra context menu item: Download with WinGet - res://D:\Program Files\WinGet\WinIE.dll/300 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151257357171 O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B85504CD-E3D7-43DE-AA94-291647AC489D}: NameServer = 212.50.131.153 213.139.190.3 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll O23 - Service: Apache - Unknown owner - D:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - d:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\Program Files\F-Secure\Common\FSAA.EXE O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\OULUNP~1\BAANAC~1\app\pppoeservice.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 2:43:26, 28.6.2006 + Report-Checksum: 4AC277FB + Scan result: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup [1584] C:\WINDOWS\system32\hvcycg.dll -> Not-A-Virus.Hoax.Win32.Renos.dt : Cleaned with backup :mozilla.38:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup :mozilla.42:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup :mozilla.50:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup :mozilla.51:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.52:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.53:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.54:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup :mozilla.55:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup :mozilla.56:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup :mozilla.57:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup :mozilla.58:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup :mozilla.59:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup :mozilla.103:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.104:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.105:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup :mozilla.108:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup :mozilla.109:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup :mozilla.133:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup :mozilla.134:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup :mozilla.135:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup :mozilla.136:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup :mozilla.137:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup :mozilla.143:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.144:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.146:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup :mozilla.151:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup :mozilla.153:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup :mozilla.160:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup :mozilla.165:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup :mozilla.166:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup :mozilla.185:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup :mozilla.186:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup :mozilla.194:C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\mbhivlj2.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup C:\Documents and Settings\Omistaja\Local Settings\Temp\win33.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup C:\Documents and Settings\Omistaja\Local Settings\Temp\win65.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned with backup C:\WINDOWS\system32\hvcycg.dll -> Not-A-Virus.Hoax.Win32.Renos.dt : Cleaned with backup ::Report End Puhdasta? No, ainakin osittain on, kun ei enää pop-upit hypi, joskin tuossa Trojan.small-viruksessa ilmeisesti tuntuu olevan sellainen homma, että se palaa mielellään takaisin ewidolla poistamisen jälkeen. Ja sellainen kysymys, että onko mitään syytä ewidolla tehdä noita backuppeja vai kannattaako vain siitä laatikosta poistaa ruksi ja heittää kaikki menemään ilman backuppeja?
Tehdäänpäs yksi juttu vielä kun en ole varma että poistuiko toi yksi troijalainen Lataa Killbox Option^Explicitiltä. http://www.downloads.subratam.org/KillBox.zip Huomaa: Jos sinulla on jo Killbox, tämä on uusi versio joka sinun tulee asentaa. Poista aikaisempi. Tallenna työpöydällesi. Tupla-klikkaa Killbox.exe ajaaksesi ohjelman. Valitse: Delete on Reboot sitten klikkaa All Files valintaa. Kopioi ja liitä alapuolella oleva tiedostopolkut leikepöydälle mustaamalla KAIKKI ne ja painamalla CTRL + C (tai, mustaamisen jälkeen, oikea klikki hiirellä ja valitse kopioi): C:\WINDOWS\SYSTEM32\winbjv32.dll Palaa Killboxiin, mene File valikkoon, ja valitse Paste from Clipboard. Klikkaa puna-valkoista Delete File valintaa. Klikkaa Yes "Delete on Reboot" pyyntöön. Klikkaa OK mihin vain PendingFileRenameOperations pyyntöön (ja anna minun tietää jos jokin tälläinen tulee). Käynnistä koneesi itse jos se ei sitä automaattisesti tee. Lähetä tämän jälkeen uusi HijackThis loki. Kyllä mielestäni Ewidolla kannattaa ottaa backupit sillä välillä Ewidollakin tulee ns. false positiveja eli vääriä hälytyksiä.
Selvä, nuo edellämainitut asiat tehty ja se tosiaan heitti tuon yhden PengingFileRenameOperations-viestinkin ja sitten käynnistin manuaalisesti koneen uudestaan. Ja tässäpä vielä tämä HJT-logi: Logfile of HijackThis v1.99.1 Scan saved at 17:05:06, on 28.6.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\Apache Group\Apache\Apache.exe d:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE d:\Program Files\ewido anti-malware\ewidoctrl.exe d:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe D:\Program Files\Apache Group\Apache\Apache.exe d:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE d:\Program Files\F-Secure\Anti-Virus\fssm32.exe D:\PROGRA~1\OULUNP~1\BAANAC~1\app\pppoeservice.exe d:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe C:\WINDOWS\system32\wdfmgr.exe d:\Program Files\F-Secure\Common\FSMA32.EXE d:\Program Files\F-Secure\Common\FSMB32.EXE d:\Program Files\F-Secure\Common\FCH32.EXE d:\Program Files\F-Secure\Common\FAMEH32.EXE d:\Program Files\F-Secure\Common\FNRB32.EXE d:\Program Files\F-Secure\Common\FIH32.EXE d:\Program Files\F-Secure\Anti-Virus\fsav32.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE D:\Program Files\F-Secure\Common\FSM32.EXE D:\Program Files\DAEMON Tools\daemon.exe D:\program files\powerstrip\pstrip.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe D:\Program Files\a-squared Anti-Malware\a2guard.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe D:\Program Files\Abyss Web Server\abyssws.exe D:\Program Files\Abyss Web Server\abyssws.exe D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe D:\Program Files\No-IP\DUC20.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe D:\Program Files\mIRC\mirc.exe C:\hjt\HijackThis_v1.99.1.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [F-Secure Manager] "d:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [a-squared] "D:\Program Files\a-squared Anti-Malware\a2guard.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [AbyssWebServer] D:\Program Files\Abyss Web Server\abyssws.exe O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe O4 - Startup: No-IP DUC.lnk = D:\Program Files\No-IP\DUC20.exe O8 - Extra context menu item: Download All with WinGet - res://D:\Program Files\WinGet\WinIE.dll/301 O8 - Extra context menu item: Download with WinGet - res://D:\Program Files\WinGet\WinIE.dll/300 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151257357171 O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B85504CD-E3D7-43DE-AA94-291647AC489D}: NameServer = 212.50.131.153 213.139.190.3 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll O23 - Service: Apache - Unknown owner - D:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - d:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\Program Files\F-Secure\Common\FSAA.EXE O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\OULUNP~1\BAANAC~1\app\pppoeservice.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
