Selain kaapattu?? Toimii miten sattuu! Missä vika?

raipe10 · Nov 27, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06:47, on 27.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Elisa\Avustaja\Elisa.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Elisa Avustaja Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Elisa\Avustaja\IEFixItNowPlugin.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Elisa Avustaja] "C:\Program Files\Elisa\Avustaja\Elisa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wuamgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wuamgrd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Palvelut - {0C1DCC66-DA86-4F3E-A4EA-559547E4D5AE} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {1138DAF4-CB7D-4674-8DEE-38951BE16D95} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CB4F5639-3ADE-4BC8-BA1E-40C14877C2DC} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAA4801-B5D7-459D-B8D5-E94AC52C88C2}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{8010B232-89FF-469C-98F9-C11AA3080C0C}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD634D7-73D5-48A3-B81F-9A92D01A6E11}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.163 85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.163 85.255.112.15
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

--
End of file - 11465 bytes

McMcMc · Nov 29, 2007

Mitä tarkoitat kaapatulla? Mitä oireita selaimessa on esimerkisi esiintynyt? Itselläni on selain tuppaa kaatumaan kun laitan jonkin muun sovelluksen esim messengerin päälle. Ja käynistäessäni firefoxin. Näyttö vain herjaa yhteykatkoksesta. Jos ongelma on yhtään samanlainen ehkä joku meitä viisaampi osaisi auttaa meitä aloittelijoita.

sakari67 · Nov 29, 2007

mie joskus tein jottain tyhmiä omia asetuksia joita en muistanut enää.mie tein näintin uuden käyttäjätilin ja sinne vedin miun tärkeät ohjelmat ja kas firefox ja internet.expro. pelas ku unelma.joskus omat viritelmät saa selaimet polvilleen ei aina virukset.(huom.aloittelijan ajatuksia)muuten äsken firefoxin uusin päivitys jäi junnaamaan ja selaimet ei auennut.firefoxin ohje-kohdasta piti käydä määräämässä päivitykset asentumaan (ei siis asentunut automaattisesti vaik olin niin määritellyt ja selaimet ei löytäneet ees google-aloitussivua.) mut tää 10 päivitys nopeuttaa firefoxia! mut kyl firefox on nopee ilman säätöjäki tai siul on liian kiire elämässä ja infarkti uhkaa esim.a-squared jos siinä poistaa tiettyjä löytöjä niin selaimet tökkii mut parin päivän päästä taas pelaa ja voihan palvelutarjoaja tökkii.siks pitäs olla kaks käyttäjätilii niin voit sulkee tiettyjä vikamahdollisuuksia pois.

McMcMc · Dec 1, 2007

Itselläni en usko kyseessä olevan nämä "aloittelijoiden viritelmät" ja koneellani on useita käyttäjätilejä. Sama vika esiintyy niin firefoxissa kuin operassa sekä IE7:ssäkin.

tomato71 · Dec 1, 2007

moi
sun verkko yhteys on kaapattu

O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAA4801-B5D7-459D-B8D5-E94AC52C88C2}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{8010B232-89FF-469C-98F9-C11AA3080C0C}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD634D7-73D5-48A3-B81F-9A92D01A6E11}: NameServer = 85.255.116.163,85.255.112.15
Click to expand...

Tee uusi hjt-scannaus Do a System scan only
Sulje kaikki muut ikkunat ja selaimen.Merkkaa nämä rivit ja paina Fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wuamgrd.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAA4801-B5D7-459D-B8D5-E94AC52C88C2}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{8010B232-89FF-469C-98F9-C11AA3080C0C}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD634D7-73D5-48A3-B81F-9A92D01A6E11}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.163 85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.163 85.255.112.15

Lataa fixwareout.exe täältä > Täältä
tai > Täältä
ja tallenna se työpöydälle. Tuplaklikkaa sitä ja seuraa ohjeita. Klikkaa Next, sitten Install ja varmistu, että "Run fixit" on valittu. Sinun pitää käynnistää kone uudelleen, kun niin käsketään.

ja sitten...

Lataa SDFix by AndyManchesta ja tallenna se työpöydällesi.

Käynnistä koneesi vikasietotilaan ja valitse tavallinen käyttäjätilisi:
*Käynnistä tietokone
*Kun kuulet koneen piippaavan, paina F8, kuitenkin ennen Windowsin logon esiintuloa
*Seuraavaksi pitäisi ilmestyä valikko
*Valitse valikosta vikasietotila.

* Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio). Työpöydälle ilmestyy sdfix.exe. Tuplakilikkaa sitä, niin tiedosto purkaantuu ja asentaa itsensä siihen levyasemaan, minne on käyttöjärjestelmä on asennettu ja juureen ilmestyy kansio SDFix, ESIM c:\SDFix
* Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman.
* Paina Y käynnistääksesi skriptin.
* Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, "Press any key to Reboot".
* Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen.
* Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta.
* Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, "Finished".
* Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle.
* Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis lokin kera.

Lähetä uusi HjT-loki ja c:\fixwareout\report.txt + Report.txt sisältö

SlimJoe · Dec 1, 2007

sori ku häiritten teidän topicia, mutta tomato miten tiedät että selain on kaapattu? siis mitkä kohdat tossa hjt logissa kertoo niin? voitko vaikka selittää yksityisviestillä miten se päätellään?

tomato71 · Dec 1, 2007

Verkkoyhteys on kaapattu
se on nämä rivit
wareout-rootkitin tunnus merrki

O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAA4801-B5D7-459D-B8D5-E94AC52C88C2}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{8010B232-89FF-469C-98F9-C11AA3080C0C}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD634D7-73D5-48A3-B81F-9A92D01A6E11}: NameServer = 85.255.116.163,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.163 85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.163 85.255.112.15

ja sen pystyy vielä varmistaa tarkistamalla tuo Ip numero
http://www.dnsstuff.com/tools/whois.ch?ip=85.255.116.163 85.255.112.15
se soittelee Ukrainaan

SlimJoe · Dec 1, 2007

Mulla on itelläkin pari ton tapasta juttua hjt lokissa.. mutta ne ne ku laittaa tohon whois juttuun niin se menee nettioperaattorille.. siis kaikki ok? kiitos selityksestä tomato..

tomato71 · Dec 1, 2007

jep
jos menee omalle operaattorille niin sit on OK

SlimJoe · Dec 1, 2007

kyllä menee.. kiitos paljon.. oppipahan jotain uutta tänään

raipe10 · Dec 2, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:44:07, on 2.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Elisa\Avustaja\Elisa.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Elisa Avustaja Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Elisa\Avustaja\IEFixItNowPlugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Elisa Avustaja] "C:\Program Files\Elisa\Avustaja\Elisa.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Palvelut - {0C1DCC66-DA86-4F3E-A4EA-559547E4D5AE} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {1138DAF4-CB7D-4674-8DEE-38951BE16D95} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CB4F5639-3ADE-4BC8-BA1E-40C14877C2DC} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

--
End of file - 10903 bytes

Username "Omistaja" - 02.12.2007 20:17:20 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdlun.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6AAA4801-B5D7-459D-B8D5-E94AC52C88C2}
"DhcpNameServer"="85.255.116.163,85.255.112.15" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D1E57605-6D36-42FB-82AC-6DAB0CADACBD}
"DhcpNameServer"="85.255.116.163,85.255.112.15" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EBD634D7-73D5-48A3-B81F-9A92D01A6E11}
"DhcpNameServer"="85.255.116.163,85.255.112.15" <Value cleared.

DNS-tulkintatoiminnon välimuistin tyhjentäminen onnistui.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ATIModeChange"="Ati2mdxx.exe"
"CTHelper"="CTHELPER.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"F-Secure Manager"="\"C:\\Program Files\\F-Secure\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\F-Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Elisa Avustaja"="\"C:\\Program Files\\Elisa\\Avustaja\\Elisa.exe\""
"RegistryMechanic"=""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\" /d=60"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~

_______________________________

SDFix suoritus takkuilee, F8 ei käynnistä safemodea, joten se pitänee käynistää msconfigista. Ei suostu suorittamaan RunThis.bat tuon ohjeen mukaan? Siis viimeistely tekemättä? Miten suojautua DNSChangerilta jatkossa?

tomato71 · Dec 3, 2007

jaa... ei suostu toimii ??
saatko sen toimii normaalitilassa?

Tee uusi hjt-scannaus Do a System scan only
Sulje kaikki muut ikkunat ja selaimen.Merkkaa nämä rivit ja paina Fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Paina Käynnistä ---> Suorita -->kirjoita(tai kopioi ja liitä) sc stop wuamgrd (pamauta enteriä )
Paina Käynnistä ---> Suorita -->kirjoita(tai kopioi ja liitä) sc delete wuamgrd (pamauta enteriä )

Tallenna nämä ohjeet tekstitiedostoon tai tulosta nämä, muuten et pääse niihin käsiksi vikasietotilasta

Lataa AVG Anti-Spyware 7.5 ja tallenna ohjelma työpöydällesi.
*Kun olet ladannut ohjelman, kaksoisklikkaa asennuohjelman pikakuvaketta työpöydälläsi, asennus alkaa.
*Asennuksen jälkeen täytyy ohjelma käynnistää ja sen tunnisteet päivittää.
*Käynnistä AVG Anti-Spyware.
*Klikkaa "Update" kuvaketta päävalikossa. Sen jälkeen klikkaa "Update now" painiketta.
*Sitten klikkaa "Start Update" kuvaketta jolloin päivitys alkaa.

*Kun päivitykset on ladattu, klikkaa "Scanner" kuvaketta ikkunan ylälaidassa. Valitse sitten "Settings" välilehti.
*Kun "Settings" valikko on auennut, klikkaa "Recommended actions" ja sitten valitse "Quarantine".
*Sitten "Reports" valikon alta:
*Ota täppi pois kohdasta"Automatically generate report after every scan"
*Ota täppi pois kohdasta"Only if threats were found

*Sitten klikkaa "Shield" kuvaketta ikkunan ylälaidassa
*"Resident shield is", muuta tila active:sta inactive:ksi
*Sulje ohjelma, ÄLÄ skannaa vielä.
Käynnistä koneesi vikasietotilaan, Ohje!

ja vikasietotilassa

Sitten käytä Windowsin "Etsi" toimintoa.
Käynnistä-valikko "Etsi"
->Lisävaihtoehdot
->Raksi seuraaviin:
-Etsi järjestelmäkansioista
-Etsi piilotiedostoista ja -kansioista
-Etsi alikansioista
->Hakusanaksi C:\WINDOWS\System32\wuamgrd.exe
Poista jos löytyy

HUOM! Älä käytä muita ohjelmia AVG skannauksen aikana, tämä saattaa häiritä skannausta.
*Kun vikasietotilassa, käynnistä AVG Anti-Spyware.
*Klikkaa "Scanner" kuvaketta ikkunan ylälaidassa ja valitse "Scan" välilehti. Sitten klikkaa "Complete System Scan".
*AVG aloittaa nyt tietokoneen skannaamisen, ole kärsivällinen sillä skannaus vie aikaa.

Kun skannaus on valmis:
TÄRKEÄÄ : Älä klikkaa "Save Scan Report" ennen kuin klikkaat "Apply all Actions"
*Varmistu, että Set all elements to: näyttää Quarantine (1), jos ei, klikkaa linkkiä ja valitse Quarantine popup-valikosta.
*Sinulta kysytään mitä tehdä jos infektioita löytyi, valitse silloin "Apply all actions"

*Sitten klikkaa "Reports" kuvaketta ohjelma yläosasta.
*Klikkaa "Save report as" painiketta ikkunan vasemmassa alalaidassa ja tallenna raportti työpöydälle.
*Sulje ohjelma, käynnistä kone normaalisti ja lähetä AVG:n raportti viestikejuusi.

nyt kokeile sdfix uudelleen

Lähetä avg-loki ja uusihjt-loki

raipe10 · Dec 3, 2007

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:11:48 3.12.2007

+ Scan result:

C:\Documents and Settings\Omistaja\Local Settings\Temp\__unin__.exe -> Adware.Altnet : Cleaned with backup (quarantined).
HKU\S-1-5-21-95691010-3605996247-1844047590-1003\Software\localNRD -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\Omistaja\Cookies\omistaja@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@ehg-sanomadata.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Omistaja\Local Settings\Temp\Cookies\omistaja@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Omistaja\Cookies\omistaja@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.

::Report end

raipe10 · Dec 3, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48:32, on 3.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Elisa\Avustaja\Elisa.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Elisa Avustaja Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Elisa\Avustaja\IEFixItNowPlugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Elisa Avustaja] "C:\Program Files\Elisa\Avustaja\Elisa.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Palvelut - {0C1DCC66-DA86-4F3E-A4EA-559547E4D5AE} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {1138DAF4-CB7D-4674-8DEE-38951BE16D95} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CB4F5639-3ADE-4BC8-BA1E-40C14877C2DC} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN

--
End of file - 10585 bytes

tomato71 · Dec 6, 2007

moi
Loki on OK
Saitko sen sdfixin toimii,jos sait nii skannaa sillä ja laita loki

raipe10 · Dec 6, 2007

System Report
*************

Run on su 02.12.2007 at 21:03

Microsoft Windows XP [versio 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [544]
\??\C:\WINDOWS\system32\csrss.exe [608]
\??\C:\WINDOWS\system32\winlogon.exe [632]
C:\WINDOWS\system32\services.exe [676]
C:\WINDOWS\system32\lsass.exe [688]
C:\WINDOWS\system32\svchost.exe [860]
C:\WINDOWS\system32\svchost.exe [924]
C:\WINDOWS\Explorer.EXE [1208]

Drivers:

ADDRESS: IMAGE PATH:
804D7000: \WINDOWS\system32\ntoskrnl.exe
806FE000: \WINDOWS\system32\hal.dll
F899F000: \WINDOWS\system32\KDCOM.DLL
F88AF000: \WINDOWS\system32\BOOTVID.dll
F8450000: ACPI.sys
F89A1000: \WINDOWS\System32\DRIVERS\WMILIB.SYS
F843F000: pci.sys
F849F000: isapnp.sys
F8A67000: pciide.sys
F871F000: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
F89A3000: viaide.sys
F89A5000: intelide.sys
F84AF000: MountMgr.sys
F8420000: ftdisk.sys
F8727000: PartMgr.sys
F84BF000: VolSnap.sys
F8408000: atapi.sys
F84CF000: disk.sys
F84DF000: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
F83E8000: fltmgr.sys
F83D6000: sr.sys
F872F000: PxHelp20.sys
F83BF000: KSecDD.sys
F8332000: Ntfs.sys
F8321000: fsdfw.sys
F82F4000: \WINDOWS\System32\drivers\NDIS.SYS
F8737000: \WINDOWS\System32\drivers\fsndis5.sys
F873F000: SISAGPX.sys
F8747000: viaagp1.sys
F84EF000: ohci1394.sys
F84FF000: \WINDOWS\System32\DRIVERS\1394BUS.SYS
F88B3000: nv_agp.sys
F82D9000: Mup.sys
F773D000: \SystemRoot\System32\DRIVERS\amdk7.sys
F880F000: \SystemRoot\System32\DRIVERS\fdc.sys
F7719000: \SystemRoot\System32\DRIVERS\parport.sys
F772D000: \SystemRoot\System32\DRIVERS\serial.sys
F8983000: \SystemRoot\System32\DRIVERS\serenum.sys
F8817000: \SystemRoot\System32\DRIVERS\usbohci.sys
F76F6000: \SystemRoot\System32\DRIVERS\USBPORT.SYS
F881F000: \SystemRoot\System32\DRIVERS\usbehci.sys
F76E2000: \SystemRoot\System32\DRIVERS\NVENET.sys
F7691000: \SystemRoot\System32\DRIVERS\Cap7134.sys
F852F000: \SystemRoot\System32\DRIVERS\STREAM.SYS
F766E000: \SystemRoot\System32\DRIVERS\ks.sys
F7600000: \SystemRoot\system32\drivers\ctaud2k.sys
F75DC000: \SystemRoot\system32\drivers\portcls.sys
F853F000: \SystemRoot\system32\drivers\drmk.sys
F75C3000: \SystemRoot\system32\drivers\ctoss2k.sys
F89CB000: \SystemRoot\system32\drivers\ctprxy2k.sys
F759A000: \SystemRoot\System32\DRIVERS\HSFHWBS2.sys
F7495000: \SystemRoot\System32\DRIVERS\HSF_DP.sys
F73D7000: \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
F8827000: \SystemRoot\System32\Drivers\Modem.SYS
F8987000: \SystemRoot\system32\drivers\pfc.sys
F854F000: \SystemRoot\System32\DRIVERS\cdrom.sys
F855F000: \SystemRoot\System32\DRIVERS\redbook.sys
F882F000: \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
F856F000: \SystemRoot\System32\DRIVERS\imapi.sys
F734A000: \SystemRoot\System32\DRIVERS\ati2mtag.sys
F7336000: \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
F8993000: \SystemRoot\system32\DRIVERS\PMJ151NM.sys
F8BC7000: \SystemRoot\System32\DRIVERS\audstub.sys
F857F000: \SystemRoot\System32\DRIVERS\rasl2tp.sys
F8997000: \SystemRoot\System32\DRIVERS\ndistapi.sys
F731F000: \SystemRoot\System32\DRIVERS\ndiswan.sys
F858F000: \SystemRoot\System32\DRIVERS\raspppoe.sys
F859F000: \SystemRoot\System32\DRIVERS\raspptp.sys
F8837000: \SystemRoot\System32\DRIVERS\TDI.SYS
F730E000: \SystemRoot\System32\DRIVERS\psched.sys
F85AF000: \SystemRoot\System32\DRIVERS\msgpc.sys
F883F000: \SystemRoot\System32\DRIVERS\ptilink.sys
F8847000: \SystemRoot\System32\DRIVERS\raspti.sys
F85BF000: \SystemRoot\System32\DRIVERS\termdd.sys
F884F000: \SystemRoot\System32\DRIVERS\kbdclass.sys
F8857000: \SystemRoot\System32\DRIVERS\mouclass.sys
F89CD000: \SystemRoot\System32\DRIVERS\swenum.sys
F72DA000: \SystemRoot\System32\DRIVERS\update.sys
F8294000: \SystemRoot\System32\DRIVERS\mssmbios.sys
F85CF000: \SystemRoot\System32\Drivers\NDProxy.SYS
F85DF000: \SystemRoot\System32\DRIVERS\usbhub.sys
F89CF000: \SystemRoot\System32\DRIVERS\USBD.SYS
B6EDB000: \SystemRoot\system32\drivers\ha10kx2k.sys
B6EBA000: \SystemRoot\system32\drivers\ctac32k.sys
B6E9F000: \SystemRoot\system32\drivers\emupia2k.sys
B6E80000: \SystemRoot\system32\drivers\ctsfm2k.sys
F8867000: \SystemRoot\System32\DRIVERS\PhTVTune.sys
F886F000: \SystemRoot\System32\DRIVERS\flpydisk.sys
F89D1000: \SystemRoot\System32\Drivers\Fs_Rec.SYS
F8B6E000: \SystemRoot\System32\Drivers\Null.SYS
F89D3000: \SystemRoot\System32\Drivers\Beep.SYS
F887F000: \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
F8887000: \SystemRoot\System32\drivers\vga.sys
F89D5000: \SystemRoot\System32\Drivers\mnmdd.SYS
F89D7000: \SystemRoot\System32\DRIVERS\RDPCDD.sys
F888F000: \SystemRoot\System32\Drivers\Msfs.SYS
F8897000: \SystemRoot\System32\Drivers\Npfs.SYS
F7CAD000: \SystemRoot\System32\DRIVERS\rasacd.sys
B6D05000: \SystemRoot\System32\DRIVERS\ipsec.sys
B6CAD000: \SystemRoot\System32\DRIVERS\tcpip.sys
B6C85000: \SystemRoot\System32\DRIVERS\netbt.sys
B6C63000: \SystemRoot\System32\drivers\afd.sys
F867F000: \SystemRoot\System32\DRIVERS\netbios.sys
B6C38000: \SystemRoot\System32\DRIVERS\rdbss.sys
B6BC9000: \SystemRoot\System32\DRIVERS\mrxsmb.sys
F86AF000: \SystemRoot\System32\Drivers\Fips.SYS
F86BF000: \SystemRoot\System32\DRIVERS\wanarp.sys
F889F000: \SystemRoot\System32\DRIVERS\USBSTOR.SYS
F88A7000: \SystemRoot\System32\DRIVERS\usbccgp.sys
F8947000: \SystemRoot\System32\DRIVERS\hidusb.sys
F86CF000: \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
F895B000: \SystemRoot\System32\DRIVERS\mouhid.sys
F895F000: \SystemRoot\System32\DRIVERS\kbdhid.sys
B6B7E000: \SystemRoot\System32\Drivers\Fastfat.SYS
B6B66000: \SystemRoot\System32\Drivers\dump_atapi.sys
F89DD000: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
BF800000: \SystemRoot\System32\win32k.sys
F897B000: \SystemRoot\System32\drivers\Dxapi.sys
F8767000: \SystemRoot\System32\watchdog.sys
BF9C3000: \SystemRoot\System32\drivers\dxg.sys
F8BA3000: \SystemRoot\System32\drivers\dxgthk.sys
BF9D5000: \SystemRoot\System32\ati2dvag.dll
BFA18000: \SystemRoot\System32\ati3d2ag.dll
F89ED000: \SystemRoot\System32\Drivers\ParVdm.SYS
B6A72000: \??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys
B6A6A000: \SystemRoot\System32\DRIVERS\mdmxsdk.sys
F89EF000: \??\C:\WINDOWS\System32\PfModNT.sys
F869F000: \??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys
F86DF000: \??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys
B6ABE000: \SystemRoot\System32\Drivers\Cdfs.SYS
B691E000: \??\C:\DOCUME~1\Omistaja\LOCALS~1\Temp\catchme.sys
7C900000: \WINDOWS\system32\ntdll.dll

Files Created/Modified - 60 Days :

C:\

C:\WINDOWS\

C:\Program Files\

Files with hidden attributes:

Catchme:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 20:57:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x00ffc\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Fax"="winspool,Ne00:"
"Canon MP360 Series Printer"="winspool,Ne01:"
"Adobe PDF"="winspool,Ne02:"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Fax"="winspool,Ne00:,15,45"
"Canon MP360 Series Printer"="winspool,Ne01:,15,45"
"Adobe PDF"="winspool,Ne02:,15,45"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"="Canon MP360 Series Printer,winspool,Ne01:"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Program Folders:

C:\Program Files\

Adobe
Allaire
ArcSoft
a-squared Anti-Malware
ATI Technologies
Canon
Common Files
ComPlus Applications
Creative
DC++
Deluxe Ski Jump 3
Easy Internet signup
Elisa
Eurowordkuusi
F-Secure
Google
Home Media Networks Limited
InstallShield Installation Information
Internet Explorer
InterVideo
iPod
iTunes
IZArc
Java
Lavalys
Lavasoft
Lingea
Mediafour
Messenger
microsoft frontpage
Microsoft Office
Microsoft Visual Studio
Microsoft Works
Movie Maker
MSN Gaming Zone
MSN Messenger
MSXML 4.0
NASA
NCH Swift Sound
NetMeeting
Norton Security Scan
Online Services
Outlook Express
Paint Shop Pro 5
QuickTime
Real
RecordNow
Registry Mechanic
ScanSoft
Ski Jumping 2004
ToniArts
Trend Micro
TurnTool
Uninstall Information
Viewpoint
Windows Live Toolbar
Windows Media Connect 2
Windows Media Player
Windows NT
WindowsUpdate
Virtual Laguna Beach
WS_FTP
Xara
xerox
Yahoo!

C:\Program Files\Common Files\

Adobe
Designer
InstallShield
Java
Microsoft Shared
MimarSinan
MSSoap
ODBC
Real
ScanSoft Shared
Services
Sonic
SpeechEngines
Symantec Shared
System
xing shared

Add/Remove Programs:
********************************

Kaikki näyttää toimivan nyt OK, joten tuhannet kiitokset Tomato71!

raipe10 · Dec 6, 2007

SDFix: Version 1.116

Run by Omistaja on ma 03.12.2007 at 21:27

Microsoft Windows XP [versio 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\WINDOWS\atmh.exe.tmp - Deleted
C:\WINDOWS\dypsf.exe.tmp - Deleted
C:\WINDOWS\fopebct.exe.tmp - Deleted
C:\WINDOWS\iboxon.exe.tmp - Deleted
C:\WINDOWS\pujonib.exe.tmp - Deleted
C:\WINDOWS\rwzct.exe.tmp - Deleted
C:\WINDOWS\wzgxezkf.exe.tmp - Deleted
C:\WINDOWS\system32\TFTP1148 - Deleted
C:\WINDOWS\system32\TFTP2072 - Deleted
C:\WINDOWS\system32\TFTP3128 - Deleted
C:\WINDOWS\system32\TFTP3628 - Deleted
C:\WINDOWS\system32\TFTP7724 - Deleted

tomato71 · Dec 6, 2007

kannattais vielä varmistaa...

Skannaa koneesi Kaspersky Online Skannerilla
Käytä Internet Explorer
Sinulta kysytään sallitko ActiveX -komponentin asentamisen Kasperskyltä, klikkaa Kyllä.

Ohjelma käynnistyy ja aloittaa viimeisimpien tunnistetiedostojen lataamisen.

Kun skanneri on asennettu ja tunnistetiedot ladattu, klikkaa Next.

Klikkaa nyt asetuksia, Scan Settings

Tarkista asetuksista, että seuraavat ovat valittuina:

o Scan using the following Anti-Virus database:

+ Extended (Jos valittavissa, muuten valitse Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Klikkaa OK

Nyt valitse "select a target to scan" otsikon alta Oma Tietokone, My Computer

Skannaus vie aikaa, joten ole kärsivällinen. Kun skannaus on valmis saat ilmoituksen, jos koneesi on saastunut.

Klikkaa nyt Save as Text-painiketta.

Tallenna tiedosto työpöydällesi.

Kopioi ja Liitä tiedoston sisältö seuraavaan vastaukseesi.

raipe10 · Dec 10, 2007

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 11, 2007 12:33:40 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 479241
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 108468
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:53:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Sivuhistoria\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Omistaja\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Sivuhistoria\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Temp\~DF14AA.tmp Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Temp\~DF14B8.tmp Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Omistaja\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Omistaja\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Omistaja\ntuser.dat.LOG Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\cache.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\L0000145.FCS Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\F-Secure\Common\policy.ipf Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\0001000B.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BCEA4782-03E9-4D78-B391-C28DD803393F}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\KDLUN.0XE Infected: Trojan.Win32.DNSChanger.abk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000007-00001102-00000004-005B1102}.CDF Object is locked skipped
D:\System Volume Information\_restore{BCEA4782-03E9-4D78-B391-C28DD803393F}\RP7\change.log Object is locked skipped

Scan process completed.

tomato71 · Dec 13, 2007

moi
poista tämä tiedosto

C:\WINDOWS\system32\KDLUN.0XE

vielä ongelmia??

Log in or Sign up

Selain kaapattu?? Toimii miten sattuu! Missä vika?

raipe10 Member

McMcMc Regular member

sakari67 Guest

McMcMc Regular member

tomato71 Regular member

SlimJoe Regular member

tomato71 Regular member

SlimJoe Regular member

tomato71 Regular member

SlimJoe Regular member

raipe10 Member

tomato71 Regular member

raipe10 Member

raipe10 Member

tomato71 Regular member

raipe10 Member

raipe10 Member

tomato71 Regular member

raipe10 Member

tomato71 Regular member

Share This Page

Log in or Sign up

Selain kaapattu?? Toimii miten sattuu! Missä vika?

raipe10 Member

McMcMc Regular member

sakari67 Guest

McMcMc Regular member

tomato71 Regular member

SlimJoe Regular member

tomato71 Regular member

SlimJoe Regular member

tomato71 Regular member

SlimJoe Regular member

raipe10 Member

tomato71 Regular member

raipe10 Member

raipe10 Member

tomato71 Regular member

raipe10 Member

raipe10 Member

tomato71 Regular member

raipe10 Member

tomato71 Regular member

Share This Page

Useful Searches