spyware

Discussion in 'Virukset ja haittaohjelmat' (Viruses and malware) started by medioc, Dec 3, 2005.

  1. medioc (Regular member)

    "Your computer is infected!

    Windows has detected spyware infection!

    It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install most up-to-date antispyware for you.

    Click here to protect your computer from spyware!"

    So I get a message like that every 5 seconds. I have run SpyBot all the way through, but it doesn't find _any_ spyware. How would I get rid of the spyware, then?

    [I ran HijackThis:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\kernels32.exe
    C:\WINDOWS\System32\vxh8jkdq2.exe
    C:\WINDOWS\System32\vxh8jkdq6.exe
    C:\WINDOWS\System32\vxh8jkdq7.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\winstall.exe
    C:\Program Files\AGC\agc.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\WINDOWS\System32\wuauclt.exe
    K:\Steam\Steam.exe
    C:\Program Files\DC++\DCPlusPlus.exe
    C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
    C:\Program Files\FinnishIRC XP\FIRC.exe
    C:\Program Files\Winamp\winamp.exe
    K:\EvilLyrics\EvilLyrics.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Anssi Lammi\Omat tiedostot\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AGC.lnk = C:\Program Files\AGC\agc.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{57C6C096-4937-4FEE-B3EA-6E772360CC43}: NameServer = 62.148.192.130,62.148.192.131
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Tell me if there are any useless "programs" in there that should be removed.]
     
    Last edited: Dec 3, 2005
  2. Jannejt (Moderator, Staff Member)

    Moved to a more appropriate section.
     
  3. Zipp2 (Regular member)

    Get Ewido from here:

    http://www.ewido.net/en/download/

    Install it and update it.
    Then boot into Safe Mode, scan and clean with it, and save the log.
    Then boot normally and post a new HijackThis log plus the Ewido log.
     
  4. kwakki (Member)

    Looks like there are a couple of trojans and viruses in there.

    C:\WINDOWS\System32\kernels32.exe
    C:\WINDOWS\System32\vxh8jkdq2.exe
    C:\WINDOWS\System32\vxh8jkdq6.exe
    C:\WINDOWS\System32\vxh8jkdq7.exe
    C:\winstall.exe


    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
     
  5. medioc (Regular member)

    So should I remove those?
     
  6. Disa- (Regular member)

  7. Zipp2 (Regular member)

    Just run Ewido like I told you; it should remove most of those. Then post both logs.
     
  8. medioc (Regular member)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\kernels32.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AGC\agc.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\WINDOWS\System32\wuauclt.exe
    K:\Steam\Steam.exe
    C:\Program Files\FinnishIRC XP\FIRC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido\ewidoguard.exe
    C:\Program Files\ewido\ewidoctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\DC++\DCPlusPlus.exe
    K:\EvilLyrics\EvilLyrics.exe
    C:\Documents and Settings\Anssi Lammi\Omat tiedostot\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll (file missing)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AGC.lnk = C:\Program Files\AGC\agc.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{57C6C096-4937-4FEE-B3EA-6E772360CC43}: NameServer = 62.148.192.130,62.148.192.131
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
    O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I ran Ewido, and today that message hasn't appeared anymore. Thanks, zipp2! :)
     
    Last edited: Dec 4, 2005
  9. -kemisti- (Active member)

    The log is not clean.

    End this process in Task Manager:

    kernels32.exe

    Fix these with HjT (do a system scan only, tick them and press Fix checked):

    R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll (file missing)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll (file missing)
    O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll (file missing)
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe

    Make hidden files visible, instructions -> http://keskustelu.afterdawn.com/thread_view.cfm/248944

    Boot into Safe Mode (F8 during startup) and delete:

    C:\Program Files\==>Cram Toolbar<==
    C:\WINDOWS\System32\==>kernels32.exe<==

    Reboot and post a new HjT log and the Ewido report that Zipp2 already asked for (that is, if you saved it).
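The triage the helpers in this thread did by hand (a second program chained onto the system.ini Shell= value, random-named and look-alike executables in System32, an executable sitting in the root of C:, and toolbar entries whose DLL is already gone) can be written down as a small script. This is an added example, not code from the thread or from HijackThis: the list of core Windows binaries, the letter/digit switch threshold in looks_random and the reason strings are the example's own assumptions, and the sample log lines are excerpted from the logs posted above.

```python
import re
from dataclasses import dataclass

# Lines excerpted verbatim from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\winstall.exe
K:\Steam\Steam.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Core Windows binaries whose names malware likes to imitate (assumed list).
CORE_STEMS = {"kernel32", "svchost", "lsass", "smss", "csrss", "winlogon",
              "services", "spoolsv", "explorer", "wuauclt", "rundll32"}
PROC_RE = re.compile(r"[A-Za-z]:\\.+\.exe", re.IGNORECASE)
# Target of an O4 Run/RunServices entry: the path after the [name] bracket.
RUN_TARGET_RE = re.compile(r"\]\s*\"?([A-Za-z]:\\[^\"]+?\.exe)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-keystroke imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(path: str) -> str:
    """Lower-cased file name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def looks_random(name: str) -> bool:
    # Three or more letter<->digit switches (vxh8jkdq2) reads as a generated
    # name; driver helpers such as ati2evxx have at most two. Assumed threshold.
    switches = sum(1 for x, y in zip(name, name[1:]) if x.isdigit() != y.isdigit())
    return switches >= 3


def check_path(path: str) -> list[str]:
    name = stem(path)
    reasons = []
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
        reasons.append("executable in drive root")
    if looks_random(name):
        reasons.append("random-looking filename")
    if name not in CORE_STEMS and any(edit_distance(name, c) == 1 for c in CORE_STEMS):
        reasons.append("name imitates a core Windows binary")
    return reasons


def triage(log: str) -> list[Finding]:
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        kind = line.split(" ", 1)[0]
        if line.startswith("F2 - REG:system.ini: Shell="):
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(Finding(line, "extra program chained onto Shell="))
            continue
        if kind in ("R3", "O2", "O3") and "(file missing)" in line:
            findings.append(Finding(line, "orphaned browser hook, DLL missing"))
            continue
        path = None
        if PROC_RE.fullmatch(line):
            path = line
        elif kind == "O4" and (m := RUN_TARGET_RE.search(line)):
            path = m.group(1)
        if path:
            findings.extend(Finding(line, r) for r in check_path(path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:40} {f.line}")
```

On the excerpt above the script flags exactly the entries kwakki and -kemisti- singled out (kernels32.exe, the vxh8jkdq*.exe processes, C:\winstall.exe, the Shell= line and the two orphaned Cram Toolbar hooks) and leaves zlclient.exe, Steam.exe and the legitimate msnim protocol handler alone. It is a heuristic first pass, not a verdict: a hit means "look at this file", and a clean pass does not prove a clean machine.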
     

Share This Page