Hi. So, the viruses listed below are bothering me. Avast Antivirus can't remove them, and I'm what you'd call "all thumbs" when it comes to this. It's slowly getting annoying when Avast's "Virus löytynyt" ("Virus found") notification pops up on the screen every little while. Help your helpless neighbor!!!

File: http://85.255.115.187/users/fill/web/images/rzspy.exe Win32:Trojan-gen{Other}
File: http://85.255.115.187/users/fill/web/images/idownload.exe Win32:Small-TG[Trj]

Here's the HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:38, on 17.5.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ZyXEL\G162\Gcc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ZyXEL\G162\OdHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vanhakettu.fi/sa.php?tunnus=asiakas&salasana=asiakas
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINNT\system32\yaemu.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Application Name] D:\VANHAK~1\AJOPK\AJOPK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZyXEL G-162 Wireless Adapter Utility.lnk = C:\Program Files\ZyXEL\G162\Gcc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/fi/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{742C036D-146D-4FE8-A13C-867E309D501D}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{83C34FDB-451D-4D44-92F2-5DE946EBF54E}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CF4F1B3-EBFA-419B-9B07-1E5C9AFB686A}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC258682-B504-4A4D-91E2-36CBA0587C88}: NameServer = 85.255.116.92,85.255.112.68
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Modified AutoLaunch Service (jjtAutoLaunch) - Unknown owner - C:\WINNT\jjtAutoLaunch.exe (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe

Fix with HjT (do a system scan only, check the entries and press fix checked):

O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [yaemu.exe] C:\WINNT\system32\yaemu.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{742C036D-146D-4FE8-A13C-867E309D501D}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{83C34FDB-451D-4D44-92F2-5DE946EBF54E}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CF4F1B3-EBFA-419B-9B07-1E5C9AFB686A}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC258682-B504-4A4D-91E2-36CBA0587C88}: NameServer = 85.255.116.92,85.255.112.68

Get fixwareout -> http://downloads.subratam.org/Fixwareout.exe
Save it to some directory and run it. Follow the instructions, and restart the computer when the fix asks for it.

Get, install and update ewido -> http://keskustelu.afterdawn.com/thread_view.cfm/269186

Boot into safe mode (F8 during startup).

Delete, if found:
C:\WINNT\system32\yaemu.exe
C:\WINNT\web\related.htm

Scan with ewido, let it remove what it finds and save the report.

Restart and post the ewido report and the contents of the C:\fixwareout\report.txt file here.

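The O17 entries marked for fixing in the reply above put the same NameServer pair on four network interfaces. As an added example (not part of the original thread), the Python below pulls every O17 NameServer line out of a HijackThis log and reports the resolvers that are not on a list you expect; the EXPECTED value, the function names and the last sample line are assumptions constructed for illustration, the other sample lines are copied from the log in this thread.

```python
import re
from ipaddress import ip_address

# Resolvers this machine is supposed to use. Constructed placeholder
# (documentation range): replace with your ISP's or router's addresses.
EXPECTED = {"192.0.2.53"}

O17_NS = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Three lines from the thread's log plus one constructed line (all-zero GUID).
SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{742C036D-146D-4FE8-A13C-867E309D501D}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{83C34FDB-451D-4D44-92F2-5DE946EBF54E}: NameServer = 85.255.116.92,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

def normalize(value):
    """Canonical form of an IP literal; anything else is kept raw so it is still reported."""
    try:
        return str(ip_address(value))
    except ValueError:
        return value

def nameserver_overrides(log_text):
    """Return {registry key: [resolver, ...]} for every O17 NameServer line."""
    found = {}
    for line in log_text.splitlines():
        m = O17_NS.match(line.strip())
        if m:
            # The registry value may be comma- or space-separated.
            parts = re.split(r"[,\s]+", m.group("servers").strip())
            found[m.group("key")] = [normalize(p) for p in parts if p]
    return found

def unexpected(found, expected=EXPECTED):
    """Map each resolver outside `expected` to the keys (interfaces) that use it."""
    hits = {}
    for key, servers in found.items():
        for server in servers:
            if server not in expected:
                hits.setdefault(server, []).append(key)
    return hits

if __name__ == "__main__":
    for server, keys in unexpected(nameserver_overrides(SAMPLE)).items():
        print(f"{server}: set on {len(keys)} interface(s)")
```
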
Thanks for the help, I'll remember you in my evening prayers. This is a really good site; it helps even a "layman" cope with their problems. Here are the reports:

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:04:53, 18.5.2006
+ Report-Checksum: A427ED8E

+ Scan result:

HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\SCom -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\SCom\Dialers -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\WhenU -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mika\Cookies\mika@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mika\Cookies\mika@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mika\Cookies\mika@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Mika\Cookies\mika@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned with backup

::Report End

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»» Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal