Trojan-Downloader.Win32.Delf.ang just keeps coming back!

Discussion in 'Virukset ja haittaohjelmat' (Viruses and malware) started by porssu, Jun 29, 2006.

  1. porssu

    porssu Member

    As a complete amateur I am desperately trying to get help with my problem: Trojan-Downloader.Win32.Delf.ang has become a real nuisance and keeps coming back, even though my antivirus program reports that it has successfully removed the item! Every single time I go into Explorer a new alert appears, many times a day. How do I get rid of this pest? I already tried deleting suspicious files myself, and apparently because of that reading PDFs online no longer works; Explorer crashes instead... Oh, if only someone could help...?!
     
  2. Kellopeli

    Kellopeli Guest

  3. Disa-

    Disa- Regular member

  4. porssu

    porssu Member

    I first tried following that F-Secure guide. This time the virus scan found no viruses. Here are the items it skipped; can anything be made of these? I had previously downloaded that Spybot program and removed something with it, but this particular Trojan-Downloader did not go away with it, or at least it came straight back. Would HijackThis find the root of the problem better?

    Could not open file C:\hiberfil.sys
    Could not open file C:\pagefile.sys
    Could not open file C:\WINDOWS\system32\config\default
    Could not open file C:\System Volume Information\MountPointManagerRemoteDatabase
    Scan of C:\swsetup\Btooth\Data1.cab was aborted [F-Secure AVP]
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch.zip\users32.exe is encrypted
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SYSWEBTELECOM.zip\sbRecovery.reg is encrypted
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SYSWEBTELECOM1.zip\sbRecovery.reg is encrypted
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SYSWEBTELECOM2.zip\sbRecovery.reg is encrypted
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SYSWEBTELECOM3.zip\sbRecovery.reg is encrypted
     
  5. Disa-

    Disa- Regular member

    Something might well turn up in the HJT log. Post it if you want.
     
  6. porssu

    porssu Member

    Right.... I don't understand any of this:
    Is there anything wrong in here, or is everything OK?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:40, on 30.6.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsrw.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\ELISAT~1\ANTI-S~1\fsaw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Elisa Shopit\Local Settings\Temporary Internet Files\Content.IE5\4NPRM27P\HijackThis_v1.99.1[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foreca.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
    O2 - BHO: (no name) - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe
    O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\system32\win32hlp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone -pikakäynnistys.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: adacc - C:\WINDOWS\Registration\adacc.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Elisa Tietoturvapalvelu (BackWeb Plug-in - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

     
  7. Disa-

    Disa- Regular member

    Move HJT out of temp -> C:\Hjt

    Fix the following, i.e. do a system scan only, tick the following and fix checked:

    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
    O2 - BHO: (no name) - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - (no file)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe
    O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\system32\win32hlp.exe
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O20 - Winlogon Notify: adacc - C:\WINDOWS\Registration\adacc.dll (file missing)

    Get ewido from here -> http://www.ewido.net/en/download
    Install it, update it, don't scan yet!

    Boot into Safe Mode (F8 during startup).

    Delete the following:

    C:\WINDOWS\system32\winbrume.dll
    C:\WINDOWS\system32\winmuse.exe
    C:\WINDOWS\system32\win32hlp.exe
    C:\WINDOWS\Registration\adacc.dll

    Run ewido and save the report after the scan.

    Boot normally. Post the ewido report and a new HJT log.
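The fix list above is what a helper reads off a HijackThis log by hand: entries whose file is gone, an unnamed BHO sitting in system32, Run keys launching odd binaries out of system32, a Winlogon Notify package that no longer exists, and an ActiveX download from a games site. The script below is an added example, not part of the thread or of HijackThis. It applies those same checks to the log lines posted above (copied here as the sample input), prints the entries to tick under "Fix checked", and lists the files still on disk to delete by hand in Safe Mode. The two allowlists and the "unnamed BHO in the Windows directory" rule are assumptions for illustration, not a vetted signature set.

```python
"""Triage a HijackThis log the way the fix list above was produced.

Added example; not from the thread or from HijackThis. The sample lines are
copied from the log posted in the thread; the allowlists are assumptions."""
import re
from urllib.parse import urlparse

WINDOWS_DIR = "c:\\windows\\"
SYSTEM32 = WINDOWS_DIR + "system32\\"
# Assumed allowlists (illustration only; a real triage uses a vetted list).
KNOWN_SYSTEM32_AUTOSTARTS = {"igfxtray.exe", "hkcmd.exe"}  # Intel graphics tray/hotkeys
TRUSTED_DPF_DOMAINS = {"microsoft.com", "msn.com"}

# Sample input: lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\system32\win32hlp.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O20 - Winlogon Notify: adacc - C:\WINDOWS\Registration\adacc.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
}

def _missing(text):
    return "(no file)" in text or "(file missing)" in text

def _registered_domain(url):
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def triage_line(line):
    """Return the reason a log line should be fixed, or None if it looks benign."""
    section = line.split(" - ", 1)[0]
    rx = _RE.get(section)
    m = rx.match(line) if rx else None
    if not m:
        return None
    d = m.groupdict()
    if section == "O2":
        if _missing(d["path"]):
            return "orphaned BHO: CLSID still registered but the DLL is gone"
        if d["name"] == "(no name)" and d["path"].lower().startswith(WINDOWS_DIR):
            return "unnamed BHO loaded from the Windows directory"
    elif section == "O4":
        exe = re.match(r'"?(?P<exe>.*?\.exe)', d["cmd"], re.IGNORECASE)
        if exe:
            full = exe.group("exe").lower()
            base = full.rsplit("\\", 1)[-1]
            if full.startswith(SYSTEM32) and base not in KNOWN_SYSTEM32_AUTOSTARTS:
                return "Run key launches an unknown binary from system32: " + base
    elif section == "O16":
        domain = _registered_domain(d["url"])
        if domain not in TRUSTED_DPF_DOMAINS:
            return "ActiveX control downloaded from an untrusted site: " + domain
    elif section == "O20":
        if _missing(d["path"]) or not d["path"].lower().startswith(SYSTEM32):
            return "Winlogon Notify DLL missing or outside system32"
    return None

def triage_log(text):
    """Map each flagged line to its reason, in log order (the 'Fix checked' list)."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        reason = triage_line(line) if line else None
        if reason:
            findings[line] = reason
    return findings

def files_to_delete(findings):
    """Local files named by flagged entries that HJT did not report as missing.

    Remove these by hand in Safe Mode after fixing the entries; entries marked
    '(no file)' / '(file missing)' only need the registry fix."""
    paths = []
    for line in findings:
        m = re.search(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', line, re.IGNORECASE)
        if m and not _missing(line):
            paths.append(m.group(0))
    return paths

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    print("Tick these under 'Fix checked':")
    for entry, why in found.items():
        print(f"  {entry}\n      -> {why}")
    print("Delete in Safe Mode:")
    for p in files_to_delete(found):
        print("  " + p)
```

Run as-is it reproduces the seven entries listed above. Note that adacc.dll is reported as "(file missing)", so it lands in the fix list (the Winlogon Notify registration is stale) but not in the delete list, whereas winbrume.dll, winmuse.exe and win32hlp.exe are named as present and go on the Safe Mode delete list. The Spybot helper is an unnamed BHO too, but it lives under Program Files rather than the Windows directory, which is why the rule leaves it alone.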
     
  8. porssu

    porssu Member

    Oh no, it already got stuck at the first task... :)
    I can't find that program in the temp folders.... Is it just that .pf file in the prefetch folder? What name should I search for...
     
  9. Disa-

    Disa- Regular member

    Download it again and put it in the folder C:\Hjt
     
  10. porssu

    porssu Member

    Right.. I couldn't find those two files (winmuse.exe and win32hlp.exe) any more?? Well, I deleted the first and the last one, ran ewido, but did nothing other than save the report, which is here:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 15:24:07 30.6.2006

    + Scan result:



    C:\Hjt\backups\backup-20060630-134301-925.dll -> Adware.BHO : No action taken.
    C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : No action taken.
    C:\RECYCLER\S-1-5-21-2593928618-1226636319-2292134637-1006\Dc31.dll -> Adware.BHO : No action taken.
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe -> Adware.Gator : No action taken.
    C:\WINDOWS\system32\req.0ll -> Downloader.ConHook.c : No action taken.
    C:\Hjt\backups\backup-20060630-134301-978.dll -> Downloader.Small : No action taken.
    C:\WINDOWS\system32\ilfyzgze.zvd -> Hijacker.Small.js : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@macromedia.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@maxis.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@nbcuniversal.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@com[2].txt -> TrackingCookie.Com : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@c.goclick[1].txt -> TrackingCookie.Goclick : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@ivwbox[2].txt -> TrackingCookie.Ivwbox : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@data2.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@data3.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@data4.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@paypopup[1].txt -> TrackingCookie.Paypopup : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\RECYCLER\S-1-5-21-2593928618-1226636319-2292134637-1006\Dc32.0LL -> Trojan.Agent.cs : No action taken.
    C:\WINDOWS\Downloaded Program Files\SPONSORADULTO.0LL -> Trojan.Dialer.fu : No action taken.
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : No action taken.
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : No action taken.
    HKU\S-1-5-21-2593928618-1226636319-2292134637-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : No action taken.


    ::Report end

    Here is the new HJT log as well:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:29:06, on 30.6.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsrw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\PROGRA~1\ELISAT~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Hjt\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foreca.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fi\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone -pikakäynnistys.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Elisa Tietoturvapalvelu (BackWeb Plug-in - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    What now??
     
  11. Disa-

    Disa- Regular member

    You should have removed the findings with ewido. The log is OK, but run ewido and have it remove that malware.
     
    Last edited: Jun 30, 2006
  12. porssu

    porssu Member

    Well of course... I've become so timid about my own actions, since usually I only do damage... So I'll do it again and delete all the malware that was found?
     
  13. -kemisti-

    -kemisti- Active member

    Delete everything except this one:

    C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe -> Adware.Gator : No action taken.

    That one is not malware.
     
  14. porssu

    porssu Member

    Right... so I zapped everything, but if I understood correctly, the removal of that file you mentioned didn't actually succeed? Here is the report now. What do you say? :)

    + Created at: 18:28:15 30.6.2006

    + Scan result:



    C:\Hjt\backups\backup-20060630-134301-925.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-21-2593928618-1226636319-2292134637-1006\Dc31.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe -> Adware.Gator : Cleaned with backup (quarantined).
    [2776] C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe -> Adware.Gator : Error during cleaning.
    C:\WINDOWS\system32\req.0ll -> Downloader.ConHook.c : Cleaned with backup (quarantined).
    C:\Hjt\backups\backup-20060630-134301-978.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\ilfyzgze.zvd -> Hijacker.Small.js : Cleaned with backup (quarantined).
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@macromedia.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@maxis.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@nbcuniversal.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@com[2].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\RECYCLER\S-1-5-21-2593928618-1226636319-2292134637-1006\Dc32.0LL -> Trojan.Agent.cs : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\SPONSORADULTO.0LL -> Trojan.Dialer.fu : Cleaned with backup (quarantined).
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : Cleaned with backup (quarantined).
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : Cleaned with backup (quarantined).
    HKU\S-1-5-21-2593928618-1226636319-2292134637-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : Cleaned with backup (quarantined).


    ::Report end

     
  15. -kemisti-

    -kemisti- Active member

    So, that one is part of F-Secure, meaning your F-Secure is probably not working properly now :)

    C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe -> Adware.Gator : Cleaned with backup (quarantined).

    So restore it from ewido's quarantine. If you have already deleted it from there, F-Secure has to be reinstalled.
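Both of -kemisti-'s posts above turn on reading the ewido report carefully rather than clicking "clean" on everything: the fsdfwd.exe hit is the F-Secure firewall daemon, not Gator, and the "[2776] ... Error during cleaning" line shows ewido could not touch the copy that was already running. The script below is an added example (not from the thread or from ewido) that parses the report format shown above, using a constructed excerpt of the second report as input. It buckets findings by the action ewido took, flags detections inside the F-Secure install directory as false-positive candidates, lists items a running process kept locked, reports whether a report was scan-only (the point made in post 11), and produces the list to restore from quarantine. The protected directory is the path the thread's logs show and is treated as an assumption here.

```python
"""Review an ewido anti-spyware report before trusting its cleaning actions.

Added example, not part of the thread or of ewido. The protected directory is
the F-Secure path seen in the thread's logs and is an assumption here; a real
review would use the vendor's documented install paths."""
import re
from collections import Counter

PROTECTED_ROOTS = ("c:\\program files\\elisa tietoturvapalvelu\\",)  # assumed
QUARANTINED = "Cleaned with backup (quarantined)"

# "<[pid] >target -> detection : action."  The pid prefix marks a running process.
_LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?(?P<target>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$"
)

# Constructed excerpt of the second report posted in the thread.
SAMPLE_REPORT = r"""
+ Scan result:

C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe -> Adware.Gator : Cleaned with backup (quarantined).
[2776] C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe -> Adware.Gator : Error during cleaning.
C:\WINDOWS\system32\req.0ll -> Downloader.ConHook.c : Cleaned with backup (quarantined).
C:\Documents and Settings\Elisa Shopit\Cookies\elisa shopit@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\Downloaded Program Files\SPONSORADULTO.0LL -> Trojan.Dialer.fu : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -> Trojan.Small.anm : Cleaned with backup (quarantined).

::Report end
"""

def parse_report(text):
    """One dict per finding line; headers, blanks and the report footer are skipped."""
    out = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"]) if d["pid"] else None
        d["registry"] = d["target"].upper().startswith("HK")  # HKLM/HKCU/HKU keys
        out.append(d)
    return out

def _protected(target):
    return target.lower().startswith(PROTECTED_ROOTS)

def review(text):
    """Summarise a report: counts per action plus the items a human must look at."""
    findings = parse_report(text)
    return {
        "by_action": Counter(f["action"] for f in findings),
        # Hits inside a security product's own directory: verify before removing.
        "false_positive_candidates": [
            (f["target"], f["action"]) for f in findings if _protected(f["target"])
        ],
        # Files ewido could not clean because the process holding them was running.
        "locked": [
            (f["pid"], f["target"]) for f in findings
            if f["pid"] is not None and f["action"].startswith("Error")
        ],
        "registry": [f["target"] for f in findings if f["registry"]],
    }

def nothing_cleaned(text):
    """True when the report is scan-only (every finding says 'No action taken')."""
    findings = parse_report(text)
    return bool(findings) and all(f["action"] == "No action taken" for f in findings)

def restore_from_quarantine(text):
    """Protected-directory files ewido actually quarantined: put these back."""
    return [f["target"] for f in parse_report(text)
            if _protected(f["target"]) and f["action"] == QUARANTINED]

if __name__ == "__main__":
    result = review(SAMPLE_REPORT)
    for action, n in result["by_action"].items():
        print(f"{n:3d}  {action}")
    print("Verify before trusting:", result["false_positive_candidates"])
    print("Locked by running process:", result["locked"])
    print("Restore from quarantine:", restore_from_quarantine(SAMPLE_REPORT))
```

On the sample the quarantined fsdfwd.exe is the only item to restore, while the "[2776]" line is the same binary reported a second time because the running firewall daemon kept it open. Running review() on the first report (all "No action taken") makes nothing_cleaned() return True, which is how to tell a scan-only run from a cleaning run without reading every line.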
     
  16. porssu

    porssu Member

    I restored that file, so probably nothing irreversible happened.

    The computer was damn slow though; I couldn't even send this message until I had restarted the machine. Could that be because of ewido?

    Ewido complained about the restored file when the computer came up; I ignored it.
     
  17. -kemisti-

    -kemisti- Active member

    Turn off ewido's guard in ewido's settings (shield), and it will speed up.

    In addition, these, for example, can be pruned from starting up:


    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     
    Last edited: Jun 30, 2006
  18. porssu

    porssu Member

    Is this now finished for the time being? If so, the biggest possible thanks to you. You are an incredibly kind and helpful bunch.
     
  19. -kemisti-

    -kemisti- Active member

    If the problems are gone, then I guess this is done :) And you're welcome.
     
  20. porssu

    porssu Member

    Oh, one more thing... At least the Trojan Downloader hasn't shown up even once now, and that was the biggest problem here. The computer got faster too. But one more thing... how do I stop those from starting up? And what are they? I tried a few PDF files online and at least Explorer didn't report any error straight away. Will that problem get fixed now too, with the removal of this malware? (until now the Internet has crashed every time a PDF was opened online)
     
