trojan vundo

Discussion in 'Virukset ja haittaohjelmat' started by janisilen, Mar 22, 2006.

  1. janisilen

    janisilen Member

    Joined:
    Mar 21, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 19:19:10, on 22.3.2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\nvidGUIv.exe
    C:\Program Files\Spyware Nuker\swnxt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\spoolsrv.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\James69\Työpöytä\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\jkklj.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
    O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [log lies team comp] C:\Documents and Settings\All Users\Application Data\Waysizeloglies\Grid Axis.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Windows Update 64] WinV.exe
    O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
    O4 - HKLM\..\Run: [WinDLL (libmon.dll)] rundll32.exe C:\WINDOWS\System32\libmon.dll,start
    O4 - HKLM\..\Run: [WinDLL (v4mon.dll)] rundll32.exe C:\WINDOWS\System32\v4mon.dll,start
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
    O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
    O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] lladik.exe
    O4 - HKCU\..\Run: [MS lsassc Startup] lsass135c.exe
    O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [Windows Update 64] WinV.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: jkklj - C:\WINDOWS\SYSTEM32\jkklj.dll
    O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
    O20 - Winlogon Notify: mlljk - C:\WINDOWS\
    O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\l80u0id9e80.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
    O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
    O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
    O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe
     
  2. Jannejt

    Jannejt Moderator Staff Member

    Joined:
    Feb 10, 2005
    Messages:
    5,045
    Likes Received:
    6
    Trophy Points:
    118
    Moved to a more suitable section.
     
  3. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Removal guide 1:


    Update Ewido. Don't scan yet.
    If the program's update fails, you can download its definitions from the web! -> http://www.ewido.net/en/download/updates/


    Get VundoFix.exe and save it to the desktop

    http://www.atribune.org/ccount/click.php?id=4

    -> Double-click VundoFix.exe
    -> Tick Run VundoFix as a task and click OK, then wait for the fix to open again
    -> Click Scan for Vundo
    -> When the scan is finished, click Remove Vundo
    -> When asked whether you want to delete the files, click Yes
    -> When you click Yes, the desktop disappears as the Vundo removal starts.
    -> When it is done, the fix reports that the computer will be shut down; click OK.
    -> Start the computer in Safe Mode and launch Ewido

    First go to Settings ->

    Tick Scan every file and OK -> Now run a "Complete system Scan", i.e. you scan the whole computer to find malware.

    -> Save the Ewido log

    -> Start the computer normally

    -> Post C:\vundofix.txt, a new HijackThis log and the Ewido log.

    The computer still has at least the L2M nasty on it and probably more besides.
     
    Last edited: Mar 22, 2006
  4. NUIJJA

    NUIJJA Active member

    Joined:
    Jan 12, 2005
    Messages:
    4,410
    Likes Received:
    0
    Trophy Points:
    66
  5. janisilen

    janisilen Member

    Joined:
    Mar 21, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11

    VundoFix V4.2.35

    Checking Java version...

    Scan started at 18:01:06 23.3.2006

    Listing files found while scanning....

    C:\WINDOWS\System32\jkklj.dll

    C:\WINDOWS\system32\kjllm.bak1
    C:\WINDOWS\system32\kjllm.bak2
    C:\WINDOWS\system32\kjllm.ini
    Attempting to delete C:\WINDOWS\System32\jkklj.dll
    C:\WINDOWS\System32\jkklj.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kjllm.bak1
    C:\WINDOWS\system32\kjllm.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kjllm.bak2
    C:\WINDOWS\system32\kjllm.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kjllm.ini
    C:\WINDOWS\system32\kjllm.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V4.2.35

    Checking Java version...

    Scan started at 18:20:23 23.3.2006

    Listing files found while scanning....


    No infected files were found.

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 20:10:19, 23.3.2006
    + Report-Checksum: 48131A76

    + Scan result:

    [644] C:\WINDOWS\system32\wfweb.dll -> Adware.Look2Me : Error during cleaning
    [776] C:\WINDOWS\system32\wfweb.dll -> Adware.Look2Me : Error during cleaning
    :mozilla.24:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.76:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.88:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Epilot : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
    :mozilla.129:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.133:C:\Documents and Settings\James69\Application Data\Mozilla\Firefox\Profiles\qtmwn776.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
    C:\WINDOWS\mansor.exe.mwt -> Backdoor.SdBot.xd : Cleaned with backup
    C:\WINDOWS\system32\akivvaxx.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\armlib.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\asiiiexx.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\awtqo.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\awvts.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\awvvs.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\awvvu.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\awvvv.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ayifile.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\aza80aluedq80.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\cdpbk32.dll -> Adware.Look2Me : Cleaned with backup
    :mozilla.16:C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Firefox\Profiles\bah92jm9.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\WINDOWS\system32\cpodm.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\CyxClsCo.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ddabb.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ddaby.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ddaya.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ddccb.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ddccd.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ddcyy.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\dhnput8.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\dId8thk.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\DkvXc32f.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\DovXc32f.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\eeentcls.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\en20l1fm1.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\eqentprf.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\fpr6039se.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\FY20.DLL -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\g8joli1318.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\gebyv.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\geeba.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\geebb.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\huetcfg.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\hxpertrm.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\iiircl.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\inhlpapi.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\iompagnt.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ivs.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\jkhfd.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\jkhfg.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\jkkjh.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\jkkll.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\jr0025dmg.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\jxkll.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\kldcz1.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\kldgae.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\kt46l7hs1.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\kudgae.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\l46olej31ho.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\llhsvc.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\lqcdll.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\lshsvc.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\m2nq0c55ef.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\m6460ghse6460.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\madimap.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mbacm.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mdvideo.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mjtext40.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\MKCTFP.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mljge.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mljgf.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mljjg.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mljjh.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mljji.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mlljh.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mllmj.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\mlrdim.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mpexch40.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mrdxmlc.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mrljh.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mtcshext.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mutask.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mvacm.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mwhgrcoi.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mwljh.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mwtlsapi.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mxpatcha.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\myxml.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\nrhtml.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ohbcbcp.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\oobctrac.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\pmkji.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\putorsvc.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\qnery.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\rdriv.sys.mwt -> Rootkit.Agent.o : Cleaned with backup
    C:\WINDOWS\system32\rpgapi.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\rSsdlg.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\sdmapi.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\secsccp.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\sqprv.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ssqpn.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ssqro.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ssqrp.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\sstqn.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\sstqo.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\sstqp.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\ssttr.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\stftpub.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\tiflog.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\uzbui.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\vtsqq.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\vtstt.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\vturs.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\vtutr.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\vtutu.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\wepcore.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\WghRm.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wjpdxm.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wrdmtpus.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wsnhttp.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wsnrnr.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\Temp\tmp000a587f -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\Temp\tmp000d0fee -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\Temp\tmp001034be -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\Temp\tmp00187da7 -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\Temp\tmp001d2d6b -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\Temp\tmp006eea49 -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\Temp\tmp0093c6df -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\win3F7EC.mwt -> Backdoor.Aimbot.ca : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 20:17:54, on 23.3.2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Spyware Nuker\swnxt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\spoolsrv.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\James69\Työpöytä\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
    O4 - HKLM\..\Run: [WinDLL (libmon.dll)] rundll32.exe C:\WINDOWS\System32\libmon.dll,start
    O4 - HKLM\..\Run: [WinDLL (v4mon.dll)] rundll32.exe C:\WINDOWS\System32\v4mon.dll,start
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
    O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143050198546
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
    O20 - Winlogon Notify: mlljk - C:\WINDOWS\
    O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hrl0053me.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
    O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
    O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
    O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe

     
  6. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Removal guide 2.

    This is so long that it's worth printing the guide before you start, or else saving it on your computer.


    First: move HijackThis into its own folder, e.g. C:/HJT/hijackthis.exe

    Uninstall via Add/Remove Programs:

    Spyware Nuker

    Run a scan with HijackThis from the new folder

    Put a tick in front of the following lines:

    O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
    O4 - HKLM\..\Run: [WinDLL (libmon.dll)] rundll32.exe C:\WINDOWS\System32\libmon.dll,start
    O4 - HKLM\..\Run: [WinDLL (v4mon.dll)] rundll32.exe C:\WINDOWS\System32\v4mon.dll,start
    O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
    O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
    O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
    O20 - Winlogon Notify: mlljk - C:\WINDOWS\
    O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hrl0053me.dll
    O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
    O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
    O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
    O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
    O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe

    Close the other programs and windows and press Fix checked.

    Then stop and delete these services:

    F-Secure Internet Security 2005
    fsbwsys
    Network Monitor
    nvidGUIv
    Windows Update 64
    Windows Archiver
    Local Network Service

    Like this:
    select Start > Run > type in the box "sc stop F-Secure Internet Security 2005"

    select Start > Run > type in the box "sc delete F-Secure Internet Security 2005"
    Each one from the list above, one at a time.

    Then boot the computer into Safe Mode and find and delete the following:

    C:\WINDOWS\System32\ >>>regsys.dll <<<
    C:\Program Files\ >>>Spyware Nuker\ <<<
    C:\WINDOWS\System32\ >>>libmon.dll <<<
    C:\WINDOWS\System32\ >>>v4mon.dll <<<
    C:\DOCUME~1\James69\APPLIC~1\ >>>chinfrag\ <<<
    C:\WINDOWS\system32\ >>>hrl0053me.dll <<<
    C:\Program Files\ >>>F-Secure Internet Security\ <<<
    C:\Program Files\ >>>Network Monitor\ <<<
    C:\WINDOWS\ >>>nvidGUIv.exe <<<
    C:\WINDOWS\System32\ >>>WinV.exe <<<
    C:\WINDOWS\ >>>spoolsrv.exe <<<

    Restart the computer normally.

    Update Ewido. Do not scan yet.
    If the program's update fails, you can download its signatures from the web! -> http://www.ewido.net/en/download/updates/

    Download Look2Me-Destroyer.exe from there to your desktop.

    IMPORTANT: Before continuing the fix, you must do the following:


    * Print this, or save it as a text file in a suitable location.
    * Click Start -> Run and type: services.msc
    * Click OK.
    * Check that this service is running or its startup type is Automatic:
    * Secondary Logon
    * Next, your computer must be offline; pull the network cable out of the wall if necessary.
    * Your antivirus and all other security software MUST be closed.



    Continue the fix:


    * Close the windows to continue.
    * Double-click the Look2Me-Destroyer.exe file to run it.
    * Check Run this program as a task.
    * You will get a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click OK.
    * When it reopens, click the Scan for L2M option; your desktop icons will disappear, this is normal.
    * When the scan is finished, click Remove L2M.
    * You will get a Done Scanning message, click OK.
    * When it is finished, you will get this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    * Your computer will shut down.
    * Start it up again.
    * Post the contents of the C:\Look2Me-Destroyer.txt log in your next reply.

    If Look2Me-Destroyer does not open automatically, restart your computer and try again.

    *Then boot the computer into Safe Mode and scan with Ewido.
    Check Scan every file and OK -> Now do a "Complete system Scan", i.e. you run through the whole computer to find malware. Save Ewido's log.

    *Post a new HijackThis log, Ewido's log and C:\Look2Me-Destroyer.txt
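The instructions above are the manual version of a log triage: the helper picks out O23 services whose binary is missing or whose owner is unknown, O20 Winlogon Notify DLLs that are missing or have generated-looking names, and O4 autoruns that load a DLL through rundll32 or sit under a user's Application Data folder, then stops and deletes the services with sc.exe. The Python script below is an added example, not part of this thread, of HijackThis, or of the helper's fix; it applies those same checks as code to sample lines copied from the log posted above (clean Lexmark and Sygate entries included so the heuristics can be seen not firing). One practical check it encodes: sc.exe addresses a service by its key name, the one HijackThis prints in parentheses after the display name, and that name must be quoted when it contains spaces. The script assumes HijackThis omits the "(KeyName)" part when it equals the display name; the heuristics themselves are the example's own, not HijackThis features.

```python
"""Triage helper for HijackThis O4 / O20 / O23 log lines (added example)."""
import re
from typing import List
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "O4", "O20" or "O23"
    name: str    # autorun label, Winlogon Notify package name or service key name
    reason: str  # which heuristic fired
    line: str    # the log line it came from


# "Service: DisplayName (KeyName) - Owner - Path"; assumption: HijackThis omits
# "(KeyName)" when it equals the display name, so fall back to the display name.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
AUTORUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

# rundll32 loading a DLL that lives directly in System32
RUNDLL_SYS32_RE = re.compile(r"^rundll32(?:\.exe)?\s+\S*\\system32\\[^\\,\s]+\.dll", re.I)
# letters mixed with digits, or consonants only: heuristic for generated DLL names
# (legitimate names occasionally match too, so this is a prompt to look, not a verdict)
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]+$|^[b-df-hj-np-tv-z]+$", re.I)
USER_APPDATA_RE = re.compile(r"\\(?:APPLIC~1|Application Data)\\", re.I)

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [WinDLL (regsys.dll)] rundll32.exe C:\WINDOWS\System32\regsys.dll,start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\RunServices: [Windows Update 64] WinV.exe
O4 - HKCU\..\Run: [AxisBone] C:\DOCUME~1\James69\APPLIC~1\chinfrag\4 Cool.exe
O20 - Winlogon Notify: mljjj - mljjj.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hrl0053me.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Update 64 (Win32) - Unknown owner - C:\WINDOWS\System32\WinV.exe" -netsvcs (file missing)
O23 - Service: Windows Archiver (winarc) - Unknown owner - (no file)
O23 - Service: Local Network Service (Windows Remote Firewall) - Unknown owner - C:\WINDOWS\spoolsrv.exe
'''


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious O4/O20/O23 line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            key, owner, path = m["key"] or m["display"], m["owner"], m["path"]
            if path.endswith("(file missing)") or path == "(no file)":
                findings.append(Finding("O23", key, "service binary missing", line))
            elif owner == "Unknown owner":
                findings.append(Finding("O23", key, "no company name (Unknown owner)", line))
        elif m := NOTIFY_RE.match(line):
            name, path = m["name"], m["path"]
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # DLL file name without extension
            if path.endswith("(file missing)"):
                findings.append(Finding("O20", name, "notify DLL missing", line))
            elif not path.lower().endswith(".dll"):
                findings.append(Finding("O20", name, "notify entry does not name a DLL", line))
            elif RANDOM_NAME_RE.match(stem):
                findings.append(Finding("O20", name, "random-looking DLL name", line))
        elif m := AUTORUN_RE.match(line):
            label, cmd = m["label"], m["cmd"]
            if RUNDLL_SYS32_RE.match(cmd):
                findings.append(Finding("O4", label, "rundll32 loads a DLL from System32", line))
            elif m["key"] == "RunServices":
                findings.append(Finding("O4", label, "legacy RunServices key", line))
            elif USER_APPDATA_RE.search(cmd):
                findings.append(Finding("O4", label, "executable under a user's Application Data", line))
    return findings


def cleanup_commands(findings: List[Finding]) -> List[str]:
    """sc stop / sc delete pairs for every flagged service, by key name, quoted."""
    cmds: List[str] = []
    for f in findings:
        if f.kind == "O23":
            cmds.extend([f'sc stop "{f.name}"', f'sc delete "{f.name}"'])
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<4}{f.name:<32}{f.reason}")
    print()
    print("\n".join(cleanup_commands(found)))
```

Run against the sample, the script flags the four services the helper lists that have a missing binary or unknown owner and leaves the Lexmark and Sygate services alone, so the generated sc.exe commands carry key names such as "Win32" and "Windows Remote Firewall" rather than the display names.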
     
