A DLL called msacmx.dll has got into my machine, and there are two copies of it. No software can remove it, not Avast and none of the others either, such as Ad-Aware, Spybot, Spy Sweeper, Advanced Windows Care etc. Some of them find it, but none of them can remove it. Searching the net for this DLL turns up removal instructions so unearthly over-scientific that I can't get anywhere with them. Could somebody help with this problem in clear and UNDERSTANDABLE plain Finnish??!! Thanks in advance for the help! It's driving me up the wall!
Whoa, that does sound like a rare infection.

-> Download HijackThis: http://koti.mbnet.fi/pattaya1/HijackThis.exe
-> Save it to the folder C:\hjt
-> Rename HijackThis.exe to scanner.exe like this:
1. Right-click the HijackThis icon.
2. Choose Rename.
3. Type scanner.exe
-> Start HijackThis and click: do a system scan and save a logfile.
-> Post the resulting log in this thread, and then we'll remove it.
Hi! Thanks for the interest! And here's the log. I can check tomorrow evening whether there's any light on the matter.

Logfile of HijackThis v1.99.1
Scan saved at 0:04:26, on 16.7.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FlashGet\flashget.exe
C:\hjt\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://elisa.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - Startup: Smc.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O8 - Extra context menu item: &Lataa FlashGetillä - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Lataa kaikki FlashGetillä - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Lataa FlashGetillä - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Lataa kaikki FlashGetillä - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
This log looks clean, at least.

Create an uninstall list:
* Open HiJackThis
* Click the "Configure" option at the bottom right
* Click "Misc Tools"
* Click the box that says "Uninstall Manager"
* Click the "Save list" option
* Copy and paste that list from Notepad into your post

Create a startup list:
* Open HiJackThis
* Click the "Configure" option at the bottom right
* Click "Misc Tools"
* Tick the 2 boxes next to the box that says "Generate StartupList log"
* Click the "Generate StartupList log" option
* Copy and paste your startup list from Notepad into your post

==========

1. Download combofix.exe to your desktop from either of these links:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double-click the combofix.exe file and follow the prompts.
3. When the tool is finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.

Note! Don't click in the ComboFix window while it is running. That may cause the program to hang.
Hi! Here's plenty of information again. I also included what the Advanced WindowsCare software found. It's the only software that finds them, but it can't remove those parasites even in Safe Mode.

"2k" - 16.07.2007 15:55:17 - ComboFix 07-07-13.8 - Service Pack 4 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\2k\TYPYT~1.\internet explorer.lnk

((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))
2007-07-16 15:53 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-16 00:00 <DIR> d-------- C:\hjt
2007-07-15 17:04 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-15 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-15 15:09 <DIR> d-------- C:\Program Files\SbyB
2007-07-15 15:07 <DIR> d-------- C:\DOCUME~1\2k\APPLIC~1\TrojanHunter
2007-07-15 13:50 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-07-15 13:42 <DIR> d-------- C:\Program Files\TroijanScan
2007-07-15 13:29 <DIR> d-------- C:\Program Files\StopZ
2007-07-15 12:36 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4dc.dat
2007-07-15 02:42 23,864 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-07-15 02:42 21,816 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2007-07-15 02:42 20,280 --a------ C:\WINNT\system32\drivers\SSFS0BB8.sys
2007-07-15 02:42 160,056 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2007-07-15 02:41 1,520,952 --a------ C:\WINNT\WRSetup.dll
2007-07-15 02:41 <DIR> d-------- C:\Program Files\Webroot
2007-07-15 02:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-07-15 02:41 <DIR> d-------- C:\DOCUME~1\2k\APPLIC~1\Webroot
2007-07-15 02:07 <DIR> d-------- C:\Program Files\Remove
2007-07-15 00:56 462,848 --a------ C:\WINNT\system32\msaatext.dll
2007-07-15 00:56 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2007-07-15 00:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-15 00:46 <DIR> d-------- C:\Program Files\SpywareDoctor
2007-07-15 00:38 <DIR> d-------- C:\Program Files\AVG
2007-07-14 22:57 <DIR> d-------- C:\Program Files\Removeit
2007-07-14 22:54 <DIR> d-------- C:\Program Files\InCode Solutions
2007-07-14 22:51 <DIR> d-------- C:\RemoveIT
2007-07-13 16:13 <DIR> d-------- C:\My Music
2007-07-13 16:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-13 16:05 <DIR> d-------- C:\DOCUME~1\2k\APPLIC~1\Real
2007-07-07 22:39 <DIR> d-------- C:\Program Files\Nokia Map Loader
2007-07-06 23:44 <DIR> d-------- C:\WINNT\cyc
2007-06-27 23:06 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_260.dat
2007-06-26 16:45 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_38c.dat
2007-06-25 23:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_384.dat
2007-06-22 09:03 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-15 12:19 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_348.dat
2007-06-14 10:12 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_298.dat
2007-06-13 22:28 <DIR> d-------- C:\DOCUME~1\2k\Phone Browser
2007-06-13 22:28 <DIR> d-------- C:\DOCUME~1\2k\APPLIC~1\Datalayer
2007-06-13 20:47 <DIR> d-------- C:\WINNT\winsxs
2007-06-13 20:47 <DIR> d-------- C:\WINNT\PCHEALTH
2007-06-13 20:30 23,510,720 --a------ C:\WINNT\dotnetfx.exe
2007-06-13 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-06-13 20:09 <DIR> d-------- C:\Program Files\Nokia Maploader
2007-06-13 20:05 <DIR> d-------- C:\Program Files\MapLoader
2007-06-13 19:50 <DIR> d-------- C:\DOCUME~1\2k\APPLIC~1\Nokia Multimedia Player
2007-06-13 19:44 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_29c.dat
2007-06-12 16:28 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_34c.dat
2007-06-07 15:21 <DIR> d-------- C:\DOCUME~1\2k\APPLIC~1\Nokia
2007-06-07 01:09 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-06-07 01:09 23,416 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-06-07 01:08 95,872 --a------ C:\WINNT\system32\AvastSS.scr
2007-06-07 01:08 94,552 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-06-07 01:08 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-06-07 01:08 26,888 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-06-07 01:07 745,600 --a------ C:\WINNT\system32\aswBoot.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-16 12:54:16 -------- d-----w C:\Program Files\PeerGuardian2
2007-07-16 12:35:09 -------- d-----w C:\Program Files\FlashGet
2007-07-15 14:43:06 -------- d-----w C:\Program Files\AdAware
2007-07-15 14:03:14 -------- d-----w C:\Program Files\Sygate
2007-07-13 15:42:56 31 ----a-w C:\WINNT\popcinfo.dat
2007-07-13 13:10:04 -------- d-----w C:\Program Files\Common Files\Real
2007-07-13 13:08:11 -------- d-----w C:\Program Files\Real
2007-07-10 21:40:30 -------- d-----w C:\DOCUME~1\2k\APPLIC~1\uTorrent
2007-07-10 20:29:04 70,022 ----a-w C:\WINNT\system32\perfc00B.dat
2007-07-10 20:29:04 353,958 ----a-w C:\WINNT\system32\perfh00B.dat
2007-07-02 12:00:17 -------- d-----w C:\DOCUME~1\2k\APPLIC~1\Image Zone Express
2007-06-30 21:46:47 -------- d-----w C:\Program Files\Xpert
2007-06-26 13:47:19 -------- d-----w C:\DOCUME~1\2k\APPLIC~1\Skype
2007-06-15 09:22:45 -------- d-----w C:\Program Files\WindowsCare
2007-06-06 22:06:58 -------- d-----w C:\Program Files\Alwil Software
2007-06-06 17:29:28 664 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-06-06 17:27:24 -------- d-----w C:\Program Files\Nokia
2007-06-06 17:17:13 -------- d-----w C:\Program Files\DIFX
2007-06-06 17:15:25 -------- d-----w C:\Program Files\Common Files\PCSuite
2007-06-06 17:15:25 -------- d-----w C:\Program Files\Common Files\Nokia
2007-06-06 17:14:11 -------- d-----w C:\DOCUME~1\2k\APPLIC~1\PC Suite
2007-06-04 16:16:44 -------- d-----w C:\Program Files\Toast
2007-05-21 18:11:04 -------- d-----w C:\Program Files\FixExe
2007-05-19 21:15:14 -------- d-----w C:\Program Files\CCleaner
2007-05-19 09:03:23 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_358.dat
2007-05-19 08:48:39 -------- d-----w C:\Program Files\PeerGuardian
2007-05-13 13:27:02 150,485 ----a-w C:\WINNT\system32\eyetiger.exe
2007-04-29 03:48:00 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_270.dat
2007-04-27 20:13:25 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_274.dat
2007-04-27 17:34:48 41,744 ----a-w C:\WINNT\system32\ftp.exe
2007-04-27 17:34:48 17,680 ----a-w C:\WINNT\system32\tftp.exe
2007-04-27 04:04:27 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_25c.dat
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-23 06:22:12 939,280 ----a-w C:\WINNT\system32\ntdsa.dll
2007-04-20 12:18:06 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_258.dat
2007-04-19 05:06:42 271,360 ----a-w C:\WINNT\system32\sp3res.dll
2007-04-16 19:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 19:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 19:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 19:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 19:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 19:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 19:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 19:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:18 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-01-08 16:19:26 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-09-16 10:32:43 271 ---h--w C:\Program Files\desktop.ini
2006-09-16 10:32:43 22,046 ---h--w C:\Program Files\folder.htt
2006-11-11 17:07:29 53,675 --sha-r C:\WINNT\eraseme_77108.exe
2006-10-03 09:51:30 79,872 --sha-r C:\WINNT\system32\ActiveScan.exe
2006-11-11 17:18:00 53,675 --sha-r C:\WINNT\system32\eraseme_10252.exe
2006-11-11 17:10:30 53,675 --sha-r C:\WINNT\system32\eraseme_77108.exe
2006-11-11 17:20:35 53,675 --sha-r C:\WINNT\system32\eraseme_82887.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
18.12.06 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
16.05.06 15:19 81920 --a------ C:\PROGRA~1\FlashGet\jccatch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
31.05.05 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
12.09.06 10:50 126976 --a------ C:\PROGRA~1\FlashGet\getflash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [30.04.07 18:42 ]
"Synchronization Manager"="mobsync.exe" [02.07.03 15:00 C:\WINNT\system32\mobsync.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [13.07.07 16:09 ]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [23.06.07 00:19 ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [21.06.07 18:57 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [23.04.05 21:03 ]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27.06.06 16:21 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"foson"=fosun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [29.06.07 22:44 ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

Contents of the 'Scheduled Tasks' folder
2007-07-16 12:19:15 C:\WINNT\tasks\Smc.job
2007-07-15 12:34:08 C:\WINNT\tasks\Uniblue SpeedUpMyPC Nag.job
2007-04-26 12:02:04 C:\WINNT\tasks\Uniblue SpeedUpMyPC.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 16:03:12
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 16.07.2007 16:08:05
C:\ComboFix-quarantined-files.txt ... 16.07.07 16:07
--- E O F ---


StartupList report, 16.7.2007, 15:51:16
StartupList version: 1.52.2
Started from : C:\hjt\scanner.exe.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hjt\scanner.exe.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\setup\setup.ovr

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\2k\Käynnistä-valikko\Ohjelmat\Käynnistys]
Smc.lnk = C:\Program Files\Sygate\SPF\Smc.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Synchronization Manager = "mobsync.exe" /logon
NvCplDaemon = "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
THGuard = "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PeerGuardian = "C:\Program Files\PeerGuardian2\pg2.exe"
PcSync = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\FlashGet\getflash.dll - {F156768E-81EF-470C-9057-481BA8380DBA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Smc.job
Uniblue SpeedUpMyPC Nag.job
Uniblue SpeedUpMyPC.job

--------------------------------------------------

Enumerating Download Program Files:

[F-Secure Online Scanner 3.1]
InProcServer32 = C:\WINNT\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[AcceptWM Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\WMAcceptor.dll
CODEBASE = https://w3s.webmoney.ru/WMAcceptor.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6 005 bytes
Report generated in 0,371 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Uninstall list:

µTorrent
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9 - Suomi
Adobe Shockwave Player
Advanced WindowsCare 2.50 Personal
avast! Antivirus
AVG Anti-Spyware 7.5
Bejeweled 2 Deluxe
CCleaner (remove only)
FlashGet(JetCar)
HijackThis 1.99.1
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
iWin Games (remove only)
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Update Rollup 1 for Windows 2000 SP4
Language pack for Ad-Aware SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Finnish Language Pack
Microsoft .NET Framework 2.0
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Microsoft Office 2000 Professional
Mozilla Firefox (2.0.0.3)
Mozilla Firefox (2.0.0.4)
MSXML 4.0 SP2 (KB927978)
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.1
Nokia Map Loader
Nokia Maploader
Nokia MTP driver
Nokia PC Connectivity Solution
Nokia PC Suite
Nokia Software Launcher
NVIDIA Drivers
PeerGuardian 2.0
RealPlayer
RemoveIT Pro v4 - SE
Skype 3.1
Skype Plugin Manager
Spy Sweeper
Spybot - Search & Destroy 1.4
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 7.1 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player (KB911564)
Sygate Personal Firewall
Symantec Technical Support Web Controls
TrojanHunter 4.7
Uniblue RegistryBooster2
UnInstall Envy24 Family Audio Device Driver
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
Xpert Security Package 1.3.0.0


Advanced WindowsCare:

msacmx.dll - CoolWebSearch, http://cwshredder.net/cwshredder/cwschronicles.html parasite variant
Infection reference: HKEY_CLASSES_ROOT\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}

msacmx.dll - CoolWebSearch, http://cwshredder.net/cwshredder/cwschronicles.html parasite variant
Infection reference: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID+{A5366673-E8CA-11D3-9CD9-0090271D075B}
Open Notepad and copy/paste the text from the quote box below into it:

Save it as CFScript. (Check that it is written exactly like that.) Then drag CFScript onto ComboFix.exe as shown below.

Restart the computer when prompted and post the contents of the combofix.txt file here.

=========

Download Intermute's CWShredder: http://cwshredder.net/bin/CWShredder.exe
Save it to the desktop, but DON'T run it yet.

Boot the computer into Safe Mode following these instructions:
1) Start the computer
2) When you hear the machine beep, press F8, before the Windows logo appears
3) A menu should appear next
4) Choose Safe Mode from the menu.

In Safe Mode, start CWShredder and press Fix. Does it go away?
Okay, I ran the first procedure and there was some problem. An alert window came up with the following text: "Cannot import creg.cf: Not all data was successfully written to the registry. Some keys are open by the system or other processes." And here's the report:

Code:
16.07.07 16:11 11377 --a------ C:\Qoobox\log
22.12.06 00:00 541 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\2k\TYPYT~1\Internet Explorer.lnk.vir

Folder PATH listing
Volume serial number is 0006FE80 EC1F:1DF8
C:\QOOBOX
|   log
|
\---Quarantine
    +---C
    |   \---DOCUME~1
    |       \---2k
    |           \---TYPYT~1
    |                   Internet Explorer.lnk.vir
    |
    \---Registry_backups

Now I'll go and do the second procedure and report whether CWShredder got rid of the nasties. Back soon!
OK, test done. CWShredder didn't find the nasties. Advanced WindowsCare says the nasties are still in place.
Like this. First take a backup of the registry as follows: Run -> regedit -> OK. Then File -> Export. Give it some name and then Save (and make a note of where you saved it).

Then save the text snippet below as fix.reg, e.g. in Notepad and e.g. on the desktop (save as type: All Files). Double-click it and press Yes and OK. Restart the computer.

========

Let's run BlackLight. Download and save BlackLight to your desktop; double-click fsbl.exe, accept the agreement, click -> Scan, then -> Next.

You'll see a list of everything that was found. A log named fsbl.xxxxxxx.log also appears on your desktop (the xxxxxxx will most likely be numbers). Copy and paste this log into your next reply. Don't choose the "Rename" option yet! We want to see the log first, because legitimate files may be included, such as "wbemtest.exe".

=========

Did it go away now?
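The post above describes the manual form of this step: export the registry first, then apply a .reg file that removes the flagged CLSID key. The fix.reg text itself is not on this page. As an added example, not code from this thread or from any of the tools it mentions, here is the same inspect, back up, then remove procedure written for a current Windows with PowerShell 5.1 or later (the machine in the thread runs Windows 2000, where this script would not run). Its default CLSID is the one the Advanced WindowsCare report above names; the backup directory, the -Remove switch and every other name in it are this example's own choices. Without -Remove the script only reports.

```powershell
<#
 Added example (not from the forum thread): triage a COM CLSID that a scanner
 flagged, back up its registry key, and remove it only on explicit request.
 Assumes a current Windows with PowerShell 5.1+ and an elevated prompt.
 The default CLSID is the one the Advanced WindowsCare report in the thread names.
#>
param(
    [string]$Clsid     = '{A5366673-E8CA-11D3-9CD9-0090271D075B}',
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\reg-backup'),  # assumed location
    [switch]$Remove
)

# HKCR\CLSID is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes,
# so look at the underlying per-hive keys (plus the 32-bit view on 64-bit Windows).
$candidates = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$Clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$Clsid"
)
$present = $candidates | Where-Object { Test-Path -Path $_ }
if (-not $present) { Write-Host "CLSID $Clsid is not registered."; return }

foreach ($key in $present) {
    Write-Host "== $key"

    # 1. What does the CLSID load? The default value of InprocServer32 is the DLL path.
    $inproc = Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $inproc) { Write-Host "   no InprocServer32 subkey"; continue }
    $dll = [Environment]::ExpandEnvironmentVariables($inproc.'(default)')
    Write-Host "   InprocServer32 = $dll"

    # 2. Is the file on disk, and does anyone vouch for it? A valid signature does
    #    not prove the DLL is benign, but an invalid or absent one is worth knowing.
    if (Test-Path -LiteralPath $dll) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll
        $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        Write-Host "   signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
        Write-Host "   sha256:    $hash"
    } else {
        Write-Host "   file missing on disk (orphaned registration)"
    }

    # 3. Which processes have the DLL mapped right now? Those are what make a plain
    #    delete fail; until they exit (or in Safe Mode) the file cannot be removed.
    $leaf    = Split-Path -Path $dll -Leaf
    $holders = Get-Process | Where-Object {
        try { $_.Modules.ModuleName -contains $leaf } catch { $false }
    }
    if ($holders) {
        $names = ($holders | ForEach-Object { "$($_.ProcessName)($($_.Id))" }) -join ', '
        Write-Host "   loaded in: $names"
    }

    # 4. Other copies of the same file name under the Windows directory.
    Get-ChildItem -Path $env:SystemRoot -Filter $leaf -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "   copy: $($_.FullName)  $($_.Length) bytes  $($_.LastWriteTime)" }

    # 5. Back up the key with reg.exe before any change; the .reg file restores it
    #    on double-click, which is what regedit's File > Export gives you by hand.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regPath = $key -replace '^Registry::HKEY_LOCAL_MACHINE', 'HKLM' -replace '^Registry::HKEY_CURRENT_USER', 'HKCU'
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path $BackupDir ("CLSID_" + $Clsid.Trim('{', '}') + "_$stamp.reg")
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "   backup failed, not touching $key"; continue }
    Write-Host "   backup: $backup"

    # 6. Remove only when asked; without -Remove this script is read-only.
    if ($Remove) {
        Remove-Item -Path $key -Recurse -Force
        Write-Host "   removed $key"
    }
}
```

The two "infection references" in the Advanced WindowsCare report, one under HKEY_CLASSES_ROOT\CLSID and one under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID, are the same key reached by two paths, which is why the script enumerates the per-hive locations instead of HKCR. Step 3 is the reason behind the first post's complaint that nothing could delete the file: a DLL mapped into a running process stays locked until that process exits, and booting into Safe Mode, as the earlier CWShredder instructions do, is the usual way to get it unloaded.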
Well then, BlackLight ran and showed in its table that it didn't find anything, BUT I'll still scan with Advanced W. Here's the log it produced anyway. Is this even the right one???

07/16/07 21:08:13 [Info]: BlackLight Engine 1.0.64 initialized
07/16/07 21:08:13 [Info]: OS: 5.0 build 2195 (Service Pack 4)
07/16/07 21:08:13 [Note]: 7019 4
07/16/07 21:08:13 [Note]: 7005 0
07/16/07 21:08:49 [Note]: 7006 0
07/16/07 21:08:49 [Note]: 7011 1000
07/16/07 21:08:50 [Note]: 7026 0
07/16/07 21:08:51 [Note]: 7026 0
07/16/07 21:09:48 [Note]: FSRAW library version 1.7.1022
07/16/07 21:24:00 [Note]: 7007 0

I'll report what AW says in its scan! Back soon!
So...... brilliant! The parasites are gone! It took a bit of sweat, but they're gone. I don't know how to thank you. In any case, a thousand warm thanks for the help, the effort and the patience! THAAAANKS!!!!!