The machine is acting up again... and F-Secure found a couple of trojans..

Logfile of HijackThis v1.99.1
Scan saved at 14:58:55, on 4.5.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\DeltTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edu.ouka.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.suomi.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138358738101
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E89BCD-6254-4410-B4CB-ED80E0620BC5}: NameServer = 193.65.248.170,194.157.175.3
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
Here again.

Fix these:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

To be deleted ---> C:\WINNT\web\related.htm

Tell me where those trojans were, since they don't show up in the log?
Here again. This time it's a different machine, though. Does F-Secure automagically save those virus reports somewhere? So that I wouldn't have to run it again...
F-Secure tried to disinfect and of course didn't succeed.. Then it apparently renamed it. I'll set F-Secure running again.
Yeah, I couldn't get that report out of F-Secure. That's how messed up this thing is... There were 2 bugs in it, at least one of them in the C:\winnt folder. It was partly my own carelessness too, since I thought the report would be available... Anyway, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:38, on 5.5.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DeltTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\fsm32.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\HJT\HijackThis_v1.99.1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edu.ouka.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.suomi.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138358738101
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E89BCD-6254-4410-B4CB-ED80E0620BC5}: NameServer = 193.65.248.170,194.157.175.3
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
Then you "get to" run ewido, because I can't start guessing what they are called and where they are.

Download, install and update ewido -> http://keskustelu.afterdawn.com/thread_view.cfm/269186
Boot into safe mode.
Scan with ewido, let it remove whatever it finds, and save the report.
Post a new HJT log and the ewido report here.
Here are the reports:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:11:41, 8.5.2006
+ Report-Checksum: F1919411

+ Scan result:

HKLM\SOFTWARE\Gator.com -> Adware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator -> Adware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator\dyn -> Adware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator\dyn\GUS -> Adware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator\stat -> Adware.Gator : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@ad-flow[2].txt -> TrackingCookie.Ad-flow : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@ad-logics[1].txt -> TrackingCookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@ads.enliven[1].txt -> TrackingCookie.Enliven : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@c.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@c1.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter1.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter10.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter13.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter15.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter3.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter4.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter5.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter6.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@counter8.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@ehg-deltatre.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@gator[2].txt -> TrackingCookie.Gator : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@hestia.sextrail.trakkerd[2].txt -> TrackingCookie.Trakkerd : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@oxcash[2].txt -> TrackingCookie.Oxcash : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@popupsponsor[1].txt -> TrackingCookie.Popupsponsor : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@servedby.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@www.hightrafficads[1].txt -> TrackingCookie.Hightrafficads : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@x10[1].txt -> TrackingCookie.X10 : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Cookies\järjestelmänvalvoja@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@ad-logics[1].txt -> TrackingCookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@ads.specificpop[1].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@adtech[1].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@adviva[2].txt -> TrackingCookie.Adviva : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@bfast[1].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@commissionpartner[1].txt -> TrackingCookie.Commissionpartner : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@counter13.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@counter8.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@ehg-talentumoyi.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@gator[1].txt -> TrackingCookie.Gator : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@hestia.sextrail.trakkerd[1].txt -> TrackingCookie.Trakkerd : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@webpdp.gator[1].txt -> TrackingCookie.Gator : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\oppilas\Cookies\oppilas@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 13:15:29, on 8.5.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DeltTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\HJT\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edu.ouka.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.suomi.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138358738101
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E89BCD-6254-4410-B4CB-ED80E0620BC5}: NameServer = 193.65.248.170,194.157.175.3
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
Doesn't look like it found them.

Download eScan -> http://koti.mbnet.fi/pattaya1/escanmwav.htm . Install, update and scan according to the instructions on the page. Then post the "critter results" here (the instructions are on that page: the bottom image and the text above it).
This is the log from another machine, I'll put it in this same thread:

Logfile of HijackThis v1.99.1
Scan saved at 15:06:02, on 8.5.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\DIGITA~1\DIGITA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edu.ouka.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.merikoski.edu.ouka.fi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.suomi.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DtParental] C:\PROGRA~1\DIGITA~1\DIGITA~1.EXE -noshow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone -pikakäynnistys.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.merikoski.edu.ouka.fi
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125937394757
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.edu.ouka.fi
O17 - HKLM\Software\..\Telephony: DomainName = ad.edu.ouka.fi
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.edu.ouka.fi
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.edu.ouka.fi
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Now F-Secure is showing Lovesan again... here's the log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 14:14:26, on 9.5.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\starter.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edu.ouka.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.suomi.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E89BCD-6254-4410-B4CB-ED80E0620BC5}: NameServer = 193.65.248.170,194.157.175.3
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
Fix those:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
And delete this:
C:\WINNT\web\related.htm
Nothing else shows up. And again, write down where F-Secure says the bugs are (copy/paste will do if you can't get a report), I'm no psychic.
I couldn't get the file C:\WINNT\web\related.htm deleted no matter what. The message "Access denied. The source file may be in use." pops up. I wonder if some process is using it in the background..?
Get KillBox: http://www.bleepingcomputer.com/files/spyware/KillBox.zip
Unzip it, open it and tick Delete on Reboot.
Then copy the line below in one go:
C:\WINNT\web\related.htm
Then in KillBox, at the top, choose File > Paste from Clipboard.
Select "All Files". After that, press Delete (the red one with a white X).
Answer yes to the questions, and if the machine doesn't restart by itself, restart it.
After that, post a new Hijack log.
Logfile of HijackThis v1.99.1
Scan saved at 12:53:47, on 11.5.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\starter.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edu.ouka.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.suomi.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0E89BCD-6254-4410-B4CB-ED80E0620BC5}: NameServer = 193.65.248.170,194.157.175.3
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

It sure wants to be stubborn...
Are you sure it didn't go away? Those lines in the log don't prove anything yet. Fix these:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
Restart and post a new HJT log.
Here is the F-Secure log from that other machine:
c:\Documents and settings\... Trojan.Win32.Krepper.y
C:\WINNT\system32\ul... Email-worm.Win32.Tana...
I can't get it any more precisely than that... I'm about ready to throw that F-Secure to hell.