Joku trojanin zlobi virus ja pari muutaki tullu koneelle. Tässä olis hijack logi, jos joku kehtaisi katsoa. Kiitoksia! Logfile of HijackThis v1.99.1 Scan saved at 9:48:51, on 18.7.2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINNT\System32\svchost.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\devldr32.exe C:\WINNT\system32\ishost.exe C:\WINNT\system32\ismon.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\SpyQuake2.com\Spy-Quake2.exe C:\WINNT\system32\internat.exe C:\Program Files\SpyQuake2.com\Spy-Quake2.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe C:\WINNT\system32\mapiicon.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINNT\system32\isnotify.exe C:\WINNT\system32\issearch.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\hijack\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll O3 - Toolbar: @msdxmLC.dll,-1@1035,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ADSL_A2] A2Installed O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /scan O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone -pikakäynnistys.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O15 - Trusted Zone: *.flingstone.com O15 - Trusted Zone: *.i-lookup.com O15 - Trusted Zone: *.offshoreclicks.com O15 - Trusted Zone: *.teensguru.com O15 - Trusted Zone: *.xxxtoolbar.com O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4A66D-0458-4331-8BB5-19E9AB8DBADB}: NameServer = 195.165.1.8,10.16.11.16 O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O20 - Winlogon Notify: winluj32 - C:\WINNT\SYSTEM32\winluj32.dll O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINNT\system32\pmnqguh.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Lataa SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip Pura sisältö (kansio nimeltä SmitfraudFix) työpöydällesi: Avaa SmitfraudFix-kansio ja tuplaklikkaa smitfraudfix.cmd Valitse optio #1 - Search kirjoittamalla 1 ja painamalla "Enter"; tekstitiedosto avautuu, joka listaa tarttuneet tiedostot (jos olemassa). Postita tämän tekstitiedoston sisältö viestiketjuusi.
SmitFraudFix v2.42 Scan done at 10:47:49,15, ti 18.07.2006 Run from C:\Documents and Settings\J„rjestelm„nvalvoja\Ty”p”yt„\SmitfraudFix\SmitfraudFix OS: Microsoft Windows 2000 [Versio 5.00.2195] »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32 C:\WINNT\system32\ot.ico FOUND ! C:\WINNT\system32\ts.ico FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\J„rjestelm„nvalvoja\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JRJEST~1\Suosikit C:\DOCUME~1\JRJEST~1\Suosikit\Antivirus Test Online.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\PestTrap\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End
Poista, jos lisää/poista sovellus -valikosta löytyy (ei välttämättä kirjoitusasultaan juuri samoja): SpyQuake PestTrap ErrorSafe Tämän jälkeen: Printtaa ohjeet ulos. Käynnistä koneesi vikasietotilaan ja valitse tavallinen käyttäjätilisi. Kun vikasietotilassa, avaa SmitfraudFix kansio ja tupla-klikkaa smitfraudfix.cmd Valitse optio #2 - Clean kirjoittamalla 2 ja painamalla "Enter" poistaaksesi tarttuneet tiedostot. Sinulta kysytään: "Registry cleaning - Do you want to clean the registry ?"; vastaa "Yes" kirjoittamalla Y ja paina "Enter" poistaaksesi työpöydän taustakuvan ja puhdistaaksesi tarttuneet rekisteriavaimet. Työkalu tarkistaa jos wininet.dll on tarttunut. Sinua saatetaan pyytää korvaamaan tarttunut .dll (jos löytyy); vastaa "Yes" kirjoittamalla Y ja painamalla "Enter". Työkalun saattaa tarvita käynnistää kone uudelleen; jos ei tee niin, käynnistä normaaliin Windowsiin. Tekstitiedosto ilmestyy, puhdistusprosessin jäljiltä; kopioi & liitä tämän raportin tulokset vastaukseesi. Raportti löytyy paikalliselta levyltäsi, useimmiten C:\rapport.txt. Liitä myös uusi hjt-loki.
Logfile of HijackThis v1.99.1 Scan saved at 11:24:15, on 18.7.2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINNT\System32\svchost.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINNT\system32\HPZipm12.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\devldr32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINNT\system32\internat.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe C:\WINNT\system32\mapiicon.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINNT\system32\NOTEPAD.EXE C:\hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O3 - Toolbar: @msdxmLC.dll,-1@1035,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ADSL_A2] A2Installed O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone -pikakäynnistys.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4A66D-0458-4331-8BB5-19E9AB8DBADB}: NameServer = 195.165.1.8,10.16.11.16 O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O20 - Winlogon Notify: winluj32 - C:\WINNT\SYSTEM32\winluj32.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe ja SmitFraudFix v2.73 Scan done at 11:15:06,03, ti 18.07.2006 Run from C:\Documents and Settings\J„rjestelm„nvalvoja\Ty”p”yt„\SmitfraudFix\SmitfraudFix\SmitfraudFix OS: Microsoft Windows 2000 [Versio 5.00.2195] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINNT\system32\pmnqguh.dll -> C:\WINNT\system32\pmnqguh.dll -> Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINNT\system32\ishost.exe Deleted C:\WINNT\system32\ismon.exe Deleted C:\WINNT\system32\isnotify.exe Deleted C:\WINNT\system32\issearch.exe Deleted C:\WINNT\system32\ixt?.dll Deleted C:\WINNT\system32\ot.ico Deleted C:\WINNT\system32\ts.ico Deleted C:\DOCUME~1\JRJEST~1\Suosikit\Antivirus Test Online.url Deleted C:\Program Files\PestTrap\ Deleted C:\Program Files\SpyQuake2.com\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End
Hae KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip Pura,avaa ja täppi kohtaan Delete on Reboot. Merkitse "end explorer shell while killing file" ja "unregister .dll before deleting" (jos mahdollista) Sitte kopioi rivi tosta alapuolelta C:\WINNT\SYSTEM32\winluj32.dll Sitten KillBoxissa ylhäältä File > Paste from Clipboard Valitse "All Files".Sen jälkeen paina Delete (punainen, jossa on valkonen X) Vastaa myöntävästi kysymyksiin ja jos kone ei itestään käynnisty uudestaan,niin käynnistä se. Lähetä sen jälkeen uus Hijack-logi.
