Kone jumissa ja todella pahasti !!!

Junior Member

6. toukokuuta 2008 @ 21:42

Linkki tähän viestiin

Moi!

Nyt ois pari vuotta vanha kone pahasti jumppasessa. Voisko joku ystävällisesti auttaa ja vilasta HJT-lokia ???

Kiitos ja AnteeX

Logfile of HijackThis v1.99.1
Scan saved at 21:33:34, on 6.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
C:\Program Files\Siemens\Gigaset PC Card 54\GigasetWLANMonitor.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anni\Työpöytä\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {6208C419-06B8-4B89-AED6-5705B92C8942} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/Ap...sharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1096469581610
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/Ap...ap/PhtPkMSN.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Fmifdg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAM FILES\NORMANAV\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman Type-R - Unknown owner - C:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\Windows\system32\ZoneLabs\vsmon.exe

AfterDawn Addict

8. toukokuuta 2008 @ 20:29

Linkki tähän viestiin

Lataa Malwarebytes' Anti-Malware työpöydällesi.

1. Tuplaklikkaa mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman.
2. Lopuksi varmistu, että seuraavat on valittu: Update Malwarebytes', Anti-Malwareja
Launch Malwarebytes' Anti-Malware ja sen jälkeen klikkaaFinish.
3. Jos päivitys löytyy. ohjelma lataa ja asentaa uusimman version.
4. Kun ohjelma on latautunut, valitse Perform full scan ja klikkaa Scan.
5. Kun skanni on valmis, klikkaa OK ja sitten Show Results nähdäksesi tulokset.
6. Varmistu, että kaikki on merkitty ja klikkaa Remove Selected.
7. Tämän jälkeen loki avautuu muistioon. Tallenna se paikkaan, josta löydät sen helposti. Loki
löytyy myös täältä: C:\Documents and Settings\Käyttäjänimi\Application
Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
8. Lähetä lokin sisältö seuraavassa viestissäsi.

=============

Lataa SDFix by AndyManchesta ja tallenna se työpöydällesi.

Käynnistä koneesi vikasietotilaan:

sammuta ja käynnistä
käynnistyksen yhteydessä hakkaa F8 nappia
valitse nuolinäppäimellä vikasietotila
paina enter ja enter
valitse käyttäjätilisi
paina kyllä

Jossakin koneissa hakataan F8:sin sijasta F5:tä

" Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio) työpöydällesi. Työpöydälle pitäisi ilmestyä kansio nimeltä SDFix.
" Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman.
" Paina Y käynnistääksesi skriptin.
" Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, "Press any key to Reboot".
" Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen.
" Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta.
" Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, "Finished".
" Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle.
" Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis:n lokin kera.

Eihä kone voi edes toimia?

Junior Member

9. toukokuuta 2008 @ 01:29

Linkki tähän viestiin

Kitos vastauksesta :)

Teen nuo kyseiset toimenpiteet heti huomen iltana kunhan saavun kotia töistä ja laitan sitten uutta lokia viesti rimpsuun.

Tuhannet kiitokset vielä kerran !!!

-E-

Junior Member

10. toukokuuta 2008 @ 01:57

Linkki tähän viestiin

Moi!

Tässä olisi nyt yllämainittujen toimenpiteiden saldo:

Malware:

Malwarebytes' Anti-Malware 1.12
Tietokantaversio: 737

Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistetut kohteet: 107350
Kulunut aika: 1 hour(s), 22 minute(s), 42 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 1
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 2

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
C:\Windows\system32\netstat.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\Windows\system32\29468_upload.exe (Worm.Sasser) -> Quarantined and deleted successfully.

Sitten SDFix:

SDFix: Version 1.181
Run by Anni on la 10.05.2008 at 00:54

Microsoft Windows XP [versio 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\XT.EXE - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 01:11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\backWeb-7681197.exe"="C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\backWeb-7681197.exe:*:Disabled:backWeb-7681197"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows© NetMeeting©"
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"="C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe:*:Enabled:F-Secure Automatic Update"
"C:\\Program Files\\eMule\\eMule.exe"="C:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule Plus"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 30 Sep 2004 57,344 A.SH. --- "C:\Windows\lbbho.dll"
Sat 6 Nov 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 8 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Ja lopuksi uusin HJT-loki:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:38, on 10.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Siemens\Gigaset PC Card 54\GigasetWLANMonitor.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Documents and Settings\Anni\Työpöytä\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {6208C419-06B8-4B89-AED6-5705B92C8942} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/Ap...sharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1096469581610
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/Ap...ap/PhtPkMSN.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Fmifdg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAM FILES\NORMANAV\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman Type-R - Unknown owner - C:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\Windows\system32\ZoneLabs\vsmon.exe

AfterDawn Addict

10. toukokuuta 2008 @ 19:55

Linkki tähän viestiin

scannaa hjt:.llä merkkaa paina Fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fi/0SEFIFI/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAM FILES\NORMANAV\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman Type-R - Unknown owner - C:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE

===================

Kopioi / liitä seuraava teksti alapuolella tyhjään muistioFiluun
Varmista että tiedoston tyyppi on ”all Files” ja tallenna se Poisto.bat. nimisenä
työpöydällesi.

@echo off
sc stop NipSvc
sc delete NipSvc
sc stop "Norman Type-R"
sc delete Norman Type-R

Tupla-klikkaa Poisto.bat. filua työpöydälläsi , ikkuna avautuu ja Sulkeutuu tämä on normaalia.

==============

Poista vikasiedossa kansio

C:\PROGRAM FILES\NORMAN

=============

1.Lataa combofix.exe työpöydällesi yhdestä linkistä:
combofix1
combofix2

2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

Eihä kone voi edes toimia?

Junior Member

10. toukokuuta 2008 @ 21:50

Linkki tähän viestiin

Tässä olisi nyt se loki joka tuli ComboFix.in jälkeen

ComboFix 08-05-09.1 - Anni 2008-05-10 21:32:32.1 - NTFSx86
Running from: C:\Documents and Settings\Anni\Työpöytä\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\newdotnet

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-04-10 to 2008-05-10 )))))))))))))))))
.

2008-05-10 19:47 . 2008-05-10 20:46 <KANSIO> d--h-c--- C:\$AVG8.VAULT$
2008-05-10 19:11 . 2008-05-10 19:14 <KANSIO> d----c--- C:\Windows\system32\drivers\Avg
2008-05-10 19:11 . 2008-05-10 19:11 96,520 --a--c--- C:\Windows\system32\drivers\avgldx86.sys
2008-05-10 19:11 . 2008-05-10 19:11 10,520 --a--c--- C:\Windows\system32\avgrsstx.dll
2008-05-10 19:10 . 2008-05-10 19:10 <KANSIO> d----c--- C:\Program Files\AVG
2008-05-10 19:10 . 2008-05-10 19:10 <KANSIO> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-10 16:27 . 2008-05-10 16:27 <KANSIO> d----c--- C:\Windows\system32\fi
2008-05-10 16:27 . 2008-05-10 16:27 <KANSIO> d----c--- C:\Windows\l2schemas
2008-05-10 16:27 . 2008-04-14 09:11 69,120 -----c--- C:\Windows\system32\wlanapi.dll
2008-05-10 16:27 . 2008-04-14 09:11 50,688 -----c--- C:\Windows\system32\tspkg.dll
2008-05-10 16:11 . 2008-04-13 09:36 144,384 -----c--- C:\Windows\system32\drivers\hdaudbus.sys
2008-05-10 16:11 . 2008-04-13 11:40 10,240 -----c--- C:\Windows\system32\drivers\sffp_mmc.sys
2008-05-10 16:05 . 2006-12-28 12:01 19,569 --a--c--- C:\Windows\005730_.tmp
2008-05-10 00:49 . 2008-05-10 00:49 <KANSIO> d----c--- C:\Windows\ERUNT
2008-05-10 00:48 . 2008-05-10 01:19 <KANSIO> d----c--- C:\SDFix
2008-05-09 23:12 . 2008-05-09 23:12 <KANSIO> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-09 23:12 . 2008-05-09 23:12 <KANSIO> d----c--- C:\Documents and Settings\Anni\Application Data\Malwarebytes
2008-05-09 23:12 . 2008-05-09 23:12 <KANSIO> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-09 23:12 . 2008-05-05 20:46 27,048 --a--c--- C:\Windows\system32\drivers\mbamcatchme.sys
2008-05-09 23:12 . 2008-05-05 20:46 15,864 --a--c--- C:\Windows\system32\drivers\mbam.sys
2008-05-06 00:25 . 2008-05-06 00:25 <KANSIO> d----c--- C:\Program Files\IObit
2008-05-06 00:25 . 2008-05-06 00:25 <KANSIO> d----c--- C:\Documents and Settings\Anni\Application Data\IObit
2008-05-06 00:25 . 2008-04-17 16:19 90,668 --a--c--- C:\Windows\system32\vobis32.dll
2008-04-14 19:24 . 2008-04-19 13:20 <KANSIO> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 19:22 . 2008-04-14 19:25 <KANSIO> d----c--- C:\Program Files\NRJKauppa
2008-04-14 08:52 . 2008-04-14 08:52 2,524 -----c--- C:\Windows\system32\pid.inf

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 15:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\Avira
2008-04-14 16:44 --------- dc----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-14 06:13 21,896 -c--a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 06:13 139,656 -c--a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 06:13 12,040 -c--a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 06:12 69,632 -c--a-w C:\WINDOWS\notepad.exe
2008-04-14 06:12 40,840 -c--a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 06:12 283,648 -c--a-w C:\WINDOWS\winhlp32.exe
2008-04-14 06:12 146,944 -c--a-w C:\WINDOWS\regedit.exe
2008-04-14 06:12 10,752 -c--a-w C:\WINDOWS\hh.exe
2008-04-14 06:12 1,034,240 -c--a-w C:\WINDOWS\explorer.exe
2008-04-14 05:51 80,256 -c--a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 05:51 73,344 -c--a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 05:51 68,096 -c--a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 05:51 46,720 -c--a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 05:51 120,064 -c--a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 05:47 800,000 -c--a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 05:47 154,112 -c--a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 05:46 37,120 -c--a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 05:46 24,576 -c--a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 05:46 14,720 -c--a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-14 05:45 5,504 -c--a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 05:45 40,704 -c--a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 05:45 40,320 -c--a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 05:43 64,512 -c--a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 05:43 52,096 -c--a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 05:42 25,600 -c----w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 05:40 57,472 -c--a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 05:40 272,896 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 05:39 51,840 -c--a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 05:39 44,544 -c--a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 05:38 39,808 -c--a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 05:37 41,728 -c--a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 05:37 41,344 -c--a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 05:36 30,080 -c--a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 05:36 23,040 -c--a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 05:36 187,904 -c--a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 09:28 175,744 -c--a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 09:21 162,816 -c--a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 09:20 91,520 -c--a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 09:20 361,344 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 09:20 182,656 -c--a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 09:19 75,264 -c--a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 09:19 51,328 -c--a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 09:19 48,384 -c--a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 09:19 146,048 -c--a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 09:19 138,112 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 09:17 83,072 -c--a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 09:17 456,576 -c--a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 09:17 105,344 -c--a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 09:16 49,536 -c--a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 09:16 141,056 -c--a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 09:15 60,800 -c--a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 09:15 574,976 -c--a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 09:15 334,848 -c--a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 09:14 63,744 -c--a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 09:14 143,744 -c--a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 09:00 225,664 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 09:00 19,072 -c--a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 08:57 41,472 -c--a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 08:57 40,576 -c--a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 08:57 34,560 -c--a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 08:57 20,864 -c--a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 08:57 152,832 -c--a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 08:57 14,336 -c--a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 08:57 10,112 -c--a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 08:56 88,320 -c--a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 08:56 69,120 -c--a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 08:56 35,072 -c--a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 08:56 34,688 -c--a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 08:56 30,592 -c--a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 08:56 30,592 -c----w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 08:56 14,592 -c--a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 08:56 12,800 -c--a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 08:56 12,800 -c----w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 08:56 12,288 -c--a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 08:55 202,624 -c--a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 08:54 88,192 -c--a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 08:54 28,672 -c--a-w C:\WINDOWS\system32\drivers\nscirda.sys
2008-04-13 08:54 11,264 -c--a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 08:53 71,552 -c--a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 08:53 40,320 -c--a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 08:53 36,608 -c----w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 08:53 264,832 -c----w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 08:51 61,824 -c--a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 08:51 60,800 -c--a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 08:51 59,904 -c--a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 08:51 55,808 -c--a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 08:51 101,120 -c----w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 08:46 61,696 -c--a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 08:46 59,136 -c----w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 08:46 53,376 -c--a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-13 08:46 37,888 -c----w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 08:46 36,480 -c----w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 08:46 25,344 -c--a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 08:46 18,944 -c----w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 08:46 17,024 -c----w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 08:46 121,984 -c----w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 08:44 81,664 -c--a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 08:44 20,992 -c--a-w C:\WINDOWS\system32\drivers\vga.sys
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6208C419-06B8-4B89-AED6-5705B92C8942}]
C:\WINDOWS\lbbho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Advanced WindowsCare 3"="C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" [2008-04-22 17:01 2024200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-09-29 17:16 32881]
"ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [2004-11-03 22:10 344064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 11:49 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 11:49 536576]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 14:20 227328]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\Windows\system32\Ati2mdxx.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-10 19:10 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 09:12 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 16:58 1744896]

C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
Gigaset WLAN Adapter Monitor.lnk - C:\Program Files\Siemens\Gigaset PC Card 54\GigasetWLANMonitor.exe [2005-10-31 17:51:45 552960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdaterPro]
C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra--c--- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\eMule\\eMule.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2004-07-18 16:29]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-10 19:11]
R1 TDI_RD;Firewall Engine Type-R;C:\WINDOWS\System32\drivers\tdi_rd.sys [2004-06-27 18:55]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-10 19:10]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2004-05-04 15:24]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\Anni\LOCALS~1\Temp\cdiskdun.sys []

.
'Ajoitetut tehtävät'-kansion sisältö
"2008-05-06 20:19:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-01-24 09:31:42 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 21:40:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

folder error: C:\DOCUME~1\Anni\LOCALS~1\Temp\

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-10 21:45:49
ComboFix-quarantined-files.txt 2008-05-10 18:45:26

Pre-Run: 7,155,965,952 tavua vapaana
Post-Run: 7,156,510,720 tavua vapaana

216 --- E O F --- 2008-04-10 13:35:37

AfterDawn Addict

10. toukokuuta 2008 @ 22:03

Linkki tähän viestiin

scannaa uusi hjt:n loki

Eihä kone voi edes toimia?

Junior Member

10. toukokuuta 2008 @ 22:12

Linkki tähän viestiin

Logfile of HijackThis v1.99.1
Scan saved at 22:10:54, on 10.5.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
C:\Program Files\Siemens\Gigaset PC Card 54\GigasetWLANMonitor.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Anni\Työpöytä\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {6208C419-06B8-4B89-AED6-5705B92C8942} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/Ap...sharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1096469581610
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/Ap...ap/PhtPkMSN.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\msgrapp.8.5.1302.1018.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

AfterDawn Addict

10. toukokuuta 2008 @ 22:25

Linkki tähän viestiin

scannaa hujt:llä nmerkkaa paina Fix checked

O2 - BHO: C:\WINDOWS\lbbho.dll - {6208C419-06B8-4B89-AED6-5705B92C8942} - C:\WINDOWS\lbbho.dll (file missing)
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - (no file)

===============

Lataa TÄSTÄ VundoFix.exe työpöydällesi.

Tupla-klikkaa VundoFix.exe ajaaksesi sen.
Klikkaa Scan for Vundo valintaa.
Kun skannaus on valmis, klikkaa Remove Vundo valintaa.
Sinulta kysytään haluatko poistaa filut - klikkaa YES.
Kun olet klikannut yes, työpöytäsi tyhjenee kun se alkaa poistamaan Vundoa.
Kun se on valmis, fiksi ilmoittaa käynnistäväsi koneesi uudelleen, klikkaa OK.
Postita C:\vundofix.txt lokin sekä tuoreen HijackThis lokin sisältö.

Huomaa: Se on mahdollista että VundoFix löysi tiedoston jota se ei pystynyt poistamaan.
Tässä tilanteessa, VundoFix ajaa itsensä rebootissa, seuraa vain yläpuolelle olevia ohjeita alkaen kohdasta "Klikkaa Scan for Vundo valintaa." kun VundoFix ilmaantuu uudelleenkäynnistyksen yhteydessä.

Eihä kone voi edes toimia?

Junior Member

10. toukokuuta 2008 @ 23:14

Linkki tähän viestiin

VundoFix ei löytänyt tartuntaa mutta ei tullut Remove Vundofix kohtaa mihinkään...
Pitääkö Vundofix poistaa koneelta?

Tässä nyt uusi HJT-loki

Logfile of HijackThis v1.99.1
Scan saved at 23:08:11, on 10.5.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
C:\Program Files\Siemens\Gigaset PC Card 54\GigasetWLANMonitor.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Anni\Työpöytä\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.staffit.info/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/Ap...sharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1096469581610
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/Ap...ap/PhtPkMSN.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\msgrapp.8.5.1302.1018.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Mainos

AfterDawn Addict

12. toukokuuta 2008 @ 20:05

Linkki tähän viestiin

Luo poistolista:
• Avaa HiJackThis
• Klikkaa "Configure" valintaa oikealla alhaalla
• Klikkaa "Misc Tools"
• Klikkaa boxia joka sanoo "Uninstall Manager"
• Klikkaa valintaa "Save list"
• Kopioi ja liitä kyseinen lista muistiosta postiisi