Removing Downloader.Agent.uj

Thread in the Viruses and malware - HijackThis logs section. Thread started by Sussu82 on 04.11.2006.

Thread status:
This thread is closed.
  1. Sussu82

    So there are problems again..

    I ran ewido, which found downloader.agent.uj but couldn't remove it or put it in quarantine.

    Here's the HJT log and the ewido report, if someone would once again be kind enough to help =)

    Logfile of HijackThis v1.99.1
    Scan saved at 13:42:06, on 4.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {376CA5D9-A783-2617-D438-66D490652E79} - C:\WINDOWS\ejmlp1.dll (file missing)
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Airboard Manager] C:\Program Files\Netropa\Airboard Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F541FEE-32D1-4A66-91B0-58D509F6B58B}: NameServer = 85.255.113.93,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7105B11-C3E4-4CB7-8F31-15A5E977EE3E}: NameServer = 85.255.113.93,85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------


    + Created at: 13:46:11 4.11.2006

    + Scan result:



    [1056] VM_01230000 -> Downloader.Agent.uj : Error during cleaning.
    [1268] VM_00A80000 -> Downloader.Agent.uj : Error during cleaning.
    [1528] VM_00A10000 -> Downloader.Agent.uj : Error during cleaning.
    [1536] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning.
    [1544] VM_01190000 -> Downloader.Agent.uj : Error during cleaning.
    [1552] VM_00A60000 -> Downloader.Agent.uj : Error during cleaning.
    [1560] VM_00A80000 -> Downloader.Agent.uj : Error during cleaning.
    [1572] VM_00D20000 -> Downloader.Agent.uj : Error during cleaning.
    [1608] VM_00A20000 -> Downloader.Agent.uj : Error during cleaning.
    [1616] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning.
    [1648] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning.
    [3252] VM_010B0000 -> Downloader.Agent.uj : Error during cleaning.
    [496] VM_00DB0000 -> Downloader.Agent.uj : Error during cleaning.
    [520] VM_00AB0000 -> Downloader.Agent.uj : Error during cleaning.
    :mozilla.131:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.132:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.57:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.58:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.163:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Alex.123-B1232ACD4A2\Cookies\alex@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.129:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
    :mozilla.130:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
    :mozilla.73:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    :mozilla.56:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.142:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.143:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.6:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
    :mozilla.224:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
    :mozilla.136:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
    :mozilla.165:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.166:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.167:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.168:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.169:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.16:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
    :mozilla.91:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.259:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Texttbnru : Cleaned.
    :mozilla.67:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
    :mozilla.68:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
    :mozilla.245:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
    :mozilla.21:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
    :mozilla.128:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
     
  2.  
  3. -kemisti-

    Download the Gromozon rootkit removal tool from Prevx to your desktop:
    • Double-click PrevxRemovalTool.exe to run the program.
    • You will be asked to restart the computer - click YES.
    • Once the computer has restarted, the tool will open and start scanning. This may take a while.
    • It will tell you when it is done; at the end of the scan it will say "Scan finished" or something similar. Copy the contents of the log and click Exit.
    • You will be asked whether you want to install the Prevx anti-malware program; if you want to install it, click Yes, if not, click No.
    • Paste the copied log here along with a fresh HijackThis log.
     
  4. Sussu82

    Is something wrong on my end, since I can't get that link to open?
     
  5. -kemisti-

  6. Sussu82

    Last edited: 04.11.2006
  7. -kemisti-

    Try typing the link by hand into Start -> Run and click OK. Does it work now?
     
  8. Sussu82

    Doesn't work that way either.
     
  9. -kemisti-

    Does the upper link work? If so, run it in Safe Mode.
     
  10. Sussu82

    The upper link did work.

    I managed to download that Fixgrome with eMule, so do I now follow the original instructions?
     
  11. -kemisti-

  12. Sussu82

    Yes, I got it downloaded.
     
  13. -kemisti-

    Good, then proceed according to the earlier instructions :)
     
  14. Sussu82

    Removal tool loaded into memory
    ------------------------------------
    Executing rootkit removal engine....
    ------------------------------------
    Disabling rootkit file: \\?\C:\WINDOWS\system32\com3.hbh
    \\?\C:\WINDOWS\system32\com3.hbh
    Resetting file permissions...
    Clearing attributes...
    Removing file...
    Rootkit removed! Cleaning up...

    Removing temp files...
    Scanning: C:\WINDOWS
    Scanning: C:\Program Files\Common Files
    Gromozon-Related Malicious Code Detected!
    FileName: C:\WINDOWS\ejmlp1.dll
    Removed!
    Gromozon-Related Malicious Code Detected!
    FileName: C:\WINDOWS\system32\ibpp.dll
    Removed!


    Trojan.Gromozon Removed!


    Symantec Trojan.Linkoptimizer Removal Tool 1.0.8

    C:\System Volume Information\_restore{06D7012F-869A-4D02-B826-317A16323224}\RP39\A0015349.dll: (deleted)
    C:\System Volume Information\_restore{06D7012F-869A-4D02-B826-317A16323224}\RP39\A0015353.dll: (deleted)

    Trojan.Linkoptimizer has been successfully removed from your computer!

    Here is the report:

    The total number of the scanned files: 43102
    The number of deleted threat files: 2
    The number of threat processes terminated: 0
    The number of threat threads terminated: 0
    The number of registry entries fixed: 0

    The tool initiated a system reboot.

    registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (cleared)


    Logfile of HijackThis v1.99.1
    Scan saved at 15:57:13, on 4.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {376CA5D9-A783-2617-D438-66D490652E79} - C:\WINDOWS\ejmlp1.dll (file missing)
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Airboard Manager] C:\Program Files\Netropa\Airboard Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F541FEE-32D1-4A66-91B0-58D509F6B58B}: NameServer = 85.255.113.93,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7105B11-C3E4-4CB7-8F31-15A5E977EE3E}: NameServer = 85.255.113.93,85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs:
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
     
  15. -kemisti-

    Fix these:

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {376CA5D9-A783-2617-D438-66D490652E79} - C:\WINDOWS\ejmlp1.dll (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F541FEE-32D1-4A66-91B0-58D509F6B58B}: NameServer = 85.255.113.93,85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7105B11-C3E4-4CB7-8F31-15A5E977EE3E}: NameServer = 85.255.113.93,85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
    O20 - AppInit_DLLs:


    Get Fixwareout from either of these links

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    http://downloads.subratam.org/Fixwareout.exe

    • Save it to the desktop and run it. Click Next, then Install, and make sure
    Run fixit is checked, then click Finish.
    • The fix will begin; follow the instructions.
    • When asked to restart the computer, do so.
    • Startup may take longer than usual; that is normal.
    • Post a new HJT log and the contents of the C:\fixwareout\report.txt file here.
     
  16. Sussu82

    Logfile of HijackThis v1.99.1
    Scan saved at 16:30:36, on 4.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Airboard Manager] C:\Program Files\Netropa\Airboard Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe



    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B63C27030699-78C8-A7C4-B457-F575349B{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CA69DD1DB3BF-9328-3654-98A0-93F6A76B{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nuqmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Random Runs removed from HKLM
    "dmqun.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSFKA.EXE 51 746 2006-11-03
    C:\WINDOWS\SYSTEM32\DMQUN.EXE 60 989 2004-09-14

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
     
  17. -kemisti-

    Delete:

    C:\WINDOWS\SYSTEM32\CSFKA.EXE
    C:\WINDOWS\SYSTEM32\DMQUN.EXE

    Go to Control Panel -> Network Connections. Then right-click the connection icon -> Properties. Select TCP/IP and then Properties. Select "Obtain an IP address automatically" and click OK.

    Then Start -> Run
    Type cmd and click OK
    Type ipconfig /flushdns, press Enter, then type exit
    and press Enter

    If that doesn't work, go to Start -> Accessories -> Command Prompt, type ipconfig /flushdns there and press Enter. Type exit and Enter.

    Update ewido and scan with it in Safe Mode.

    Restart.

    Run Fixwareout again.

    Post:

    - a new HJT log
    - the ewido report
    - the Fixwareout report
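A detection pass over the O17 lines from the logs in this thread, as an added example (not code from the thread, from HijackThis or from Fixwareout): it parses each NameServer entry, flags every resolver not on an allow-list of expected resolvers (the allow-list address is an assumed placeholder), and reports which control sets and which scope (global Tcpip\Parameters key or per-interface GUID) still carry them. Run on the first log it shows the hijack in all three control sets plus three interfaces; on the post-Fixwareout log only one interface GUID is left, which is the per-connection TCP/IP setting the reply above tells the poster to reset.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: O17 lines (with two neighbouring lines) copied from the
# HijackThis logs posted in this thread: the first log, and the log posted after
# the Fixwareout run.
BEFORE_FIX = r"""
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F541FEE-32D1-4A66-91B0-58D509F6B58B}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7105B11-C3E4-4CB7-8F31-15A5E977EE3E}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
"""

AFTER_FIX = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
"""

# Assumed placeholder: the resolvers this machine is expected to use (ISP or home
# router). Any other address in an O17 entry is treated as a DNS hijack.
TRUSTED_RESOLVERS = frozenset({"192.168.1.1"})

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:Parameters|\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}): NameServer = (?P<servers>.+)$"
)


@dataclass(frozen=True)
class O17Entry:
    control_set: str   # CCS = CurrentControlSet, CS1/CS2 = ControlSet001/002 (boot fallbacks)
    scope: str         # "global" for Tcpip\Parameters, otherwise the interface GUID
    servers: tuple     # resolver addresses in the order the registry lists them


def _split_servers(raw):
    # HijackThis prints the registry value verbatim, so the separator is whatever
    # was written there: the thread's log mixes spaces and commas.
    out = []
    for tok in re.split(r"[,\s]+", raw.strip()):
        if not tok:
            continue
        try:
            out.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            out.append(tok)  # keep unparsable tokens visible instead of dropping them
    return tuple(out)


def parse_o17(log_text):
    """Return every O17 NameServer entry in a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append(O17Entry(m.group("cs"), m.group("guid") or "global",
                                    _split_servers(m.group("servers"))))
    return entries


def summarize(log_text, trusted=TRUSTED_RESOLVERS):
    """Which untrusted resolvers are configured, and where they still live."""
    rogue = [e for e in parse_o17(log_text) if any(s not in trusted for s in e.servers)]
    return {
        "rogue_servers": sorted({s for e in rogue for s in e.servers if s not in trusted}),
        "control_sets": sorted({e.control_set for e in rogue}),
        "global_hijack": any(e.scope == "global" for e in rogue),
        "interfaces": sorted({e.scope for e in rogue if e.scope != "global"}),
    }


if __name__ == "__main__":
    for label, log in (("before Fixwareout", BEFORE_FIX), ("after Fixwareout", AFTER_FIX)):
        print(label, summarize(log))
```

Entries in CS1/CS2 matter because those control sets are what "Last Known Good" boots from, so a cleanup that only touches CurrentControlSet can be undone by a rollback.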
     
  18. Sussu82

    Logfile of HijackThis v1.99.1
    Scan saved at 17:48:45, on 4.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Airboard Manager] C:\Program Files\Netropa\Airboard Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------


    + Created at: 17:36:37 4.11.2006

    + Scan result:



    C:\RECYCLER\S-1-5-21-299502267-1897051121-682003330-1003\Dc51.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
    :mozilla.60:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.50:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.51:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.52:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.53:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.109:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.110:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.205:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.76:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
    :mozilla.173:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
    :mozilla.174:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
    :mozilla.119:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    :mozilla.39:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.184:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.185:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.77:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.23:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
    :mozilla.61:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
    :mozilla.178:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
    :mozilla.207:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.208:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.209:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.210:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.211:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.26:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
    :mozilla.135:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.296:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Texttbnru : Cleaned.
    :mozilla.70:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
    :mozilla.71:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
    :mozilla.282:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
    :mozilla.56:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
    :mozilla.36:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
    :mozilla.172:C:\Documents and Settings\Alex.123-B1232ACD4A2\Application Data\Mozilla\Firefox\Profiles\jln40fa6.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end



    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
     
  19. -kemisti-

    -kemisti- Active member

    Joined: 06.06.2005
    Posts: 6,305
    Thanks: 0
    Points: 96
    Turn off Ewido's guard:

    - Click Change state next to Resident shield. It should now change to inactive.

    Fix these:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210

    Go to Control Panel -> Network Connections. Then right-click the connection icon -> Properties. Select TCP/IP and then Properties. Select "Obtain an IP address automatically" and click OK.

    Then Start -> Run
    Type cmd and click OK
    Type ipconfig /flushdns , press Enter, type exit
    and press Enter

    If that does not work, go to Start -> Accessories -> Command Prompt, type ipconfig /flushdns there and press Enter. Type exit and press Enter.

    Reboot and post a new HjT log.
     
    Last edited: 04.11.2006
  20. Sussu82

    Sussu82 Member

    Joined: 23.09.2005
    Posts: 61
    Thanks: 0
    Points: 16
    In Ewido the state was already inactive for me.

    Logfile of HijackThis v1.99.1
    Scan saved at 0:07:59, on 5.11.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Airboard Manager] C:\Program Files\Netropa\Airboard Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O17 - HKLM\System\CS1\Services\Tcpip\..\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

     
  21. -kemisti-

    -kemisti- Active member

    Joined: 06.06.2005
    Posts: 6,305
    Thanks: 0
    Points: 96
    Well, Ewido's guard is certainly running :)

    Running processes:

    C:\Program Files\ewido anti-spyware 4.0\guard.exe

    Go to Start -> Run -> services.msc -> OK

    Find ewido anti-spyware 4.0 guard, double-click it, press Stop and set the startup type to "Disabled"

    Restart the computer.

    Go to Control Panel -> Network Connections. Then right-click the connection icon -> Properties. Select TCP/IP and then Properties.

    Select "Use the following DNS server addresses"

    Put this as the preferred server -> 193.210.19.19 and this as the alternate -> 193.210.18.18

    Click OK.

    Restart and post a new HjT log.
     
    Last edited: 05.11.2006
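What -kemisti-'s two replies are working through, as an added worked example that is not code from the thread or from HijackThis: a small Python script that parses the O17 lines of a HijackThis 1.99 log, expands the abbreviated key (`Services\Tcpip\..\{GUID}`) to the real registry path so you know exactly which value to clear, flags any resolver that is not on a trusted list, and compares a before-and-after log to show when the entry has survived a fix, which is what happened between the two logs Sussu82 posted. The trusted list is an assumption; it reuses the two resolver addresses -kemisti- gives in post 21. The log fragments in the block are constructed from the line shapes in this thread.

```python
"""Triage the O17 (DNS NameServer) lines of a HijackThis 1.99 log.

Added example for this thread; it is not HijackThis code and not anything the
posters ran.  The sample log fragments below are constructed from the line
shapes in the thread, and TRUSTED_DNS is an assumption: it holds the two
resolver addresses -kemisti- recommends in the thread.
"""
import re
from ipaddress import ip_address

# HijackThis abbreviates the registry key as "Services\Tcpip\..\{GUID}"; the
# full key is Services\Tcpip\Parameters\Interfaces\{GUID}.  CCS is
# CurrentControlSet and CS1 is ControlSet001, so a hijack present under both
# survives a reboot into either control set.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|Parameters)"
    r": (?P<value>\w+) = (?P<addrs>.+)$"
)

TRUSTED_DNS = ("193.210.19.19", "193.210.18.18")  # assumption: ISP resolvers


def full_key(cs, guid):
    """Expand the HJT abbreviation into the real registry path."""
    control_set = "CurrentControlSet" if cs == "CCS" else "ControlSet" + cs[2:].zfill(3)
    key = f"HKLM\\SYSTEM\\{control_set}\\Services\\Tcpip\\Parameters"
    return key + (f"\\Interfaces\\{guid}" if guid else "")


def parse_o17(log_text):
    """Return one dict per O17 line: registry key, value name, resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HJT separates resolvers with spaces; the registry value itself may use commas.
        addrs = [a for a in re.split(r"[\s,]+", m["addrs"].strip()) if a]
        entries.append({"key": full_key(m["cs"], m["guid"]),
                        "value": m["value"], "addrs": addrs})
    return entries


def _is_trusted(addr, trusted_ips):
    try:
        return ip_address(addr) in trusted_ips
    except ValueError:  # a hostname or garbage where an IP belongs: treat as untrusted
        return False


def triage(log_text, trusted=TRUSTED_DNS):
    """Flag every O17 entry that points at a resolver outside `trusted`."""
    trusted_ips = {ip_address(a) for a in trusted}
    findings = []
    for e in parse_o17(log_text):
        bad = [a for a in e["addrs"] if not _is_trusted(a, trusted_ips)]
        if bad:
            findings.append({**e, "untrusted": bad})
    return findings


def persisted(log_before, log_after, trusted=TRUSTED_DNS):
    """Findings present in both logs: the fix did not stick or was re-applied."""
    seen = {(f["key"], tuple(f["addrs"])) for f in triage(log_before, trusted)}
    return [f for f in triage(log_after, trusted)
            if (f["key"], tuple(f["addrs"])) in seen]


# Constructed sample: the two O17 lines from the thread, one interface that
# already uses the trusted resolvers, and one unrelated line that must be ignored.
LOG_HIJACKED = """\
O4 - HKLM\\..\\Run: [VTTimer] VTTimer.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 193.210.19.19,193.210.18.18
"""

# Constructed sample of what a clean follow-up log should look like.
LOG_CLEAN = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{168BF9B8-5614-42AD-8E29-BBA2A8D544FF}: NameServer = 193.210.19.19 193.210.18.18
"""

if __name__ == "__main__":
    for f in triage(LOG_HIJACKED):
        print(f"{f['key']}\n  {f['value']} -> {' '.join(f['untrusted'])}  (untrusted)")
    still = persisted(LOG_HIJACKED, LOG_HIJACKED)
    print(f"{len(still)} O17 entries unchanged between the two logs")
```

On a real log, `triage(open("hijackthis.log").read())` lists the registry keys to clear and the control sets that carry them; the remediation itself is still the manual sequence in the posts above (tick the O17 lines in HijackThis and Fix, set the adapter's DNS back to automatic or to the trusted addresses, then `ipconfig /flushdns`). Feeding the pre-fix and post-reboot logs to `persisted()` is the check that tells you, as it did here, that the fix did not take.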