I can't install F-Secure/HijackThis

Thread in the Viruses and malware section. Thread started by batman187 on 04.02.2006.

  1. batman187

    batman187 Guest

    When I try to open F-Secure, it shuts down. If I try to install the F-Secure program, the computer suggests shutting it down, won't let it install, and shuts it down.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:03:32, on 3.2.2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Athan\Athan.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\WINDOWS\msmbw.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Shareaza\Shareaza.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F3 - REG:win.ini: run=C:\WINDOWS\inet20002\winlogon.exe
    O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20002\3.01.00.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\formatsys.exe
    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\serbw.exe
    O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\formatsys.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\serbw.exe
    O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     
  3. spertti

    spertti Active member

    Joined: 01.06.2005 | Messages: 1,222 | Thanks: 0 | Points: 66

    You've got quite a nice collection of pests on your machine. Your connection has been hijacked from Belarus. On top of that, one of those pests keeps downloading more junk onto your machine. And the biggest reason for this is that you haven't updated Windows.... Once we've got the machine clean, you'll need to go and get Service Pack 2 + the other critical updates. Otherwise your log will be back on the forum once a week.

    Get Fixwareout:
    http://forums.subratam.org/index.php?act=Attach&type=post&id=43811
    or
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your desktop.
    Click Fixwareout to start it and press OK etc. when asked.
    Reboot when told to.
    HijackThis opens automatically after this. If it doesn't open, open it yourself.

    Fix these

    F3 - REG:win.ini: run=C:\WINDOWS\inet20002\winlogon.exe
    O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20002\3.01.00.dll
    O4 - HKLM\..\Run: [serpe] C:\WINDOWS\System32\formatsys.exe
    O4 - HKLM\..\Run: [ltwob] C:\WINDOWS\System32\serbw.exe
    O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe
    O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\formatsys.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINDOWS\System32\serbw.exe
    O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe

    Get Ewido > http://keskustelu.afterdawn.com/thread_view.cfm/269186
    Install and update it. Don't do anything else yet.

    Show hidden files, instructions ->
    http://keskustelu.afterdawn.com/thread_view.cfm/248944

    Boot into Safe Mode (F8 during startup)

    Delete these
    C:\WINDOWS\==============>inet20002<=== folder
    C:\WINDOWS\System32\=====>formatsys.exe
    C:\WINDOWS\System32\=====>serbw.exe
    C:\WINDOWS\==============>msmbw.exe

    Scan with Ewido in Safe Mode and save the report

    Boot back into normal mode, and post a new log + the Ewido report + the contents of c:\fixwareout\report.txt
     
  4. batman187

    batman187 Guest

    I couldn't find these
    C:\WINDOWS\System32\=====>serbw.exe
    C:\WINDOWS\==============>msmbw.exe
    otherwise OK.

    Fixwareout ver 1.003
    Last edited 1/12/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 17:44:49, 4.2.2006
    + Report-Checksum: EED706E4

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Spyware.CoolWebSearch : Cleaned with backup
    C:\Crazy frog gets killed by train!.pif -> Worm.Sumom.a : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.62:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.63:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.65:C:\Documents and Settings\mahad\Application Data\Mozilla\Firefox\Profiles\nue4vif1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\mahad\Cookies\mahad@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\mahad\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe -> Worm.Sumom.a : Cleaned with backup
    C:\Documents and Settings\mahad\Local Settings\Temp\her.pt -> Trojan.Dialer.ay : Cleaned with backup
    C:\Documents and Settings\mahad\Local Settings\Temp\isinst.exe -> Downloader.IstBar.oe : Cleaned with backup
    C:\Documents and Settings\mahad\Local Settings\Temporary Internet Files\Content.IE5\OHKNGJ07\1001[1].exe -> Downloader.Small.awa : Cleaned with backup
    C:\Documents and Settings\mahad\Local Settings\Temporary Internet Files\Content.IE5\ULTE3YDK\009[1].jpg -> Downloader.Small.ccn : Cleaned with backup
    C:\Documents and Settings\mahad\Omat tiedostot\Downloads\~~ the oc 311.rar/Setup_toolBar.exe -> Downloader.IstBar.nj : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\mahad1\Application Data\Mozilla\Firefox\Profiles\a7d5dl4o.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\mahad1\Application Data\Mozilla\Firefox\Profiles\a7d5dl4o.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\mahad1\Application Data\Mozilla\Firefox\Profiles\a7d5dl4o.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\mahad1\Cookies\mahad1@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\mahad1\Cookies\mahad1@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\mahad1\Cookies\mahad1@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\mahad1\Cookies\mahad1@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\mahad1\Cookies\mahad1@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\mahad1\Cookies\mahad1@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\mahad1\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe -> Worm.Sumom.a : Cleaned with backup
    C:\Fat Elvis! lol.pif -> Worm.Sumom.a : Cleaned with backup
    C:\Program Files\Avant Browser\fdsf -> Downloader.Small.awa : Cleaned with backup
    C:\Program Files\backups\backup-20060204-164155-397.dll -> Spyware.Ihbo : Cleaned with backup
    C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll -> Downloader.Small : Cleaned with backup
    C:\WINDOWS\system32\dial23.0xe -> Trojan.Dialer.ay : Cleaned with backup
    C:\WINDOWS\system32\howiper.0xe -> Trojan.Small.gq : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 17:55:04, on 4.2.2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Athan\Athan.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Shareaza\Shareaza.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

     
  5. spertti

    spertti Active member

    Joined: 01.06.2005 | Messages: 1,222 | Thanks: 0 | Points: 66

    The connection still comes from Belarus... Run FixWareOut again, and when HjT opens, fix these lines. I somehow forgot to mention this last time, even though those are exactly what I identified the pest from =)


    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81


    Post another new log after that.
     
  6. batman187

    batman187 Guest

    Logfile of HijackThis v1.99.1
    Scan saved at 18:14:26, on 7.2.2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Shareaza\Shareaza.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [VoipCheap] "C:\Program Files\VoipCheap\VoipCheap.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O8 - Extra context menu item: Avaa kaikki linkit tältä sivulta... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Etsi - C:\Program Files\Avant Browser\Search.htm
    O8 - Extra context menu item: Korosta - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Lisää mainostenestolistalle - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
    O8 - Extra context menu item: Torju kaikki kuvat samalta palvelimelta - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

     
  7. spertti

    spertti Active member

    Joined: 01.06.2005 | Messages: 1,222 | Thanks: 0 | Points: 66

    Well, now it's good =) Is it working better already?
     
  8. mawdrgn

    mawdrgn Regular member

    Joined: 02.01.2006 | Messages: 469 | Thanks: 0 | Points: 26

    By the way spertti, may I ask how you can tell from that that the connection has been hijacked from Belarus? I'm asking purely out of interest and curiosity ;D
     
  9. spertti

    spertti Active member

    Joined: 01.06.2005 | Messages: 1,222 | Thanks: 0 | Points: 66

    The IPs on those O17 lines led to Belarus. Just by googling the IP, or by putting it in here > http://www.dnsstuff.com/ and then using e.g. IP information, you can find out quite a lot. That WareOut pest you had is usually recognisable precisely from those Belarusian IP addresses, which lead to Atrivo's server. But that fix that was run really does remove all its droppings very well. WareOut is a "nice" worm in that it keeps downloading more junk onto the machine it has installed itself on =) But this time it was noticed in time, and the removal went fairly easily too, didn't it?
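Added example, not part of the thread or of HijackThis: a small Python triage script that applies the two checks spertti makes by eye to HijackThis log lines. It flags O17 NameServer entries that point at resolvers other than the ones the machine is expected to use (a DNS hijack indicator), and O4/F3 autorun entries whose executable borrows a system binary's name, such as winlogon.exe, but lives outside System32. The sample lines are constructed from the logs in this thread; the expected-resolver address is a placeholder.

```python
import ipaddress
import re

# Constructed sample in HijackThis format, using lines as they appear in this thread.
SAMPLE_LOG = [
    r"F3 - REG:win.ini: run=C:\WINDOWS\inet20002\winlogon.exe",
    r"O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\System32\formatsys.exe",
    r"O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20002\winlogon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9C5F71-7CB2-4E90-B6DE-23896FD523EF}: NameServer = 85.255.115.20 85.255.112.81",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B855C1FA-6ED0-4158-9260-79538A165B19}: NameServer = 85.255.115.20,85.255.112.81",
    r"O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE",
]

# Resolvers this machine should be using (normally the ISP's or the home router's).
# Placeholder value: replace with the addresses your own network hands out.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Names malware likes to borrow, and the directory where the genuine binary lives.
SYSTEM_BINARY_DIRS = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# O4 entries ("[name] path args", path optionally quoted) and the win.ini run= line.
AUTORUN_RE = re.compile(
    r'^(?:O4 - .*?: \[[^\]]*\] |F3 - REG:win\.ini: run=)"?(?P<path>[^"]+?\.exe)',
    re.IGNORECASE,
)


def parse_nameservers(line):
    """Return the resolver IPs on an O17 line (space- or comma-separated), else []."""
    m = O17_RE.match(line.strip())
    if not m:
        return []
    tokens = re.split(r"[ ,]+", m.group("servers").strip())
    return [ipaddress.ip_address(tok) for tok in tokens if tok]


def suspicious_resolvers(lines, expected=EXPECTED_RESOLVERS):
    """O17 resolvers that are neither expected nor on a private network."""
    hits = set()
    for line in lines:
        for ip in parse_nameservers(line):
            if ip not in expected and not ip.is_private:
                hits.add(str(ip))
    return sorted(hits)


def masquerading_autoruns(lines):
    """Autorun entries whose executable has a system binary's name in the wrong directory."""
    hits = []
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        directory, _, name = path.lower().rpartition("\\")
        genuine_dir = SYSTEM_BINARY_DIRS.get(name)
        if genuine_dir is not None and directory != genuine_dir:
            hits.append(path)
    return hits


def triage(lines):
    """Run both checks and return the findings in one dict."""
    return {
        "rogue_resolvers": suspicious_resolvers(lines),
        "masquerading_autoruns": masquerading_autoruns(lines),
    }


if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind)
        for item in found:
            print("  ", item)
```

The three winlogon.exe hits show the same rogue binary registered in win.ini, HKLM Run and HKCU Run, which is why spertti lists all three lines to fix rather than just one.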
     
