F-securen mukaan koneessa yli 8000 virusta. Auttaisko joku?

janne59 · 14.11.2006

Kannatta myös hakea SP2 valmiiksi koneelle:

http://www.microsoft.com/downloads/...FamilyID=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A

AfterDawn

chili80 · 14.11.2006

täs on nyt kuitenkin tää hjt-logi. mitäs nyt teen?

Logfile of HijackThis v1.99.1
Scan saved at 17:30:17, on 14.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsrw.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\PROGRA~1\ELISAT~1\ANTI-S~1\fsaw.exe
C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\Program Files\Mozilla Firefox\Yinstall.exe
C:\kybrdff_e56.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\nwnmff_e56.exe
C:\Program Files\Error Safe Free\ers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\WINDOWS\v1201.exe
C:\windows_e56.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\syshost.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\{783B1303-09E5-1035-0128-030308190166}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\srshost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\kybrdff_e57.exe
c:\windows_e57.exe
c:\nwnmff_e57.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
c:\dfndrff_e57.exe
c:\dfndrff_e57.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Susanna Koskinen\Työpöytä\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...c+7PwO2sgoLrWkCQ+5a+nNfi1BdrHLpSV3CD9UsG2Ig==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=...ywIPILyCPq9Nxc18sKUHTQp/KDnn0wgA+HKxlX3Nblrs=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\11.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\11.bin\MWSBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{383B1303-09E5-1035-0128-030308190166}\MyToolBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\tcnoki.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MS] adwareremover.exe
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\11.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [piletrustpinglite] C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Show log.exe
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\Yinstall.exe
O4 - HKLM\..\Run: [zrx20540] RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e57.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e57.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e57.exe
O4 - HKLM\..\Run: [Error Safe] C:\Program Files\Error Safe Free\ers.exe /scan
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [windows] c:\\windows_e57.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MS] adwareremover.exe
O4 - HKCU\..\Run: [third 4] C:\DOCUME~1\SUSANN~1\APPLIC~1\SAVEBI~1\proxy sect.exe
O4 - HKCU\..\Run: [JewelQuestSetup.exe] C:\DOCUME~1\SUSANN~1\TYPYT~1\JEWELQ~1.EXE /r
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\RunServices: [MS] adwareremover.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
O4 - Global Startup: WINCBR.0XE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/313133352D2D2D.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s...ownload/2006/cabs/ErrorSafeFreeInstall_fi.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\h00q0ad5ed0.dll
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Marku2 · 14.11.2006

Moro, tällä lähetään:

1. Lataa combofix.exe tiedosto työpöydällesi.
2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

chili80 · 14.11.2006

siis tässä cd-levyssä lukee "tämä recovery-cd-rom-ohjelmisto on esiasennettu kiintolevylle tehtaalla ja sitä saa käyttää ainoastaan fujitsu.. ostetun järjestelmän suojaukseen ja uudelleenlataukseen".

siis eiks tällä nyt saa windowsin palautettua?

LoBer · 14.11.2006

Avaa uudestaan HiJack This, ja paina Scan. Etsi listasta

O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min

Ylläoleva on todettu pa**aksi "viruksentorjuntaohjelmaksi" joka tuokin yllättävästi muutaman madon koneelle...Eli laita raksi tuon kohtaan ja paina fix... Sitten sanoisin tuosta työkalupalkkien määrästä. En tiedä onko nämä turhia, mutta niitä näyttäisi olevan aika paljon...Itse en löydä logistasi enempää viiruksia...

fixeri · 14.11.2006

Fixaa hjt:llä nuo rivit:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\11.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\11.bin\MWSBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - \UCMTSAIE.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{383B1303-09E5-1035-0128-030308190166}\MyToolBar.dll
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\tcnoki.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [MS] adwareremover.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\11.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [piletrustpinglite] C:\Documents and Settings\All Users\Application Data\MFCD PLUS PILE TRUST\Show log.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e57.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e57.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e57.exe
O4 - HKLM\..\Run: [Error Safe] C:\Program Files\Error Safe Free\ers.exe /scan
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [windows] c:\\windows_e57.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [MS] adwareremover.exe
O4 - HKCU\..\Run: [third 4] C:\DOCUME~1\SUSANN~1\APPLIC~1\SAVEBI~1\proxy sect.exe
O4 - HKCU\..\Run: [JewelQuestSetup.exe] C:\DOCUME~1\SUSANN~1\TYPYT~1\JEWELQ~1.EXE \r
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\11.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\RunServices: [MS] adwareremover.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...html?p=ZNfox000
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/p...133352D2D2D.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

Vikasietotilassa piilotiedostot näkyviin ja poista nuo kansiot:

C:\Program Files\---->Deskbar<----
C:\Program Files\---->DeluxeCommunications<----
C:\WINDOWS\---->DOWNLO~1<----
C:\Program Files\---->MyWebSearch<----
C:\Program Files\---->MyGlobalSearch<----
C:\Program Files\---->TheSearchAccelerator<----

Poista lisää/poista sovelluksesta Error safe.

Sit combofix:

1. Lataa combofix.exe tiedosto työpöydällesi: http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

Lähetä combofix logi, ja uus hjt logi.

-kemisti- · 14.11.2006

@fixeri: Et siis halua poistaa chili80:n koneelta botteja?

O4 - HKLM\..\Run: [MS] adwareremover.exe
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [MS] adwareremover.exe
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\RunServices: [MS] adwareremover.exe

Ihan pelkkä fixi ei noille riitä...

Toiseksi deluxecommunications ei lähde mihinkään ilman comboa; sen hakemiston poistoa on turha ohjeistaa ennen combon ajoa..

Ja vielä: Nämä fixiin:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1I...pSV3CD9UsG2Ig==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1I...gA+HKxlX3Nblrs=

chili80 · 14.11.2006

kesti vähän, kun piti hoitaa pari asiaa. tässä on nyt combofixin muistio.Aika pitkä pätkä. mitäs nyt teen?

ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Susanna Koskinen\Ty”p”yt„"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5A95A8DE-0736-42AD-827A-B6E6DBF6F97F}\InprocServer32]
@="C:\\WINDOWS\\system32\\beotvid.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE970925-6D6A-47E8-A448-9605DC5D3A9B}\InprocServer32]
@="C:\\WINDOWS\\system32\\puustab.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINDOWS\system32\aza6l9fs1.dll
C:\WINDOWS\system32\beotvid.dll
C:\WINDOWS\system32\d8j02i1mg8.dll
C:\WINDOWS\system32\dnj4011qe.dll
C:\WINDOWS\system32\e2jm0c11ef.dll
C:\WINDOWS\system32\en0ol1d31.dll
C:\WINDOWS\system32\en6ul1j91.dll
C:\WINDOWS\system32\enlol1331.dll
C:\WINDOWS\system32\enlsl1371.dll
C:\WINDOWS\system32\enlul1391.dll
C:\WINDOWS\system32\f2l02c3mgf.dll
C:\WINDOWS\system32\f82m0if1e82.dll
C:\WINDOWS\system32\f8l02i3mg8.dll
C:\WINDOWS\system32\fp0q03d5e.dll
C:\WINDOWS\system32\fp8m03l1e.dll
C:\WINDOWS\system32\g8040idqe80e0.dll
C:\WINDOWS\system32\g804lidq180e.dll
C:\WINDOWS\system32\g8jo0i13e8.dll
C:\WINDOWS\system32\gp4sl3h71.dll
C:\WINDOWS\system32\h00q0ad5ed0.dll
C:\WINDOWS\system32\h44mleh11h4.dll
C:\WINDOWS\system32\hr0205doe.dll
C:\WINDOWS\system32\hr4805hue.dll
C:\WINDOWS\system32\hrnm0551e.dll
C:\WINDOWS\system32\i4240efqeh2e0.dll
C:\WINDOWS\system32\i442leho1h4c.dll
C:\WINDOWS\system32\ir2ml5f11.dll
C:\WINDOWS\system32\ir82l5lo1.dll
C:\WINDOWS\system32\j06m0aj1edo.dll
C:\WINDOWS\system32\j2j6lc1s1f.dll
C:\WINDOWS\system32\j6p00g7me6.dll
C:\WINDOWS\system32\jr0025dmg.dll
C:\WINDOWS\system32\jt6q07j5e.dll
C:\WINDOWS\system32\jtj0071me.dll
C:\WINDOWS\system32\jtjq0715e.dll
C:\WINDOWS\system32\k0440ahqed4e0.dll
C:\WINDOWS\system32\kt0sl7d71.dll
C:\WINDOWS\system32\ktlsl7371.dll
C:\WINDOWS\system32\ktnul7591.dll
C:\WINDOWS\system32\lt4027hmg.dll
C:\WINDOWS\system32\lv8609lse.dll
C:\WINDOWS\system32\m6po0g73e6.dll
C:\WINDOWS\system32\m8po0i73e8.dll
C:\WINDOWS\system32\mv26l9fs1.dll
C:\WINDOWS\system32\mv84l9lq1.dll
C:\WINDOWS\system32\n42ulef91h2.dll
C:\WINDOWS\system32\n8r20i9oe8.dll
C:\WINDOWS\system32\nvtui2.dll
C:\WINDOWS\system32\o6660gjse6o60.dll
C:\WINDOWS\system32\p48qlel51hq.dll
C:\WINDOWS\system32\puustab.dll
C:\WINDOWS\system32\q268lcju1fo8.dll
C:\WINDOWS\system32\r0r6la9s1d.dll
C:\WINDOWS\system32\r26ulcj91fo.dll
C:\WINDOWS\system32\r48slel71hq.dll
C:\WINDOWS\system32\s2880cluefq80.dll
C:\WINDOWS\system32\scpblb.dll
C:\WINDOWS\system32\t4r80e9ueh.dll
C:\WINDOWS\system32\wobvw.dll

Granting sedebugprivilege to Järjestelmänvalvojat ... successful

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Susanna Koskinen\Application Data\Dxcknwrd.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

C:\WINDOWS\system32\dxclib303562752.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\drsmartload1135a.exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\teller2.chk
C:\dfndrff_e18.exe
C:\dfndrff_e19.exe
C:\dfndrff_e20.exe
C:\dfndrff_e21.exe
C:\dfndrff_e22.exe
C:\dfndrff_e23.exe
C:\dfndrff_e24.exe
C:\dfndrff_e25.exe
C:\dfndrff_e26.exe
C:\dfndrff_e27.exe
C:\dfndrff_e28.exe
C:\dfndrff_e30.exe
C:\dfndrff_e31.exe
C:\dfndrff_e32.exe
C:\dfndrff_e33.exe
C:\dfndrff_e34.exe
C:\dfndrff_e35.exe
C:\dfndrff_e38.exe
C:\dfndrff_e41.exe
C:\dfndrff_e42.exe
C:\dfndrff_e43.exe
C:\dfndrff_e44a.exe
C:\dfndrff_e45.exe
C:\dfndrff_e46a.exe
C:\dfndrff_e47.exe
C:\dfndrff_e48.exe
C:\dfndrff_e49.exe
C:\dfndrff_e51.exe
C:\dfndrff_e52.exe
C:\dfndrff_e53.exe
C:\dfndrff_e54.exe
C:\dfndrff_e56.exe
C:\dfndrff_e57.exe
C:\drsmartload.exe
C:\drsmartload1.exe
C:\drsmartload45a45a45o.exe
C:\drsmartload45a45a45p.exe
C:\drsmartload45a45a45q.exe
C:\drsmartload45a45a45s.exe
C:\drsmartload45a45a45t.exe
C:\deskbar.exe
C:\deskbar_e18.exe
C:\deskbar_e19.exe
C:\deskbar_e20.exe
C:\deskbar_e21.exe
C:\deskbar_e25.exe
C:\deskbar_e26.exe
C:\deskbar_e28.exe
C:\deskbar_e29.exe
C:\deskbar_e31.exe
C:\deskbar_e34.exe
C:\deskbar_e37.exe
C:\deskbar_e41.exe
C:\deskbar_e42.exe
C:\deskbar_e44.exe
C:\deskbar_e45.exe
C:\deskbar_e46.exe
C:\deskbar_e47.exe
C:\deskbar_e48.exe
C:\deskbar_e49.exe
C:\deskbar_e51.exe
C:\deskbar_e52.exe
C:\deskbar_e53.exe
C:\deskbar_e55.exe
C:\kybrdff_e18.exe
C:\kybrdff_e19.exe
C:\kybrdff_e20.exe
C:\kybrdff_e21.exe
C:\kybrdff_e22.exe
C:\kybrdff_e23.exe
C:\kybrdff_e24.exe
C:\kybrdff_e26.exe
C:\kybrdff_e27.exe
C:\kybrdff_e28.exe
C:\kybrdff_e30.exe
C:\kybrdff_e31.exe
C:\kybrdff_e32.exe
C:\kybrdff_e33.exe
C:\kybrdff_e34.exe
C:\kybrdff_e35.exe
C:\kybrdff_e38.exe
C:\kybrdff_e41.exe
C:\kybrdff_e42.exe
C:\kybrdff_e43.exe
C:\kybrdff_e44.exe
C:\kybrdff_e45.exe
C:\kybrdff_e46.exe
C:\kybrdff_e47.exe
C:\kybrdff_e48.exe
C:\kybrdff_e49.exe
C:\kybrdff_e51.exe
C:\kybrdff_e52.exe
C:\kybrdff_e53.exe
C:\kybrdff_e54.exe
C:\kybrdff_e56.exe
C:\kybrdff_e57.exe
C:\MTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNg12112006.exe
C:\MTE3NDI6ODoxNg14112006.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\MTE3NDI6ODoxNgV2.exe
C:\nwnmff_e19.exe
C:\nwnmff_e20.exe
C:\nwnmff_e21.exe
C:\nwnmff_e22.exe
C:\nwnmff_e23.exe
C:\nwnmff_e24.exe
C:\nwnmff_e25.exe
C:\nwnmff_e26.exe
C:\nwnmff_e27.exe
C:\nwnmff_e28.exe
C:\nwnmff_e30.exe
C:\nwnmff_e32.exe
C:\nwnmff_e33.exe
C:\nwnmff_e34.exe
C:\nwnmff_e35.exe
C:\nwnmff_e38.exe
C:\nwnmff_e41.exe
C:\nwnmff_e43.exe
C:\nwnmff_e44.exe
C:\nwnmff_e45.exe
C:\nwnmff_e46.exe
C:\nwnmff_e47.exe
C:\nwnmff_e49.exe
C:\nwnmff_e51.exe
C:\nwnmff_e52.exe
C:\nwnmff_e53.exe
C:\nwnmff_e54.exe
C:\nwnmff_e56.exe
C:\nwnmff_e57.exe
C:\warebundlenewer.exe
C:\ac3_0010.exe
C:\mte3ndi6odoxng.exe
C:\RDFX4.exe
C:\ucmoreiex.exe
C:\Installer4.exe
C:\Installer5.exe
C:\Program Files\CONEXANT\nico.html
C:\dollarrev.exe
C:\windows.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\TheSearchAccelerator
C:\Program Files\Common Files\{383B1303-09E5-1035-0128-030308190166}
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\Program Files\PrintView
C:\Program Files\Common Files\{783B1303-09E5-1035-0128-030308190166}
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg

((((((((((((((((((((((((((((((( Files Created from 2006-10-14 to 2006-11-14 ))))))))))))))))))))))))))))))))))

2006-11-14 12:46 446,464 --a------ C:\windows_e57.exe
2006-11-14 12:45 32,768 --a------ C:\mc44a57.exe
2006-11-14 07:14 6,687 --a------ C:\WINDOWS\system32\ldcore.dll
2006-11-14 07:14 446,464 --a------ C:\windows_e56.exe
2006-11-14 07:13 32,768 --a------ C:\mc44a56.exe
2006-11-11 10:39 20,480 --a------ C:\mc44a54.exe
2006-11-10 15:36 69,632 --a------ C:\WINDOWS\system32\srshost.exe
2006-11-10 15:36 48,128 --a------ C:\WINDOWS\system32\srshostu.exe
2006-11-10 15:36 179,200 --a------ C:\WINDOWS\system32\winl0gon.exe
2006-11-10 00:03 434,176 --a------ C:\windows_e53.exe
2006-11-10 00:02 20,480 --a------ C:\mc44a53.exe
2006-11-09 12:57 430,080 --a------ C:\windows_e52.exe
2006-11-09 12:55 24,576 --a------ C:\mc44a52.exe
2006-11-07 18:36 442,368 --a------ C:\windows_e51.exe
2006-11-07 18:35 24,576 --a------ C:\mc44a51.exe
2006-11-06 11:57 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-06 00:01 28,672 --a------ C:\mc44a49.exe
2006-11-04 00:01 28,672 --a------ C:\mc44a47.exe
2006-11-03 21:45 100,028 --a------ C:\autoexes.exe
2006-11-03 00:01 28,672 --a------ C:\mc44a46.exe
2006-11-02 00:03 143,360 --a------ C:\yz02.exe
2006-11-02 00:03 110,592 --a------ C:\WINDOWS\v1201.exe
2006-11-02 00:00 24,576 --a------ C:\mc44a45.exe
2006-11-01 00:01 24,576 --a------ C:\mc44a44.exe
2006-10-31 00:02 24,576 --a------ C:\mc44a43.exe
2006-10-30 00:04 24,576 --a------ C:\mc44a42.exe
2006-10-28 15:12 24,576 --a------ C:\mc44a41.exe
2006-10-27 06:03 16,384 --a------ C:\mc44a38.exe
2006-10-23 23:05 16,384 --a------ C:\mc44a35.exe
2006-10-22 20:51 20,480 --a------ C:\mc44a34.exe
2006-10-18 23:02 24,576 --a------ C:\mc44a3.exe
2006-10-17 23:01 24,576 --a------ C:\mc44a2.exe
2006-10-16 04:37 50,912 --a------ C:\WINDOWS\iconu.exe
2006-10-16 02:19 24,296 --a------ C:\WINDOWS\icont.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-14 18:20 -------- d-------- C:\Program Files\Common Files
2006-11-14 18:09 -------- d-------- C:\Program Files\CONEXANT
2006-11-14 17:42 -------- d-------- C:\Documents and Settings\Susanna Koskinen\Application Data\Starware
2006-11-08 20:10 -------- d-------- C:\Program Files\Error Safe Free
2006-11-06 11:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-05 03:40 -------- d-------- C:\Program Files\Windows NT
2006-11-02 00:03 517 --a------ C:\Program Files\Common Files\niwy
2006-10-23 01:22 -------- d-------- C:\Program Files\DeluxeCommunications
2006-10-13 23:01 96768 --------- C:\WINDOWS\system32\dxclib303562752.dll
2006-10-13 23:00 32768 --a------ C:\DXC9.exe
2006-10-12 15:35 69165 --a------ C:\pp4ico.exe
2006-10-08 08:04 1233 --a------ C:\WINDOWS\system32\zrx20540.sys
2006-10-05 13:32 -------- d-------- C:\Program Files\MSN Messenger
2006-10-01 18:34 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 18:30 -------- d-------- C:\Program Files\ArcSoft
2006-10-01 18:28 -------- d-------- C:\Program Files\Morgan
2006-10-01 18:26 -------- d-------- C:\Program Files\Yahoo!
2006-10-01 18:11 176640 --a------ C:\WINDOWS\system32\Yinstall.exe
2006-10-01 18:11 138862 --a------ C:\WINDOWS\system32\mny.exe
2006-10-01 18:10 20480 --a------ C:\WINDOWS\system32\a.exe
2006-09-30 12:41 61952 --a------ C:\WINDOWS\system32\zrx20540.dll
2006-09-24 20:37 -------- d-------- C:\Program Files\Java
2006-09-20 19:42 -------- d---s---- C:\Documents and Settings\Susanna Koskinen\Application Data\Microsoft
2006-09-13 07:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 17:49 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 15:00 11749 --------- C:\WINDOWS\_000007_.tmp.dll
2006-08-21 14:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 13:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"MS"="adwareremover.exe"
"third 4"="C:\\DOCUME~1\\SUSANN~1\\APPLIC~1\\SAVEBI~1\\proxy sect.exe"
"JewelQuestSetup.exe"="C:\\DOCUME~1\\SUSANN~1\\TYPYT~1\\JEWELQ~1.EXE /r"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\11.bin\\mwsoemon.exe"
"Error Safe"="\"C:\\Program Files\\Error Safe Free\\ers.exe\" /min"
"srshost.exe"="C:\\WINDOWS\\system32\\srshost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"MS"="adwareremover.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"Wizard"=hex(2):00
"SoundMan"="SOUNDMAN.EXE"
"MPTBox"="C:\\PROGRA~1\\Canon\\MULTIP~1\\MPTBox.exe"
"Cryptographic Service"="C:\\WINDOWS\\System32\\tcnoki.exe"
"F-Secure Manager"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"SearchUpgrader"="C:\\Program Files\\Common files\\SearchUpgrader\\SearchUpgrader.exe"
"F-Secure Startup Wizard"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\FSSW.EXE\" /reboot"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"MS"="adwareremover.exe"
"FireWire Service"="nvscv32.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\11.bin\\mwsoemon.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"News Service"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\ispnews.exe\""
"VVSN"="C:\\Program Files\\VVSN\\VVSN.exe"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"My Web Search Bar"="rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\11.bin\\MWSBAR.DLL,S"
"piletrustpinglite"="C:\\Documents and Settings\\All Users\\Application Data\\MFCD PLUS PILE TRUST\\Show log.exe"
"ExtraFilmHemmaAgent"="\"C:\\Program Files\\ExtraFilm Kotona\\Agent.exe\""
"zrx20540"="RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3"
"Error Safe"="C:\\Program Files\\Error Safe Free\\ers.exe /scan"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"windows"="c:\\\\windows_e57.exe"
"Microsoft Windows System"="syshost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MS"="adwareremover.exe"
"FireWire Service"="nvscv32.exe"
"Microsoft Windows System"="syshost.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\qufyturu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\CONEXANT\\nico.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvCplScan"="nvsc32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"NvCplScan"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NvCplScan"="nvsc32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"NvCplScan"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A747984B9188134B.job
C:\WINDOWS\tasks\Scheduled scanning task.job

Completion time: 06-11-14 18:21:48.75
C:\ComboFix.txt ... 06-11-14 18:21

Marku2 · 14.11.2006

Lähetä uusi HjT-loki, jotta voin antaa puhdistus ohjeet

chili80 · 14.11.2006

fiksasin noi fixerin antamat rivit ja nyt hjt-logi on tällainen:

Logfile of HijackThis v1.99.1
Scan saved at 20:36:52, on 14.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\windows_e57.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\dollarrev.exe
c:\nwnmff_e57.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
c:\degoqatr.exe
C:\WINDOWS\system32\msasvc.exe
c:\windows\lsass.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Susanna Koskinen\Työpöytä\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.fi/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...c+7PwO2sgoLrWkCQ+5a+nNfi1BdrHLpSV3CD9UsG2Ig==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=...ywIPILyCPq9Nxc18sKUHTQp/KDnn0wgA+HKxlX3Nblrs=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: MSN Search -työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [zrx20540] RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [System] c:\windows\lsass.exe
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WINCBR.0XE
O4 - Global Startup: Windows-työpöytähaku.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fi-fi\bin\WindowsSearch.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\fi-fi\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/230?72fb726351314e3484dec34d5e5459a2
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\fi-fi\msntabres.dll/229?72fb726351314e3484dec34d5e5459a2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SMS-viesti - {16CAD19D-3F2B-4756-AEC2-57720F888E58} - http://sms.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Palvelut - {5E4AAEE1-7CF1-4730-BDDA-1065E3C80EAB} - http://service.kolumbus.fi/ (file missing) (HKCU)
O9 - Extra button: Tuki - {CDD5EE68-F9D9-49BE-B94B-5FA9267CCC59} - http://tuki.elisa.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s...ownload/2006/cabs/ErrorSafeFreeInstall_fi.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Client - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

chili80 · 14.11.2006

fixeri sanoi:

Vikasietotilassa piilotiedostot näkyviin ja poista nuo kansiot:

C:\Program Files\---->Deskbar<----
C:\Program Files\---->DeluxeCommunications<----
C:\WINDOWS\---->DOWNLO~1<----
C:\Program Files\---->MyWebSearch<----
C:\Program Files\---->MyGlobalSearch<----
C:\Program Files\---->TheSearchAccelerator<----

Poista lisää/poista sovelluksesta Error safe.

Hmm.. joskus oon jotai joutunu tekemään vikasietotilassa, mutta en nyt muista miten sinne pääsee..? kertoisko joku? ja miten saan piilotiedostot näkyviin? oon ihan pihalla

Laajenna...

Marku2 · 14.11.2006

Jatka tämän ohjeen mukaan:

Lataa
SDFix by AndyManchesta ja tallenna se työpöydällesi.

Käynnistä koneesi vikasietotilaan ja valitse tavallinen käyttäjätilisi:

Käynnistä tietokone

Kun kuulet koneen piippaavan, paina F8, kuitenkin ennen Windowsin logon esiintuloa

Seuraavaksi pitäisi ilmestyä valikko

Valitse valikosta vikasietotila.

Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio) työpöydällesi. Työpöydälle pitäisi ilmestyä kansio nimeltä SDFix.

Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman.

Paina Y käynnistääksesi skriptin.

Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, "Press any key to Reboot".

Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen.

Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta.

Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, "Finished".

Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle.

Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis lokin kera.

Fixaa HjT:llä (Do a system scan only, merkkaa ja paina fix checked)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1I...pSV3CD9UsG2Ig==
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1I...gA+HKxlX3Nblrs=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [zrx20540] RUNDLL32.EXE w5c041d3.dll,n 0052053b0000000a5c041d3
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [MS] adwareremover.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [System] c:\windows\lsass.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/...eInstall_fi.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg\command.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

1. Lataa The Avenger (c) työpöydällesi.

Klikkaa Avenger.zip filua avataksesi sen.

Pura Avenger.exe työpöydällesi.

2. Kopioi kaikki teksti mustalla lainausboksissa alapuolella tyhjälle muistiolle:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\system32\dxclib303562752.dll
C:\WINDOWS\system32\durvilx.dll
C:\windows\lsass.exe
C:\WINDOWS\system32\msasvc.exe
C:\windows_e57.exe
C:\dollarrev.exe
C:\nwnmff_e57.exe
C:\degoqatr.exe

Folders to delete:
C:\Program Files\DeluxeCommunications
C:\Program Files\Starware
C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg
C:\Program Files\Network Monitor
C:\Program Files\Deskbar
C:\Program Files\MyWebSearch
C:\Program Files\MyGlobalSearch
C:\Program Files\TheSearchAccelerator
Laajenna...

Huomaa: yläpuolella oleva skripti on luotu erityisesti tälle käyttäjälle. Jos et ole tämä henkilö, ÄLÄ seuraa näitä ohjeita koska ne voisivat pilata koneesi toimintoja.

3. Nyt, aukaise The Avenger tupla-klikkaamalla sen kuvaketta pöydälläsi.

"Script file to execute" alapuolelta valitse "Input Script Manually".

Nyt klikkaa suurennuslasin kuvaa joka avaa uuden ikkunan nimeltä "View/edit script".

Liitä se teksti jonka kopioit muistioon, tähän ikkunaan.

Klikkaa Done.

Nyt klikkaa vihreää valoa aloittaaksesi skriptin.

Klikkaa "Yes" kun tulee kaksi varoitusboksia.

Avenger tekee automaattisesti seuraavat:

Käynnistää koneesi. (Tapauksissa joissa skripti sisältää "Drivers to Unload" -komennon, Avenger käynnistää koneesi kaksi kertaa.)

Käynnistyksen yhteydessä, se lyhyesti avaa mustan komentoikkunan työpöydällesi, tämä on normaalia.

Käynnistyksen jälkeen, se luo lokitiedoston jonka pitäisi aueta Avengerin tekojen tuloksena. Tämän lokin tiedostopolku on C:\avenger.txt

Avenger on myös tehnyt varmuuskopion kaikista tiedostoista jne.. jotka pyysit sen poistaa, ja on pakannut ja siirtänyt ne zip filuihin polussa C:\avenger\backup.zip.

5. Kopioi ja liitä kaikki sisältö tiedostosta avenger.txt vastaukseesi tuoreen HJT lokin mukana.

Hae AVG Anti-Spyware -> http://aaxxeell.googlepages.com/ewido4
Päivitä, Scannaa, Poista löydöt ja tallenna raportti.

Lähetä uusi HjT-loki, Report.txt, C:\avenger.txt ja AVG:n raportti.

chili80 · 14.11.2006

Ehtisin jo tulla siskon luota kotiin, mutta menen huomenna tekemään noitten ohjeitten mukaan. Huomasin juuri, että välissä oli kemistiltäkin tullut joitakin ohjeita. Noudatanko niitä sitten ensin vai vaan viimeisiä ohjeita? Onpas tää nyt hankalaa.

esakom · 14.11.2006

No itse kyllä ainakin kokeilisin sitä recovery-cd:tä... (Varmuuskopiothan on otettu?)

chili80 · 14.11.2006

Miksi sitä nyt enää kokeilisin, kun jo on jotain tehty ja en tie, mut ainaki kone nyt paljon vakaampi kuin ennen. Luotan, että muutki pöpöt lähtee pois.

Niin en ymmärrä tota f-securea, kun sen uusimmat päivitykset on tullu tänään, mutta sit ei kuitenkaa mukamas toimi?

fixeri · 14.11.2006

Ei kannata enää ruveta formatoimaan konetta kun on alkuun päästy noiden örkkien poistamisessa.
Seuraa vaan nyt tuota Marku2 ohjetta, ja lisää ohjeita tulee, kyllä nuo pöpöt pois saadaan tuolta.

esakom · 15.11.2006

chili80 sanoi:

Miksi sitä nyt enää kokeilisin, kun jo on jotain tehty ja en tie, mut ainaki kone nyt paljon vakaampi kuin ennen. Luotan, että muutki pöpöt lähtee pois.
Laajenna...

No hyvä että alkaa auttaa, joo ei sitä formattia enää kannata, kun on jo ties miten monta tuntia tuohon uhrattu... Itse olen joskus vastaaviin puhdistusoperaatioihin joutunut, ja todennut että täysi tyhjennys ja ohjelmien uusiksi asennus on vienyt vähemmän aikaa (pari tuntia) kuin winukan pöpö-siivous (pahimmillaan pari päivää)

chili80 sanoi:

Niin en ymmärrä tota f-securea, kun sen uusimmat päivitykset on tullu tänään, mutta sit ei kuitenkaa mukamas toimi?
Laajenna...

Tuohonkin on aiemmin törmätty... F-Securessa f tarkoittaa "fucked up".

Suosittelen kokeilemaan vaikka AVG:tä: http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5

Niin ja palomuuriksi sitten vaikka zone-alarm...

-kemisti- · 15.11.2006

@esakom: Koneen putsaus harvemmin vie paria päivää, jos tunnistaa infektiot, jotka vaativat erikoisfixiä... Muutamassa tunnissa onnistuu, jollei nyt satu olemaan joitain v***umaisia rootkittejä mukana.

chili80 · 15.11.2006

tässä on sdfixin raportti, (Avengerin raportti hävisi kokonaan, kun jouduin käynnistämään koneen uudelleen ja en älynnyt tallentaa sitä. Löytyisköhän jostakin?) Skannaan juuri avg:llä konetta. on kestänyt jo tunnin. laitan kohta sen tulokset ja uuden hjt-login.

SDFix: Version 1.38
-------------------

Scan run on:
ke 15.11.2006

Time:
11:05

Microsoft Windows XP [versio 5.1.2600]

Running from: C:\Documents and Settings\Susanna Koskinen\Ty”p”yt„\SDFix\SDFix

Stage One...

Checking Services...

Name:
-----
MsaSvc

Path:
----
C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Repairing Registry...

Killing PID 272 'lsass.exe'
Killing PID 272 'lsass.exe'

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\FASTBOOT.EXE
C:\MC44A2.EXE
C:\MC44A3.EXE
C:\MC44A34.EXE
C:\MC44A35.EXE
C:\MC44A38.EXE
C:\MC44A41.EXE
C:\MC44A42.EXE
C:\MC44A43.EXE
C:\MC44A44.EXE
C:\MC44A45.EXE
C:\MC44A46.EXE
C:\MC44A47.EXE
C:\MC44A49.EXE
C:\MC44A51.EXE
C:\MC44A52.EXE
C:\MC44A53.EXE
C:\MC44A54.EXE
C:\MC44A56.EXE
C:\MC44A57.EXE
C:\WINDOWS\TEMP\STDRUN1.EXE
C:\WINDOWS\TEMP\STDRUN2.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\STDRUN1.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN1.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN2.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN3.EXE
C:\WINDOWS\Prefetch\DRSMARTLOAD.EXE-113D05CC.pf
C:\uniq
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\durvil1.dll
C:\WINDOWS\system32\durvil1.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\srshostu.exe
C:\WINDOWS\system32\syshost.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------

Files:
------

Any files removed are saved to the SDFix\backups Folder

FINISHED

chili80 · 15.11.2006

oisko tää se avengerin raportti? (avg skannaa edelleen.. jo yli 1,5h mennyt... kestää!)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nonqhbbd

*******************

Script file located at: \??\C:\WINDOWS\system32\ddkysdtm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\dxclib303562752.dll deleted successfully.

File C:\WINDOWS\system32\durvilx.dll not found!
Deletion of file C:\WINDOWS\system32\durvilx.dll failed!

Could not process line:
C:\WINDOWS\system32\durvilx.dll
Status: 0xc0000034

File C:\windows\lsass.exe not found!
Deletion of file C:\windows\lsass.exe failed!

Could not process line:
C:\windows\lsass.exe
Status: 0xc0000034

File C:\WINDOWS\system32\msasvc.exe not found!
Deletion of file C:\WINDOWS\system32\msasvc.exe failed!

Could not process line:
C:\WINDOWS\system32\msasvc.exe
Status: 0xc0000034

File C:\windows_e57.exe deleted successfully.
File C:\dollarrev.exe deleted successfully.
File C:\nwnmff_e57.exe deleted successfully.
File C:\degoqatr.exe deleted successfully.
Folder C:\Program Files\DeluxeCommunications deleted successfully.
Folder C:\Program Files\Starware deleted successfully.
Folder C:\WINDOWS\U3VzYW5uYSBLb3NraW5lbg deleted successfully.
Folder C:\Program Files\Network Monitor deleted successfully.

Folder C:\Program Files\Deskbar not found!
Deletion of folder C:\Program Files\Deskbar failed!

Could not process line:
C:\Program Files\Deskbar
Status: 0xc0000034

Folder C:\Program Files\MyWebSearch deleted successfully.
Folder C:\Program Files\MyGlobalSearch deleted successfully.

Folder C:\Program Files\TheSearchAccelerator not found!
Deletion of folder C:\Program Files\TheSearchAccelerator failed!

Could not process line:
C:\Program Files\TheSearchAccelerator
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Kirjaudu tai liity jäseneksi

F-securen mukaan koneessa yli 8000 virusta. Auttaisko joku?

janne59 Active member

chili80 Member

Marku2 Regular member

chili80 Member

LoBer Regular member

fixeri Regular member

-kemisti- Active member

chili80 Member

Marku2 Regular member

chili80 Member

chili80 Member

Marku2 Regular member

chili80 Member

esakom Regular member

chili80 Member

fixeri Regular member

esakom Regular member

-kemisti- Active member

chili80 Member

chili80 Member

Jaa tämä sivu

Kirjaudu tai liity jäseneksi

F-securen mukaan koneessa yli 8000 virusta. Auttaisko joku?

janne59 Active member

chili80 Member

Marku2 Regular member

chili80 Member

LoBer Regular member

fixeri Regular member

-kemisti- Active member

chili80 Member

Marku2 Regular member

chili80 Member

chili80 Member

Marku2 Regular member

chili80 Member

esakom Regular member

chili80 Member

fixeri Regular member

esakom Regular member

-kemisti- Active member

chili80 Member

chili80 Member

Jaa tämä sivu

Hyödyllisiä hakuja