HJT log

Thread in the Viruses and malware section. Thread started by Disa- on 06.11.2005.

  1. Disa-

    Logfile of HijackThis v1.99.1
    Scan saved at 13:14:02, on 6.11.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    c:\windows\system32\cqgrqtc.exe
    C:\WINDOWS\System32\sdij.exe
    C:\WINDOWS\System32\hqfo.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
    C:\WINDOWS\system32\steat1a2.exe
    C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\AceGain\LiveUpdate\aceagent.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\mIRC\mirc.exe
    C:\program files\internet explorer\iexplore.exe
    C:\program files\internet explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll
    O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
    O2 - BHO: (no name) - {9A66BEDC-00C2-4678-AF87-BE09C83FD93C} - C:\Program Files\cdmweb\lmpbgaxrlq.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
    O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sdij.exe
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
    O4 - HKLM\..\Run: [Adware Remover] C:\WINDOWS\System32\hqfo.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
    O4 - HKLM\..\Run: [steat1a2] C:\WINDOWS\system32\steat1a2.exe
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [wrijsrn] c:\windows\system32\cqgrqtc.exe r
    O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117903901953
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus -ohjelman automaattinen suojaus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  3. -kemisti-

    Get ewido -> http://www.ewido.net/en/download
    Update ewido, but don't scan yet.

    Download CleanUp
    http://www.stevengould.org/software/cleanup/download.html
    and install it; we'll use it later.

    Get nailfix -> http://www.noidea.us/easyfile/file.php?download=20050515010747824
    Extract it to the desktop, but don't run it yet.

    Download
    APT -> http://www.diamondcs.com.au/index.php?page=apt
    extract the zip into its own folder on the desktop,
    open that folder and double-click apt.exe,
    and in the APT window look for c:\windows\system32\cqgrqtc.exe

    Show hidden files -> http://keskustelu.afterdawn.com/thread_view.cfm/248944, go to C:\Windows\system32
    and find c:\windows\system32\cqgrqtc.exe
    Don't do anything to it yet, but leave the folder open so you can find it quickly and easily in a moment.

    Go back to APT, select c:\windows\system32\cqgrqtc.exe
    and click the KILL 3 button.

    Then immediately delete that -> c:\windows\system32\cqgrqtc.exe
    from the system32 folder.

    Uninstall via Add/Remove Programs:

    2Search
    Zango

    Boot the machine into Safe Mode (F8 during startup).

    Run nailfix.

    Scan with ewido,
    let it remove whatever it finds,
    and save the report.

    Open HijackThis, click "Do a system scan only", tick the following entries and click "Fix checked":

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll
    O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
    O2 - BHO: (no name) - {9A66BEDC-00C2-4678-AF87-BE09C83FD93C} - C:\Program Files\cdmweb\lmpbgaxrlq.dll
    O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
    O4 - HKLM\..\Run: [Windows_Protect] winsystem.exe
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sdij.exe
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
    O4 - HKLM\..\Run: [Adware Remover] C:\WINDOWS\System32\hqfo.exe
    O4 - HKLM\..\Run: [steat1a2] C:\WINDOWS\system32\steat1a2.exe
    O4 - HKLM\..\Run: [wrijsrn] c:\windows\system32\cqgrqtc.exe r
    O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe
    O4 - HKCU\..\Run: [Windows_Protect] winsystem.exe
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
    O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Then Start -> Run -> services.msc -> OK -> find System Startup Service (SvcProc) in the list ->
    double-click it -> set the startup type to "Disabled".

    Run
    CleanUp

    * click the Options button
    * move the slider to Custom CleanUp!
    * tick the following:
    o Delete Cookies
    o Empty Recycle Bins
    o Delete Prefetch files
    o Cleanup! All Users

    * click OK
    * then click the CleanUp button. It takes a while; let it do its job.
    * when it asks to restart, answer No
    * close CleanUp

    Boot back into normal mode and post the ewido report and a new HJT log.
     
    Last edited: 06.11.2005
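As an added example (not from the thread and not part of HijackThis, APT or any other tool named above): a small Python triage helper that parses the HijackThis log format shown in the first post and cross-checks the helper's "fix checked" list against the "Running processes" block. It reports which flagged executables are live, and so have to be terminated before their files can be deleted (the reason for the APT KILL step), and what the system.ini Shell= line runs besides Explorer.exe. The function names are my own; the sample log is an excerpt of the one posted above.

```python
import re

# Excerpt of the HijackThis log posted above, embedded as offline sample input
# (real log format; the lines are copied from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.exe
c:\windows\system32\cqgrqtc.exe
C:\WINDOWS\System32\sdij.exe
C:\Program Files\Winamp\winampa.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sdij.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [wrijsrn] c:\windows\system32\cqgrqtc.exe r
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe
"""
# Entries from the helper's "fix checked" list (the benign WinampAgent line is not in it).
FIX_LIST = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\sdij.exe",
    r"O4 - HKLM\..\Run: [wrijsrn] c:\windows\system32\cqgrqtc.exe r",
    r"O4 - HKLM\..\RunServices: [Windows_Protect] winsystem.exe",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
]
EXE_RE = re.compile(r'([^\\\s"]+\.exe)\b', re.IGNORECASE)  # final path component ending in .exe

def parse_log(text):
    """Return (running process paths, keyed entry lines such as 'O4 - ...')."""
    _, _, tail = text.partition("Running processes:")
    procs, _, rest = tail.strip().partition("\n\n")      # a blank line ends the process block
    entries = [l.strip() for l in rest.splitlines() if re.match(r"^[RFO]\d+ - ", l)]
    return [p.strip() for p in procs.splitlines()], entries

def exe_names(line):
    """Lower-cased .exe basenames a line points at. For a Shell= hijack the default
    Explorer.exe is skipped so only the executable appended after it counts."""
    return {n.lower() for n in EXE_RE.findall(line.split("Shell=Explorer.exe", 1)[-1])}

def running_fix_targets(log_text, fix_lines):
    """Fix-list executables that are also live processes: these must be terminated
    (the helper uses APT's KILL for that) before their files can be deleted."""
    processes, _ = parse_log(log_text)
    live = set().union(*map(exe_names, processes))
    wanted = set().union(*map(exe_names, fix_lines))
    return sorted(live & wanted)

def shell_hijack(log_text):
    """Whatever the system.ini Shell= value runs in addition to Explorer.exe."""
    _, entries = parse_log(log_text)
    return [e.split("Shell=Explorer.exe", 1)[1].strip() for e in entries if e.startswith("F2 ") and "Shell=Explorer.exe" in e]
```

Against the full log in the first post the same check also reports hqfo.exe and steat1a2.exe as live, while winsystem.exe and svcproc.exe appear only as autorun or service entries and can be handled through the Fix checked and services.msc steps.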
