Pöpöhyökkäys! Hjt-logi mukana

Viestiketju Virukset ja haittaohjelmat -osiossa. Ketjun avasi dm7280 09.01.2006.

  1. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    No niin, vaikka Spybot, Microsoft Antispyware ja Ad-Aware pörräävät, ja taustatukea tulee ainakin Dr. Webiltä ja Kasperskylta, on )%%&¤:n popupit aloittaneet kunnon rintamahyökkäyksen Explorerin kautta. Osaatteko auttaa? Tässä on HijackThis -logi:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    D:\FSecure\Common\FSM32.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\QuickTime\qttask.exe
    d:\FSecure\Common\FSMA32.EXE
    d:\FSecure\Common\FSMB32.EXE
    C:\Program Files\Network Monitor\netmon.exe
    d:\FSecure\Common\FCH32.EXE
    d:\FSecure\Common\FAMEH32.EXE
    E:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\System32\svchost.exe
    d:\FSecure\Common\FSGK32.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\My Downloads\Phone\Skype.exe
    C:\WINDOWS\system32\mapiicon.exe
    C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    D:\Jukka\program files\Picture Package Applications\Residence.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    d:\FSecure\Common\FNRB32.EXE
    C:\WINDOWS\system32\wscntfy.exe
    d:\FSecure\Common\FIH32.EXE
    d:\FSecure\Anti-Virus\fsav32.exe
    C:\Program Files\Labtec Wireless Desktop\OSD.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Jukka\eMule\emule.exe
    C:\Documents and Settings\Jukka\Desktop\drweb-cureit.exe
    C:\DOCUME~1\Jukka\LOCALS~1\Temp\RarSFX0\drw_start.exe
    C:\DOCUME~1\Jukka\LOCALS~1\Temp\RarSFX0\drweb32w.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    D:\Jukka\program files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [F-Secure Manager] "d:\FSecure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DVDTray] E:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] E:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "D:\My Downloads\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2C657869-6874-4732-8A10-64CF729B42F6} (ICONICS LoginActiveX) - http://varmdomarknad.dyndns.org/webhmi/cabs/gwxview32.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130785743132
    O16 - DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} (VersionInfo Class) - http://varmdomarknad.dyndns.org/webhmi/cabs/GenVersion.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE73DD35-9525-479D-B09A-0DECC6F9171F}: NameServer = 192.168.0.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\o4pq0e75eh.dll
    O23 - Service: FS BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\FSecure\BackWeb\7681197\PROGRAM\SERVIC~1.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\FSecure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\FSecure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\FSecure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\FSecure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
     
  2.  
  3. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Tuolla nyt ainakin näkyy osia Look2Me "örkistä". Varmistutaanpa siitä ensin, eli tee näin:

    Hae täältä -> http://www.atribune.org/downloads/l2mfix.exe l2mfix ja tallenna työpöydälle. Tuplaklikkaa sitä ja klikkaa install. Avaa l2mfix -kansio työpöydältä ja tuplaklikkaa l2mfix.bat ja valitse #1 painamalla 1 ja enter(ÄLÄ tee vielä mitään muuta!!). Kopioi se loki ja lähetä tänne.
     
  4. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    Oolrait, tässäpä on k.o logi.

    L2MFIX find log 010406
    These are the registry keys present
    *****************************************************************************

    *****
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,

    \
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\ir40l5hm1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    *****************************************************************************

    *****
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\User Agent\Post Platform]
    "{DC12555F-7962-A8A8-B4DF-9A53533FBC27}"=""

    *****************************************************************************

    *****
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell

    Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft

    Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file

    compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script

    Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete

    List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete

    List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete

    List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler

    (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right

    Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo

    Target"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box

    Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit

    Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist

    Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar

    Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time

    Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property

    Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as

    Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD

    Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to

    Playlist Context Menu Handler"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon

    Handler"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet

    Extension"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne

    Player"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
    "{51550900-DCAC-11d4-AA0F-0080C87C465B}"="WayTech MultiMouse"
    @="CorelDRAW Shell Extension Component"
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
    "{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}"=""
    "{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}"=""
    "{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}"=""

    *****************************************************************************

    *****
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}]

    [HKEY_CLASSES_ROOT\CLSID\{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}\InprocServer3

    2]

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}\Implemented

    Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}\Implemented

    Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}\InprocServer3

    2]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}\Implemented

    Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}\Implemented

    Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}\InprocServer3

    2]
    @="C:\\WINDOWS\\system32\\lwexpand.dll"
    "ThreadingModel"="Apartment"

    *****************************************************************************

    *****
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    gccoll~1.dll Tue 15 Nov 2005 12.12.08 A.... 126 680 123,71 K
    gcunco~1.dll Tue 15 Nov 2005 12.12.06 A.... 95 448 93,21 K
    hashlib.dll Tue 15 Nov 2005 12.12.08 A.... 117 976 115,21 K
    hgakheg.dll Fri 2 Dec 2005 20.43.22 A.... 5 784 5,65 K
    ibdskksl.dll Fri 2 Dec 2005 20.30.46 A.... 2 640 2,58 K
    ir40l5~1.dll Mon 9 Jan 2006 20.38.04 ..S.R 234 535 229,04 K
    lvns09~1.dll Tue 10 Jan 2006 0.59.22 ..S.R 236 020 230,49 K
    lwexpand.dll Tue 10 Jan 2006 8.02.10 ..S.R 234 535 229,04 K
    msctl32.dll Mon 9 Jan 2006 15.12.24 A.... 67 584 66,00 K
    ohbkuyhv.dll Fri 2 Dec 2005 20.43.24 A.... 15 217 14,86 K
    sirenacm.dll Thu 13 Oct 2005 0.11.06 A.... 118 784 116,00 K

    11 items found: 11 files (3 H/S), 0 directories.
    Total of file sizes: 1 255 203 bytes 1,20 M
    Locate .tmp files:

    C:\WINDOWS\SYSTEM32\
    guard.tmp Tue 10 Jan 2006 8.02.16 ..S.R 235 880 230,35 K
    ren2.tmp Tue 1 Nov 2005 10.51.58 A.... 0 0,00 K
    ren3.tmp Tue 1 Nov 2005 10.51.58 A.... 0 0,00 K
    ren4.tmp Tue 1 Nov 2005 10.51.58 A.... 0 0,00 K

    4 items found: 4 files (1 H/S), 0 directories.
    Total of file sizes: 235 880 bytes 230,35 K
    *****************************************************************************

    *****
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 884B-0701

    Directory of C:\WINDOWS\System32

    01/10/2006 08:02 235ÿ880 guard.tmp
    01/10/2006 08:02 234ÿ535 lwexpand.dll
    01/10/2006 00:59 236ÿ020 lvns0957e.dll
    01/09/2006 20:38 234ÿ535 ir40l5hm1.dll
    12/09/2005 10:46 <DIR> dllcache
    10/13/2005 15:57 4ÿ182 KGyGaAvL.sys
    10/13/2005 15:57 56 10CF5799F4.sys
    06/08/2004 01:46 <DIR> Microsoft
    6 File(s) 945ÿ208 bytes
    2 Dir(s) 3ÿ364ÿ741ÿ120 bytes free
     
  5. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Juu, eli kyllä tuo taisi L2M olla....

    Sulje ensin kaikki ohjelmat, koska kone käynnistyy uudelleen.

    Avaa l2mfix-kansio työpöydältä, tuplaklikkaa l2mfix.bat ja valitse valinta #2 (Run Fix) painamalla 2 ja enter , paina sitten mitä tahansa näppäintä, jolloin kone käynnistyy uudelleen. Käynnistyksen jälkeen työpöytä ja kuvakkeet häipyvät hetkeksi näkyvistä,se on normaalia. L2mfix jatkaa scannia ja kun se on valmis, loki avautuu muistioon. Kopioi se ja liitä tänne uuden hijackthis-lokin kanssa.

    Jos käynnistyksen jälkeen kuvakkeet eivät häviä tai loki ei avaudu muistioon, tuplaklikkaa l2mfix-kansiossa olevaa second.bat, jotta fixi jatkuu.
     
  6. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    No niin. Ennen kuin postaan nuo logit, pikku updeitti tilanteeseen. Nuo typerät popupit ovat nyt hävinneet minun puoleltani, mutta ovat ilmaantuneet isäni käyttäjäpuolelle.(!)

    --->Elikkä L2M -logi:

    L2mfix 010406
    Creating Account.
    The command completed successfully.

    Adding Administrative privleges.
    The command completed successfully.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINDOWS\system32

    Killing Processes!

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 588 'smss.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 664 'winlogon.exe'
    Killing PID 664 'winlogon.exe'
    Killing PID 664 'winlogon.exe'
    Killing PID 664 'winlogon.exe'
    Killing PID 960 'winlogon.exe'
    Killing PID 960 'winlogon.exe'
    Killing PID 960 'winlogon.exe'
    Killing PID 960 'winlogon.exe'
    Killing PID 960 'winlogon.exe'
    Killing PID 960 'winlogon.exe'
    Killing PID 960 'winlogon.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1736 'explorer.exe'
    Killing PID 1736 'explorer.exe'
    Killing PID 1736 'explorer.exe'
    Killing PID 1736 'explorer.exe'
    Killing PID 1736 'explorer.exe'
    Killing PID 712 'explorer.exe'
    Killing PID 712 'explorer.exe'
    Killing PID 712 'explorer.exe'
    Killing PID 712 'explorer.exe'
    Killing PID 712 'explorer.exe'
    Killing PID 712 'explorer.exe'
    Killing PID 712 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1492 'rundll32.exe'
    Killing PID 1492 'rundll32.exe'
    Killing PID 1604 'rundll32.exe'
    Killing PID 1604 'rundll32.exe'
    Killing PID 2400 'rundll32.exe'
    Killing PID 2400 'rundll32.exe'
    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    0 file(s) copied.
    0 file(s) copied.
    0 file(s) copied.
    0 file(s) copied.
    Deleting: C:\WINDOWS\system32\ir40l5hm1.dll
    Successfully Deleted: C:\WINDOWS\system32\ir40l5hm1.dll
    Deleting: C:\WINDOWS\system32\lvns0957e.dll
    Successfully Deleted: C:\WINDOWS\system32\lvns0957e.dll
    Deleting: C:\WINDOWS\system32\lwexpand.dll
    Successfully Deleted: C:\WINDOWS\system32\lwexpand.dll
    Deleting: C:\WINDOWS\system32\guard.tmp
    Successfully Deleted: C:\WINDOWS\system32\guard.tmp

    msg11?.dll
    0 file(s) copied.



    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,

    \
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\ir40l5hm1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,

    \
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

    NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\ir40l5hm1.dll
    C:\WINDOWS\system32\lvns0957e.dll
    C:\WINDOWS\system32\lwexpand.dll
    C:\WINDOWS\system32\guard.tmp

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg

    folder.
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}]

    [HKEY_CLASSES_ROOT\CLSID\{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}\InprocServer3

    2]

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}\Implemented

    Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}\Implemented

    Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}\InprocServer3

    2]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}\Implemented

    Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}\Implemented

    Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}\InprocServer3

    2]
    @="C:\\WINDOWS\\system32\\lwexpand.dll"
    "ThreadingModel"="Apartment"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell

    Extensions\Approved]
    "{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}"=-
    "{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}"=-
    "{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64}]
    [-HKEY_CLASSES_ROOT\CLSID\{D60D18AB-CBA9-4BFD-9C4B-6344A3A34715}]
    [-HKEY_CLASSES_ROOT\CLSID\{A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

    Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************

    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    adding: backregs/3B7AEBB3-BE01-4B6A-93EA-ED0B235B9F64.reg (212 bytes

    security) (deflated 55%)
    adding: backregs/A3DCB4B1-B6D7-4B84-8252-C83BD65AC35C.reg (212 bytes

    security) (deflated 70%)
    adding: backregs/D60D18AB-CBA9-4BFD-9C4B-6344A3A34715.reg (212 bytes

    security) (deflated 70%)
    adding: backregs/notibac.reg (140 bytes security) (deflated 87%)


    --->Ja sitten HJT -logi:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:56:12, on 1/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    D:\FSecure\Common\FSM32.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\QuickTime\qttask.exe
    d:\FSecure\Common\FSMA32.EXE
    d:\FSecure\Common\FSMB32.EXE
    C:\Program Files\Network Monitor\netmon.exe
    E:\Program Files\HP DVD\Umbrella\DVDTray.exe
    d:\FSecure\Common\FCH32.EXE
    d:\FSecure\Common\FAMEH32.EXE
    d:\FSecure\Common\FSGK32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\My Downloads\Phone\Skype.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\mapiicon.exe
    C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    d:\FSecure\Common\FNRB32.EXE
    C:\WINDOWS\system32\wscntfy.exe
    D:\Jukka\program files\Picture Package Menu\SonyTray.exe
    d:\FSecure\Common\FIH32.EXE
    d:\FSecure\Anti-Virus\fsav32.exe
    D:\Jukka\program files\Picture Package Applications\Residence.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\Labtec Wireless Desktop\OSD.EXE
    C:\WINDOWS\System32\svchost.exe
    D:\Jukka\program files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [F-Secure Manager] "d:\FSecure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DVDTray] E:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] E:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "D:\My Downloads\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2C657869-6874-4732-8A10-64CF729B42F6} (ICONICS LoginActiveX) - http://varmdomarknad.dyndns.org/webhmi/cabs/gwxview32.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130785743132
    O16 - DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} (VersionInfo Class) - http://varmdomarknad.dyndns.org/webhmi/cabs/GenVersion.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE73DD35-9525-479D-B09A-0DECC6F9171F}: NameServer = 192.168.0.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ir40l5hm1.dll (file missing)
    O23 - Service: FS BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\FSecure\BackWeb\7681197\PROGRAM\SERVIC~1.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\FSecure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\FSecure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\FSecure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\FSecure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

     
  7. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Vai että sellainen tapaus.... Eihän siinä sitten muukaan auta, kuin putsata isäsi puoli samalla työkalulla, eli l2mfixillä.

    Mutta siivotaan nyt ensin tämä sinun puolesi =)

    Fixaa nämä HjT:lla

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ir40l5hm1.dll (file missing)

    Hae Ewido http://keskustelu.afterdawn.com/thread_view.cfm/269186
    Asenna ja päivitä, mutta älä skannaa vielä

    Laita piilotiedostot näkyviin, ohje ->
    http://keskustelu.afterdawn.com/thread_view.cfm/248944

    Käynnistä vikasietotilaan ( F8 käynnistyksen yhteydessä ), ja poista jos löytyy:

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\===>ibm00001.exe<========
    c:\===============================================>secure32.html<=======

    Skannaa Ewidolla vikasietotilassa, ja tallenna raportti.

    Laita uusi loki, ja Ewidon raportti
     
    Viimeksi muokattu: 10.01.2006
  8. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    Juupeli! Eipä ole enää popupeja! Ewidon skannaus jäi kesken (pitääpä jatkaa), mutta suoritin muut toimenpiteet ja sinne jäi örkit! Laitan vielä ao. logit näkyville kun ehdin, mutta sitäkin ennen tuhannet kiitokset!
    Enpä olisi yksin mitenkään päässyt niistä eroon.
     
  9. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Eipä mitään =) Laita tosiaan ne lokit, jotta saadaan varmistus asiasta. Tuo Ewidon ajo vikasietotilassa on muutenkin tärkeää, sillä tuo about:blank variantti, mikä tuolla näyttää olevan, ei lähde muuten. Eli teepä nuo kaikki toimenpiteet tosiaan ja postaa lokit niin tutkaillaan taas.
     
  10. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    No niin, skannaukset on tehty safe modessa.

    Tässä on Ewido:

    + Created on: 14:40:53, 1/11/2006
    + Report-Checksum: 48FCBE82

    + Scan result:

    C:\Documents and Settings\Jukka\Cookies\jukka@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Jukka\Cookies\jukka@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Jukka\Cookies\jukka@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Jukka\Cookies\jukka@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Jukka\Cookies\jukka@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Jukka\Cookies\jukka@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Jukka\Cookies\jukka@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


    ::Report End

    Ja tässä HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:41:54, on 1/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Jukka\program files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [F-Secure Manager] "d:\FSecure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DVDTray] E:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] E:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "D:\My Downloads\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2C657869-6874-4732-8A10-64CF729B42F6} (ICONICS LoginActiveX) - http://varmdomarknad.dyndns.org/webhmi/cabs/gwxview32.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130785743132
    O16 - DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} (VersionInfo Class) - http://varmdomarknad.dyndns.org/webhmi/cabs/GenVersion.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE73DD35-9525-479D-B09A-0DECC6F9171F}: NameServer = 192.168.0.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: FS BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\FSecure\BackWeb\7681197\PROGRAM\SERVIC~1.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Jukka\program files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - D:\Jukka\program files\ewido anti-malware\ewidoguard.exe
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\FSecure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\FSecure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\FSecure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\FSecure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
     
  11. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Jäihän sinne vielä sittenkin...

    Fixaa tuo
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    Sen jälkeen käynnistä > suorita > services.msc > tuplaklikkaa Network Monitor > valitse seis, ja käynnistymistavaksi ei käytössä.

    Boottaa vikasietotilaan , ja poista tuo kansio:

    C:\Program Files\====>Network Monitor<=======
     
    Viimeksi muokattu: 11.01.2006
  12. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    Ei ole ongelmia, örkit on ajettu tiehensä ja kaikki skulaa. :)
    KIITOS!
     
  13. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Eli tuo on tosiaankin örkki, mutta tuosta kansion poistosta en olekaan enää niin varma..... Tee, niinkuin sanoin, mutta poista pelkästään tuo

    C:\Program Files\Network Monitor\===>netmon.exe<========

    Sen jälkeen siellä vikasietotilassa.

    Se on nimittäin 100% varmuudella örkki
     
    Viimeksi muokattu: 11.01.2006
  14. w32

    w32 Guest

  15. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    Firefoxia en mielellään käytä --> en tykännyt kun kokeilin, mm. aika hitaalta tuntui.
    Spywareblasterin asensin ja hyvin surraa, kiitos.

    Lieköhän sattumaa (God, I hope), mutta kone tuntuu aivan tolkuttoman hitaalta... Kaikki, jopa My Computer avautuvat järjettömän hitaasti ja saattaa kestää minuutteja että esim. VLC Player lopulta napsahtaa auki. Ehkäpä on vain liikaa kamaa koviksella, mutta ei se tätä ennen pöpöhyökkäystä tehnyt.
     
    Viimeksi muokattu: 11.01.2006
  16. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Teitkö jo nuo jutut tuossa ylempänä? Voisit laittaa uuden lokin vielä sen jälkeen, niin tarkistan lähtikö kaikki niinkuin pitikin...
     
  17. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    Tehty on, ja tässä on HJT -logi:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:05:51, on 1/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Jukka\program files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fi\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [F-Secure Manager] "d:\FSecure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DVDTray] E:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] E:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "D:\My Downloads\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2C657869-6874-4732-8A10-64CF729B42F6} (ICONICS LoginActiveX) - http://varmdomarknad.dyndns.org/webhmi/cabs/gwxview32.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130785743132
    O16 - DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} (VersionInfo Class) - http://varmdomarknad.dyndns.org/webhmi/cabs/GenVersion.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE73DD35-9525-479D-B09A-0DECC6F9171F}: NameServer = 192.168.0.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: FS BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\FSecure\BackWeb\7681197\PROGRAM\SERVIC~1.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Jukka\program files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - D:\Jukka\program files\ewido anti-malware\ewidoguard.exe
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\FSecure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\FSecure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\FSecure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\FSecure\Common\FSMA32.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

     
  18. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Eipä se lähtenyt tuo rivi tuolta pois.... Kokeilepa Fixata se vikasietotilassa. Siis tämä rivi:

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    Teitkö myös tämän :
    käynnistä > suorita > services.msc > tuplaklikkaa Network Monitor > valitse seis, ja käynnistymistavaksi ei käytössä. ? Jos ei tuolla nimellä löytynyt, niin se saattaa olla myös nimellä "Net Functions Monitoring (Netmon)"
     
  19. dm7280

    dm7280 Member

    Liittynyt:
    28.11.2004
    Viestejä:
    29
    Kiitokset:
    0
    Pisteet:
    11
    Okei, unohdin tuon disablaamisen (punastuu), mutta nyt on tehty. Se oli jo pysäytetty, ja nyt on disablattu. Poistin kyllä k.o tiedoston safe modessa ennen disablaamista.
     
  20. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Boottaapa vielä, ja katso tuleeko se vielä lokiin näkyviin?
     

Jaa tämä sivu