Spyaxe--Falcon--kotisivua ei voi asettaa, -logit lisätty

tiqruli · 13.03.2006

Siskoni koneeseen iski SpyAxe tyyppi Falcon ilmeisesti, hän käytti f-securen tarjoamaa poistotyökalua. Nyt on ongelma, että ei selain anna asentaa haluttua kotisivua tai mitään sivua siihen, siis vaikka laittaisikin itse aseta tämä kotisivuksi tai sitten internetasetuksista, niin tulee vain blank-sivu. Ei toimi edes käytä oletussivua. Miten tämä korjaantuu?

AfterDawn

blade81 · 13.03.2006

Näyttävät olevan aikamoinen "muotivillitys" nämä smitfraud variantit..

Laita HjT-loki, ohjelman saat täältä -> http://koti.mbnet.fi/pattaya1/HijackThis.exe . Tallenna hakemistoon c:\hjt, käynnistä, klikkaa do a system scan and save a logfile ja lähetä loki tänne.

tiqruli · 14.03.2006

Logfile of HijackThis v1.99.1
Scan saved at 12:00:07, on 14.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Norman\bin\ZLH.EXE
C:\Norman\Bin\Zanda.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\D-Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Timo Reijonen\Työpöytä\carita\winamp\winampa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DC++\DCPlusPlus.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll (file
missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Timo
Reijonen\Työpöytä\carita\winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144
- {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
https://www.gamespyid.com/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner -
C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman
ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data
Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software,
Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

blade81 · 14.03.2006

Palaan pian asiaan.

------------------------

No niin. Koneelle on voinut jäädä vielä Smitfraudin jämät, joten tehdään näin:

->Lataa smitrem työpöydälle
http://noahdfear.geekstogo.com/click counter/click.php?id=1
Tuplaklikkaa sitä ja Start, niin saat smitrem kansion työpöydälle .

-> Hae Ewido
http://www.ewido.net/en/download/
asenna ja päivitä se.

-> Käynnistä kone vikasietotilassa(F8 käynnistyksen yhteydessä).

Käynnistä hjt, klikkaa do a system scan only ja merkkaa (jos löytyy):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Sulje muut ikkunat ja klikkaa fix checked.

Sen jälkeen avaa smitrem-kansio ja tuplaklikkaa RunThis.bat ja seuraa ohjeita.
Tämän jälkeen scannaa ja putsaa Ewidolla + säästä logi.

Käynnistä sitten normaalisti ja lähetä uus Hijack logi,Ewidon logi ja C:\smitfiles.txt logi foorumille.

tiqruli · 14.03.2006

Ok, teemme niin. Lähetän lokeja kun ne ovat valmiit, ewidon lataus on hitaan puolesta, joten menee hetkonen...

tiqruli · 14.03.2006

Yksi kysymys liittyen siihen runthis.bat- juttuun. Olemme tilanteessa, jossa se käskee painamaan nappia, että se ohjelma aloittaa alustuksen, arvioitu aika voi olla tiedon mukaan 3 h.
Eli poistaako se silloin huonoja tiedostoja, vai koko kovalevyn tiedot? Tyhmä kysymys varmaan, mutta en uskalla edetä ennen kuin tiedän.

tiqruli · 14.03.2006

tässä ewido: (tähdet on käyttäjän koko nimen tilalla)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:06:29, 14.3.2006
+ Report-Checksum: E6CE2630

+ Scan result:

HKU\S-1-5-21-959060794-3301610316-307398329-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@sportingnews.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\**** ********\Cookies\**** ********@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\WINDOWS\system32\ginuerep.dll -> Not-A-Virus.Hoax.Win32.Renos.bs : Cleaned with backup

::Report End

tiqruli · 14.03.2006

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [versio 5.1.2600]

Running from
C:\Documents and Settings\**** ********\Ty”p”yt„\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 824 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

tiqruli · 14.03.2006

Logfile of HijackThis v1.99.1
Scan saved at 15:10:10, on 14.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Documents and Settings\**** ********\Työpöytä\******\EWIDO\ewido
anti-malware\ewidoctrl.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\D-Tools\daemon.exe
C:\Documents and Settings\**** ********\Työpöytä\******\EWIDO\ewido
anti-malware\ewidoguard.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\**** ********\Työpöytä\******\winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Norman\Bin\Zanda.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fi\msntb.dll (file
missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\****
********\Työpöytä\******\winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144
- {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
https://www.gamespyid.com/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents
and Settings\**** ********\Työpöytä\******\EWIDO\ewido
anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents
and Settings\**** ********\Työpöytä\******\EWIDO\ewido
anti-malware\ewidoguard.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner -
C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman
ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data
Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software,
Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

tiqruli · 14.03.2006

Ai juu, ja se ongelma, että kotisivua ei saa määritettyä ei vieläkään mennyt pois.

blade81 · 14.03.2006

Lokit näyttävät kyllä olevan ok. Kokeile niin, että käynnistät koneen uudelleen ja yritä sitten vaihtaa aloitussivu. Jos ei onnistu, luo hjt:llä startuplista. Tämä tapahtuu seuraavasti:

1. Käynnistä hjt, klikkaa config...
2. Klikkaa Misc Tools ja sen jälkeen laita täppä kahteen ruutuun Generate StartupList log -painikkeen oikealla puolella.
3. Klikkaa Generate StartupList log ja vastaa kysymykseen yes.
4. Lähetä koko generoitunut loki tänne.

tiqruli · 14.03.2006

StartupList report, 14.3.2006, 19:46:54
StartupList version: 1.52.2
Started from : C:\hjt\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Documents and Settings\**** ********\Työpöytä\******\EWIDO\ewido
anti-malware\ewidoctrl.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\D-Tools\daemon.exe
C:\Documents and Settings\**** ********\Työpöytä\******\EWIDO\ewido
anti-malware\ewidoguard.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\**** ********\Työpöytä\******\winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Norman\Bin\Zanda.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Macromedia\Fireworks 8\Fireworks.exe
C:\hjt\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\****
********\Käynnistä-valikko\Ohjelmat\Käynnistys]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys]
Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital
Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital
Imaging\bin\hpqthb08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
Norman ZANDA = C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
DAEMON Tools-1033 = "C:\D-Tools\daemon.exe" -lang 1033
HP Software Update = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
WinampAgent = C:\Documents and Settings\****
********\Työpöytä\******\winamp\winampa.exe
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"
/startintray

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall
%SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE
/CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection
C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection
C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB
/CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection
C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named
something else.
- Regedit.exe has no OriginalFilename property! It is either missing or
named something else.
- Regedit.exe has no FileDescription property! It is either missing or named
something else.

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = https://www.gamespyid.com/alaunch.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE =
http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program
Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

[Java Plug-in 1.4.1_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
CODEBASE =
http://java.sun.com/products/plugin/1.4/jinstall-14_06-windows-i586.cab

[Java Plug-in 1.4.1_07]
InProcServer32 = C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
CODEBASE =
http://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab

[Java Plug-in 1.5.0_05]
InProcServer32 = C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
CODEBASE =
http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE =
http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE =
http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE =
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

ACEDRV05: \??\C:\WINDOWS\system32\drivers\ACEDRV05.sys (autostart)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual
start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual
start)
Hälytys: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Sovelluskerroksen yhdyskäytäväpalvelu: %SystemRoot%\System32\alg.exe (manual
start)
AMD Processor Driver: system32\DRIVERS\AmdK8.sys (system)
Sovellusten hallinta: %SystemRoot%\system32\svchost.exe -k netsvcs (manual
start)
1394 ARP -asiakasprotokolla: system32\DRIVERS\arp1394.sys (manual start)
Aspi32: System32\drivers\aspi32.sys (autostart)
ASP.NET State Service:
%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual
start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standardi IDE/ESDI-kiintolevyohjain: system32\DRIVERS\atapi.sys (system)
ATM ARP Client -protokolla: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
BITS-tausta-ajo (Background Intelligent Transfer Service):
%SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Tietokoneiden selaus: %SystemRoot%\system32\svchost.exe -k netsvcs
(autostart)
CD-ROM-ohjain: system32\DRIVERS\cdrom.sys (system)
Indeksointipalvelu: %SystemRoot%\system32\cisvc.exe (manual start)
Leikekirja: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+-järjestelmäsovellus: C:\WINDOWS\system32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Salauspalvelut: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d347bus: system32\DRIVERS\d347bus.sys (system)
d347prt: System32\Drivers\d347prt.sys (system)
DCOM-palvelinprosessin käynnistys: %SystemRoot%\system32\svchost -k
DcomLaunch (autostart)
DHCP-asiakas: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Levyohjain: system32\DRIVERS\disk.sys (system)
Loogisen levyn hallinnan valvontapalvelu: %SystemRoot%\System32\dmadmin.exe
/com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Loogisen levyn hallinta: %SystemRoot%\System32\svchost.exe -k netsvcs
(manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS-asiakas: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual
start)
Virheraportointipalvelut: %SystemRoot%\System32\svchost.exe -k netsvcs
(autostart)
Tapahtumaloki: %SystemRoot%\system32\services.exe (autostart)
COM+-tapahtumajärjestelmä: C:\WINDOWS\system32\svchost.exe -k netsvcs
(manual start)
ewido security suite control: C:\Documents and Settings\****
********\Työpöytä\******\EWIDO\ewido anti-malware\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Documents and Settings\****
********\Työpöytä\******\EWIDO\ewido anti-malware\guard.sys (system)
ewido security suite guard: C:\Documents and Settings\****
********\Työpöytä\******\EWIDO\ewido anti-malware\ewidoguard.exe (autostart)
Nopean käyttäjän vaihdon yhteensopivuus: %SystemRoot%\System32\svchost.exe
-k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Levykeaseman ohjain: system32\DRIVERS\fdc.sys (manual start)
Levykeasemaohjain: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager -ohjain: system32\DRIVERS\ftdisk.sys (system)
Yleinen paketinmääritys: system32\DRIVERS\msgpc.sys (manual start)
Ohjeet ja tuotetuki: %SystemRoot%\System32\svchost.exe -k netsvcs
(autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID -luokkaohjain: system32\DRIVERS\hidusb.sys (manual start)
HSFHWBS2: system32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: system32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
CD-levyjen kirjoittamisen IMAPI COM -palvelu: C:\WINDOWS\system32\imapi.exe
(manual start)
InCD File System: system32\drivers\InCDFs.sys (disabled)
InCDPass: system32\drivers\InCDPass.sys (system)
InCD Reader: system32\drivers\InCDRm.sys (system)
Windowsin IPv6-palomuurin ohjain: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC-ohjain: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA -väyläohjain: system32\DRIVERS\isapnp.sys (system)
Näppäimistön luokkaohjain: system32\DRIVERS\kbdclass.sys (system)
Näppäimistön HID-ohjain: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual
start)
Palvelin: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Työasema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService
(autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Viestinvälitys: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting etätyöpöydän jakaminen: C:\WINDOWS\system32\mnmsrvc.exe (manual
start)
Hiiren luokkaohjain: system32\DRIVERS\mouclass.sys (system)
Hiiren HID-ohjain: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual
start)
Windows Installer -ohjelma: C:\WINDOWS\system32\msiexec.exe /V (manual
start)
Microsoft Streaming Service -välityspalvelin: system32\drivers\MSKSSRV.sys
(manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual
start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys
(manual start)
Microsoft-järjestelmänhallinnan BIOS-ohjain: system32\DRIVERS\mssmbios.sys
(manual start)
Ndiskio: \??\C:\Norman\Nse\bin\NDISKIO.SYS (autostart)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O -protokolla: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS-käyttöliittymä: system32\DRIVERS\netbios.sys (system)
NetBIOS TCP/IP:n päällä: system32\DRIVERS\netbt.sys (system)
Verkon DDE: %SystemRoot%\system32\netdde.exe (disabled)
Verkon DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Verkkokirjautuminen: %SystemRoot%\system32\lsass.exe (manual start)
Verkkoyhteydet: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
RCA USB Digital Cable Modem Driver: system32\DRIVERS\netrcacm.sys (manual
start)
1394-verkko-ohjain: system32\DRIVERS\nic1394.sys (manual start)
Norman API-hooking helper: C:\Norman\Nvc\BIN\nipsvc.exe (manual start)
NLA-nimiavaruus (Network Location Awareness):
%SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Norman NJeeves: C:\Norman\bin\NJEEVES.EXE (manual start)
Norman ZANDA: "C:\Norman\Bin\Zanda.exe" (autostart)
NT LM -suojaustuen toimittaja: %SystemRoot%\system32\lsass.exe (manual
start)
Siirrettävät tallennusvälineet: %SystemRoot%\system32\svchost.exe -k netsvcs
(manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
nvatabus: system32\DRIVERS\nvatabus.sys (system)
nvcfsr: \??\C:\Norman\Nvc\bin\nvcfsr.sys (manual start)
nvcoafl51: \??\C:\Norman\Nvc\bin\nvcoafl51.sys (manual start)
nvcoaft51: \??\C:\Norman\Nvc\bin\nvcoaft51.sys (manual start)
nvcoarc51: \??\C:\Norman\Nvc\bin\nvcoarc51.sys (manual start)
Norman Virus Control on-access component: C:\Norman\Nvc\bin\nvcoas.exe
(manual start)
Norman Virus Control Scheduler: C:\Norman\Nvc\BIN\NVCSCHED.EXE (manual
start)
NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys
(manual start)
NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys
(system)
Rinnakkaisporttiohjain: system32\DRIVERS\parport.sys (manual start)
PCI-väyläohjain: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC-palvelut: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Suojattu tallennuspaikka: %SystemRoot%\system32\lsass.exe (autostart)
QoS-paketinajoitus: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection -ohjain: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection -hallinta: %SystemRoot%\system32\svchost.exe
-k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Etäkäytön (RAS) yhteyksienhallinta: %SystemRoot%\system32\svchost.exe -k
netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Suora rinnakkainen: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Etätyöpöydän ohjeen istunnonhallinta: C:\WINDOWS\system32\sessmgr.exe
(manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys
(system)
Reititys ja etäkäyttö: %SystemRoot%\system32\svchost.exe -k netsvcs
(autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Etäproseduurikutsujen (RPC) paikannin: %SystemRoot%\system32\locator.exe
(manual start)
Etäproseduurikutsu (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Käyttöoikeustilien hallinta: %SystemRoot%\system32\lsass.exe (autostart)
Älykortti: %SystemRoot%\System32\SCardSvr.exe (manual start)
Tehtävien ajoitus: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (autostart)
Toissijainen kirjautuminen: %SystemRoot%\System32\svchost.exe -k netsvcs
(autostart)
Järjestelmätapahtuman ilmoitus: %SystemRoot%\system32\svchost.exe -k netsvcs
(autostart)
Serenum Filter -ohjain: system32\DRIVERS\serenum.sys (manual start)
Sarjaporttiohjain: system32\DRIVERS\serial.sys (system)
Windowsin palomuuri / Internet-yhteyden jakaminen (ICS):
%SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Käyttöliittymän laitteistotunnistus: %SystemRoot%\System32\svchost.exe -k
netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual
start)
Taustatulostusohjain: %SystemRoot%\system32\spoolsv.exe (autostart)
Järjestelmän palautussuodatin -ohjain: system32\DRIVERS\sr.sys (system)
Järjestelmän palauttaminen -palvelu: %SystemRoot%\system32\svchost.exe -k
netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP-palvelu (Simple Service Discovery Protocol):
%SystemRoot%\system32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
WIA (Windows Image Acquisition): %SystemRoot%\system32\svchost.exe -k imgsvc
(autostart)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
(autostart)
Ohjelmistoväyläohjain: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys
(manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe
/Processid:{BB887157-B80D-49B7-AB0E-E2A1E6BD6284} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual
start)
Resurssilokit ja -hälytykset: %SystemRoot%\system32\smlogsvc.exe (manual
start)
Puhelin: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP-protokollaohjain: system32\DRIVERS\tcpip.sys (system)
Päätelaiteohjain: system32\DRIVERS\termdd.sys (system)
Päätepalvelut: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Teemat: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tiedostolinkkijäljityksen asiakas: %SystemRoot%\system32\svchost.exe -k
netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe
(autostart)
Microcode Update -ohjain: system32\DRIVERS\update.sys (manual start)
Universal Plug & Play -laiteisäntä: %SystemRoot%\system32\svchost.exe -k
LocalService (manual start)
UPS: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual
start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver:
system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver:
system32\DRIVERS\usbohci.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB-massamuistiohjain: system32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Aseman tilannevedos: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys
(manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
WMI-palvelu (Windows Management Instrumentation):
%systemroot%\system32\svchost.exe -k netsvcs (autostart)
Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual
start)
Kannettavan mediasoittimen sarjanumeropalvelu:
%SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Logitech WingMan HID Filter Driver: system32\drivers\WmFilter.sys (manual
start)
WMI resurssisovitin: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual
start)
Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys
(manual start)
Tietoturvakeskus: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automaattiset päivitykset: %systemroot%\system32\svchost.exe -k netsvcs
(autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs
(autostart)
xmasbus: system32\DRIVERS\xmasbus.sys (system)
xmasscsi: System32\Drivers\xmasscsi.sys (system)
Verkon käyttöönottopalvelu: %SystemRoot%\System32\svchost.exe -k netsvcs
(manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34 907 bytes
Report generated in 0,156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of
platform
/history - to list version history only

blade81 · 15.03.2006

Eipä tuosta kyllä mitään ilmenny. Kokeillaanpa vähän kovempia otteita.

* Lataa smitrem työpöydälle ([bold]jos ehdit jo poistaa sen[/bold])
http://noahdfear.geekstogo.com/click counter/click.php?id=1
Tuplaklikkaa sitä ja Start, niin saat smitrem-kansion työpöydälle.

* Ota FixSF.reg työpöydälle
http://www.bleepingcomputer.com/files/reg/FixSF.reg
Tuplaklikkaa sitä ja vastaa myöntävästi.
* Käynnistä sitten kone vikasietotilassa(F8 käynnistyksen yhteydessä)
* Poista ohjauspaneelista (lisää/poista sovellus)
- SpyFalcon
ja jos se käskee\vaatii käynnistään koneen uudestaan, älä käynnistä.
Sitten poista
C:\Program\SpyFalcon\ < kansio voi olla, että ei löydy enää
C :\Windows\System32\dxmpp.dll
C:\WINDOWS\system32\ginuerep.dll
* Sen jälkeen avaa smitrem-kansio ja tuplaklikkaa RunThis.bat ja seuraa ohjeita.

Kun homma on valmis, käynnistä normaalitilaan ja lähetä smitrem.txt sekä normaalitilassa otettu tuore hjt-loki.

tiqruli · 15.03.2006

Tämän nimiset troijalaiset tuli ilmi eilen, w32/ zlob.YN ja w32/renos.dt. Norman pisti ne karanteeniin eikä tehnyt niille mitään muuta.
Kokeillaan annettuja ohjeita kuitenkin, näkee sitten mitä tapahtuu. Lähetän sitten lokeja.

-kemisti- · 15.03.2006

@tiqruli: Nuo liittyvät just tohon smitfraudiin eli eivätköhän lähde
Tyhjennä kuitenkin myös Normanin karanteeni.

tiqruli · 15.03.2006

Hmm... ei ollut yhtäkään tiedostoa jotka olis pitänyt poistaa eikä smitrem antanut lokia ollenkaan. ja nyt on taas yks virus slob.yn karanteenissa.. help

Mistä sen karanteenin löytää?

-kemisti- · 15.03.2006

Täällä karanteenista -> http://www.norman.com/Support/FAQs/Norman_Internet_Control/31355/fi

Voi olla, et smitfraud on järjestelmän palautuksessa ja siks tulee aina takaisin.

tiqruli · 15.03.2006

Jos se on siellä järjestelmän palautuksessa, niin mitä on tehtävä että sen tilanteen saa korjattua?

-kemisti- · 15.03.2006

Tyhjennettävä järjestelmän palautus. Tällöin tosin häviävät kaikki aiemmat palautuspisteet. Mutta tyhjennä se normanin karanteeni ensin, niin katotaan, onko tuo tarpeen

blade81 · 16.03.2006

@tiqruli: Mikäs on tämän tapauksen tilanne? Vieläkö aloitussivun vaihtaminen epäonnistuu?

Kirjaudu tai liity jäseneksi

Spyaxe--Falcon--kotisivua ei voi asettaa, -logit lisätty

tiqruli Member

blade81 Active member

tiqruli Member

blade81 Active member

tiqruli Member

tiqruli Member

tiqruli Member

tiqruli Member

tiqruli Member

tiqruli Member

blade81 Active member

tiqruli Member

blade81 Active member

tiqruli Member

-kemisti- Active member

tiqruli Member

-kemisti- Active member

tiqruli Member

-kemisti- Active member

blade81 Active member

Jaa tämä sivu

Kirjaudu tai liity jäseneksi

Spyaxe--Falcon--kotisivua ei voi asettaa, -logit lisätty

tiqruli Member

blade81 Active member

tiqruli Member

blade81 Active member

tiqruli Member

tiqruli Member

tiqruli Member

tiqruli Member

tiqruli Member

tiqruli Member

blade81 Active member

tiqruli Member

blade81 Active member

tiqruli Member

-kemisti- Active member

tiqruli Member

-kemisti- Active member

tiqruli Member

-kemisti- Active member

blade81 Active member

Jaa tämä sivu

Hyödyllisiä hakuja