onko juu vielä täällä?

apuva!!

nyt minulla on FINDnFIX logi
katsotko mikä mättää

Tue 24 Aug 04 15:01:44

»»»»»»»»»»»»»»»»»»***LOG!***(*updated *8/25*)»»»»»»»»»»»»»»»»

*System:
Microsoft Windows XP Professional 5.1 Service Pack 1 (Build 2600)
*IE version:
6.0.2800.1106 SP1-Q324929-Q813489-Q330994

The type of the file system is NTFS.

__________________________________
!!*Creating backups...!!

The operation completed successfully
__________________________________

*Local time:
24. elokuuta 2004 (24.8.2004)
15:01, FLE Daylight Time
*Uptime:
15:01:46 up 0 days, 0:05:45

*Path:
C:\FINDnFIX
----------------------------------------------------
»»Member of...: ("ADMIN" logon group match required!)

User is a member of group DOMNBFIN01\Domain Users.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group DOMNBFIN01\Merlin.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

User: [DOMNBFIN01\juj], is a member of:

DOMNBFIN01\Domain Users
\Everyone

SystemDrive is C:
SystemRoot is C:\WINNT
Logon Domain is ***
Administrator's Name is ***
Computer Name is ***
LOGON SERVER is \\***

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________

......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........
»»Read access error(s)...

»»»»» (*2*) »»»»»........

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
*List of files and specs according to 'size' :
*Note: Not all files listed here are infected, but *may include* the
name and spces of the offending file...
___________________________________________________________________________
Path: C:\WINNT\SYSTEM32 Including: *.DLL

____________________________________________________________________________
*By size and date...

No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

BHO search and other files...

No matches found.

*sp.html in temp folder was NOT FOUND!

*Filter keys search...
REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

(*text/html Subkey was NOT FOUND!)

REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

(*text/plain Subkey was NOT FOUND!)

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Comparing *saved* key with *original*...

REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

No differences found.

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs   SZ   
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout   SZ   15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota   DWORD   00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler   SZ   yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk   SZ   
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout   SZ   90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota   DWORD   00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read    BUILTIN\Users
(IO) ALLOW Read    BUILTIN\Users
(NI) ALLOW Read    BUILTIN\Power Users
(IO) ALLOW Read    BUILTIN\Power Users
(NI) ALLOW Full access    BUILTIN\Administrators
(IO) ALLOW Full access    BUILTIN\Administrators
(NI) ALLOW Full access    NT AUTHORITY\SYSTEM
(IO) ALLOW Full access    NT AUTHORITY\SYSTEM
(NI) ALLOW Full access    BUILTIN\Administrators
(IO) ALLOW Full access    CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read    BUILTIN\Users
Read    BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM

»»Performing string scan....
00001150: ?
00001190: vk f AppInit_
000011D0:DLLs G vk UDeviceNotSelectedTimeout
00001210: 1 5 @ 9 0 | vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s n
00001290: 0 ` vk =pswapdisk vk
000012D0: R TransmissionRetryTimeout 0 `
00001310: vk ' n USERProcessHandleQuotai
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
fùAppInit_DLLsÖ?æG
--------------
--------------
$011C8: AppInit_DLLs
$011F7: UDeviceNotSelectedTimeout
$01247: zGDIProcessHandleQuota
$012E0: TransmissionRetryTimeout
$01330: USERProcessHandleQuotai
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

.............
-----------------------

»»»»»»Backups list...»»»»»»
15:03:27 up 0 days, 0:07:27
-----------------------
Tue 24 Aug 04 15:03:27

C:\FINDNFIX\
keyback.hiv Tue 24 Aug 2004 15.01.42 A.... 8 192 8,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 8 192 bytes 8,00 K

C:\FINDNFIX\KEYS1\
winkey.reg Tue 24 Aug 2004 15.01.44 A.... 287 0,28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0,28 K

*Temp backups...

"C:\Documents and Settings\juj\Local Settings\Temp\Backs2\"
keyback2.hi_ 24 Aug 2004 8192 "keyback2.hi_"
winkey2.re_ 24 Aug 2004 287 "winkey2.re_"

2 items found: 2 files, 0 directories.
Total of file sizes: 8 479 bytes 8,28 K
-D---- JUNKXXX 00000000 15:01.44 24/08/2004
A----- STARTIT .BAT 00000060 15:01.44 24/08/2004

________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
-----END------
Tue 24 Aug 04 15:03:29


5

684

    Vastaukset

    Anonyymi (Kirjaudu / Rekisteröidy)
    5000
    • Juu

      Tuo FINDnFIX ei löytänny mitään,elikkäs joudutaan koittaa jotain muuta keinoo.
      Pistä uus Hijack logi tänne.

      • apuva!!

        Logfile of HijackThis v1.98.2
        Scan saved at 15:50:17, on 24.8.2004
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\SAFEGUARD\SGEASY\SGECTL.EXE
        C:\WINNT\system32\svchost.exe
        C:\WINNT\System32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Program Files\NavNT\DefWatch.exe
        C:\Program Files\lotus\notes\ntmulti.exe
        C:\NETOP\HOST\NHOSTSVC.EXE
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
        C:\Program Files\NavNT\rtvscan.exe
        C:\Safeguard\SGEAgent.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
        C:\WINNT\Explorer.EXE
        C:\WINNT\System32\hkcmd.exe
        C:\WINNT\LTSMMSG.exe
        C:\Program Files\Apoint2K\Apoint.exe
        C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        C:\PROGRA~1\NavNT\vptray.exe
        C:\SAFEGUARD\SGEASY\SGECRYPT.EXE
        C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Apoint2K\Apntex.exe
        C:\WINNT\System32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\HjT\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metso Corporation IE6
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
        O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
        O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
        O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
        O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
        O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        O4 - HKLM\..\Run: [Sgecrypt] C:\SAFEGUARD\SGEASY\SGECRYPT.EXE /SYSTRAY
        O4 - HKLM\..\Run: [EDWizard] C:\SAFEGUARD\SGEASY\EDWIZARD.EXE as
        O4 - HKLM\..\Run: [SgeEcView] C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O13 - DefaultPrefix: http://69.50.191.50/?
        O13 - WWW Prefix: http://69.50.191.50/?


      • Juu
        apuva!! kirjoitti:

        Logfile of HijackThis v1.98.2
        Scan saved at 15:50:17, on 24.8.2004
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\SAFEGUARD\SGEASY\SGECTL.EXE
        C:\WINNT\system32\svchost.exe
        C:\WINNT\System32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Program Files\NavNT\DefWatch.exe
        C:\Program Files\lotus\notes\ntmulti.exe
        C:\NETOP\HOST\NHOSTSVC.EXE
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
        C:\Program Files\NavNT\rtvscan.exe
        C:\Safeguard\SGEAgent.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
        C:\WINNT\Explorer.EXE
        C:\WINNT\System32\hkcmd.exe
        C:\WINNT\LTSMMSG.exe
        C:\Program Files\Apoint2K\Apoint.exe
        C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        C:\PROGRA~1\NavNT\vptray.exe
        C:\SAFEGUARD\SGEASY\SGECRYPT.EXE
        C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Apoint2K\Apntex.exe
        C:\WINNT\System32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\HjT\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metso Corporation IE6
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
        O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
        O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
        O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
        O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
        O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        O4 - HKLM\..\Run: [Sgecrypt] C:\SAFEGUARD\SGEASY\SGECRYPT.EXE /SYSTRAY
        O4 - HKLM\..\Run: [EDWizard] C:\SAFEGUARD\SGEASY\EDWIZARD.EXE as
        O4 - HKLM\..\Run: [SgeEcView] C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O13 - DefaultPrefix: http://69.50.191.50/?
        O13 - WWW Prefix: http://69.50.191.50/?

        Pistä piilotiedostot näkyviin,ohje tuolla

        http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

        Sitte kytke kone kokonaan pois netistä (typ pihua irti)

        Käynnistä vikasietotilassa ja scannaa Hijackillä,merkkaa nuo ja sulje kaikki muut ikkunat ja paina FIX checked

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/3100/sp.php
        O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe
        O13 - DefaultPrefix: http://69.50.191.50/?
        O13 - WWW Prefix: http://69.50.191.50/?

        Sitte etsi ja poista tuo,jos löytyy

        C:\WINNT\svchost.exe
        - tuolta tuo svchost.exe

        Edelleen vikasietotilassa putsaa sillä Cwshredderillä.

        Käynnistä sitte normaalisti ja pistä uus Hijack logi,niin nähään miten kävi


      • apuva!!
        Juu kirjoitti:

        Pistä piilotiedostot näkyviin,ohje tuolla

        http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

        Sitte kytke kone kokonaan pois netistä (typ pihua irti)

        Käynnistä vikasietotilassa ja scannaa Hijackillä,merkkaa nuo ja sulje kaikki muut ikkunat ja paina FIX checked

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/3100/sp.php
        O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe
        O13 - DefaultPrefix: http://69.50.191.50/?
        O13 - WWW Prefix: http://69.50.191.50/?

        Sitte etsi ja poista tuo,jos löytyy

        C:\WINNT\svchost.exe
        - tuolta tuo svchost.exe

        Edelleen vikasietotilassa putsaa sillä Cwshredderillä.

        Käynnistä sitte normaalisti ja pistä uus Hijack logi,niin nähään miten kävi

        haittaakohan se kun sammutan / käynnistän koneen safemoodilla, silti xp kertoo aina joka kerta että "lataan henk koht asetukset" ?

        Logfile of HijackThis v1.98.2
        Scan saved at 16:24:05, on 24.8.2004
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\SAFEGUARD\SGEASY\SGECTL.EXE
        C:\WINNT\system32\svchost.exe
        C:\WINNT\System32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Program Files\NavNT\DefWatch.exe
        C:\Program Files\lotus\notes\ntmulti.exe
        C:\NETOP\HOST\NHOSTSVC.EXE
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
        C:\Program Files\NavNT\rtvscan.exe
        C:\Safeguard\SGEAgent.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
        C:\WINNT\Explorer.EXE
        C:\WINNT\System32\hkcmd.exe
        C:\WINNT\LTSMMSG.exe
        C:\Program Files\Apoint2K\Apoint.exe
        C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        C:\PROGRA~1\NavNT\vptray.exe
        C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        C:\SAFEGUARD\SGEASY\SGECRYPT.EXE
        C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        C:\Program Files\QuickTime\qttask.exe
        C:\WINNT\System32\ctfmon.exe
        C:\Program Files\Apoint2K\Apntex.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\HjT\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metso Corporation IE6
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
        O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
        O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
        O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
        O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
        O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        O4 - HKLM\..\Run: [Sgecrypt] C:\SAFEGUARD\SGEASY\SGECRYPT.EXE /SYSTRAY
        O4 - HKLM\..\Run: [EDWizard] C:\SAFEGUARD\SGEASY\EDWIZARD.EXE as
        O4 - HKLM\..\Run: [SgeEcView] C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O13 - DefaultPrefix: http://69.50.191.50/?
        O13 - WWW Prefix: http://69.50.191.50/?


      • Juu
        apuva!! kirjoitti:

        haittaakohan se kun sammutan / käynnistän koneen safemoodilla, silti xp kertoo aina joka kerta että "lataan henk koht asetukset" ?

        Logfile of HijackThis v1.98.2
        Scan saved at 16:24:05, on 24.8.2004
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\SAFEGUARD\SGEASY\SGECTL.EXE
        C:\WINNT\system32\svchost.exe
        C:\WINNT\System32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Program Files\NavNT\DefWatch.exe
        C:\Program Files\lotus\notes\ntmulti.exe
        C:\NETOP\HOST\NHOSTSVC.EXE
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
        C:\Program Files\NavNT\rtvscan.exe
        C:\Safeguard\SGEAgent.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
        C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
        C:\WINNT\Explorer.EXE
        C:\WINNT\System32\hkcmd.exe
        C:\WINNT\LTSMMSG.exe
        C:\Program Files\Apoint2K\Apoint.exe
        C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        C:\PROGRA~1\NavNT\vptray.exe
        C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        C:\SAFEGUARD\SGEASY\SGECRYPT.EXE
        C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        C:\Program Files\QuickTime\qttask.exe
        C:\WINNT\System32\ctfmon.exe
        C:\Program Files\Apoint2K\Apntex.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\HjT\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/3100/sp.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/3100/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/3100/sp.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metso Corporation IE6
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
        O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
        O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
        O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
        O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
        O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
        O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
        O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
        O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
        O4 - HKLM\..\Run: [Sgecrypt] C:\SAFEGUARD\SGEASY\SGECRYPT.EXE /SYSTRAY
        O4 - HKLM\..\Run: [EDWizard] C:\SAFEGUARD\SGEASY\EDWIZARD.EXE as
        O4 - HKLM\..\Run: [SgeEcView] C:\SAFEGUARD\SGEASY\ECVIEW.EXE
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O13 - DefaultPrefix: http://69.50.191.50/?
        O13 - WWW Prefix: http://69.50.191.50/?

        Onpa sitkee kaappari.
        Jos sulla on piilotiedostot näkyvissä ja etsit ton koneelta,niin löytyykö se?

        C:\WINNT\svchost.exe


    Ketjusta on poistettu 0 sääntöjenvastaista viestiä.

    Luetuimmat keskustelut

    1. Hoitajalakko peruuntuu, tilalle joukkoirtisanoutumiset

      "Tehyn ja Superin hallitukset kokoontuivat tänään toteamaan, että tilanne edellyttää järeämpiä työtaistelutoimia." https://www.hs.fi/politiikka/art-2
      Maailman menoa
      739
      9198
    2. Johan tuli oikea aivopieru Britti Lordilta

      Emeritusprofessori Lordi Robert Skidelsky sanoi Suomen rikkovan YYA sopimusta joka on tehty Neuvostoliiton kanssaa 1948. Mitä pir
      Maailman menoa
      373
      8004
    3. Tehyn Rytkösellä tallessa tekstiviestit A-studiokohussa

      https://www.mtvuutiset.fi/artikkeli/a-studiosta-kohu-tehyn-rytkosen-mukaan-ministeri-linden-sai-paattaa-osallistujat-ohjelma-kiistaa-vaitteen/8407068
      Maailman menoa
      162
      5761
    4. William ja Sonja Aiello ERO

      Hyvä Sonja! Nyt etsit uudet kaverit ja jätät nuo huume- ja rahanpesu porukat haisemaan taaksesi!
      Kotimaiset julkkisjuorut
      54
      2378
    5. Oho! Seurapiirikaunotar, ex-missi Sabina Särkkä yllättää tällä harvinaisella kyvyllä: "Mulla on..."

      Sabina Särkkä on nähty monissa tv-reality-sarjoissa. Mutta tiesitkö, että Särkällä on valokuvamuisti? https://www.suomi24.fi/viihde/oho-seurapiirikaun
      Kotimaiset julkkisjuorut
      6
      2103
    6. Se siitä sitten

      Kirjoitan tänne kun en sulle voi. En vaivaa sua enää koskaan. En ikinä tarkoittanut olla ahdistava tai takertuva. Tunteet heräsi enkä osannut olla tyy
      Ikävä
      82
      1752
    7. Ohhoh! Rita Niemi-Manninen otti ison tatuoinnin - Herätti somekansan: "Täydellinen paikka!"

      Rita Niemi-Mannisen suuri, uusi tatuointi on saanut somekansan heräämään talvihorroksesta. Niemi-Manninen otti tatskan rakkauslomalla Aki-miehensä kan
      Kotimaiset julkkisjuorut
      20
      1695
    8. Ihastumisesta kertominen

      Olen päättänyt kertoa tunteistani ihastukseni kohteelle. Erityisen vaikeaksi tilanteeni tekee se, että kyseessä on ns. kielletty rakkaus. Olen jo toi
      Ihastuminen
      92
      1455
    9. Taas Venäjän tiedoittaja akka Varoitti Suomea ja Ruotsia liittymästä Natoon

      Juuri sopivasti julkaistu varoitus, kun Suomen eduskunta alkaa klo 13:50 käsitellä asiaa suorassa TV 1:n lähetyksessä. ILtasanomat.
      Maailman menoa
      440
      1382
    10. Harvoin julkisuudessa nähty Jari Sillanpää, 56, julkaisi uusia kuvia - Karisti Suomen pölyt jaloista

      Huumekohun jälkeen matalaa profiilia pitänyt Jari "Siltsu" Sillanpää on ollut vaitonainen elämästään. Tänä keväänä miehen some on ollut hiljainen. Nyt
      Kotimaiset julkkisjuorut
      7
      1380
    Aihe