Slow + vgaopenl.dll

frontdoor

At startup a RUNDLL window opens, complaining about invalid code in c:\windows\system32:vgopen.dll.

Startup is slow in general, too. The log is below.

Logfile of HijackThis v1.98.2
Scan saved at 17:36:46, on 18.10.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\fswsclds.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\mwsvm.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nthjdjdudmeqbiqymq.com/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPFNwJNJmPVubAZ9OGCDvK7i.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pccocvdhwcwudszz.net/F0pTWyyOrP50Ope39cCuujSk5srEyg67zpV/cylgUIg.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll (file missing)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {BAF783E7-EBF1-B83A-63DD-D546986B38A5} - C:\PROGRA~1\ELSEPI~1\Nurb Htm.exe (file missing)
O2 - BHO: C:\WINDOWS\lbbho.dll - {C49140E4-7B98-4FEC-B41D-74AE53C4DF35} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {E1347641-762F-BC62-35E4-CEA05CBEA069} - C:\PROGRA~1\ELSEPI~1\Close Long.exe (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [vgopenl] rundll32 C:\WINDOWS\system32:vgopenl.dll,Init 1
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe"
O4 - HKLM\..\Run: [pwmzewvg] C:\WINDOWS\pzjumb.exe
O4 - HKLM\..\Run: [77656191.exe] C:\WINDOWS\System32\77656191.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [cOH7G] C:\WINDOWS\opvcK3BkS.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [kpwt] C:\WINDOWS\kpwt.exe
O4 - HKLM\..\Run: [axis love heck bind] C:\Documents and Settings\All Users\Application Data\dupe bolt axis love\showmath.exe
O4 - HKLM\..\Run: [MATH BARB MAPI ROAM] C:\Documents and Settings\All Users\Application Data\Nurb 64 math barb\poproam.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [safeknob] C:\DOCUME~1\Ipe\APPLIC~1\EXITSA~1\flaw program.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093583573921
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

    Replies

      • Juu

        I had a feeling that you were slaving away at that log, so I didn't even start looking at it.


      • Juu wrote:

        I had a feeling that you were slaving away at that log, so I didn't even start looking at it.

        Ever thought about a career as a clairvoyant? :D


      • frontdoor

        Ad-aware was run and the machine rebooted just before the log was taken. I'll try that other one as soon as I get to my home computer, and then I'll post a new log. Thanks for the advice. Let's see what happens.


      • frontdoor

        Here is the new log, taken after Ad-aware and that other one:

        Logfile of HijackThis v1.98.2
        Scan saved at 17:44:50, on 19.10.2004
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
        C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
        C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
        C:\Program Files\F-Secure Internet Security\fswsclds.exe
        C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
        C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\igfxtray.exe
        C:\WINDOWS\System32\hkcmd.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Ahead\InCD\InCD.exe
        C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe
        C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        C:\WINDOWS\mwsvm.exe
        C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
        C:\Program Files\Messenger Plus! 3\MsgPlus.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
        C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\WinZip\WZQKPICK.EXE


      • frontdoor

        It seems the whole log didn't make it into the previous post, so:
        Logfile of HijackThis v1.98.2
        Scan saved at 17:48:28, on 19.10.2004
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
        C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
        C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
        C:\Program Files\F-Secure Internet Security\fswsclds.exe
        C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
        C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\igfxtray.exe
        C:\WINDOWS\System32\hkcmd.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Ahead\InCD\InCD.exe
        C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe
        C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        C:\WINDOWS\mwsvm.exe
        C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
        C:\Program Files\Messenger Plus! 3\MsgPlus.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
        C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\WinZip\WZQKPICK.EXE
        c:\progra~1\intern~1\iexplore.exe
        c:\progra~1\intern~1\iexplore.exe
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
        C:\Program Files\Netscape\Netscape\Netscp.exe
        C:\Hijack\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vckqrodhsiplxbqgwewhzmzz.info/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPEYwzgkd7ujDQZ9OGCDvK7i.asp
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pccocvdhwcwudszz.net/F0pTWyyOrP50Ope39cCuujSk5srEyg67zpV/cylgUIg.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
        R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84} - (no file)
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
        R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll (file missing)
        R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
        R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84 - (no file)
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
        F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
        N3 - Netscape 7: user_pref("browser.startup.homepage", "http://fi.trendmicro-europe.com/consumer/products/housecall_pre.php"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
        N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
        O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
        O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
        O2 - BHO: (no name) - {BAF783E7-EBF1-B83A-63DD-D546986B38A5} - C:\PROGRA~1\ELSEPI~1\Nurb Htm.exe (file missing)
        O2 - BHO: C:\WINDOWS\lbbho.dll - {C49140E4-7B98-4FEC-B41D-74AE53C4DF35} - C:\WINDOWS\lbbho.dll
        O2 - BHO: (no name) - {E1347641-762F-BC62-35E4-CEA05CBEA069} - C:\PROGRA~1\ELSEPI~1\Close Long.exe (file missing)
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
        O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
        O4 - HKLM\..\Run: [vgopenl] rundll32 C:\WINDOWS\system32:vgopenl.dll,Init 1
        O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe"
        O4 - HKLM\..\Run: [pwmzewvg] C:\WINDOWS\pzjumb.exe
        O4 - HKLM\..\Run: [77656191.exe] C:\WINDOWS\System32\77656191.exe
        O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
        O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
        O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
        O4 - HKLM\..\Run: [cOH7G] C:\WINDOWS\opvcK3BkS.exe
        O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
        O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
        O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
        O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
        O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
        O4 - HKLM\..\Run: [kpwt] C:\WINDOWS\kpwt.exe
        O4 - HKLM\..\Run: [axis love heck bind] C:\Documents and Settings\All Users\Application Data\dupe bolt axis love\showmath.exe
        O4 - HKLM\..\Run: [MATH BARB MAPI ROAM] C:\Documents and Settings\All Users\Application Data\Nurb 64 math barb\poproam.exe
        O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
        O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
        O4 - HKCU\..\Run: [safeknob] C:\DOCUME~1\Ipe\APPLIC~1\EXITSA~1\flaw program.exe
        O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
        O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
        O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
        O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
        O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
        O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
        O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093583573921
        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
        O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
        O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
        O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab


      • frontdoor wrote:

        It seems the whole log didn't make it into the previous post, so:
        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
        O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
        O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093583573921
        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
        O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
        O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
        O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

        The list is being worked on


      • frontdoor wrote:

        It seems the whole log didn't make it into the previous post, so:
        Logfile of HijackThis v1.98.2
        Scan saved at 17:48:28, on 19.10.2004
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
        C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
        C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
        C:\Program Files\F-Secure Internet Security\fswsclds.exe
        C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
        C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\igfxtray.exe
        C:\WINDOWS\System32\hkcmd.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Ahead\InCD\InCD.exe
        C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe
        C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        C:\WINDOWS\mwsvm.exe
        C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
        C:\Program Files\Messenger Plus! 3\MsgPlus.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
        C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\WinZip\WZQKPICK.EXE
        c:\progra~1\intern~1\iexplore.exe
        c:\progra~1\intern~1\iexplore.exe
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
        C:\Program Files\Netscape\Netscape\Netscp.exe
        C:\Hijack\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vckqrodhsiplxbqgwewhzmzz.info/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPEYwzgkd7ujDQZ9OGCDvK7i.asp
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pccocvdhwcwudszz.net/F0pTWyyOrP50Ope39cCuujSk5srEyg67zpV/cylgUIg.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
        R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84} - (no file)
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
        R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll (file missing)
        R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
        R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84 - (no file)
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
        F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
        N3 - Netscape 7: user_pref("browser.startup.homepage", "http://fi.trendmicro-europe.com/consumer/products/housecall_pre.php"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
        N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
        O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
        O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
        O2 - BHO: (no name) - {BAF783E7-EBF1-B83A-63DD-D546986B38A5} - C:\PROGRA~1\ELSEPI~1\Nurb Htm.exe (file missing)
        O2 - BHO: C:\WINDOWS\lbbho.dll - {C49140E4-7B98-4FEC-B41D-74AE53C4DF35} - C:\WINDOWS\lbbho.dll
        O2 - BHO: (no name) - {E1347641-762F-BC62-35E4-CEA05CBEA069} - C:\PROGRA~1\ELSEPI~1\Close Long.exe (file missing)
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
        O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
        O4 - HKLM\..\Run: [vgopenl] rundll32 C:\WINDOWS\system32:vgopenl.dll,Init 1
        O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe"
        O4 - HKLM\..\Run: [pwmzewvg] C:\WINDOWS\pzjumb.exe
        O4 - HKLM\..\Run: [77656191.exe] C:\WINDOWS\System32\77656191.exe
        O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
        O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
        O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
        O4 - HKLM\..\Run: [cOH7G] C:\WINDOWS\opvcK3BkS.exe
        O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
        O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
        O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
        O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
        O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
        O4 - HKLM\..\Run: [kpwt] C:\WINDOWS\kpwt.exe
        O4 - HKLM\..\Run: [axis love heck bind] C:\Documents and Settings\All Users\Application Data\dupe bolt axis love\showmath.exe
        O4 - HKLM\..\Run: [MATH BARB MAPI ROAM] C:\Documents and Settings\All Users\Application Data\Nurb 64 math barb\poproam.exe
        O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
        O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
        O4 - HKCU\..\Run: [safeknob] C:\DOCUME~1\Ipe\APPLIC~1\EXITSA~1\flaw program.exe
        O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
        O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
        O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
        O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
        O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
        O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
        O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093583573921
        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
        O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
        O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
        O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

        Download LSP-Fix from the link, install it on the desktop, open the program, click I know what I'm doing, click osmim.dll in the left pane, move it to the right pane with the arrow button and click Finish. Use XP's Search function and delete osmim.dll.
        http://cexx.org/lspfix.htm

        Uninstall in Add/Remove Programs
        Messenger Plus! 3
        You get malware with it

        Make hidden files visible; instructions here
        http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

        End these processes in Task Manager
        C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
        C:\WINDOWS\mwsvm.exe

        Close the browser and other windows, tick these entries and press FIX
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vckqrodhsiplxbqgwewhzmzz.info/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPEYwzgkd7ujDQZ9OGCDvK7i.asp
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pccocvdhwcwudszz.net/F0pTWyyOrP50Ope39cCuujSk5srEyg67zpV/cylgUIg.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
        R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84} - (no file)
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
        R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll (file missing)
        R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
        R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84 - (no file)
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
        O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
        O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
        O2 - BHO: (no name) - {BAF783E7-EBF1-B83A-63DD-D546986B38A5} - C:\PROGRA~1\ELSEPI~1\Nurb Htm.exe (file missing)
        O2 - BHO: C:\WINDOWS\lbbho.dll - {C49140E4-7B98-4FEC-B41D-74AE53C4DF35} - C:\WINDOWS\lbbho.dll
        O2 - BHO: (no name) - {E1347641-762F-BC62-35E4-CEA05CBEA069} - C:\PROGRA~1\ELSEPI~1\Close Long.exe (file missing)
        O4 - HKLM\..\Run: [vgopenl] rundll32 C:\WINDOWS\system32:vgopenl.dll,Init 1
        O4 - HKLM\..\Run: [pwmzewvg] C:\WINDOWS\pzjumb.exe
        O4 - HKLM\..\Run: [77656191.exe] C:\WINDOWS\System32\77656191.exe
        O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
        O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
        O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
        O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
        O4 - HKLM\..\Run: [cOH7G] C:\WINDOWS\opvcK3BkS.exe
        O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
        O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
        O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
        O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
        O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
        O4 - HKLM\..\Run: [kpwt] C:\WINDOWS\kpwt.exe
        O4 - HKLM\..\Run: [axis love heck bind] C:\Documents and Settings\All Users\Application Data\dupe bolt axis love\showmath.exe
        O4 - HKLM\..\Run: [MATH BARB MAPI ROAM] C:\Documents and Settings\All Users\Application Data\Nurb 64 math barb\poproam.exe
        O4 - HKCU\..\Run: [safeknob] C:\DOCUME~1\Ipe\APPLIC~1\EXITSA~1\flaw program.exe
        O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
        O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
        O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
        O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
        O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

        Boot into Safe Mode, then find and delete if present
        C:\WINDOWS\---this---lbbho.dll
        C:\WINDOWS\---this---system32:vgopenl.dll,Init 1 (Note: do not delete the System 32 folder)
        C:\WINDOWS\---this---pzjumb.exe
        C:\WINDOWS\System32\---this---77656191.exe
        C:\PROGRA~1\COMETS~1\---this---DM\bin\dmserver.exe /onreboot
        C:\WINDOWS\---this---Belt.exe
        C:\Program Files\---this---Orbit\update.exe
        C:\WINDOWS\---this---opvcK3BkS.exe
        C:\WINDOWS\---this---mwsvm.exe
        C:\WINDOWS\---this---fash.exe
        C:\Program Files\---this---websx\int114844.exe-auto
        C:\WINDOWS\---this---aqadcup.exe
        C:\Program Files\---this---Messenger3\MsgPlus.exe
        C:\WINDOWS\---this---kpwt.exe
        C:\Documents and Settings\All Users\Application Data\---this---dupe bolt axis love\showmath.exe
        C:\Documents and Settings\All Users\Application Data\---this---Nurb 64 math barb\poproam.exe
        C:\DOCUME~1\Ipe\APPLIC~1\---this---EXITSA~1\flaw program.exe
        That's it for starters :)

        Then boot normally and post a new log
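
In the `[vgopenl]` Run entry listed above, the colon after `system32` is NTFS alternate-data-stream syntax: the DLL is a stream attached to the `system32` directory rather than a file inside it, so a search by file name does not list it. The Python sketch below is an added example, not part of the original thread or of HijackThis; it parses O4 Run lines and reports autoruns whose loaded module is a stream. The sample lines are copied from the log in this thread, while the function names and the executable-path heuristic are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [vgopenl] rundll32 C:\WINDOWS\system32:vgopenl.dll,Init 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pwmzewvg] C:\WINDOWS\pzjumb.exe
O4 - HKLM\..\Run: [axis love heck bind] C:\Documents and Settings\All Users\Application Data\dupe bolt axis love\showmath.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""


class RunEntry(NamedTuple):
    hive: str      # HKLM or HKCU
    name: str      # registry value name shown in [brackets]
    command: str   # command line stored in the value


class Finding(NamedTuple):
    name: str      # Run value name
    host: str      # file or directory the stream is attached to
    stream: str    # stream name
    export: str    # rundll32 entry point, "" for plain executables


O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(?:Run\w*): \[(.*?)\] (.+)$")
RUNDLL = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.I)
# Heuristic (assumption): an unquoted executable path ends at the first ".exe",
# optionally followed by ":stream", and is followed by whitespace or end of line.
EXE = re.compile(r'^(.+?\.exe(?::[^\s\\/:"]+)?)(?=\s|$)', re.I)


def parse_o4_run(line: str) -> Optional[RunEntry]:
    """Parse one 'O4 - HKxx\\..\\Run: [name] command' line; None for other lines."""
    m = O4_RUN.match(line.strip())
    return RunEntry(m.group(1), m.group(2), m.group(3)) if m else None


def loaded_module(command: str) -> Tuple[Optional[str], str]:
    """Return (module path, export). For rundll32 the module is the DLL argument."""
    m = RUNDLL.match(command)
    if m:
        dll, _, tail = m.group(1).partition(",")
        parts = tail.split()
        return dll.strip().strip('"'), (parts[0] if parts else "")
    m = re.match(r'^"([^"]+)"', command) or EXE.match(command)
    return (m.group(1), "") if m else (None, "")


def split_ads(path: str) -> Optional[Tuple[str, str]]:
    """Split 'host:stream' into (host, stream); None if the path names no stream."""
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path  # skip drive colon
    if ":" not in rest:
        return None
    host_tail, _, stream = rest.partition(":")
    host = path[: len(path) - len(rest)] + host_tail
    return host, stream.split(":")[0]  # drop an optional ':$DATA' type suffix


def find_stream_autoruns(log: str) -> List[Finding]:
    """Report Run entries whose loaded module is an alternate data stream."""
    hits = []
    for raw in log.splitlines():
        entry = parse_o4_run(raw)
        if entry is None:
            continue
        module, export = loaded_module(entry.command)
        ads = split_ads(module) if module else None
        if ads:
            hits.append(Finding(entry.name, ads[0], ads[1], export))
    return hits


if __name__ == "__main__":
    for hit in find_stream_autoruns(SAMPLE_LOG):
        print(f"[{hit.name}] stream '{hit.stream}' on {hit.host} (export {hit.export})")
```
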


      • frontdoor

        Thanks already at this stage. I'll carry out those steps as soon as I get the kids to sleep. With a teenager who chats online and a 12-year-old boy who plays games online in the family, all kinds of junk seems to pile up on the computer.


      • frontdoor

        This is what it looks like now:

        Logfile of HijackThis v1.98.2
        Scan saved at 7:20:55, on 20.10.2004
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
        C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
        C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
        C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
        C:\Program Files\F-Secure Internet Security\fswsclds.exe
        C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
        C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
        C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
        C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\igfxtray.exe
        C:\WINDOWS\System32\hkcmd.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
        C:\Program Files\Ahead\InCD\InCD.exe
        C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
        C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
        C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        C:\Program Files\WinZip\WZQKPICK.EXE
        C:\Hijack\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oyrgptwrskxunywozw.com/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPGOkjmZY423gQZ9OGCDvK7i.htm
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
        F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
        N3 - Netscape 7: user_pref("browser.startup.homepage", "http://fi.trendmicro-europe.com/consumer/products/housecall_pre.php"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
        N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Ipe\Application Data\Mozilla\Profiles\default\3r080lp2.slt\prefs.js)
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
        O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
        O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\TeleWell\TW-EA100B ADSL USB\CnxDslTb.exe"
        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
        O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
        O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
        O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
        O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
        O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
        O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
        O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
        O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093583573921
        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
        O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab


      • frontdoor wrote:

        Now it looks like this:

        That already looks a lot better :D Just a little polishing left.
        Fix this one as well

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oyrgptwrskxunywozw.com/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPGOkjmZY423gQZ9OGCDvK7i.htm

        If you don't recognize those addresses, add them to the list as well
        O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
        O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

        Empty the TEMP folders

        Get at least SpywareBlaster from the link (unless you already have it); there is a lot of other useful stuff there too.
        http://koti.mbnet.fi/pattaya1/

        If/when the machine is working normally, you should also follow these instructions
        http://support.f-secure.fi/fin/home/virusproblem/howtoclean/cleansystemrestore.shtml
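
The triage in the reply above (fix the R1 Search Bar entry, then review the O16 entries whose addresses the owner does not recognise), as an added example that is not part of the original posts. The function name and the `RECOGNISED_HOSTS` set are assumptions made for illustration; the sample lines are copied from the log quoted in this thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oyrgptwrskxunywozw.com/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPGOkjmZY423gQZ9OGCDvK7i.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093583573921
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
"""

# Assumption: the hosts on the lines the helper did not single out count as
# "recognised". On a real machine the owner supplies this set.
RECOGNISED_HOSTS = {
    "www.soneraplaza.fi",
    "messenger.zone.msn.com",
    "v5.windowsupdate.microsoft.com",
}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# R0/R1: "<registry key>,<value name> = <data>" (data may be empty)
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = ?(?P<data>.*)$")
# O16: "DPF: {CLSID} (<control name>) - <download URL>"
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<data>\S+)$"
)


def unrecognised_entries(log_text, recognised_hosts):
    """Return (code, name, host) for R0/R1 and O16 entries whose http(s) URL
    points at a host outside recognised_hosts. Other sections are skipped."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue
        code, body = entry["code"], entry["body"]
        if code in ("R0", "R1"):
            detail = REG_RE.match(body)
        elif code == "O16":
            detail = DPF_RE.match(body)
        else:
            continue
        if not detail:
            continue
        url = detail["data"].strip()
        if not url.lower().startswith(("http://", "https://")):
            continue  # empty value, proxy host:port, folder name, ...
        host = urlsplit(url).hostname or ""
        if host not in recognised_hosts:
            findings.append((code, detail["name"], host))
    return findings


if __name__ == "__main__":
    for code, name, host in unrecognised_entries(SAMPLE_LOG, RECOGNISED_HOSTS):
        print(f"{code:<4}{name:<20}{host}")
```

With this allowlist the result is the same four lines the reply singles out; a listed host only means "unrecognised", so each one still needs the owner's judgement before it is fixed in HijackThis.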


      • frontdoor
        HJT wrote:

        That already looks a lot better :D Just a little polishing left.
        Fix this one as well

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oyrgptwrskxunywozw.com/F0pTWyyOrP6qgKv3q2XO6cAArw5VewUE8cM9NCHXbPGOkjmZY423gQZ9OGCDvK7i.htm

        If you don't recognize those addresses, add them to the list as well
        O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
        O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

        Empty the TEMP folders

        Get at least SpywareBlaster from the link (unless you already have it); there is a lot of other useful stuff there too.
        http://koti.mbnet.fi/pattaya1/

        If/when the machine is working normally, you should also follow these instructions
        http://support.f-secure.fi/fin/home/virusproblem/howtoclean/cleansystemrestore.shtml

        Thanks for the help. It looks like the orcs are under control now. The machine works well, but startup is still fairly slow. It became slow when I installed SP2 and F-Secure's antivirus. How much does, for example, that antivirus program starting up generally affect startup speed?


      • frontdoor wrote:

        Thanks for the help. It looks like the orcs are under control now. The machine works well, but startup is still fairly slow. It became slow when I installed SP2 and F-Secure's antivirus. How much does, for example, that antivirus program starting up generally affect startup speed?

        It does have an effect, and F-Secure is a fairly heavy program to run, but I suppose it is effective too.


    • Fox

      Good thing your nickname isn't backdoor...
      The guys (Juu, HJT, Juggis) are probably taking a break, so while you wait, try the automatic analysis:
      http://www.hijackthis.de/
      You do have quite a lot to clean up, probably because of that Messenger Plus.
      If nobody shows up over the course of the evening, I can post some lines to remove as an example.
      Another forum is http://www.virustorjunta.net
      Infected machines get cleaned up there too.
      We'll get back to this.

      • frondoor

        Yeah, not backdoor at least. frontdoor felt a bit more discreet than the backdoor plaguing my machine.

        Hopefully I'll finally get to tinker with the machine in the late evening hours...

