Hinnavaatlus :: Forum

Coolwwwsearch

Amfiibinimene
HV user, joined: 16.12.2001
28.12.2004 14:01:49

I have tried removing it in safe mode with the newest version of Spybot, and System Restore has also been turned off, but it still comes back. What should I do?
last edited by Amfiibinimene 28.12.2004 14:37:36, edited 1 time

Amfiibinimene
HV user, joined: 16.12.2001
28.12.2004 14:15:51

CoolWWWSearch: Data (File, nothing done)
C:\Documents and Settings\teet\Local Settings\Temp\sp.html
CoolWWWSearch: IE Search bar (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar=about:blank
CoolWWWSearch: IE Search bar (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar=about:blank
CoolWWWSearch: IE Search page (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com
CoolWWWSearch: IE Search page (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com
CoolWWWSearch: IE Search URL (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank
CoolWWWSearch: IE Search URL (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank
--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2004-12-15 Includes\Dialer.sbi
2004-12-16 Includes\Hijackers.sbi
2004-12-15 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-12-15 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2004-12-16 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2004-12-15 Includes\Trojans.sbi

Amfiibinimene
HV user, joined: 16.12.2001
28.12.2004 14:52:47

Logfile of HijackThis v1.99.0
Scan saved at 14:52:16, on 28.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\DSB\DSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
C:\Program Files\DSB\direct.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\teet\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {04132961-1C5C-4E0B-AF43-56B06C43F8A6} - C:\WINDOWS\System32\fbfkfja.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe
O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\System32\Indexindicator.exe /check
O4 - HKLM\..\Run: [MEMreaload] C:\Program Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\System32\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\System32\Recalculate.exe /reloadenterpice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Uahe] C:\Documents and Settings\teet\Application Data\autp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093617672968
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://gw.tallinnlv.ee:11082/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E392BD-0AC3-4C29-9051-5D56661FA051}: NameServer = 192.168.0.1,0.0.0.0
O18 - Filter: text/html - {6EF5E526-7BB1-4B29-8441-F3922749E61C} - C:\WINDOWS\System32\fbfkfja.dll
O18 - Filter: text/plain - {6EF5E526-7BB1-4B29-8441-F3922749E61C} - C:\WINDOWS\System32\fbfkfja.dll
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
last edited by Amfiibinimene 28.12.2004 15:53:41, edited 1 time

Amfiibinimene
HV user, joined: 16.12.2001
28.12.2004 14:57:15

What could I delete?

halogen
HV observer, joined: 09.09.2002
28.12.2004 16:16:50

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {04132961-1C5C-4E0B-AF43-56B06C43F8A6} - C:\WINDOWS\System32\fbfkfja.dll : I would put a question mark on this one. If you are not using any browser-based service associated with such a file, delete it.
To remove CoolWebSearch, use CWShredder.

Amfiibinimene
HV user, joined: 16.12.2001
28.12.2004 16:37:35

CWShredder has been used, it doesn't help.

halogen
HV observer, joined: 09.09.2002
28.12.2004 16:51:52

With the newest version?
Also remove the BHOs pointed out earlier.
Restart the computer in safe mode, open Spybot, run the update and start a new scan; also scan repeatedly with CWShredder.

Amfiibinimene
HV user, joined: 16.12.2001
28.12.2004 19:31:28

I did that and got rid of it in safe mode, but after some time it came back again.

HacaX
HV Guru, joined: 22.01.2004
29.12.2004 02:58:52

Boot into safe mode (preferably even under some other user), empty the TEMP directories, don't start any other program but run only CWShredder, "Fix" (or whatever exactly the text there was), then reboot. Then (if it should still come back) make a new log with HJT and post it here.
I'd mention that in the old one these entries were also suspicious:
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E392BD-0AC3-4C29-9051-5D56661FA051}: NameServer = 192.168.0.1,0.0.0.0
O18 - Filter: text/html - {6EF5E526-7BB1-4B29-8441-F3922749E61C} - C:\WINDOWS\System32\fbfkfja.dll
O18 - Filter: text/plain - {6EF5E526-7BB1-4B29-8441-F3922749E61C} - C:\WINDOWS\System32\fbfkfja.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
The first line... if you are not sitting in some internal network where the name server really is 192.168.0.1 (which is entirely possible, but the following 0.0.0.0, which is a non-existent IP, shouldn't really appear in a proper list of DNS servers), then you could fix it. If making backups is switched on, everything that was fixed can also be undone again should any problems appear.
_________________ IMO & GPLed
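
The checks the posters above apply by eye (unnamed BHO, O18 MIME filters, the 0.0.0.0 name server, the O6 policy lock) can be run over a saved HijackThis log as a first-pass triage. This is an added example, not part of the original posts; the sample lines are copied from the log posted earlier in the thread, and treating one module that appears in more than one hook section as noteworthy is a generalization added here. Flagged entries are candidates for review, not a deletion list.

```python
import ipaddress
import re
from collections import defaultdict

# Entries copied from the HijackThis v1.99.0 log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04132961-1C5C-4E0B-AF43-56B06C43F8A6} - C:\WINDOWS\System32\fbfkfja.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E392BD-0AC3-4C29-9051-5D56661FA051}: NameServer = 192.168.0.1,0.0.0.0
O18 - Filter: text/html - {6EF5E526-7BB1-4B29-8441-F3922749E61C} - C:\WINDOWS\System32\fbfkfja.dll
O18 - Filter: text/plain - {6EF5E526-7BB1-4B29-8441-F3922749E61C} - C:\WINDOWS\System32\fbfkfja.dll
"""

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO = re.compile(rf"^BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.+)$")
FILTER = re.compile(rf"^Filter: (?P<mime>\S+) - (?P<clsid>{CLSID}) - (?P<path>.+)$")
NAMESERVER = re.compile(r"NameServer = (?P<servers>.+)$")


def parse(log_text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    modules = defaultdict(set)  # module path (lower-cased) -> sections loading it

    for sec, body in parse(log_text):
        if sec == "O2" and (m := BHO.match(body)):
            modules[m["path"].lower()].add(sec)
            # A BHO that registers no display name, as flagged in the thread.
            if m["name"] == "(no name)":
                findings.append((sec, "unnamed BHO", m["path"]))
        elif sec == "O18" and (m := FILTER.match(body)):
            modules[m["path"].lower()].add(sec)
            # A MIME filter sees every page of that content type in IE.
            findings.append((sec, f"MIME filter on {m['mime']}", m["path"]))
        elif sec == "O17" and (m := NAMESERVER.search(body)):
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    bad = ipaddress.ip_address(server).is_unspecified
                except ValueError:
                    bad = True  # not an IP address at all
                if bad:
                    findings.append(
                        (sec, "unspecified or invalid DNS server", server))
        elif sec == "O6":
            findings.append((sec, "IE settings locked by policy", body))

    # Added generalization: one module hooked in several places.
    for path, secs in sorted(modules.items()):
        if len(secs) > 1:
            label = "+".join(sorted(secs, key=lambda s: int(s[1:])))
            findings.append((label, "same module in several hook sections", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:7} {reason:38} {detail}")
```
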

peosuslik
HV observer, joined: 07.10.2004
30.12.2004 18:55:37

Off topic. I was also in trouble with CWS before, and that fiend has shown itself again.
Can anyone say anything about these dll files? Are they vital, or can I delete them?
#:19 [C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE]
File Path: C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE
ProcessID: 4294497123
Threads: 3
Priority: Normal
File Size: 404 KB
Version: 1.0.0.1
File Version: 1, 0, 0, 1
Product Version: 1, 0, 0, 1
Copyright: Copyright (C) 2003
Company Name: ,
File Description: HiJack MFC Application
Internal Name: System Hijack Scanner
Original Filename: HiJackNT.EXE
Product Name: System Hijack Scanner
Created on: 14.05.03 20:19:48
Last accessed: 30.12.04
Last modified: 14.05.03 20:19:48
System Hijack Scanner Entries:
---------------
R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page=http://www.neti.ee/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, start page_bak=http://www.neti.ee/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (file missing)
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe (file missing)
O4 - Start Up: C:\WINDOWS\Start Menu\Programs\StartUp\SpySubtract.lnk
O5 - control.ini [don't load]: snd.cpl=no
O5 - control.ini [don't load]: joystick.cpl=no
O5 - control.ini [don't load]: midimap.drv=no
O5 - control.ini [don't load]: sticpl.cpl=no
O14 - iereset.inf: MS_START_PAGE_URL="http://www.msn.com"
O14 - iereset.inf: START_PAGE_URL="http://www.msn.com"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\SYSTEM\INETCOMM.DLL
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX (file missing)

HacaX
HV Guru, joined: 22.01.2004
30.12.2004 20:28:08

Your log file is incomplete. Post the whole contents.

peosuslik
HV observer, joined: 07.10.2004
31.12.2004 13:44:42

Running Processes:
-----------------
#:1 [C:\WINDOWS\SYSTEM\KERNEL32.DLL]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4293856875
Threads: 4
Priority: High
File Size: 460 KB
Version: 4.10.0.2222
File Version: 4.10.2222
Product Version: 4.10.2222
Copyright: Copyright (C) Microsoft Corp. 1991-1999
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:37:29
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:2 [C:\WINDOWS\SYSTEM\MSGSRV32.EXE]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4294924087
Threads: 1
Priority: Normal
File Size: 460 KB
Version: 4.10.0.2222
File Version: 4.10.2222
Product Version: 4.10.2222
Copyright: Copyright (C) Microsoft Corp. 1991-1999
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:37:29
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:3 [C:\WINDOWS\SYSTEM\MPREXE.EXE]
File Path: C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID: 4294920775
Threads: 1
Priority: Normal
File Size: 28 KB
Version: 4.10.0.1998
File Version: 4.10.1998
Product Version: 4.10.1998
Copyright: Copyright (C) Microsoft Corp. 1993-1998
Company Name: Microsoft Corporation
File Description: WIN32 Network Interface Service Process
Internal Name: MPREXE
Original Filename: MPREXE.EXE
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:38:48
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:4 [C:\WINDOWS\SYSTEM\mmtask.tsk]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4294942619
Threads: 1
Priority: Normal
File Size: 460 KB
Version: 4.10.0.2222
File Version: 4.10.2222
Product Version: 4.10.2222
Copyright: Copyright (C) Microsoft Corp. 1991-1999
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:37:29
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:5 [C:\WINDOWS\SYSTEM\MSTASK.EXE]
File Path: C:\WINDOWS\SYSTEM\MSTASK.EXE
ProcessID: 4294927651
Threads: 3
Priority: Normal
File Size: 116 KB
Version: 4.71.1959.1
File Version: 4.71.1959.1
Product Version: 4.71.1959.1
Copyright: Copyright (C) Microsoft Corp. 1997
Company Name: Microsoft Corporation
File Description: Task Scheduler Engine
Internal Name: TaskScheduler
Original Filename: mstask.exe
Product Name: Microsoft® Windows® Task Scheduler
Created on: 22.11.04 21:38:50
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:6 [C:\WINDOWS\EXPLORER.EXE]
File Path: C:\WINDOWS\EXPLORER.EXE
ProcessID: 4294962987
Threads: 7
Priority: Normal
File Size: 176 KB
Version: 4.72.3110.1
File Version: 4.72.3110.1
Product Version: 4.72.3110.1
Copyright: Copyright (C) Microsoft Corp. 1981-1997
Company Name: Microsoft Corporation
File Description: Windows Explorer
Internal Name: explorer
Original Filename: EXPLORER.EXE
Product Name: Microsoft(R) Windows NT(R) Operating System
Created on: 22.11.04 21:38:43
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:7 [C:\WINDOWS\SYSTEM\INTERNAT.EXE]
File Path: C:\WINDOWS\SYSTEM\INTERNAT.EXE
ProcessID: 4294774775
Threads: 2
Priority: Normal
File Size: 28 KB
Version: 4.10.0.2222
File Version: 4.10.2222
Product Version: 4.10.2222
Copyright: Copyright (C) Microsoft Corp. 1998
Company Name: Microsoft Corporation
File Description: Keyboard Language Indicator Applet
Internal Name: INTERNAT
Original Filename: INTERNAT.EXE
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:38:46
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:8 [C:\WINDOWS\TASKMON.EXE]
File Path: C:\WINDOWS\TASKMON.EXE
ProcessID: 4294772143
Threads: 2
Priority: Normal
File Size: 28 KB
Version: 4.10.0.1998
File Version: 4.10.1998
Product Version: 4.10.1998
Copyright: Copyright (C) Microsoft Corp. 1998
Company Name: Microsoft Corporation
File Description: Task Monitor
Internal Name: TaskMon
Original Filename: TASKMON.EXE
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:42:08
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:9 [C:\WINDOWS\LOADQM.EXE]
File Path: C:\WINDOWS\LOADQM.EXE
ProcessID: 4294806591
Threads: 4
Priority: Normal
File Size: 7 KB
Version: 5.4.1103.3
File Version: 5.4.1103.3
Product Version: 5.4.1103.3
Copyright: Copyright (C) Microsoft Corp. 1981-1999
Company Name: Microsoft Corporation
File Description: Microsoft QMgr
Internal Name: LOADQM.EXE
Original Filename: LOADQM.EXE
Product Name: QMgr Loader
Created on: 25.03.03 18:20:28
Last accessed: 30.12.04
Last modified: 03.05.00 17:23:10
#:10 [C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE]
File Path: C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
ProcessID: 4294831167
Threads: 3
Priority: Normal
File Size: 148 KB
Version: 0.1.0.1622
File Version: 0.1.0.1622
Product Version: 0.1.0.1622
Copyright: Copyright © RealNetworks, Inc. 1995-2002
Company Name: RealNetworks, Inc.
File Description: RealNetworks Scheduler
Internal Name: schedapp
Original Filename: realsched.exe
Product Name: RealOne Player (32-bit)
Created on: 31.03.03 12:11:12
Last accessed: 30.12.04
Last modified: 31.03.03 12:11:14
#:11 [C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE]
File Path: C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
ProcessID: 4294782127
Threads: 19
Priority: Normal
File Size: 4768 KB
Version: 6.2.0.137
File Version: 6.2.0137
Product Version: Version 6.2
Copyright: Copyright (c) Microsoft Corporation 1997-2004
Company Name: Microsoft Corporation
File Description: MSN Messenger
Internal Name: msnmsgr
Original Filename: msnmsgr.exe
Product Name: MSN Messenger
Created on: 28.05.04 15:22:04
Last accessed: 30.12.04
Last modified: 28.05.04 15:22:04
#:12 [C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE]
File Path: C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
ProcessID: 4294795395
Threads: 9
Priority: Normal
File Size: 1160 KB
Version: 1.0.1.49
File Version: 1, 0, 1, 49
Product Version: 2.60
Copyright: Copyright (c) 2004 InterMute, Inc. All rights reserved.
Company Name: InterMute, Inc.
File Description: SpySubtract Program EXE
Internal Name: SpySub.exe
Original Filename: SpySub.exe
Product Name: SpySubtract
Created on: 25.12.04 17:25:37
Last accessed: 30.12.04
Last modified: 25.12.04 17:25:38
#:13 [C:\WINDOWS\SYSTEM\DDHELP.EXE]
File Path: C:\WINDOWS\SYSTEM\DDHELP.EXE
ProcessID: 4294678075
Threads: 4
Priority: Real Time
File Size: 31 KB
Version: 4.8.1.881
File Version: 4.08.01.0881
Product Version: 4.08.01.0881
Copyright: Copyright © Microsoft Corp. 1994-2001
Company Name: Microsoft Corporation
File Description: Microsoft DirectX Helper
Internal Name: DDHelp.exe
Original Filename: DDHelp.exe
Product Name: Microsoft® DirectX for Windows® 95 and 98
Created on: 24.03.03 19:03:52
Last accessed: 30.12.04
Last modified: 30.10.01 8:10:00
#:14 [C:\WINDOWS\NETDDE.EXE]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4294672903
Threads: 1
Priority: Normal
File Size: 460 KB
Version: 4.10.0.2222
File Version: 4.10.2222
Product Version: 4.10.2222
Copyright: Copyright (C) Microsoft Corp. 1991-1999
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Operating System
Created on: 22.11.04 21:37:29
Last accessed: 30.12.04
Last modified: 23.04.99 22:22:00
#:15 [C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE]
File Path: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
ProcessID: 4294644667
Threads: 5
Priority: Normal
File Size: 59 KB
Version: 5.0.2919.6304
File Version: 5.00.2919.6304
Product Version: 5.00.2919.6304
Copyright: Copyright (C) Microsoft Corp. 1981-1999
Company Name: Microsoft Corporation
File Description: Internet Explorer
Internal Name: iexplore
Original Filename: IEXPLORE.EXE
Product Name: Microsoft(R) Windows (R) 2000 Operating System
Created on: 05.11.99
Last accessed: 30.12.04
Last modified: 05.11.99
#:16 [C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE]
File Path: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
ProcessID: 4294545367
Threads: 7
Priority: Normal
File Size: 59 KB
Version: 5.0.2919.6304
File Version: 5.00.2919.6304
Product Version: 5.00.2919.6304
Copyright: Copyright (C) Microsoft Corp. 1981-1999
Company Name: Microsoft Corporation
File Description: Internet Explorer
Internal Name: iexplore
Original Filename: IEXPLORE.EXE
Product Name: Microsoft(R) Windows (R) 2000 Operating System
Created on: 05.11.99
Last accessed: 30.12.04
Last modified: 05.11.99
#:17 [C:\PROGRAM FILES\WINRAR\WINRAR.EXE]
File Path: C:\PROGRAM FILES\WINRAR\WINRAR.EXE
ProcessID: 4294444679
Threads: 4
Priority: Normal
File Size: 827 KB
Version: 3.42.0.0
File Version: 3.42
Product Version:
Copyright: Copyright © Alexander Roshal 1993-2004
Company Name: Alexander Roshal
File Description: WinRAR archiver
Internal Name: WinRAR
Original Filename: WinRAR.exe
Product Name:
Created on: 29.12.04 21:36:16
Last accessed: 30.12.04
Last modified: 26.12.04 20:33:44
#:18 [C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE]
File Path: C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE
ProcessID: 4294565899
Threads: 2
Priority: Normal
File Size: 404 KB
Version: 1.0.0.1
File Version: 1, 0, 0, 1
Product Version: 1, 0, 0, 1
Copyright: Copyright (C) 2003
Company Name: ,
File Description: HiJack MFC Application
Internal Name: System Hijack Scanner
Original Filename: HiJackNT.EXE
Product Name: System Hijack Scanner
Created on: 14.05.03 20:19:48
Last accessed: 30.12.04
Last modified: 14.05.03 20:19:48
#:19 [C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE]
File Path: C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE
ProcessID: 4294497123
Threads: 3
Priority: Normal
File Size: 404 KB
Version: 1.0.0.1
File Version: 1, 0, 0, 1
Product Version: 1, 0, 0, 1
Copyright: Copyright (C) 2003
Company Name: ,
File Description: HiJack MFC Application
Internal Name: System Hijack Scanner
Original Filename: HiJackNT.EXE
Product Name: System Hijack Scanner
Created on: 14.05.03 20:19:48
Last accessed: 30.12.04
Last modified: 14.05.03 20:19:48
System Hijack Scanner Entries:
---------------
R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page=http://www.neti.ee/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, start page_bak=http://www.neti.ee/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (file missing)
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe (file missing)
O4 - Start Up: C:\WINDOWS\Start Menu\Programs\StartUp\SpySubtract.lnk
O5 - control.ini [don't load]: snd.cpl=no
O5 - control.ini [don't load]: joystick.cpl=no
O5 - control.ini [don't load]: midimap.drv=no
O5 - control.ini [don't load]: sticpl.cpl=no
O14 - iereset.inf: MS_START_PAGE_URL="http://www.msn.com"
O14 - iereset.inf: START_PAGE_URL="http://www.msn.com"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\SYSTEM\INETCOMM.DLL
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX (file missing)

HacaX
HV Guru, joined: 22.01.2004
31.12.2004 14:05:01

Which version of HijackThis are you using anyway (or is this actually Bulletproof's Hijack)? In general everything seems to be OK, although I don't recall HJT ever showing entries like these...

peosuslik
HV observer, joined: 07.10.2004
31.12.2004 14:48:32

Yes, it's the Bulletproof log.
Aren't those dll files some kind of malware?

HacaX
HV Guru, joined: 22.01.2004
31.12.2004 14:54:32

They shouldn't be. *But* you are using the wrong program (well OK, copying the log file structure isn't as bad as stealing SpyBot's database (which Bulletproof does), but it's still a pretty lame move). Get HijackThis 1.99.0 and post its log.

peosuslik
HV observer, joined: 07.10.2004
31.12.2004 15:38:02

HijackThis doesn't show anything.
At the moment everything seems to be fine again too, but I'm sure that on New Year's morning I can say hello to CWS again. The swine is still hiding somewhere.
Logfile of HijackThis v1.99.0
Scan saved at 14:33:39, on 31.12.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\JMC\JMC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.neti.ee/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

HacaX
HV Guru
joined: 22.01.2004
31.12.2004 15:47:50

It's fine, yes.
EDIT: here is what the problem should be - HJT uses a list of known "OK" items, which is why it doesn't show those DLLs at all (since they are OK). Another dig at Bulletproof (it takes HJT's already dangerous approach one small step further).
EDIT2: it's not nice to promote oneself, but if you keep using IE you could take a look here: https://foorum.hinnavaatlus.ee/viewtopic.php?t=93622
_________________ IMO & GPLed

Amfiibinimene
HV user
joined: 16.12.2001
01.02.2005 13:35:35

I looked again at the computer this was originally about, and coolwww is back again. I can get rid of it with the hijacker, but it comes back after about 10-15 minutes.

HacaX
HV Guru
joined: 22.01.2004
01.02.2005 14:04:59

Is System Restore turned off? Have you tried cleaning from another account? Have you run immunize with SpywareBlaster and SpyBot?
_________________ IMO & GPLed

Amfiibinimene
HV user
joined: 16.12.2001
01.02.2005 17:06:37

System Restore is off, of course. I have only used SpyBot (immunize done). It somehow comes back under different names. I did it from the admin account.

Amfiibinimene
HV user
joined: 16.12.2001
01.02.2005 17:56:00

Logfile of HijackThis v1.99.0
Scan saved at 16:53:26, on 1.02.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\teet\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [MEMreaload] C:\Program Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\System32\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\System32\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LSAS] C:\WINDOWS\System32\LSAS.exe /check
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: portal.hot.ee
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093617672968
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://gw.tallinnlv.ee:11082/activex/AxisCamControl.cab
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
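
The later posts describe entries that are removed and then come back under different names between scans. As an added example (not part of any post in this thread, and not HijackThis's own code), the Python script below parses the O4 autostart lines of two HijackThis v1.99 logs and lists the entries that appear only in the later scan; both sample scans and every name in them are constructed placeholders.

```python
import re

# Constructed sample scans in the HijackThis v1.99 line format; every entry
# name and path below is a made-up placeholder, not taken from the thread.
BEFORE_SCAN = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - Global Startup: Example Office.lnk = C:\Program Files\Example\osa.exe
"""
AFTER_SCAN = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [ExampleTray] C:\PROGRAM FILES\EXAMPLE\TRAY.EXE
O4 - HKLM\..\Run: [ExampleNew] C:\WINDOWS\System32\example-new.exe /check
O4 - Global Startup: Example Office.lnk = C:\Program Files\Example\osa.exe
"""

# Any result line: "<section code> - <rest>", e.g. "O4 - HKLM\..\Run: [x] y"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
# O4 registry autorun: "<hive>\..\<key>: [<name>] <command>"
O4_REG_RE = re.compile(r"^(?P<where>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 startup-folder shortcut: "Startup: <link> = <target>" (or "Global Startup")
O4_LNK_RE = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")


def parse_autoruns(log_text):
    """Return the set of (location, name, command) tuples from all O4 lines."""
    found = set()
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry or entry.group("code") != "O4":
            continue  # header, process list, or another section (R1, O2, ...)
        rest = entry.group("rest")
        hit = O4_REG_RE.match(rest) or O4_LNK_RE.match(rest)
        if hit:
            found.add((hit.group("where"), hit.group("name"), hit.group("cmd")))
    return found


def new_autoruns(before_log, after_log):
    """Autoruns present only in the later scan (compared case-insensitively)."""
    def key(entry):
        return tuple(part.lower() for part in entry)
    seen = {key(e) for e in parse_autoruns(before_log)}
    return sorted(e for e in parse_autoruns(after_log) if key(e) not in seen)


if __name__ == "__main__":
    for where, name, cmd in new_autoruns(BEFORE_SCAN, AFTER_SCAN):
        print(f"new autorun in {where}: [{name}] {cmd}")
```

An entry that is new in the later scan is only a candidate for review; the comparison says nothing about whether it is legitimate.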