AntiVir complains about a virus, and the virus/trojan will not go away.

Discussion in 'Viruses and malware - HijackThis logs' started by Truecorb, Aug 9, 2008.

  1. Truecorb

    So, Avira AntiVir complains about a virus every time the computer starts. The virus just will not go away even though I have run Avast, AntiVir, Ad-Aware and Spybot. Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:42:01, on 9.8.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    H:\AVG Anti-Spyware 7.5\avgas.exe
    H:\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
    H:\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\mIRC\mirc.exe
    G:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C66D64E-332E-4F75-93CF-852191373937} - C:\WINDOWS\system32\ljJYRHAQ.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: {831adef8-94f1-dc09-0b74-d3280d6b0e4d} - {d4e0b6d0-823d-47b0-90cd-1f498feda138} - C:\WINDOWS\system32\mkyhbs.dll (file missing)
    O2 - BHO: (no name) - {dae2bb1d-be98-4436-8b22-ad47b82b8e57} - (no file)
    O2 - BHO: (no name) - {EF8820EB-F11E-4DD6-BC6C-D99084691C18} - C:\WINDOWS\system32\vtUmNHAQ.dll (file missing)
    O2 - BHO: (no name) - {F55853E3-2B80-4FE4-B5F9-AD21B09B7484} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "H:\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BMf3e6c5a5] Rundll32.exe "C:\WINDOWS\system32\hydcmrvt.dll",s
    O4 - HKLM\..\Run: [TrojanScanner] G:\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [f0d5f639] rundll32.exe "C:\WINDOWS\system32\tcxfcptc.dll",b
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214727598906
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: vtUmNHAQ - vtUmNHAQ.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 8475 bytes
     
  2. kalminen

    I did not spot a firewall on your computer.
    Installations should be done with Administrator credentials.
    Install ONE firewall program on your computer NOW:

    1) ZoneAlarm
    2) Agnitum
    3) Sunbelt/Kerio
    4) Comodo

    If you use the built-in Windows firewall, it is not recommended, because it does not block outbound connections from the computer.
    Remember to use only one firewall at a time.


    -----------------------------------------------------------------------------

    Go to the Windows Control Panel and from there to Add/Remove Programs
    (in Vista: Programs and Features).
    Find and remove the program whose name contains:


    AntiVir PersonalEdition
    Trojan Remover


    Boot the computer into safe mode => GUIDE
    Make hidden files visible => in safe mode GUIDE

    Delete the folder(s):
    G:\Trojan Remover\
    C:\Program Files\Avira\

    *********************************************************

    1. Start Spybot-S&D in Advanced mode
    2. If it is not in Advanced mode, go to the Mode menu and select Advanced mode
    3. Click Tools on the left
    4. Click Resident in the list
    5. Uncheck "Resident TeaTimer" and press OK.
    6. Restart the computer.

    --------------------------------------------------------------------------

    Download Malwarebytes' Anti-Malware to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, the program will download and install the latest version.
    * Once the program has loaded, select Perform full scan and click Scan.
    * When the scan is complete, click OK and then Show Results to view the results.
    * Make sure that everything is checked and click Remove Selected.
    * After this the log will open in Notepad. Save it somewhere you can find it easily. The log can also be found
    here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Post the contents of the log in your next message + a new HJT log.

    ------------------------------------------------------------------

    Updating Java and clearing the cache:

    Download JavaRa and extract it to your desktop.

    ***Close all open Internet Explorer windows before continuing!***

    * Double-click JavaRa.exe to start the program.
    * Choose English from the drop-down menu to select English as the language and click Select.
    * Click Remove Older Versions to remove old Java versions from your computer.
    * Click Yes when prompted. When JavaRa is finished, it reports that a log file has been created. Click OK.
    * The log file opens. Post its contents in your next message.

    4. Install the latest Java update from the following link:

    http://java.sun.com/javase/downloads/index.jsp

    Scroll down to Java Runtime Environment (JRE) 6 Update 7

    Press Download

    Set Platform to Windows

    Tick I agree to the Java SE Runtime Environment 6 License Agreement and press Continue

    Under Windows Offline Installation, click jre-6u4-windows-i586-p.exe

    Save the file, for example to the desktop, and install it.

    5. Restart the computer after the installation.

    6. After the restart, go back to the Control Panel and open your Java settings (Other Control Panel Options -> Java coffee cup).

    7. On the General tab click Settings. Drag the slider (Disk Space) to a smaller value.

    (Some Java-based programs may need more disk space.
    If you notice slowness on the computer after reducing the setting, move the slider to a larger value.)

    8. Click the Delete Files button. Make sure that both options are checked:

    * Applications and Applets

    * Trace and Log Files

    And press the OK button.
    Note: This removes all downloaded applications and applets from the CACHE.

    9. Click OK in your "Temporary Files Settings" window.

    10. Update tab: untick Check for Updates automatically

    Select Never check

    11. Click Apply and OK to leave your Java settings window.

    -----------------------------------------

    Empty the recycle bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, just before posting)
    * Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  3. Truecorb

    Malwarebytes' Anti-Malware 1.24
    Tietokantaversio: 1012
    Windows 5.1.2600 Service Pack 3

    19:16:52 9.8.2008
    mbam-log-8-9-2008 (19-16-48).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|E:\|F:\|G:\|H:\|)
    Tarkistetut kohteet: 120163
    Kulunut aika: 1 hour(s), 29 minute(s), 26 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 7
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 4

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d4e0b6d0-823d-47b0-90cd-1f498feda138} (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{d4e0b6d0-823d-47b0-90cd-1f498feda138} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f146c9b1-vmvq-a9rc-nufl-d0ba00b4e999} (Trojan.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    C:\WINDOWS\system32\mkyhbs.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\BMf3e6c5a5.xml (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\BMf3e6c5a5.txt (Trojan.Vundo) -> No action taken.
    C:\Program Files\Services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:49:33, on 9.8.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    H:\AVG Anti-Spyware 7.5\avgas.exe
    H:\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    G:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C66D64E-332E-4F75-93CF-852191373937} - C:\WINDOWS\system32\ljJYRHAQ.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {dae2bb1d-be98-4436-8b22-ad47b82b8e57} - (no file)
    O2 - BHO: (no name) - {EF8820EB-F11E-4DD6-BC6C-D99084691C18} - C:\WINDOWS\system32\vtUmNHAQ.dll (file missing)
    O2 - BHO: (no name) - {F55853E3-2B80-4FE4-B5F9-AD21B09B7484} - (no file)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214727598906
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: vtUmNHAQ - vtUmNHAQ.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 7663 bytes

    Edit: The firewall is the Buffalo router's own firewall, so as far as I know it does not show up in these.
     
    Last edited: Aug 9, 2008
  4. Truecorb

    Malwarebytes' Anti-Malware 1.24
    Tietokantaversio: 1012
    Windows 5.1.2600 Service Pack 3

    19:17:01 9.8.2008
    mbam-log-8-9-2008 (19-17-01).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|E:\|F:\|G:\|H:\|)
    Tarkistetut kohteet: 120163
    Kulunut aika: 1 hour(s), 29 minute(s), 26 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 7
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 4

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d4e0b6d0-823d-47b0-90cd-1f498feda138} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d4e0b6d0-823d-47b0-90cd-1f498feda138} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f146c9b1-vmvq-a9rc-nufl-d0ba00b4e999} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    C:\WINDOWS\system32\mkyhbs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMf3e6c5a5.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMf3e6c5a5.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\Services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  5. kalminen

    Well, the Buffalo firewall certainly did not keep the nasties out!!!

    1. Download combofix.exe to your desktop from either of these links:
    combofix.exe
    combofix.exe


    Open Notepad and copy/paste the contents of the Quote: box into it:

    Save it as CFScript (in fact ComboFix recognizes it even if the file extension is not
    even .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Do not click)

    [IMG]

    Note! Do not click on the ComboFix window while it is running. This may cause the program to hang.
    Restart the computer if asked to, and post the contents of the combofix.txt file here.

    -----------------------------------------------------------------

    Close your browser and other programs for the duration of the fix. (not the antivirus)
    Start HijackThis, run Scan, tick the following files listed in red and remove them (Fix checked).

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
    O20 - Winlogon Notify: vtUmNHAQ - vtUmNHAQ.dll (file missing)


    Empty the recycle bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, just before posting)
    * The (C:\ComboFix.txt) report
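A check for the fix step above, as an added example that is not part of the original thread: it parses HijackThis entry lines, confirms that the entries marked for fixing are gone from a later log, and lists entries that still point to a missing file. The function names are made up for this example, and the sample logs are abridged excerpts of the logs posted in this thread.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ". Header, process-list and footer lines do not match.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")
# HijackThis appends one of these markers when the registry entry's target is absent.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)$")


def parse_entries(log_text):
    """Return {key: entry_text} for every entry line, in log order.

    The key is (section, whitespace- and case-normalized body) so that
    RUNDLL32.EXE vs rundll32.exe is not reported as a change.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.group(1), m.group(2)
            entries[(section, " ".join(body.split()).lower())] = f"{section} - {body}"
    return entries


def removed_between(before, after):
    """Entries present in the earlier log and absent from the later one."""
    later = parse_entries(after)
    return [text for key, text in parse_entries(before).items() if key not in later]


def unfixed(fix_list, after):
    """Entries from the helper's fix list that still appear in the later log."""
    later = parse_entries(after)
    return [text for key, text in parse_entries(fix_list).items() if key in later]


def orphans(log_text):
    """Entries whose target file no longer exists (leftover registry references)."""
    return [t for t in parse_entries(log_text).values() if ORPHAN_RE.search(t)]


# Abridged excerpt of the 19:49:33 log from this thread (before the fix).
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C66D64E-332E-4F75-93CF-852191373937} - C:\WINDOWS\system32\ljJYRHAQ.dll (file missing)
O2 - BHO: (no name) - {dae2bb1d-be98-4436-8b22-ad47b82b8e57} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O20 - Winlogon Notify: vtUmNHAQ - vtUmNHAQ.dll (file missing)
"""

# Abridged excerpt of the 22:43:16 log from this thread (after the fix).
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

# The four entries the helper asked to fix in the post above.
FIX_LIST = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O20 - Winlogon Notify: vtUmNHAQ - vtUmNHAQ.dll (file missing)
"""

if __name__ == "__main__":
    print("Removed since previous log:")
    for entry in removed_between(BEFORE, AFTER):
        print("  ", entry)
    print("Fix-list entries still present:", unfixed(FIX_LIST, AFTER) or "none")
    print("Entries still pointing at a missing file:")
    for entry in orphans(AFTER):
        print("  ", entry)
```
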
     
  6. Truecorb

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:43:16, on 9.8.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    H:\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    G:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214727598906
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 6779 bytes

    ------------------------------------------------------------------

    ComboFix 08-08-08.08 - ÖSY 2008-08-09 22:09:22.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1035.18.1549 [GMT 3:00]
    Running from: C:\Documents and Settings\ÖSY\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\ÖSY\Työpöytä\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ctpcfxct.ini
    C:\WINDOWS\system32\kpfoslfy.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\QAHRYJjl.ini
    C:\WINDOWS\system32\QAHRYJjl.ini2

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-07-09 to 2008-08-09 )))))))))))))))))
    .

    2008-08-09 20:41 . 2008-06-25 05:54 <KANSIO> d--h----- C:\Documents and Settings\Muut\Verkkoympäristö
    2008-08-09 20:41 . 2008-08-09 20:44 <KANSIO> d-------- C:\Documents and Settings\Muut\Työpöytä
    2008-08-09 20:41 . 2008-06-25 05:54 <KANSIO> d--h----- C:\Documents and Settings\Muut\Tulostinympäristö
    2008-08-09 20:41 . 2008-08-09 20:41 <KANSIO> dr------- C:\Documents and Settings\Muut\Suosikit
    2008-08-09 20:41 . 2008-08-09 20:41 <KANSIO> dr------- C:\Documents and Settings\Muut\Omat tiedostot
    2008-08-09 20:41 . 2008-06-25 22:06 <KANSIO> d--h----- C:\Documents and Settings\Muut\Mallit
    2008-08-09 20:41 . 2008-06-25 05:54 <KANSIO> dr------- C:\Documents and Settings\Muut\Käynnistä-valikko
    2008-08-09 20:41 . 2008-08-09 20:41 <KANSIO> d-------- C:\Documents and Settings\Muut\Application Data\Grisoft
    2008-08-09 20:41 . 2008-08-09 20:41 <KANSIO> d-------- C:\Documents and Settings\Muut
    2008-08-09 19:21 . 2008-08-09 19:21 <KANSIO> d-------- C:\Program Files\Java
    2008-08-09 19:21 . 2008-08-09 19:21 <KANSIO> d-------- C:\Program Files\Common Files\Java
    2008-08-09 19:21 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-08-09 17:44 . 2008-08-09 17:44 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-09 17:44 . 2008-08-09 17:44 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-09 17:44 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-09 17:44 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-09 17:20 . 2008-08-09 17:20 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja
    2008-08-09 13:35 . 2008-08-09 13:35 80,384 --a------ C:\WINDOWS\system32\tcxfcptc.VIR000
    2008-08-09 13:32 . 2008-08-09 13:32 2,048 --a------ C:\WINDOWS\system32\nbxtregj.exe
    2008-08-09 13:29 . 2008-08-09 13:29 96,768 --a------ C:\WINDOWS\system32\mkyhbs.VIR
    2008-08-08 14:53 . 2008-08-08 14:53 2,048 --a------ C:\WINDOWS\system32\eogxtgtr.exe
    2008-08-06 21:58 . 2008-08-06 21:58 2,048 --a------ C:\WINDOWS\system32\qwhsnbri.exe
    2008-08-05 21:52 . 2008-08-05 21:52 2,048 --a------ C:\WINDOWS\system32\ainchtoo.exe
    2008-08-02 01:17 . 2008-08-09 13:01 205 --a------ C:\WINDOWS\wininit.ini
    2008-08-01 22:40 . 2008-08-01 22:40 <KANSIO> d-------- C:\Documents and Settings\LocalService\Omat tiedostot
    2008-08-01 21:37 . 2008-08-01 21:37 <KANSIO> d-------- C:\Program Files\QuickTime
    2008-08-01 21:37 . 2008-08-01 21:37 <KANSIO> d-------- C:\Program Files\iPod
    2008-08-01 21:37 . 2008-08-01 21:37 <KANSIO> d-------- C:\Program Files\Bonjour
    2008-08-01 21:37 . 2008-08-01 21:37 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-08-01 21:36 . 2008-08-01 21:36 <KANSIO> d-------- C:\Program Files\Common Files\Apple
    2008-08-01 21:36 . 2008-08-01 21:36 <KANSIO> d-------- C:\Program Files\Apple Software Update
    2008-08-01 21:36 . 2008-08-01 21:36 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-07-31 12:49 . 2008-08-09 19:29 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-31 12:49 . 2008-07-31 12:49 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-07-31 12:49 . 2007-05-30 15:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-07-30 17:24 . 2008-07-26 12:48 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-07-30 17:24 . 2008-07-26 12:48 18,335 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-07-30 17:23 . 2008-07-30 17:23 <KANSIO> d-------- C:\NVIDIA
    2008-07-29 00:10 . 2008-07-29 00:10 <KANSIO> d-------- C:\Program Files\SystemRequirementsLab
    2008-07-23 00:01 . 2008-07-23 00:01 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-07-19 16:38 . 2008-07-19 16:38 <KANSIO> d-------- C:\Program Files\Windows Media Connect 2
    2008-07-19 16:37 . 2008-07-19 16:38 <KANSIO> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-07-19 14:17 . 2008-07-26 12:48 195,235 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-07-19 13:10 . 2007-11-14 16:18 553 --a------ C:\WINDOWS\USetup.iss
    2008-07-18 19:51 . 2008-07-18 20:24 <KANSIO> d-------- C:\Temp
    2008-07-18 19:51 . 2008-03-27 18:52 2,097,152 --a------ C:\Temp\autorun.bin
    2008-07-18 19:51 . 2008-01-08 18:43 769,536 --a------ C:\Temp\SFDNWIN.exe
    2008-07-17 23:42 . 2008-07-23 15:24 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2008-07-17 23:42 . 2008-08-09 21:18 186,117 --a------ C:\WINDOWS\system32\nvapps.xml
    2008-07-17 23:18 . 2008-07-17 23:19 <KANSIO> d-------- C:\WINDOWS\NV40562324.TMP
    2008-07-17 20:49 . 2008-07-17 20:50 <KANSIO> d-------- C:\Program Files\SpywareBlaster
    2008-07-17 20:49 . 2008-08-09 14:33 <KANSIO> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-17 20:49 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
    2008-07-17 20:49 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-07-17 13:39 . 2008-07-18 11:51 <KANSIO> d-------- C:\Program Files\Yahoo!
    2008-07-17 13:38 . 2008-07-17 13:39 <KANSIO> d-------- C:\Program Files\CCleaner
    2008-07-17 13:19 . 2008-07-17 13:19 <KANSIO> d-------- C:\Program Files\PowerQuest
    2008-07-17 13:17 . 2008-07-17 13:38 <KANSIO> d-------- C:\seka
    2008-07-17 12:54 . 2008-07-17 12:54 <KANSIO> d-------- C:\Program Files\mediaplayer
    2008-07-17 12:50 . 2008-07-17 12:50 <KANSIO> d-------- C:\Program Files\ffdshow
    2008-07-17 12:50 . 2006-10-02 13:44 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2008-07-17 12:50 . 2006-08-05 12:06 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
    2008-07-16 19:10 . 2008-07-18 11:50 <KANSIO> d-------- C:\Program Files\WhatPulse
    2008-07-16 15:24 . 2008-07-22 16:07 <KANSIO> d-------- C:\bittorrent lataukset
    2008-07-16 15:15 . 2008-07-16 15:15 <KANSIO> d-------- C:\Program Files\DNA
    2008-07-16 15:15 . 2008-07-16 15:15 <KANSIO> d-------- C:\Program Files\BitTorrent
    2008-07-15 19:40 . 2008-07-15 19:40 <KANSIO> d-------- C:\Program Files\Creative
    2008-07-15 19:40 . 2008-07-16 13:31 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Creative
    2008-07-15 19:40 . 2000-05-22 16:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
    2008-07-15 19:40 . 2006-10-06 14:17 53,248 --------- C:\WINDOWS\Ctregrun.exe
    2008-07-15 19:40 . 1999-12-13 09:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
    2008-07-15 19:40 . 1999-11-18 09:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
    2008-07-14 21:40 . 2008-08-01 22:53 <KANSIO> d-------- C:\Program Files\DC++
    2008-07-14 19:51 . 2008-04-13 21:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
    2008-07-12 22:10 . 2008-04-13 21:45 26,112 --a------ C:\WINDOWS\system32\drivers\usbser.sys
    2008-07-12 22:10 . 2008-04-13 21:45 26,112 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
    2008-07-12 22:10 . 2008-07-12 22:10 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2008-07-12 22:10 . 2008-07-12 22:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
    2008-07-12 22:08 . 2008-07-12 22:08 <KANSIO> d-------- C:\Program Files\PC Connectivity Solution
    2008-07-12 22:08 . 2008-07-12 22:08 <KANSIO> d-------- C:\Program Files\Nokia
    2008-07-12 22:08 . 2008-07-12 22:08 <KANSIO> d-------- C:\Program Files\DIFX
    2008-07-12 22:08 . 2008-07-12 22:08 <KANSIO> d-------- C:\Program Files\Common Files\PCSuite
    2008-07-12 22:08 . 2008-07-12 22:08 <KANSIO> d-------- C:\Program Files\Common Files\Nokia
    2008-07-12 22:08 . 2008-08-05 21:21 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-07-12 22:08 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
    2008-07-12 22:08 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2008-07-12 22:08 . 2008-05-07 07:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2008-07-12 22:08 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
    2008-07-12 22:08 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
    2008-07-12 22:08 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
    2008-07-12 22:08 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
    2008-07-12 22:08 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
    2008-07-12 22:03 . 2008-07-12 22:03 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Installations
    2008-07-12 17:22 . 2008-07-12 17:26 <KANSIO> d-------- C:\Program Files\Windows Live
    2008-07-12 17:22 . 2008-07-12 17:23 <KANSIO> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-07-12 17:22 . 2008-07-12 17:22 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-09 17:54 --------- d-----w C:\Program Files\SpeedFan
    2008-08-09 17:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
    2008-08-09 11:33 --------- d-----w C:\Program Files\mIRC
    2008-08-09 09:51 --------- d-----w C:\Program Files\TuneUp Utilities 2008
    2008-08-01 19:33 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-08-01 19:30 109,249 ----a-w C:\Program Files\MSWINSCK.OCX
    2008-08-01 19:16 --------- d-----w C:\Program Files\Steam
    2008-07-26 09:48 6,097,536 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-07-19 10:09 --------- d-----w C:\Program Files\Realtek
    2008-07-18 08:52 --------- d-----w C:\Program Files\COMODO
    2008-07-15 16:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-07 15:13 --------- d-----w C:\Program Files\Activision
    2008-07-04 19:54 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-04 19:06 --------- d-----w C:\Program Files\PokerStars
    2008-07-03 15:03 4,745,216 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2008-07-03 14:51 16,876,032 ----a-w C:\WINDOWS\RTHDCPL.exe
    2008-06-30 20:19 --------- d-----w C:\Program Files\Alwil Software
    2008-06-28 10:28 --------- d-----w C:\Program Files\Winamp
    2008-06-27 20:53 --------- d-----w C:\Program Files\VentriloMIX
    2008-06-27 08:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-27 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2008-06-26 17:38 --------- d-----w C:\Program Files\Driver Cleaner Pro
    2008-06-26 15:16 --------- d-----w C:\Program Files\Futuremark
    2008-06-25 23:21 --------- d-----w C:\Program Files\PC Wizard 2008
    2008-06-25 22:59 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
    2008-06-25 22:59 --------- d-----w C:\Program Files\NVIDIA Corporation
    2008-06-25 20:49 --------- d-----w C:\Program Files\GameSpy
    2008-06-25 20:38 --------- d-----w C:\Program Files\Electronic Arts
    2008-06-25 19:49 21,504 ----a-w C:\WINDOWS\jestertb.dll
    2008-06-25 19:38 --------- d-----w C:\Program Files\Marvell
    2008-06-25 19:38 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-25 19:37 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-25 19:36 --------- d-----w C:\Program Files\Intel
    2008-06-25 19:09 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-25 18:15 --------- d-----w C:\Program Files\U-ABIT
    2008-06-25 15:58 --------- d-----w C:\Program Files\GetRight
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-19 14:42 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe
    2008-06-19 14:27 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe
    2008-06-19 14:20 57,344 ----a-w C:\WINDOWS\Alcmtr.exe
    2008-06-18 16:01 77,824 ----a-w C:\WINDOWS\SoundMan.exe
    2008-06-14 17:34 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:12 15360]
    "CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 14:20 401408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-07-26 12:48 13570048]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-07-26 12:48 86016]
    "!AVG Anti-Spyware"="H:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25 6731312]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-03 17:51 16876032 C:\WINDOWS\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2008-07-26 12:48 1657376 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:12 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "H:\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 17:35]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 17:37]
    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 19:12]
    S3 ABIT-IO;ABIT-IO;C:\Program Files\U-ABIT\abitEQ\ABIT-IO.sys [2005-12-08 14:53]
    S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-09 12:51]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    'Ajoitetut tehtävät'-kansion sisältö

    2008-08-09 C:\WINDOWS\Tasks\1-Click Maintenance.job
    - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

    2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0C66D64E-332E-4F75-93CF-852191373937} - C:\WINDOWS\system32\ljJYRHAQ.dll
    BHO-{EF8820EB-F11E-4DD6-BC6C-D99084691C18} - C:\WINDOWS\system32\vtUmNHAQ.dll
    ShellExecuteHooks-{EF8820EB-F11E-4DD6-BC6C-D99084691C18} - C:\WINDOWS\system32\vtUmNHAQ.dll
    Notify-vtUmNHAQ - vtUmNHAQ.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-09 22:17:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-09 22:18:38 - machine was rebooted [ÖSY]
    ComboFix-quarantined-files.txt 2008-08-09 19:18:36

    Pre-Run: 32,998,223,872 tavua vapaana
    Post-Run: 32,928,440,320 tavua vapaana

    244 --- E O F --- 2008-07-20 08:44:44
     
  7. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    Avast has stopped running,
    reinstall it!!!

    ---------------------------------------------------

    Also remove this one with HJT:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    -----------------------------------------------------

    In the Run field of the Windows Start menu, type ComboFix.exe /u and press OK.
    *************************************************************
    ******************************************
    Start Malwarebytes, open the Quarantine tab and empty out the junk.
    **********************************************************

    You can switch Spybot back to active mode again.

    Test whether the machine now works OK.
    .
     
