My computer got a virus... Backdoor.Win32.Frauder.eo, something like that, and now it needs to be removed fast. F-Secure does remove it, but the problem doesn't go away :/ So I made the logs with HijackThis. Looks like this! Edit: HJT log updated. Malwarebytes log
1. Download Combofix.exe to your desktop from one of these links: Combofix1 Combofix2
2. Double-click the Combofix.exe file and follow the instructions.
3. When the tool has finished, it produces a log. Post that log in your thread.

Note! Don't click around in the ComboFix window while it is running. That may cause the program to hang.
The log from ComboFix:

ComboFix 08-09-16.05 - nico 2008-09-19 8:25:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1035.18.2630 [GMT 3:00]
Sijainti: F:\Mozilla lataukset\ComboFix.exe
* Uusi palautuspiste luotu
* Resident AV is active

VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Antivirus XP 2008\Uninstall.lnk
.

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-08-19 to 2008-09-19 )))))))))))))))))
.

2008-09-18 22:55 . 2008-09-18 22:55 0 --a------ C:\WINDOWS\system32\17.tmp
2008-09-18 22:43 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-18 22:43 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-17 17:47 . 2008-09-17 17:47 <KANSIO> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-09-17 17:45 . 2008-09-17 17:45 <KANSIO> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-09-15 10:02 . 2008-09-15 10:02 <KANSIO> d-------- C:\WINDOWS\system32\js
2008-09-15 10:02 . 2008-09-15 10:02 <KANSIO> d-------- C:\WINDOWS\system32\images
2008-09-15 10:02 . 2008-09-15 10:02 <KANSIO> d-------- C:\WINDOWS\system32\html
2008-09-15 10:02 . 2008-09-15 10:02 <KANSIO> d-------- C:\WINDOWS\system32\css
2008-09-15 10:02 . 2008-09-15 10:02 <KANSIO> d-------- C:\Program Files\Business Objects
2008-09-15 10:02 . 2008-09-15 10:02 177 --a------ C:\WINDOWS\ODBC.INI
2008-09-15 09:59 . 2008-09-15 09:59 <KANSIO> d-------- C:\Program Files\MSXML 6.0
2008-09-15 09:57 . 2008-09-17 17:47 <KANSIO> d-------- C:\Program Files\Microsoft SQL Server
2008-09-15 09:57 . 2008-09-15 09:57 <KANSIO> d-------- C:\Program Files\Microsoft Device Emulator
2008-09-15 09:55 . 2008-09-15 09:56 <KANSIO> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-09-15 09:55 . 2008-09-15 09:55 <KANSIO> d-------- C:\Program Files\Microsoft Synchronization Services
2008-09-15 09:55 . 2008-09-15 09:55 <KANSIO> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-09-15 09:49 . 2008-09-15 09:49 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-09-15 09:44 . 2008-09-15 09:44 <KANSIO> d-------- C:\WINDOWS\symbols
2008-09-15 09:42 . 2008-09-15 10:00 <KANSIO> d-------- C:\Program Files\Microsoft.NET
2008-09-15 09:42 . 2008-09-15 09:42 <KANSIO> d-------- C:\Program Files\Microsoft SDKs
2008-09-15 09:42 . 2008-09-15 09:45 <KANSIO> d-------- C:\Program Files\HTML Help Workshop
2008-09-15 09:42 . 2008-09-15 09:49 <KANSIO> d-------- C:\Program Files\Common Files\Merge Modules
2008-09-15 09:42 . 2008-09-15 09:42 <KANSIO> d-------- C:\Program Files\CE Remote Tools
2008-09-15 09:41 . 2008-09-15 09:41 <KANSIO> d-------- C:\Program Files\Microsoft Web Designer Tools
2008-09-15 09:41 . 2008-09-15 09:41 <KANSIO> dr-h----- C:\MSOCache
2008-09-15 09:40 . 2008-09-17 17:48 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-15 09:39 . 2008-09-15 09:39 <KANSIO> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-15 09:39 . 2008-09-15 09:39 <KANSIO> d-------- C:\Program Files\Reference Assemblies
2008-09-15 09:39 . 2008-09-15 09:45 <KANSIO> d-------- C:\Program Files\MSBuild
2008-09-15 09:39 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-07 01:50 . 2008-09-07 01:56 <KANSIO> d-------- C:\Documents and Settings\nico\Application Data\Sony
2008-09-07 01:50 . 2008-09-07 01:50 <KANSIO> d-------- C:\Documents and Settings\nico\Application Data\Publish Providers
2008-09-07 01:49 . 2008-09-07 01:49 <KANSIO> d-------- C:\Program Files\Vstplugins
2008-09-07 01:49 . 2008-09-07 01:49 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-08-24 21:26 . 2008-08-24 21:26 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-24 21:24 . 2008-08-24 21:24 <KANSIO> d-------- C:\WINDOWS\nview
2008-08-24 21:24 . 2008-05-16 11:48 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-24 21:24 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-24 21:24 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-24 21:24 . 2008-09-19 08:20 1,710 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-24 21:07 . 2008-09-15 15:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-24 21:07 . 2008-08-24 21:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-24 20:32 . 2008-08-24 20:32 <KANSIO> d-------- C:\Program Files\Nvidia Omega Drivers
2008-08-24 20:32 . 2007-12-05 08:41 5,611,520 --a------ C:\WINDOWS\system32\nvdispsr.dll
2008-08-24 20:32 . 2007-12-05 08:41 3,715,072 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2008-08-24 20:32 . 2007-12-05 08:41 3,334,144 --a------ C:\WINDOWS\system32\nvgamesr.dll
2008-08-24 20:32 . 2007-12-05 08:41 2,854,912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2008-08-24 20:32 . 2007-12-05 08:41 2,519,040 --a------ C:\WINDOWS\system32\nvwssr.dll
2008-08-24 20:32 . 2008-05-16 14:01 1,241,088 --a------ C:\WINDOWS\system32\nvcuda.dll
2008-08-24 20:32 . 2008-08-24 20:32 472,576 --a------ C:\WINDOWS\Nvidia Omega Drivers v2.169.21 Uninstall.exe
2008-08-24 20:32 . 2007-12-05 08:41 458,752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2008-08-23 17:50 . 2008-08-23 17:50 315 --a------ C:\WINDOWS\doom3.ini
.

(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-09-18 20:33 --------- d-----w C:\Program Files\XoftSpySE
2008-09-18 19:43 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 16:12 --------- d-----w C:\Documents and Settings\nico\Application Data\uTorrent
2008-09-07 19:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 22:49 --------- d-----w C:\Program Files\Vstplugins
2008-09-06 21:17 --------- d-----w C:\Documents and Settings\nico\Application Data\dvdcss
2008-09-06 20:17 --------- d-----w C:\Documents and Settings\nico\Application Data\Ahead
2008-08-26 03:42 --------- d-----w C:\Program Files\uTorrent
2008-08-24 18:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-08-13 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-13 17:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-12 18:16 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-08-11 11:37 --------- d-----w C:\Documents and Settings\nico\Application Data\Bioshock
2008-08-09 19:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-09 19:04 --------- d-----w C:\Documents and Settings\nico\Application Data\AdobeUM
2008-08-08 13:14 --------- d-----w C:\Program Files\CyberLink
2008-08-08 13:14 --------- d-----w C:\Program Files\Common Files\CyberLink
2008-08-08 13:14 --------- d-----w C:\Documents and Settings\nico\Application Data\CyberLink
2008-08-08 13:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-08-08 13:12 29,480 ----a-w C:\WINDOWS\system32\msxml3a.dll
2008-08-05 14:40 --------- d-----w C:\Documents and Settings\nico\Application Data\U3
2008-08-02 09:39 --------- d-----w C:\Program Files\RevConnect
2008-08-01 13:53 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-08-01 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-07-29 19:51 --------- d-----w C:\Documents and Settings\nico\Application Data\BSplayer Pro
2008-07-24 17:09 --------- d-----w C:\Documents and Settings\nico\Application Data\Nokia
2008-07-21 14:50 --------- d-----w C:\Program Files\Microsoft DirectX SDK (June 2008)
2008-07-21 14:46 140,296 ----a-w C:\WINDOWS\dxsdkuninst.exe
2008-07-21 12:59 --------- d-----w C:\Documents and Settings\nico\Application Data\Microsoft Games
2008-07-18 19:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 19:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 19:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 19:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 19:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 19:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 19:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 19:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 19:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 19:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:28 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:44 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:47 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-01-05 12:46 22,328 ----a-w C:\Documents and Settings\nico\Application Data\PnkBstrK.sys
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"ABIT uGuruIII"="C:\Program Files\U-ABIT\abitEQ\ABITEQ.exe" [2007-02-01 421888]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Logitech SetPoint Event Manager (UNICODE)"="C:\Program Files\Logitech\SetPoint\SetPoint.exe" [2005-08-04 528384]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2004-09-09 118832]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-12-27 81920]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 36352]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [2004-03-31 823296]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"ToniArts EasyCleaner"="C:\Program Files\ToniArts\EasyCleaner\EasyClea.exe" [2004-06-20 2107392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 C:\WINDOWS\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-06 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 F:\basa\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Pelit\\krysis\\Bin32\\Crysis.exe"=
"F:\\Pelit\\krysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"F:\\Valve\\Steam\\SteamApps\\solitaryman\\counter-strike\\hl.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18821:TCP"= 18821:TCP:BitComet 18821 TCP
"18821:UDP"= 18821:UDP:BitComet 18821 UDP

R0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 137216]
R0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 5248]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2004-11-10 68752]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07 61424]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2008-01-05 16423]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 48720]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2004-09-10 48688]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 16048]
R3 ABIT-IO;ABIT-IO;C:\Program Files\U-ABIT\abitEQ\ABIT-IO.sys [2005-12-08 4608]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;F:\Visual studio 2008\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 3004416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
'Ajoitetut tehtävät'-kansion sisältö
.
.
------- Täydentävä tarkistus -------
.
FireFox -: Profile - C:\Documents and Settings\nico\Application Data\Mozilla\Firefox\Profiles\eastrbin.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.fi/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 08:32:07
Windows 5.1.2600 Service Pack 3 NTFS

tarkistaa piilotettuja prosesseja ...
tarkistaa piilotettuja käynnistysarvoja ...
tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- Prosesseihin ladatut DLLt ---------------------

PROSESSI: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINDOWS\system32\nl_msgc.dll
.
Valmistumisajankohta: 2008-09-19 8:35:12
ComboFix-quarantined-files.txt 2008-09-19 05:34:57

Pre-Run: 6,249,672,704 tavua vapaana
Post-Run: 6,363,115,520 tavua vapaana

232 --- E O F --- 2008-09-17 14:48:29
Update Malwarebytes' Anti-Malware and run a full scan.

===============

Scan with HJT, check these and press Fix checked:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
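The helper above picks out an orphaned BHO ("(no file)") and a few Run entries by eye; the HJT log posted later in the thread also carries "(file missing)" services and services with an unknown vendor. The following is an added Python example, not part of the thread and not HijackThis's own code, that parses lines of that shape and flags the same three things. The sample lines are constructed from the logs quoted in this thread, and the flagging rules (orphan, unnamed, bare-name Run target, unknown vendor) are my own triage assumptions, not HijackThis categories.

```python
"""Triage HijackThis (HJT) log lines: flag entries whose target file is gone,
entries with no display name, O4 Run targets given without a path, and
O23 services with an unknown vendor. Assumed rules, not HJT's own logic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HJT output quoted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

LINE_RE = re.compile(r"^(?P<section>O\d+|R[0-3]|F\d)\s+-\s+(?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str
    name: str
    target: str
    vendor: Optional[str] = None


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into section, display name and target (file or command)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        # O4 - <hive>\..\Run: [<name>] <command line>
        m4 = O4_RE.match(body)
        return Entry(section, m4.group("name"), m4.group("cmd")) if m4 else None
    # O2/O3/O9: "<kind>: <name> - {CLSID} - <file>"; O23: "Service: <name> - <vendor> - <path>"
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) < 2:
        return None
    name = parts[0].split(":", 1)[-1].strip()
    vendor = parts[1] if section == "O23" and len(parts) >= 3 else None
    return Entry(section, name, parts[-1], vendor)


def first_token(cmd: str) -> str:
    """Executable part of an O4 command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(text: str) -> List[Finding]:
    """Apply the assumed triage rules to every parseable line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if any(mk in e.target for mk in MISSING_MARKERS):
            findings.append(Finding(e, "orphan"))          # points at a file that is gone
        if e.name in ("", "(no name)"):
            findings.append(Finding(e, "unnamed"))
        if e.section == "O4" and not re.match(r"^[A-Za-z]:\\|^%", first_token(e.target)):
            findings.append(Finding(e, "bare-name"))       # resolved via search path at logon
        if e.section == "O23" and e.vendor == "Unknown owner":
            findings.append(Finding(e, "unknown-vendor"))
    return findings


def count_by_reason(findings: List[Finding]) -> dict:
    out: dict = {}
    for f in findings:
        out[f.reason] = out.get(f.reason, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.reason:14} {f.entry.section:4} {f.entry.name} -> {f.entry.target}")
```

An entry that is only "bare-name" or "unknown-vendor" is a review prompt, not a verdict; "orphan" entries are the ones the helper had fixed because nothing is left on disk for them to load.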
Done! What about that ComboFix log? Did it look fine, or does something need changing... Malwarebytes is updated, now just running a full scan. That'll take a while >.< Thanks for the info so far. Edit: Malwarebytes log. So it's clean! Finally... Although F-Secure complained again that it found some new viiiirus... I removed it from the computer. A bug called Backdoor.Win32.Frauder.fb. Last time it was the same crap but with a different ending, then it was ....eo. Where do so many of these come from now? Edit2: And that latest virus was in c:\system volume information.... somewhere, I didn't write down the exact path where it was, but at least it's off the computer now.
It was probably there in c:\system volume information...restore
1. Click Start > right-click My Computer
2. Choose Properties
3. Choose the System Restore tab
4. Tick the box ¤ Turn off System Restore on all drives
5. Press Apply
6. Press OK
7. Shut down and restart
8. Untick ¤ Turn off System Restore on all drives
9. Apply and OK
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:26, on 19.9.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\basa\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\Pelit\Ruff-Rose\TRose.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
F:\Pelit\Ruff-Rose\TRose.exe
C:\Program Files\Common Files\Logitech\WebColct\WebColct.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ToniArts EasyCleaner] "C:\Program Files\ToniArts\EasyCleaner\EasyClea.exe" -s -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\abitEQ\ABITEQ.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199472822777
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199522309406
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 11172 bytes
Let's run eScan next. The instructions are on this page: http://koti.mbnet.fi/pattaya1/escanmwav.htm
Download from here: http://www.spywareinfo.dk/download/mwav.exe
Update from here: http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat
Set the ticks as marked in this picture: http://koti.mbnet.fi/pattaya1/eScan6.jpg
Scan. If anything shows up in the lower pane, copy it like this: select everything with Ctrl+A, copy the lines with Ctrl+C, paste the lines with Ctrl+V. Post the virus log here.
File C:\Documents and Settings\nico\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\nico\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File F:\Mozilla lataukset\mirc617.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.617. No Action Taken.
File F:\Mozilla lataukset\setup(2).exe tagged as not-a-virus:FraudTool.Win32.AntiSpyware.c. No Action Taken.
File F:\Valve\addons\amxmodx\modules\sqlite_amxx.dll tagged as not-a-virus:AdWare.Win32.Beginto.l. No Action Taken.
File F:\Valve\Uusi kansio\addons\amxmodx\modules\sqlite_amxx.dll tagged as not-a-virus:AdWare.Win32.Beginto.l. No Action Taken.
File F:\Vastaanotetut tiedostot\mirc612.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.612. No Action Taken.

Here it is.