Tässä tämä. Kiitos kaikille etukäteen. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:54:09, on 15.2.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe C:\PROGRA~1\LAUNCH~1\LManager.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe C:\Program Files\AdsGone\AdsGone.exe C:\Program Files\MagicDisc\MagicDisc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Program Files\uTorrent\utorrent.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://wwwmail.joensuu.fi/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit R3 - Default URLSearchHook is missing O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\AdsGone.exe O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe O4 - Startup: OneNote 2007 -näyttöleikkeet ja Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe -- End of file - 10993 bytes
1.Lataa combofix.exe työpöydällesi yhdestä linkistä: combofix1 combofix2 2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia. 3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi. Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.
ComboFix 08-02-16.2 - Hannu 2008-02-16 16:13:47.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.612 [GMT 2:00] Running from: C:\Documents and Settings\Hannu Helander\Työpöytä\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . (((((((((((((((((((((((((((((((((((((( Muut poistot )))))))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\Documents and Settings\Hannu Helander\Application Data\macromedia\Flash Player\#SharedObjects\EXVFC5WJ\www.broadcaster.com C:\Documents and Settings\Hannu Helander\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Hannu Helander\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\WINDOWS\hosts C:\WINDOWS\system32\driver C:\WINDOWS\system32\driver\bcm43xx.cat C:\WINDOWS\system32\driver\RNDISMP.sys C:\WINDOWS\system32\driver\RNDISMPK.sys C:\WINDOWS\system32\driver\usb8023.sys C:\WINDOWS\system32\driver\usb8023k.sys C:\WINDOWS\system32\drivers\core.cache.dsk . . . . poisto epäonnistui C:\WINDOWS\system32\lsprst7.dll C:\WINDOWS\system32\prsgrc.dll C:\WINDOWS\system32\drivers\core.cache.dsk . . . . poisto epäonnistui ----- BITS: Possible infected sites ----- hxxp://sync.avustaja.sonera.fi . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_NM -------\LEGACY_NPF -------\nm -------\NPF ((((( Tiedostot, jotka on luotu seuraavalla aikav„lill„: 2008-01-16 to 2008-02-16 ))))))))))))))))) . 2008-02-15 19:02 . 2008-02-15 19:02 <KANSIO> d-------- C:\WINDOWS\system32\regdacl 2008-02-15 19:02 . 2008-02-15 19:02 <KANSIO> d-------- C:\_backupD 2008-02-15 19:02 . 2008-02-15 17:48 280,286 --a------ C:\win32delfkil.exe 2008-02-15 19:02 . 2008-02-15 19:02 90,112 --a------ C:\WINDOWS\system32\regdacl.exe 2008-02-15 19:02 . 2008-02-15 19:02 53,248 --a------ C:\WINDOWS\system32\process.exe 2008-02-15 19:02 . 2008-02-15 19:02 16,384 --a------ C:\WINDOWS\system32\restart.exe 2008-02-15 19:02 . 2008-02-15 19:02 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2008-02-15 17:53 . 2008-02-15 17:53 <KANSIO> d-------- C:\Program Files\Trend Micro 2008-02-12 21:57 . 2008-02-12 21:57 <KANSIO> d-------- C:\Program Files\Common Files\SupportSoft 2008-02-10 14:07 . 2008-02-10 14:07 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus! 2008-02-09 12:15 . 2008-02-09 12:20 <KANSIO> d-------- C:\Program Files\Porrasturvat - Stair Dismount 2008-02-08 22:49 . 2008-02-11 20:46 <KANSIO> d-------- C:\Program Files\AdsGone 2008-02-08 22:49 . 2004-03-09 00:00 260,880 --a------ C:\WINDOWS\system32\MSFLXGRD.OCX 2008-02-08 22:49 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX 2008-02-08 22:49 . 2008-02-16 16:01 84 --a------ C:\WINDOWS\WinNetOptimize98ag.cfg 2008-02-08 21:15 . 2008-02-08 21:08 691,545 --a------ C:\WINDOWS\unins000.exe 2008-02-08 21:15 . 2008-02-08 21:15 3,458 --a------ C:\WINDOWS\unins000.dat 2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx 2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts 2008-01-25 19:15 . 2008-01-25 19:15 <KANSIO> d-------- C:\illusion 2008-01-16 07:43 . 2008-01-16 07:43 <KANSIO> d-------- C:\Documents and Settings\LocalService\K„ynnist„-valikko . (((((((((((((((((((((((((((((((((((( Find3M-raportti )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-15 15:57 --------- d-----w C:\Documents and Settings\Hannu Helander\Application Data\uTorrent 2008-02-14 15:36 --------- d-----w C:\Program Files\Bonjour 2008-02-14 15:34 --------- d-----w C:\Program Files\QuickTime Alternative 2008-02-10 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-02-09 18:42 --------- d-----w C:\Program Files\Messenger Plus! Live 2008-02-08 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-02-08 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-02-08 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-01-27 16:32 --------- d-----w C:\Program Files\MSN Messenger 2008-01-13 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel 2008-01-13 19:23 --------- d-----w C:\Program Files\SPSSInc 2008-01-13 19:23 --------- d-----w C:\Program Files\Common Files\SPSS 2008-01-13 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SPSS 2008-01-13 12:09 --------- d-----w C:\Documents and Settings\Hannu Helander\Application Data\BSplayer PRO 2008-01-13 12:06 86,144 ----a-w C:\WINDOWS\system32\drivers\AMG544.sys 2008-01-13 12:06 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk 2008-01-13 12:05 --------- d-----w C:\Program Files\Webteh 2008-01-13 10:14 --------- d-----w C:\Documents and Settings\Hannu Helander\Application Data\SSH 2008-01-11 18:52 --------- d-----w C:\Documents and Settings\Hannu Helander\Application Data\CyberLink 2008-01-11 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink 2008-01-11 18:50 --------- d-----w C:\Program Files\RegCure 2008-01-11 18:48 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-11 18:44 --------- d-----w C:\Program Files\CyberLink 2007-12-28 14:11 --------- d-----w C:\Documents and Settings\Hannu Helander\Application Data\Bioshock 2007-12-27 20:40 --------- d-----w C:\Program Files\seal 2007-12-26 15:59 --------- d-----w C:\Program Files\WinAce 2007-12-25 21:41 --------- d-----w C:\Program Files\Common Files\NSV 2007-12-25 15:22 --------- d-----w C:\Documents and Settings\Hannu Helander\Application Data\Locktime 2007-12-25 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Locktime 2007-12-22 11:42 --------- d-----w C:\Program Files\Common Files\Stardock 2007-12-21 14:19 --------- d-----w C:\Program Files\Stardock 2007-11-14 18:56 22,328 ----a-w C:\Documents and Settings\Hannu Helander\Application Data\PnkBstrK.sys 2007-11-03 09:42 604 ---ha-w C:\Program Files\STLL Notifier . (((((((((((((((((((((((((((((( Rekisterin k„ynnistyskohteet ))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Huom* Tyhji„ arvoja ja laillisia oletusarvoja ei n„ytet„ [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 19:00 15360] "AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 11:12 517632] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="" [] "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 21:35 53248] "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 15:39 204800] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-09-15 19:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-15 19:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-15 19:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-15 19:00 455168] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056] "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 14:00 345088] "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 11:11 421888] "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 21:12 579584] "RTHDCPL"="RTHDCPL.EXE" [2006-05-17 22:27 16207872 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2006-05-16 02:04 2879488 C:\WINDOWS\SkyTel.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:07 761946] "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-06-23 05:59 602112] "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 13:40 413696] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632] "NWEReboot"="" [] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224] "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [ ] "MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-09-13 09:54 190024] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 19:00 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="LogonUI.EXE" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=MsgPlusLoader.dll R1 AMG544;AMG544;C:\WINDOWS\system32\drivers\AMG544.sys [2008-01-13 14:06] R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 06:52] R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12] R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 10:21] R2 DritekPortIO;Dritek General Port I/O;C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2005-12-23 00:13] R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2006-06-02 12:59] R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2006-06-02 12:59] R3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys [2006-04-07 19:17] R3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys [2006-03-08 16:10] S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys [] S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys [] S3 iatmunin;iatmunin;C:\DOCUME~1\HANNUH~1\LOCALS~1\Temp\iatmunin.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afc09976-3fea-11db-9b37-0016d41564a0}] \Shell\AutoRun\command - setupSNK.exe . 'Ajoitetut teht„v„t'-kansion sis„lt” "2008-02-15 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe "2008-02-08 20:49:36 C:\WINDOWS\Tasks\AdsGone.job" - C:\Program Files\AdsGone\AdsGone.exe "2008-02-09 18:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-02-16 14:20:08 C:\WINDOWS\Tasks\RegCure Program Check.job" - C:\Program Files\RegCure\RegCure.exe "2008-01-11 18:42:43 C:\WINDOWS\Tasks\RegCure.job" - C:\Program Files\RegCure\RegCure.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-16 16:21:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Sygate\SPF\smc.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\imapi.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\SoftwareDistribution\Download\03e6196b9532e165de32d8f71a486661\update\update.exe . ************************************************************************** . Completion time: 2008-02-16 16:25:39 - machine was rebooted ComboFix-quarantined-files.txt 2008-02-16 14:25:30 . 2008-01-13 21:17:02 --- E O F ---
aja combofix uudestaan vikasiedossa. näin vikasietotilaan: sammuta ja käynnistä käynnistyksen yhteydessä hakkaa F8 nappia valitse nuolinäppäimellä vikasietotila paina enter ja enter valitse käyttäjätilisi paina kyllä Jossakin koneissa hakataan F8:sin sijasta F5:tä
Kun olen valinnut vikasietotilan menee ruutu pimeäksi ja viiva vilkkuu vasemmassa yläreunassa mutta mitään ei tapahdu. Olen antanut koneen olla näin reilun puoli tuntia mutta vikasietotila ei vain lähde päälle... outoa...
scannaa hjt:llä merkkaa paina Fix checked R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE ========== Escan Ohjeet tuolla sivulla. http://koti.mbnet.fi/pattaya1/escanmwav.htm lataa tuosta http://www.spywareinfo.dk/download/mwav.exe päivitä tuosta http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat laita täpit merkkauksien mukaan http://koti.mbnet.fi/pattaya1/eScan6.jpg scannaa jos ala luukkuun tulee jotain niin kopioi se näin: Käytä komentoa Ctrl+A. Kopioi rivit komennolla Ctrl+C. Liitä rivit komennolla Ctrl+V. Laita virus log tänne. ============ Lataa SDFix by AndyManchesta ja tallenna se työpöydällesi. Käynnistä koneesi vikasietotilaan: sammuta ja käynnistä käynnistyksen yhteydessä hakkaa F8 nappia valitse nuolinäppäimellä vikasietotila paina enter ja enter valitse käyttäjätilisi paina kyllä Jossakin koneissa hakataan F8:sin sijasta F5:tä " Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio) työpöydällesi. Työpöydälle pitäisi ilmestyä kansio nimeltä SDFix. " Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman. " Paina Y käynnistääksesi skriptin. " Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, "Press any key to Reboot". " Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen. " Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta. " Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, "Finished". " Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle. " Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis:n lokin kera.
Escan logi File C:\Documents and Settings\Hannu\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed. File C:\Documents and Settings\Hannu\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed. File C:\Documents and Settings\Hannu\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-7fa2058c-44c2c774.zip infected by "Trojan-Downloader.Java.OpenConnection.ap" Virus. Action Taken: File Deleted.
en pääse konetta käynnistymään kuin normaalissa tilassa. Pop uppeja tulee nykyään aiempaa enemmän ja popup killer ei enää estä kaikkia niistä varmaan formatointi kohta edessä...