HijackThis log. Serious problems.

Discussion in 'Viruses and malware - HijackThis logs' started by obesz, Oct 16, 2009.

  1. obesz
    Here:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:35:49, on 16.10.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fi.intl.acer.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: (no name) - {03B8D947-850F-4A32-B07F-FCB679F635E8} - C:\WINDOWS\system32\myztibvi.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E7ABFAC7-A0B0-48D3-9D33-92AB045D0630} - c:\windows\system32\hpyamnf.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sonera] "C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe" /P Sonera
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
    O9 - Extra button: Lapsilukko... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Lapsilukko... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236981705906
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: sbadpzod - C:\WINDOWS\SYSTEM32\hpyamnf.dll
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 12245 bytes
     
  2. kalminen
    Download Malwarebytes' Anti-Malware to your desktop.

    If the link doesn't work, you can also download it from the following links:
    Link1
    Link2


    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, the program downloads and installs the latest version. If downloading the updates doesn't work, you can download the updates here. Double-click mbam-rules.exe to install the updates.
    * Once the program has loaded and the updates are done, select Perform full scan and click Scan.
    * When the scan is complete, click OK and then Show Results to view the results.
    * Make sure everything is checked and click Remove Selected.
    * The log then opens in Notepad. Save it somewhere you can find it easily. The log is also found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Post the contents of the log in your next reply.

    Note: If MBAM could not remove a file, it will ask you to restart your computer. Restart the computer immediately when it does. MBAM may make changes to your registry as part of the cleanup. If you use a security program that detects registry changes, allow MBAM to make the changes.

    ----------------------------------------------------------------------------------

    * Post the contents of the log in your next reply
    + a new HJT log.

    .
     
  3. obesz
    Malwarebytes has now been run. F-Secure 2010 also keeps seeing the trojan.boaxxe.p virus all the time. It can't remove it, it only blocks it. With Malwarebytes, Trojan.vundo.h has kept coming back here every time after a restart.

    Malwarebytes log:

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 185025
    Time elapsed: 42 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\myztibvi.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\myztibvi.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Program Files\EasyBurning\compare.exe (Malware.Packer) -> Quarantined and deleted successfully.



    Hijack-log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:45:42, on 17.10.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fi.intl.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {03B8D947-850F-4A32-B07F-FCB679F635E8} - C:\WINDOWS\system32\myztibvi.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E7ABFAC7-A0B0-48D3-9D33-92AB045D0630} - c:\windows\system32\hpyamnf.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [Sonera] "C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe" /P Sonera
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236981705906
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: sbadpzod - C:\WINDOWS\SYSTEM32\hpyamnf.dll
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
     
  4. obesz
    And as an addition, the machine isn't mine, so I don't have such a free hand to remove everything.
     
  5. kalminen
    We won't remove anything, but still post the
    MBAM log in full.
    .
     
  6. obesz
    Wasn't it up there? In full? The scan has started again.
     
  7. kalminen
    I'm not fooling around here !!!

    I want to know the database version and
    the time the scan was run + the other details.

    At the same time, ask for permission to remove that Vundo, which
    MBAM didn't get rid of.
    .
     
  8. obesz
    It was just me who didn't understand. Apologies.
    Here are the new run logs.

    Yes, let's remove Vundo. How could it be removed completely?

    MalwareLog1:

    Malwarebytes' Anti-Malware 1.41
    Database version: 2973
    Windows 5.1.2600 Service Pack 3

    17.10.2009 15:43:20
    log1

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 183662
    Time elapsed: 28 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\myztibvi.dll (Trojan.Vundo.H) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\myztibvi.dll (Trojan.Vundo.H) -> No action taken.


    Log2:

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 183662
    Time elapsed: 28 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\myztibvi.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03b8d947-850f-4a32-b07f-fcb679f635e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\myztibvi.dll (Trojan.Vundo.H) -> Delete on reboot.




     
  9. kalminen
    It's unusual for MBAM not to recognize Vundo.

    * Download OTM by OldTimer.
    * Save it to your desktop.
    * Double-click OTM.exe to start it.
    * Copy (CTRL+C) all of the text in the box below.
    Code:
    :files
    c:\windows\system32\hpyamnf.dll
    C:\WINDOWS\system32\myztibvi.dll
    :commands 
    [emptytemp] 
    
    * Go back to OTMoveIt3, right-click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and click Paste.
    * Click the red MoveIt! button.
    * Copy (CTRL+C) and paste (CTRL+V) the text that appears in the Results window (under the green bar) into your next reply.
    * Close OTM.

    If some file/folder could not be moved immediately, the program will suggest restarting the computer. Answer Yes, and OTMoveIt will restart your computer.

    *********************************************************

    Download SystemLook by jpshortstuff HERE and save it to your desktop.

    Double-click SystemLook.exe to run it.

    Copy (CTRL+C) all the text from the box below into the text area.

    Code:
    :regfind
    sbadpzod
    
    :filefind 
    hpyamnf.*
    myztibvi.*
    
    :dir
    C:\WINDOWS\system32\drivers\etc /s
    
    Click the Look button to start the scan.

    When the scan is finished, Notepad opens with the log.
    Right-click the log and choose "Select All".
    Copy and paste it into your next post.
    (The log can also be found on your desktop under the name SystemLook.txt)

    *******************************************************************************

    Post =>

    SystemLook.txt
    OTMoveIt log
    HJT log
     
  10. obesz

    obesz Member

    Okay, the steps have been done. OTMoveIt threw an application error but ran to completion. The machine froze completely; I had to restart it with the cold-kill method. Hopefully this is the log that popped up on the desktop after the restart.

    OTM log:

    All processes killed
    ========== FILES ==========
    LoadLibrary failed for c:\windows\system32\hpyamnf.dll
    c:\windows\system32\hpyamnf.dll NOT unregistered.
    File move failed. c:\windows\system32\hpyamnf.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\myztibvi.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\myztibvi.dll scheduled to be moved on reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 524288 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 33250 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 2853263 bytes

    User: Matti
    File delete failed. C:\Documents and Settings\Matti\Local Settings\Temp\9B7397.dmp scheduled to be deleted on reboot.
    ->Temp folder emptied: 343334494 bytes
    File delete failed. C:\Documents and Settings\Matti\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 26565922 bytes
    ->Java cache emptied: 38053296 bytes
    ->FireFox cache emptied: 63426600 bytes

    User: Järjestelmänvalvoja
    ->Temp folder emptied: 524288 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2187479 bytes
    %systemroot%\System32 .tmp files removed: 2832854 bytes
    Windows Temp folder emptied: 845169505 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1264,23 mb


    OTM by OldTimer - Version 3.0.0.6 log created on 10172009_162219

    Files moved on Reboot...
    LoadLibrary failed for c:\windows\system32\hpyamnf.dll
    c:\windows\system32\hpyamnf.dll NOT unregistered.
    File move failed. c:\windows\system32\hpyamnf.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\myztibvi.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\myztibvi.dll scheduled to be moved on reboot.
    File C:\Documents and Settings\Matti\Local Settings\Temp\9B7397.dmp not found!

    Registry entries deleted on Reboot...

    SystemLook log:

    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 16:34 on 17/10/2009 by Matti (Administrator - Elevation successful)

    ========== regfind ==========

    Searching for "sbadpzod"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbadpzod]

    ========== filefind ==========

    Searching for "hpyamnf.*"
    C:\WINDOWS\system32\hpyamnf.dll ------ 102912 bytes [09:00 02/03/2006] [09:00 02/03/2006] 414DB27454BD53B15D6FF1FF88BD7333
    C:\WINDOWS\system32\hpyamnf.dll.bak --a--- 102912 bytes [09:00 02/03/2006] [09:00 02/03/2006] (Unable to calculate MD5)

    Searching for "myztibvi.*"
    C:\WINDOWS\system32\myztibvi.dll --a--- 132608 bytes [09:00 02/03/2006] [09:00 02/03/2006] C90969307B9480DF3196156BE3A2A044

    ========== dir ==========

    C:\WINDOWS\system32\drivers\etc - Parameters: "/s"

    ---Files---
    hosts --a--- 665 bytes [17:00 15/09/2004] [17:00 15/09/2004]
    hosts.msn --a--- 665 bytes [14:33 26/02/2008] [17:00 15/09/2004]
    lmhosts.sam --a--- 3705 bytes [17:00 15/09/2004] [17:00 15/09/2004]
    networks --a--- 416 bytes [17:00 15/09/2004] [17:00 15/09/2004]
    protocol --a--- 829 bytes [17:00 15/09/2004] [17:00 15/09/2004]
    services --a--- 7151 bytes [17:00 15/09/2004] [17:00 15/09/2004]

    No folders found.

    -=End Of File=-

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:36:41, on 17.10.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fi.intl.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {03B8D947-850F-4A32-B07F-FCB679F635E8} - C:\WINDOWS\system32\myztibvi.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E7ABFAC7-A0B0-48D3-9D33-92AB045D0630} - c:\windows\system32\hpyamnf.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [Sonera] "C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe" /P Sonera
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236981705906
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: sbadpzod - C:\WINDOWS\SYSTEM32\hpyamnf.dll
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 11457 bytes


    And F-Secure jumped in again after the restart to block Trojan.boaxxe.P.
     
  11. kalminen

    kalminen Regular member

    The OTM log was the right one !!!
    but it didn't do its job.
    1.2 GB of junk in temp
    HOSTS protection 5 years old

    -------------------------------------------------------------------------

    Unplug the network cable and shut down F-Secure for the duration of the run

    * Double-click OTM.exe to start it.
    * Copy (CTRL+C) all the text from the box below.
    Code:
    :files
    C:\WINDOWS\system32\myztibvi.dll
    C:\WINDOWS\system32\hpyamnf.dll
    C:\WINDOWS\system32\hpyamnf.dll.bak
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbadpzod] 
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03b8d947-850f-4a32-b07f-fcb679f635e8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03b8d947-850f-4a32-b07f-fcb679f635e8}]
    
    * Return to OTMoveIt3, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    * Click the red MoveIt! button.
    * Copy (CTRL+C) and paste (CTRL+V) the text that appears in the Results window (under the green bar) into your next post.
    * Close OTM.

    If some file/folder could not be moved right away, the program will suggest restarting the computer. Answer Yes, and OTMoveIt will restart your computer.

    *********************************************************

    Remove the lines that are still left:

    (HJT shuts the program down, it does not remove it)

    Close the browser and other programs for the duration of the Fix. (not the antivirus)
    Then Scan, tick the following files listed in red and shut them down. (Fix Checked)

    O2 - BHO: (no name) - {03B8D947-850F-4A32-B07F-FCB679F635E8} - C:\WINDOWS\system32\myztibvi.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {E7ABFAC7-A0B0-48D3-9D33-92AB045D0630} - c:\windows\system32\hpyamnf.dll
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O20 - Winlogon Notify: sbadpzod - C:\WINDOWS\SYSTEM32\hpyamnf.dll

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, just before posting)
    * OTMoveIt log / report
    * ???
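A triage pass over HijackThis O2 and O20 lines of the kind listed in the fix list above, as an added example (not code from the thread, HijackThis or OTM). The sample lines are constructed from the log format in this thread; `triage`, `in_system32` and `looks_random` are hypothetical helper names, and the random-name rule is an assumption used as a hint, not a signature:

```python
"""Triage of HijackThis O2/O20 lines for Vundo-style persistence."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: lines in the format of the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03B8D947-850F-4A32-B07F-FCB679F635E8} - C:\WINDOWS\system32\myztibvi.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {E7ABFAC7-A0B0-48D3-9D33-92AB045D0630} - c:\windows\system32\hpyamnf.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O20 - Winlogon Notify: sbadpzod - C:\WINDOWS\SYSTEM32\hpyamnf.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# Heuristic assumption: Vundo-style droppers use short, random, all-lowercase
# names (myztibvi, hpyamnf, sbadpzod). A hit is a triage hint, never proof.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,9}$")


@dataclass
class Finding:
    line: str
    severity: str                       # "high", "medium" or "low"
    reasons: list[str] = field(default_factory=list)


def in_system32(path: str) -> bool:
    """True for files dropped directly into %SystemRoot%\\system32."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 3 and parts[-2] == "system32" and parts[-3] == "windows"


def looks_random(name_or_path: str) -> bool:
    """Random-name heuristic on the file stem (or a bare registry key name)."""
    return bool(RANDOM_NAME_RE.match(PureWindowsPath(name_or_path).stem.lower()))


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_dlls: dict[str, Finding] = {}   # lowercase DLL path -> its O2 finding
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, path = m["name"], m["path"]
            f = Finding(line, "low")
            if path == "(no file)":
                f.reasons.append("orphaned BHO registration (no file on disk)")
            elif name == "(no name)":
                f.severity = "medium"
                f.reasons.append("nameless BHO")
                if in_system32(path) and looks_random(path):
                    f.severity = "high"
                    f.reasons.append("random-looking DLL dropped into system32")
                bho_dlls[path.lower()] = f
            if f.reasons:
                findings.append(f)
        elif m := O20_RE.match(line):
            key, path = m["key"], m["path"]
            # Stock XP notify packages are not shown by HijackThis, so every
            # O20 line that does appear is worth a look.
            f = Finding(line, "medium", ["Winlogon Notify hook shown by HijackThis"])
            if looks_random(key) or looks_random(path):
                f.severity = "high"
                f.reasons.append("random-looking hook name or DLL")
            if twin := bho_dlls.get(path.lower()):
                # Same DLL loaded by winlogon.exe and by Internet Explorer: two
                # persistence points, and the winlogon one keeps the file busy,
                # which is why a plain file move is deferred to reboot.
                f.severity = twin.severity = "high"
                f.reasons.append("same DLL also registered as a BHO")
                twin.reasons.append("same DLL also hooked into Winlogon Notify")
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.line}")
        print("         " + "; ".join(finding.reasons))
```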
     
  12. obesz

    obesz Member

    OT log:

    ========== FILES ==========
    C:\WINDOWS\system32\myztibvi.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\myztibvi.dll scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32\hpyamnf.dll
    C:\WINDOWS\system32\hpyamnf.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\hpyamnf.dll scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32\hpyamnf.dll.bak scheduled to be moved on reboot.
    ========== REGISTRY ==========
    Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbadpzod\ scheduled to be deleted on reboot.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03b8d947-850f-4a32-b07f-fcb679f635e8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03b8d947-850f-4a32-b07f-fcb679f635e8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03b8d947-850f-4a32-b07f-fcb679f635e8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03b8d947-850f-4a32-b07f-fcb679f635e8}\ not found.

    OTM by OldTimer - Version 3.0.0.6 log created on 10172009_183127

    Files moved on Reboot...
    C:\WINDOWS\system32\myztibvi.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\myztibvi.dll scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32\hpyamnf.dll
    C:\WINDOWS\system32\hpyamnf.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\hpyamnf.dll scheduled to be moved on reboot.
    File C:\WINDOWS\system32\hpyamnf.dll.bak not found!

    Registry entries deleted on Reboot...
    Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbadpzod\ scheduled to be deleted on reboot.


    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:14:30, on 17.10.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fi.intl.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {03B8D947-850F-4A32-B07F-FCB679F635E8} - C:\WINDOWS\system32\myztibvi.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E7ABFAC7-A0B0-48D3-9D33-92AB045D0630} - c:\windows\system32\hpyamnf.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [Sonera] "C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe" /P Sonera
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236981705906
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: sbadpzod - C:\WINDOWS\SYSTEM32\hpyamnf.dll
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 11009 bytes
     
  13. kalminen

    kalminen Regular member

    We'll continue tomorrow.
     
  14. obesz

    obesz Member

    That suits me fine. Thanks for everything so far!
     
  15. kalminen

    kalminen Regular member

    Please download Combofix from one of the links below:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your desktop

    * Close/disable all antivirus and anti-malware programs so that they do not interfere with running ComboFix.

    * Double-click Combofix.exe and follow the prompts.

    * As part of its scan, Combofix checks whether the Recovery Console is installed. Because of today's malware, it is strongly recommended to have the Recovery Console installed before removing malware. The Windows Recovery Console allows booting into a special recovery mode. Through the Recovery Console we can help you more easily if problems arise during malware removal.

    * Follow the prompts and allow Combofix to download and install the Microsoft Recovery Console, and when prompted, accept the End User License Agreement to install the Recovery Console.

    **Note: If the Recovery Console is already installed, Combofix will proceed.

    (screenshot)

    Once the Microsoft Recovery Console is installed, you should see the following message:

    (screenshot)

    Click Yes to continue the scan.

    When ComboFix finishes, it will produce a report. Please copy/paste the following reports into your reply:
    C:\ComboFix.txt
    A new HijackThis log



    Warning: Do NOT run ComboFix unsupervised. It is not a toy and should not be used routinely every day.

    If you need help, see the more detailed guide:
    http://www.bleepingcomputer.com/combofix/fi/combofixin-kayttoohje

    -------------------------------------------------------

    Download GMER and save it to your desktop:
    * Extract it to the desktop and double-click the file GMER.exe
    * Click the Rootkit tab and then click Scan.
    * Do not tick the "Show All" box during the scan!
    * When the scan finishes, click Copy.
    * This copies the log to the clipboard (you can save the log to a text file to be safe).
    * Then paste the log into your thread.

    =>
    C:\ComboFix.txt
    GMER log
    New HijackThis log
     
  16. obesz

    obesz Member

    Alright, hello again.

    ComboFix log:

    ComboFix 09-10-17.01 - Matti 18.10.2009 14:54.1.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.358.1035.18.766.346 [GMT 3:00]
    Sijainti: c:\documents and settings\Matti\Työpöytä\ComboFix.exe
    AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    FW: F-Secure Internet Security 2010 10.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\ezeuwngx.sys
    c:\windows\system32\drivers\nzlccgdt.sys
    c:\windows\system32\hpyamnf.dll
    c:\windows\system32\myztibvi.dll
    c:\windows\system32\ucdrisw.dll
    c:\windows\wiaserviv.log

    .
    ((((((((((((((((((((((((((((((((((((((( Ajurit/Palvelut )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_EZEUWNGX
    -------\Legacy_GMZSXSSR
    -------\Service_ezeuwngx
    -------\Service_gmzsxssr


    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-09-18 to 2009-10-18 )))))))))))))))))
    .

    2009-10-18 03:01 . 2009-10-18 03:01 -------- d-----w- c:\documents and settings\Matti\Local Settings\Application Data\scxtonpn
    2009-10-18 03:01 . 2009-10-18 03:01 -------- d-----w- c:\documents and settings\Matti\Application Data\scxtonpn
    2009-10-18 01:56 . 2009-10-18 01:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\scxtonpn
    2009-10-18 01:56 . 2009-10-18 01:56 -------- d-----w- c:\documents and settings\NetworkService\Application Data\scxtonpn
    2009-10-17 13:22 . 2009-10-17 13:22 -------- d-----w- C:\_OTM
    2009-10-17 10:18 . 2009-10-17 10:18 -------- d-----w- c:\documents and settings\Matti\Application Data\dvdcss
    2009-10-17 09:44 . 2008-10-16 11:06 268648 ----a-w- c:\windows\system32\mucltui.dll
    2009-10-17 09:22 . 2009-10-17 09:22 -------- d-----w- C:\FOUND.004
    2009-10-16 22:54 . 2009-10-16 22:54 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-10-16 22:09 . 2009-10-16 22:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
    2009-10-16 22:08 . 2009-10-16 22:15 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
    2009-10-16 18:00 . 2009-10-16 18:00 -------- d-----w- c:\documents and settings\Matti\Application Data\Malwarebytes
    2009-10-16 18:00 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-16 18:00 . 2009-10-16 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-16 18:00 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-16 18:00 . 2009-10-16 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-16 17:34 . 2009-10-16 17:34 -------- d-----w- c:\program files\Trend Micro
    2009-10-16 17:06 . 2009-10-16 17:06 -------- d-----w- c:\documents and settings\Matti\Tracing
    2009-10-16 16:59 . 2009-10-16 16:59 -------- d-----w- c:\program files\Microsoft
    2009-10-16 16:57 . 2009-10-16 16:57 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-10-16 16:56 . 2009-10-16 16:56 -------- d-----w- c:\program files\Windows Live
    2009-10-16 16:49 . 2009-10-16 16:49 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-10-16 16:10 . 2009-10-16 16:10 -------- d-----w- C:\FOUND.003
    2009-10-16 16:03 . 2009-10-16 16:03 -------- d-----w- C:\FOUND.002
    2009-10-11 07:20 . 2009-10-11 07:20 -------- d-s---w- c:\documents and settings\NetworkService\UserData

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-18 11:59 . 2006-09-28 14:47 12 ----a-w- c:\windows\bthservsdp.dat
    2009-10-16 23:04 . 2006-09-28 14:47 90228 ----a-w- c:\windows\system32\perfc00B.dat
    2009-10-16 23:04 . 2006-09-28 14:47 426088 ----a-w- c:\windows\system32\perfh00B.dat
    2009-10-16 17:06 . 2007-03-12 15:02 37176 ----a-w- c:\documents and settings\Matti\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-25 05:36 . 2006-03-02 09:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-09-25 05:36 . 2006-03-02 09:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-09-11 14:18 . 2006-03-02 09:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:04 . 2006-03-02 09:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-30 13:21 . 2009-08-30 13:21 -------- d-----w- c:\program files\MSBuild
    2009-08-30 13:21 . 2009-08-30 13:21 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-26 08:01 . 2006-03-02 09:00 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-05 09:00 . 2006-03-02 09:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-04 19:59 . 2006-03-02 09:00 2191488 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-08-04 17:28 . 2004-09-14 13:08 2068352 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-07-26 13:44 . 2009-07-26 13:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
    2009-07-25 02:23 . 2008-12-21 05:23 411368 ----a-w- c:\windows\system32\deploytk.dll
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-22 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 53248]
    "PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2006-08-09 151552]
    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-15 208952]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 766041]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-09-07 479232]
    "Sonera"="c:\program files\Sonera\InternetAvustaja\bin\sprtcmd.exe" [2007-08-19 197880]
    "F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2009-07-09 199264]
    "F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-30 442368]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-16 16248320]
    "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-08-16 2879488]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-10-05 235936]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Acer Empowering Technology.lnk]
    path=c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\Acer Empowering Technology.lnk
    backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Matti^Käynnistä-valikko^Ohjelmat^Käynnistys^OpenOffice.org 2.0.lnk]
    path=c:\documents and settings\Matti\Käynnistä-valikko\Ohjelmat\Käynnistys\OpenOffice.org 2.0.lnk
    backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [17.10.2009 1:08 33920]
    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [25.3.2008 23:01 80000]
    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [17.10.2009 1:07 68064]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [25.3.2008 22:59 101496]
    R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [17.10.2009 1:07 55904]
    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [25.3.2008 22:59 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [25.3.2008 22:59 25184]
    .
    'Ajoitetut tehtävät'-kansion sisältö

    2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:57]
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uStart Page = hxxp://www.google.fi/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
    FF - ProfilePath - c:\documents and settings\Matti\Application Data\Mozilla\Firefox\Profiles\odmv8khn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - GoogleCOM
    FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: c:\program files\F-Secure Internet Security\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
    FF - plugin: c:\documents and settings\Matti\Application Data\Mozilla\Firefox\Profiles\odmv8khn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOXIN KÄYTÄNNÖT ----

    FF - user.js: browser.search.selectedEngine - GoogleCOM
    FF - user.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    .
    - - - - POISTETUT JÄMÄRIVIT - - - -

    BHO-{03B8D947-850F-4A32-B07F-FCB679F635E8} - c:\windows\system32\myztibvi.dll
    HKLM-Run-LaunchApp - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-18 15:01
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\�•€|ÿÿÿÿ"•€|þ»Ów*]
    "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG11.00.00.01WORKSTATION"="[binary value omitted]"
    .
    --------------------- Prosesseihin ladatut DLLt ---------------------

    - - - - - - - > 'winlogon.exe'(552)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\f-secure internet security\hips\fshook32.dll

    - - - - - - - > 'lsass.exe'(608)
    c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
    c:\program files\f-secure internet security\hips\fshook32.dll

    - - - - - - - > 'explorer.exe'(484)
    c:\program files\f-secure internet security\hips\fshook32.dll
    c:\acer\Empowering Technology\ePower\SysHook.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_fin.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Muut prosessit ------------------------
    .
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\BONJOUR\MDNSRESPONDER.EXE
    c:\program files\ACER\ACER ARCADE\KERNEL\TV\CLCAPSVC.EXE
    c:\program files\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVER.EXE
    c:\program files\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVICE.EXE
    c:\program files\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSGK32ST.EXE
    c:\program files\F-SECURE INTERNET SECURITY\COMMON\FSMA32.EXE
    c:\program files\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSGK32.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
    c:\program files\F-SECURE INTERNET SECURITY\COMMON\FSHDLL32.EXE
    c:\program files\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
    c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
    c:\acer\EMPOWERING TECHNOLOGY\ELOCK\SERVICE\ELOCKSERV.EXE
    c:\program files\ACER\ACER ARCADE\KERNEL\TV\CLSCHED.EXE
    c:\program files\F-SECURE INTERNET SECURITY\FWES\PROGRAM\FSDFWD.EXE
    c:\program files\F-SECURE INTERNET SECURITY\ANTI-VIRUS\FSSM32.EXE
    c:\combofix\CF18376.exe
    c:\program files\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
    c:\program files\LAUNCH MANAGER\QTZGACER.EXE
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    c:\docume~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe
    c:\program files\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
    c:\program files\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
    .
    **************************************************************************
    .
    Valmistumisajankohta: 2009-10-18 15:06 - kone käynnistettiin uudelleen
    ComboFix-quarantined-files.txt 2009-10-18 12:06

    Ennen ajoa: 8 949 465 088 tavua vapaana
    Ajon jälkeen: 8 896 888 832 tavua vapaana

    WindowsXP-KB310994-SP2-Home-BootDisk-FIN.EXE
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /usepmtimer /NoExecute=OptIn

    238 --- E O F --- 2009-09-13 17:50


    GMER log:

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-10-18 15:30:09
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Matti\LOCALS~1\Temp\kwlyafow.sys


    ---- System - GMER 1.0.15 ----

    Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\ComboFix\catchme.sys Määritettyä polkua ei löydy. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Määritettyä tiedostoa ei löydy. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009A000C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009A100C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009A200C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009A300C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009A400C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 009AA00C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 009A700C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 009A500C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 009A600C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 009A800C
    .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[148] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 009A900C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B8000C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B8100C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8200C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00B8300C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00B8700C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00B8500C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00B8600C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00B8800C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00B8400C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00B8A00C
    .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[324] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00B8900C
    .text C:\WINDOWS\explorer.exe[484] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A4000C
    .text C:\WINDOWS\explorer.exe[484] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A4100C
    .text C:\WINDOWS\explorer.exe[484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A4200C
    .text C:\WINDOWS\explorer.exe[484] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00A4300C
    .text C:\WINDOWS\explorer.exe[484] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00A4700C
    .text C:\WINDOWS\explorer.exe[484] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00A4500C
    .text C:\WINDOWS\explorer.exe[484] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00A4600C
    .text C:\WINDOWS\explorer.exe[484] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00A4800C
    .text C:\WINDOWS\explorer.exe[484] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A4400C
    .text C:\WINDOWS\explorer.exe[484] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A4A00C
    .text C:\WINDOWS\explorer.exe[484] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A4900C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003E000C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003E100C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003E200C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 003E300C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003E400C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003E900C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003E700C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003E500C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003E600C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003E800C
    .text C:\Documents and Settings\Matti\Työpöytä\gmer.exe[516] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 003EA00C
    .text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CA000C
    .text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00CA100C
    .text C:\WINDOWS\system32\winlogon.exe[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA200C
    .text C:\WINDOWS\system32\winlogon.exe[552] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00CA300C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00CA700C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00CA500C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00CA600C
    .text C:\WINDOWS\system32\winlogon.exe[552] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00CA800C
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00CA400C
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00CAA00C
    .text C:\WINDOWS\system32\winlogon.exe[552] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00CA900C
    .text C:\WINDOWS\system32\lsass.exe[608] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE000C
    .text C:\WINDOWS\system32\lsass.exe[608] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BE100C
    .text C:\WINDOWS\system32\lsass.exe[608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE200C
    .text C:\WINDOWS\system32\lsass.exe[608] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00BE300C
    .text C:\WINDOWS\system32\lsass.exe[608] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00BE700C
    .text C:\WINDOWS\system32\lsass.exe[608] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00BE500C
    .text C:\WINDOWS\system32\lsass.exe[608] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00BE600C
    .text C:\WINDOWS\system32\lsass.exe[608] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00BE800C
    .text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00BE400C
    .text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00BEA00C
    .text C:\WINDOWS\system32\lsass.exe[608] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00BE900C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01EB000C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 01EB100C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01EB200C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 01EB300C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01EB400C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 01EBA00C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 01EB900C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 01EB700C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 01EB500C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 01EB600C
    .text C:\WINDOWS\system32\Ati2evxx.exe[756] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 01EB800C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D0000C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D0100C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D0200C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00D0300C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D0400C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D0A00C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00D0900C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D0700C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D0500C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D0600C
    .text C:\WINDOWS\system32\Ati2evxx.exe[976] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D0800C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009B000C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009B100C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009B200C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009B300C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 009B700C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 009B500C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 009B600C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 009B800C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009B400C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 009BA00C
    .text C:\Program Files\Acer\Acer Arcade\PCMService.exe[1308] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 009B900C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D4000C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D4100C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D4200C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00D4300C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D4700C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D4500C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D4600C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D4800C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D4400C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D4A00C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1436] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00D4900C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069000C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0069100C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0069200C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0069300C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0069700C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0069500C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0069600C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0069800C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0069400C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1680] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0069900C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0080000C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0080100C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080200C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0080300C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0080700C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0080500C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0080600C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0080800C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0080400C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0080A00C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1728] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 0080900C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 015A000C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 015A100C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015A200C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 015A300C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 015A400C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 015AA00C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 015A700C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 015A500C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 015A600C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 015A800C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe[1760] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 015A900C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A4000C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A4100C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A4200C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00A4300C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A4400C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A4A00C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00A4700C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00A4500C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00A4600C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00A4800C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A4900C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003F000C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003F100C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003F200C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 003F300C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F400C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003F900C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003F700C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003F500C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003F600C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe[1812] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F800C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 029F000C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 029F100C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 029F200C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 029F300C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 029F700C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 029F500C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 029F600C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 029F800C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 029F400C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 029FA00C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe[1848] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 029F900C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02FE000C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 02FE100C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02FE200C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 02FE300C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 02FE700C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 02FE500C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 02FE600C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 02FE800C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 02FE900C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 02FE400C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1916] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 02FEA00C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006B000C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 006B100C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006B200C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 006B300C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 006B700C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 006B500C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 006B600C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 006B800C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 006B400C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1980] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 006B900C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C2000C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00C2100C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C2200C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00C2300C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00C2400C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00C2A00C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00C2700C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00C2500C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00C2600C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00C2800C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[2104] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00C2900C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003D000C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003D100C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003D200C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 003D300C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003D400C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003D900C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003D700C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003D500C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003D600C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003D800C
    .text C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe[2168] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 003DA00C
    .text C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE[2180] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0098000C
    .text C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE[2180] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0098100C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 022D000C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 022D100C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022D200C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 022D300C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 022D700C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 022D500C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 022D600C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 022D800C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 022D400C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 022DA00C
    .text C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe[2268] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 022D900C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01A0000C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 01A0100C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A0200C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 01A0300C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01A0400C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 01A0A00C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 01A0700C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 01A0500C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 01A0600C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 01A0800C
    .text C:\WINDOWS\RTHDCPL.EXE[2540] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 01A0900C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003E000C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003E100C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003E200C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 003E300C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003E700C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003E500C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003E600C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003E800C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003E400C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003E900C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2680] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 003EA00C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A0000C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A0100C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A0200C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00A0300C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00A0700C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00A0500C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00A0600C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00A0800C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A0900C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A0400C
    .text C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe[3404] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A0A00C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A3000C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A3100C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A3200C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00A3300C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A3400C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A3A00C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00A3700C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00A3500C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00A3600C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00A3800C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A3900C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3988] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 7E2A5255 C:\WINDOWS\system32\SHDOCVW.dll (Shell Doc -objekti ja Control-kirjasto/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016cedff850 (not active ControlSet)
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cedff850
    Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\0016cedff850 (not active ControlSet)
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

    ---- EOF - GMER 1.0.15 ----


    HJTlog:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:37:56, on 18.10.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\DOCUME~1\Matti\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [Sonera] "C:\Program Files\Sonera\InternetAvustaja\bin\sprtcmd.exe" /P Sonera
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236981705906
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 10314 bytes
     
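    Before a helper tells the poster what to fix, they read entries like the O4, O23 and R3 lines above by hand, looking for autostarts that run out of a temp or profile directory, services with no recorded publisher, and hook entries whose target file is gone. The script below is an added example for this thread, not part of HijackThis or any tool named in it: it parses lines in that log format and applies those three checks. All sample entries but the one named "example" are copied from this thread; the "example" O4 entry and its path are constructed to show what a temp-directory autostart looks like, and the list of suspect directories is an assumption of this example.

```python
"""Triage of HijackThis O4, O23 and R3 log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Entry shapes handled (HijackThis 2.0.x log format):
#   O4  - <hive>\..\Run: [<name>] <command line> [(User '<user>')]
#   O23 - Service: <display name> - <owner> - <binary path>
#   R3  - URLSearchHook: <name> - {<CLSID>} - <path or (no file)>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -(?: (?P<owner>.*?))? - (?P<path>[A-Za-z]:\\.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
USER_SUFFIX_RE = re.compile(r" \(User '[^']*'\)$")

# Directories a legitimate autostart or service binary has no business living in
# (assumed list for this example; extend it for your own environment).
SUSPECT_LOCATIONS = re.compile(
    r"\\(local settings\\temp|temp|application data|recycler)\\", re.IGNORECASE
)


@dataclass
class Finding:
    section: str
    name: str
    severity: str  # "high": look at the file itself; "low": needs context or is cosmetic
    reason: str


def exe_from_cmd(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces; stop at the first executable extension.
    m = re.match(r"(.*?\.(?:exe|dll|sys|com|scr|bat|cmd|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(lines):
    """Apply the three checks to each log line and return the findings in log order."""
    findings = []
    for raw in lines:
        line = USER_SUFFIX_RE.sub("", raw.strip())
        if m := O4_RE.match(line):
            exe = exe_from_cmd(m["cmd"])
            if SUSPECT_LOCATIONS.search(exe):
                findings.append(Finding("O4", m["name"], "high",
                                        f"autostart from a temp/profile directory: {exe}"))
            elif "\\" not in exe:
                findings.append(Finding("O4", m["name"], "low",
                                        f"bare file name, resolved through the search path: {exe}"))
        elif m := O23_RE.match(line):
            owner = (m["owner"] or "").strip()
            if SUSPECT_LOCATIONS.search(m["path"]):
                findings.append(Finding("O23", m["name"], "high",
                                        f"service binary in a temp/profile directory: {m['path']}"))
            elif not owner or owner.lower() == "unknown owner":
                findings.append(Finding("O23", m["name"], "low",
                                        f"no publisher recorded for service binary: {m['path']}"))
        elif m := R3_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("R3", m["name"], "low",
                                        f"orphaned URLSearchHook {m['clsid']}, target file missing"))
    return findings


# Sample entries: all but the "example" line are copied from this thread;
# the "example" entry and its path are constructed for the demonstration.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash',
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')",
    r'O4 - HKCU\..\Run: [example] "C:\Documents and Settings\Matti\Local Settings\Temp\example.exe"',
    r"O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE",
    r"O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe",
    r"O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.section} {f.name}: {f.reason}")
```

    A "low" finding is not a verdict: a bare file name such as RTHDCPL.EXE is normal for that Realtek component, and an empty or "Unknown owner" field only means the service binary carries no version-resource company name, so those entries still need the file itself checked. Only the "(no file)" hook is safe to fix on sight, which is why the helper above lists exactly that R3 line for removal.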
  17. kalminen

    That bug doesn't always go away at all!!!
    Looks like we got lucky.

    ----------------------------------------------------------

    * Double-click OTM.exe to start it.
    * Copy (CTRL+C) all the text from the box below.
    Code:
    :files
    C:\Documents and Settings\Matti\Local Settings\Temp\kwlyafow.sys
    
    * Go back to OtmoveIt3, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and click Paste.
    * Click the red MoveIt! button.
    * Copy (CTRL+C) and paste (CTRL+V) the text that appears in the Results window (under the green bar) into your next message.
    * Close OTM.

    If some file/folder could not be moved right away, the program will suggest restarting the computer. Answer Yes, and OtMoveIt will restart your computer.

    *********************************************************

    In the Start Search field of the Windows Start menu, type ComboFix.exe /u and press OK.

    **********************************************************

    * The old HOSTS file gets removed. Boot the computer into Safe Mode => GUIDE
    Delete this file: C:\WINDOWS\system32\drivers\etc\HOSTS
    * Boot your computer back into normal mode.
    * Download HOSTS: from here to your Desktop.
    * Extract hosts.zip into the C:\WINDOWS\system32\drivers\etc folder.


    Finally, you can verify that there is a file named HOSTS in there with no file extension. Size about 700 KB.
    The protection activates on the next boot (it doesn't load the memory).

    HOSTS updates: here
    What HOSTS does: guide here

    -----------------------------------------------------

    Close the browser and other programs for the duration of the fix (not the antivirus),
    then Scan, tick the following files listed in red and fix them (Fix Checked).

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Empty the Recycle Bin and restart your computer.

    Post =>

    The OTMoveIt log.
    Test whether it works???
    .
     
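    The HOSTS step above throws the old file away because malware commonly rewrites it, while the replacement is a blocklist file that sends unwanted hosts to 0.0.0.0 or 127.0.0.1. The two kinds of entry look alike on a quick glance, so here is an added example, not part of any tool named in this thread, that tells them apart: ordinary blocklist lines (host sent to a sink address), lines that redirect a real site to a routable address, and lines that point the antivirus or updater servers anywhere at all, which is how an infection keeps its host from updating. The sample HOSTS text is constructed, and the list of protected vendor domains is an assumption drawn from what the log in this thread shows installed (F-Secure and Microsoft Update).

```python
"""Classify Windows HOSTS entries: blocklist sink, hijack redirect, or protection host (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Hosts the machine's own protection depends on. Assumed list for this example,
# based on the products visible in the thread's log; extend it with your own
# vendor's update hosts.
PROTECTED_SUFFIXES = ("f-secure.com", "microsoft.com", "windowsupdate.com")
# Names every HOSTS file maps to loopback legitimately.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsReport:
    blocked: int = 0                                        # host -> sink address (normal blocklist line)
    hijacked: list = field(default_factory=list)            # (line, host, ip): host -> routable address
    protection_blocked: list = field(default_factory=list)  # (line, host, ip): AV/updater host pointed anywhere
    malformed: list = field(default_factory=list)           # (line, token): unparsable address or no names

    def clean(self) -> bool:
        """True when nothing is redirected and no protection host is touched."""
        return not self.hijacked and not self.protection_blocked


def parse_hosts(text: str):
    """Yield (line_no, ip_string, [hostnames]); '#' starts a comment, blank lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            yield n, fields[0], fields[1:]


def is_protected(host: str) -> bool:
    """Exact or subdomain match against PROTECTED_SUFFIXES."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def inspect_hosts(text: str) -> HostsReport:
    report = HostsReport()
    for n, ip_str, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            report.malformed.append((n, ip_str))
            continue
        if not names:
            report.malformed.append((n, ip_str))
            continue
        sink = ip.is_loopback or ip.is_unspecified  # 127.0.0.1, ::1, 0.0.0.0
        for name in names:
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            if is_protected(host):
                report.protection_blocked.append((n, host, ip_str))
            elif sink:
                report.blocked += 1
            else:
                report.hijacked.append((n, host, ip_str))
    return report


# Constructed sample, not the machine's real HOSTS file. 192.0.2.0/24 is the
# documentation range, standing in for whatever address an attacker would use.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample",
    "127.0.0.1       localhost",
    "0.0.0.0         ads.example.net        # ordinary blocklist entry",
    "0.0.0.0         tracker.example.org",
    "127.0.0.1       www.f-secure.com       # AV vendor sent to loopback",
    "192.0.2.10      www.example.com        # real site redirected",
    "192.0.2.10      update.microsoft.com   # updater redirected",
    "not-an-ip       broken.example",
])

if __name__ == "__main__":
    r = inspect_hosts(SAMPLE_HOSTS)
    print(f"blocklist entries: {r.blocked}")
    for n, host, ip in r.hijacked:
        print(f"line {n}: {host} redirected to {ip}")
    for n, host, ip in r.protection_blocked:
        print(f"line {n}: protection host {host} pointed at {ip}")
    for n, ip in r.malformed:
        print(f"line {n}: unparsable address {ip!r}")
    print("clean" if r.clean() else "needs attention")
```

    To run it against the real file, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to inspect_hosts(); a freshly installed blocklist file should produce a large blocked count, an empty hijacked list and an empty protection_blocked list. Note that the blocklist file itself will not protect the machine if the local DNS client resolves names before consulting HOSTS, so the check is about the file's contents, not about whether the system honours them.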
  18. obesz

    OTM log:

    ========== FILES ==========
    File/Folder C:\Documents and Settings\Matti\Local Settings\Temp\kwlyafow.sys not found.

    OTM by OldTimer - Version 3.0.0.6 log created on 10182009_164914

    Did we get it clean of the bugs?
    The machine already feels much, much better. A big thank you for that from the owner and from me.

    Now just go through the machine with oodefrag and so on?
     
  19. kalminen

    Yes, it's OK now.
    Just basic cleanup left (and hard use)
    :D
    .
     
  20. obesz

    Great job! Thanks a thousand times. Yeah, this machine was in a wild state. :D
     