HijackThis log attached: Avast finds trojans and worms and cleaning doesn't help

Discussion in 'Viruses and malware - HijackThis logs' started by Mikz, Oct 27, 2008.

  1. Mikz

    Mikz Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:35:42, on 27.10.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\TEMP\IXP003.TMP\IRVBWX~1.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\CMD.EXE
    C:\WINDOWS\TEMP\IXP004.TMP\lsass.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Sirkka\Työpöytä\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101490044046
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219150956502
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA4C770-877E-47F6-8B10-743A16BE0B31}: NameServer = 85.255.116.154,85.255.112.16
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O24 - Desktop Component 0: Nykyinen kotisivu - About:Home

    --
    End of file - 6348 bytes
     
  2. yaht

    yaht Regular member

    Start HijackThis and check the following lines

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA4C770-877E-47F6-8B10-743A16BE0B31}: NameServer = 85.255.116.154,85.255.112.16
    O24 - Desktop Component 0: Nykyinen kotisivu - About:Home


    Once you have checked the lines, press Fix Checked.


    Download Malwarebytes' Anti-Malware to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are selected: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, the program will download and install the latest version.
    * Once the program has loaded, select Perform full scan and click Scan.
    * When the scan is complete, click OK and then Show Results to view the results.
    * Make sure everything is checked and click Remove Selected.
    * After this the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found
    here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Post the contents of the log in your next reply, plus a new HJT log.
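As an added example (not code from this thread, from HijackThis or from Malwarebytes), the Python triage below applies the checks the reply above relies on to a HijackThis log: O17 NameServer entries pointing at non-private resolvers that are not on a trusted list (the DNSChanger symptom), an orphaned O2 BHO with "(no file)", and processes or RunOnce entries that reference wextract's TEMP\IXPnnn.TMP folders, which the posted log also shows. The sample lines are constructed from the thread; the 192.168.1.1 interface entry and the trusted_resolvers parameter are assumptions.

```python
import ipaddress
import re

# Constructed sample in HijackThis v2 format, modelled on the log posted in this
# thread (the 85.255.x.x resolvers and the IXPnnn.TMP paths are the ones quoted
# there); the 192.168.1.1 interface line is an assumed, benign extra entry.
SAMPLE_HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\IXP003.TMP\IRVBWX~1.EXE
C:\WINDOWS\TEMP\IXP004.TMP\lsass.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP001.TMP\"
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA4C770-877E-47F6-8B10-743A16BE0B31}: NameServer = 85.255.116.154,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{B755F700-A61F-46C9-9994-517829C2E6CC}: NameServer = 192.168.1.1
"""

# Windows binaries that legitimately run only from the system32 folder; the same
# name appearing elsewhere (here: TEMP\IXP004.TMP\lsass.exe) is a masquerade.
SYSTEM_ONLY_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe"}

# Folder pattern left behind by wextract/IExpress self-extracting packages.
IXP_TEMP = re.compile(r"\\TEMP\\IXP\d{3}\.TMP\\", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Split a HijackThis v2 log into its process list and its Rn/Onn entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif re.match(r"^[RO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def review_hjt(text, trusted_resolvers=()):
    """Return (severity, code, detail) findings for the indicators this thread shows."""
    findings = []
    trusted = {ipaddress.ip_address(ip) for ip in trusted_resolvers}
    processes, entries = parse_hjt(text)

    for proc in processes:
        name = proc.rsplit("\\", 1)[-1].lower()
        if IXP_TEMP.search(proc):
            findings.append(("high", "proc-temp-ixp", proc))
        if name in SYSTEM_ONLY_BINARIES and "\\system32\\" not in proc.lower():
            findings.append(("high", "proc-masquerade", proc))

    for entry in entries:
        m = O17_RE.match(entry)
        if m:
            # Each interface may list several resolvers separated by commas.
            for ip in m.group("servers").split(","):
                try:
                    addr = ipaddress.ip_address(ip.strip())
                except ValueError:
                    findings.append(("medium", "dns-unparseable", ip.strip()))
                    continue
                if not addr.is_private and addr not in trusted:
                    findings.append(("high", "dns-unknown-resolver", str(addr)))
            continue
        m = O2_RE.match(entry)
        if m and m.group("path") == "(no file)":
            findings.append(("low", "bho-orphan", m.group("clsid")))
            continue
        m = O4_RE.match(entry)
        if m and IXP_TEMP.search(m.group("cmd")):
            findings.append(("medium", "runonce-ixp-cleanup", m.group("label")))
    return findings


if __name__ == "__main__":
    for severity, code, detail in review_hjt(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {code:22} {detail}")
```

A private resolver such as 192.168.1.1 is never flagged; pass the ISP's resolvers in trusted_resolvers to keep public but expected addresses quiet.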
     
  3. Mikz

    Mikz Member

    Malwarebytes' Anti-Malware 1.30
    Tietokantaversio: 1306
    Windows 5.1.2600 Service Pack 3

    27.10.2008 22:13:10
    mbam-log-2008-10-27 (22-13-10).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|)
    Tarkistetut kohteet: 129640
    Kulunut aika: 59 minute(s), 13 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 12
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 11
    Saastuneita hakemistoja: 1
    Saastuneita tiedostoja: 11

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdizh.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aba4c770-877e-47f6-8b10-743a16be0b31}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b755f700-a61f-46c9-9994-517829c2e6cc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{aba4c770-877e-47f6-8b10-743a16be0b31}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b755f700-a61f-46c9-9994-517829c2e6cc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{aba4c770-877e-47f6-8b10-743a16be0b31}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{aba4c770-877e-47f6-8b10-743a16be0b31}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b755f700-a61f-46c9-9994-517829c2e6cc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{aba4c770-877e-47f6-8b10-743a16be0b31}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{aba4c770-877e-47f6-8b10-743a16be0b31}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b755f700-a61f-46c9-9994-517829c2e6cc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.154,85.255.112.16 -> Quarantined and deleted successfully.

    Saastuneita hakemistoja:
    C:\Documents and Settings\Sirkka\Local Settings\Application Data\qip (Rogue.Multiple) -> Quarantined and deleted successfully.

    Saastuneita tiedostoja:
    C:\Documents and Settings\Sirkka\Local Settings\Application Data\qip\data.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bn29.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bn42.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bn83.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bnb3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bneC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bneD.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bng3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bns4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\bny2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sirkka\Local Settings\Temp\laf126.tmp (Trojan.Zlob) -> Quarantined and deleted successfully.



    And the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:15:55, on 27.10.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\TEMP\IXP001.TMP\IRVBWX~1.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\Sirkka\Työpöytä\HiJackThis.exe
    C:\WINDOWS\System32\CMD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\TEMP\IXP002.TMP\lsass.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP001.TMP\"
    O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP002.TMP\"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101490044046
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219150956502
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6233 bytes

     
  4. Mikz

    Mikz Member

    You haven't forgotten me, have you...
     
  5. yaht

    yaht Regular member

    We haven't forgotten :D

    Download CCleaner from here

    - During installation, untick the box for "install Yahoo! toolbar".
    - After installation, open CCleaner.
    - From the left-hand column select Options.
    - From the next column select Settings.
    - Under Language, choose Suomi.

    - Start CCleaner.
    - Select Options.
    - Press Advanced.
    - Untick "Only delete files in Windows Temp folders older than 48 hours".

    Cleaner

    - From the left-hand column select Cleaner.
    - Press Analyze at the bottom.
    CCleaner now analyses what can be removed (temp files, cookies etc.).
    - When the analysis is finished, press Run Cleaner.
    CCleaner now removes the temp files, cookies etc. it found.

    Fixing registry errors

    - From the left-hand column select Registry.
    - Press Scan for Issues at the bottom.
    - When the scan is finished and you are sure you want to fix the lines that are checked, press Fix selected issues.
    - You will be asked "do you want to back up changes to the registry"; press Yes. Save the backup in, for example, the "My Documents" folder.
    - In the new window that opens, click Fix All Selected Issues.
    - You will get one more confirmation prompt; press OK.
    - When the errors have been fixed, press Close.

    You can now close CCleaner by clicking the red X at the top right.


    Scan your computer with the Kaspersky Online Scanner

    * Read through the requirements and the privacy statement and click Accept.
    * The scanner and virus database will start downloading. You will be asked whether to allow the installation of a program from Kaspersky. Click Run.
    * When the download is complete, click Settings.
    * Make sure the following items are selected. If they are not, select them and click Save:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases

    * Click My Computer under the My Computer Scan section.
    * When the scan is complete, the results are shown. Click View Scan Report.
    * You will see a list of infected items. Click Save Report As....
    * Save the file to your desktop. Change Files of type to Text file (.txt) before you click Save.
    * Copy and paste the contents of the file into your next reply along with a new HijackThis log
     
  6. Mikz

    Mikz Member

    I ran CCleaner and removed some stuff. Kaspersky Online seemed to hang, and once it even crashed Firefox... Is there another option? Avast found the same nasties again. Below is the latest HJT log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:09:12, on 28.10.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Sirkka\Työpöytä\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101490044046
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219150956502
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5796 bytes
     
  7. yaht

    yaht Regular member

    The computer needs a firewall, and where is Avast! finding them?

    1. Download Combofix.exe to your desktop from either of these links:
    Combofix.exe
    Combofix.exe

    Open Combofix.exe and follow the on-screen instructions

    Note! Do not click on the ComboFix window while it is running. This may cause the program to hang.
    Restart the computer if asked to, and post the contents of the combofix.txt file here.

    Empty the recycle bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, just before posting)
    * The (C:\ComboFix.txt) report
     
  8. Mikz

    Mikz Member

    ComboFix 08-10-28.01 - Sirkka 2008-10-28 21:19:32.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1035.18.184 [GMT 2:00]
    Sijainti: C:\Documents and Settings\Sirkka\Työpöytä\ComboFix.exe
    * Uusi palautuspiste luotu

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Mahdollisesti saastuneet sivut -----

    hxxp://zinbob.110mb.com
    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-09-28 to 2008-10-28 )))))))))))))))))
    .

    2008-10-28 16:54 . 2008-10-28 16:54 <KANSIO> d-------- C:\Program Files\CCleaner
    2008-10-27 19:58 . 2008-10-27 19:58 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-27 19:58 . 2008-10-27 19:58 <KANSIO> d-------- C:\Documents and Settings\Sirkka\Application Data\Malwarebytes
    2008-10-27 19:58 . 2008-10-27 19:58 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-27 19:58 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-27 19:58 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-26 22:01 . 2008-10-26 22:01 51,200 --a------ C:\WINDOWS\system32\tordus.exe
    2008-10-26 13:00 . 2008-10-26 13:00 <KANSIO> d-------- C:\temp\Windows.Genuine.Advantage.Validation.v1.8.32.0.CRACKED-iND
    2008-10-24 07:23 . 2008-10-15 18:37 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
    2008-10-24 03:32 . 2008-10-24 03:32 11,264 --a------ C:\WINDOWS\system32\lakpoint.exe
    2008-10-24 01:19 . 2008-10-24 01:19 11,264 --a------ C:\WINDOWS\system32\saniuscheck.exe
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 --a------ C:\WINDOWS\system32\today.exe
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT6.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT5.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT4.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT3.tmp
    2008-10-15 14:50 . 2008-09-08 12:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
    2008-10-15 14:49 . 2008-09-15 17:27 1,846,656 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-15 14:46 . 2008-08-14 15:25 2,191,488 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-15 14:46 . 2008-08-14 15:25 2,147,840 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-15 14:46 . 2008-08-14 15:25 2,068,352 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-15 14:46 . 2008-08-14 15:24 2,026,496 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-26 11:27 --------- d-----w C:\Documents and Settings\Sirkka\Application Data\uTorrent
    2008-10-24 05:25 30 ----a-w C:\Documents and Settings\Sirkka\jagex_runescape_preferences.dat
    2008-10-21 14:08 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2007-11-15 18:09 20,048 ----a-w C:\Documents and Settings\Sirkka\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-16 14:01 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\MSHist012008051620080517\index.dat
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 200704]
    "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "CnxDslTaskBar"="C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe" [2003-05-12 454656]
    "nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Sirkka\Käynnistä-valikko\Ohjelmat\Käynnistys\
    PowerReg Scheduler.exe [2005-02-05 256000]

    C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-12-24 156160]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Terminal Reality\\4x4 Evolution\\4x4.exe"=
    "C:\\Program Files\\Electronic Arts\\Sports Car GT\\Spcar.exe"=
    "C:\\Codemasters\\Blade of Darkness\\Bin\\Blade.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "C:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
    "C:\\Rune\\System\\Rune.exe"=
    "C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "C:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Soldat\\Soldat.exe"=
    "C:\\Documents and Settings\\Sirkka\\Työpöytä\\utorrent.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
    R3 CnxTgN;Conexant AccessRunner PCI ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-05-12 103364]
    R3 CnxTgP;Conexant AccessRunner PCI ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgP.sys [2003-05-12 444079]
    R3 CnxTgR;Conexant AccessRunner PCI ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxTgR.sys [2003-05-12 107944]
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys [ ]
    .
    .
    ------- Täydentävä tarkistus -------
    .
    FireFox -: Profile - C:\Documents and Settings\Sirkka\Application Data\Mozilla\Firefox\Profiles\m8kxpjhf.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://elisa.net/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-28 21:24:28
    Windows 5.1.2600 Service Pack 3 NTFS

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...


    C:\Documents and Settings\Sirkka\Local Settings\Application Data\Microsoft\Messenger\sirkka_liisa@hotmail.com\SharingMetadata\Working\database_BEA0_458F_A045_4ED9\fsrtmp.log 131072 bytes
    C:\Documents and Settings\Sirkka\Local Settings\Application Data\Microsoft\Messenger\sirkka_liisa@hotmail.com\SharingMetadata\Working\database_BEA0_458F_A045_4ED9\tmp.edb 131072 bytes

    tarkistus on valmis
    piilotetut tiedostot: 2

    **************************************************************************
    .
    ------------------------ Muut prosessit ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Valmistumisajankohta: 2008-10-28 21:32:19 - kone käynnistettiin uudelleen
    ComboFix-quarantined-files.txt 2008-10-28 19:32:08

    Ennen ajoa: 15 162 028 032 tavua vapaana
    Ajon jälkeen: 15,153,573,888 tavua vapaana

    132 --- E O F --- 2008-10-24 17:52:48

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:33:18, on 28.10.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Sirkka\Työpöytä\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101490044046
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219150956502
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5183 bytes

    There they are again; a few familiar names caught my eye too, like tordus.exe and saniuscheck, at least those are the ones avast keeps complaining about... Oh, and the machine has the Windows built-in firewall enabled.
     
    Last edited: Oct 28, 2008
  9. yaht

    yaht Regular member

    C:\temp\Windows.Genuine.Advantage.Validation.v1.8.32.0.CRACKED-iND

    I wonder whether that is a genuine Windows?
     
  10. Mikz

    Mikz Member

    I can't vouch for its genuineness (it's not my own machine)... Are we starting to get on top of this, or are there still nasties left?
     
  11. yaht

    yaht Regular member

    Yep, let's just check those few files first before we delete them.

    Submit the following files Here and report the results.

    C:\WINDOWS\system32\tordus.exe
    C:\WINDOWS\system32\lakpoint.exe
    C:\WINDOWS\system32\saniuscheck.exe
    C:\WINDOWS\system32\today.exe
     
  12. Mikz

    Mikz Member

    File: today.exe
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 463ce212163a44b2cdfbf57e326400cd
    Packers detected:
    -
    Scanner results
    Scan taken on 29 Oct 2008 04:26:17 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found DR/Agent.hgz, TR/Dldr.VB.hte, TR/Dldr.VB.htd
    ArcaVir
    Found nothing
    Avast
    Found Win32:Trojan-gen {Other}
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found Trojan.DownLoad.8664
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan.Win32.Agent.akad
    G DATA
    Found Win32:Trojan-gen
    Ikarus
    Found Virus.Trojan.Win32.Agent.akad
    Kaspersky Anti-Virus
    Found Trojan.Win32.Agent.akad
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found Trojan.Win32.Agent.akad

    lakpoint.exe was clean; sanius/tordus were not found in the system folder.
     
  13. yaht

    yaht Regular member

    Yep, so let's remove them.

    1. Download Combofix.exe to your desktop from either of these links:
    Combofix.exe
    Combofix.exe

    Open Notepad and copy/paste the contents of the Quote: box into it:


    Save it as CFScript (ComboFix actually recognizes it even if the file extension is not
    .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Do not click.)

    Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
    Restart the computer if prompted and post the contents of the combofix.txt file here.

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, right before posting)
    * The (C:\ComboFix.txt) report
     
  14. Mikz

    Mikz Member

    Phew, I'm about to format that machine and reinstall Windows... It doesn't look good: every now and then I get an error about some dll that can't be found or similar, and then avast found something again...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:34:20, on 29.10.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Sirkka\Työpöytä\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe"
    O4 - HKLM\..\Run: [a0454e76] rundll32.exe "C:\WINDOWS\system32\mratfrrt.dll",b
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101490044046
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219150956502
    O20 - AppInit_DLLs: ufvpen.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4935 bytes

    ComboFix 08-10-29.06 - Sirkka 2008-10-29 15:51:23.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1035.18.100 [GMT 2:00]
    Sijainti: C:\Documents and Settings\Sirkka\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: C:\Documents and Settings\Sirkka\Työpöytä\CFScript.txt
    * Uusi palautuspiste luotu

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

    FILE ::
    C:\WINDOWS\system32\saniuscheck.exe
    C:\WINDOWS\system32\today.exe
    C:\WINDOWS\system32\tordus.exe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\asnqcm.dll
    C:\WINDOWS\system32\bnphtpou.dll
    C:\WINDOWS\system32\ddcArRkj.dll
    C:\WINDOWS\system32\gciqdfnj.dll
    C:\WINDOWS\system32\jkRrAcdd.ini
    C:\WINDOWS\system32\jkRrAcdd.ini2
    C:\WINDOWS\system32\jpgvboom.ini
    C:\WINDOWS\system32\moobvgpj.dll
    C:\WINDOWS\system32\qcptknar.dll
    C:\WINDOWS\system32\today.exe
    C:\WINDOWS\system32\ufvpen.dll
    C:\WINDOWS\system32\uopthpnb.ini

    ----- BITS: Mahdollisesti saastuneet sivut -----

    hxxp://zinbob.110mb.com
    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-09-28 to 2008-10-29 )))))))))))))))))
    .

    2008-10-29 16:19 . 2008-10-29 16:20 319,074 --ah----- C:\WINDOWS\system32\BIT9.tmp
    2008-10-29 16:19 . 2008-10-29 16:19 313,344 --a------ C:\WINDOWS\system32\byXRhggE.dll
    2008-10-29 16:19 . 2008-10-29 16:23 343 --ahs---- C:\WINDOWS\system32\EgghRXyb.ini2
    2008-10-29 16:19 . 2008-10-29 16:24 343 --ahs---- C:\WINDOWS\system32\EgghRXyb.ini
    2008-10-29 15:36 . 2008-10-29 15:36 34,304 --a------ C:\WINDOWS\system32\vtUolMdA.dll
    2008-10-29 15:36 . 2008-10-29 15:36 34,304 --a------ C:\WINDOWS\system32\ssqRJcyA.dll
    2008-10-29 15:36 . 2008-10-29 15:36 34,304 --a------ C:\WINDOWS\system32\opnoPHbX.dll
    2008-10-29 15:36 . 2008-10-29 15:36 34,304 --a------ C:\WINDOWS\system32\geBsQgGV.dll
    2008-10-29 06:24 . 2008-10-29 06:24 34,304 --a------ C:\WINDOWS\system32\ssqNExwv.dll
    2008-10-29 06:24 . 2008-10-29 06:24 34,304 --a------ C:\WINDOWS\system32\mlJYrsrS.dll
    2008-10-29 06:24 . 2008-10-29 06:24 34,304 --a------ C:\WINDOWS\system32\ddcButur.dll
    2008-10-29 06:24 . 2008-10-29 06:24 34,304 --a------ C:\WINDOWS\system32\ddcBRhiJ.dll
    2008-10-29 03:04 . 2008-10-29 03:04 75,788 ---h----- C:\WINDOWS\system32\BIT8.tmp
    2008-10-29 03:00 . 2008-10-29 03:00 35,852 --a------ C:\WINDOWS\system32\lakpoint.exe
    2008-10-28 16:54 . 2008-10-28 16:54 <KANSIO> d-------- C:\Program Files\CCleaner
    2008-10-27 19:58 . 2008-10-27 19:58 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-27 19:58 . 2008-10-27 19:58 <KANSIO> d-------- C:\Documents and Settings\Sirkka\Application Data\Malwarebytes
    2008-10-27 19:58 . 2008-10-27 19:58 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-27 19:58 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-27 19:58 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-24 07:23 . 2008-10-15 18:37 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT7.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT6.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT5.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT4.tmp
    2008-10-19 06:32 . 2008-10-19 06:32 319,074 ---h----- C:\WINDOWS\system32\BIT3.tmp
    2008-10-15 14:50 . 2008-09-08 12:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
    2008-10-15 14:49 . 2008-09-15 17:27 1,846,656 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-15 14:46 . 2008-08-14 15:25 2,191,488 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-15 14:46 . 2008-08-14 15:25 2,147,840 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-15 14:46 . 2008-08-14 15:25 2,068,352 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-15 14:46 . 2008-08-14 15:24 2,026,496 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-28 20:27 --------- d-----w C:\Documents and Settings\Sirkka\Application Data\uTorrent
    2008-10-24 05:25 30 ----a-w C:\Documents and Settings\Sirkka\jagex_runescape_preferences.dat
    2008-10-21 14:08 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-09-15 15:27 1,846,656 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-26 08:12 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 13:25 2,191,488 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 13:25 2,068,352 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2007-11-15 18:09 20,048 ----a-w C:\Documents and Settings\Sirkka\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-16 14:01 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\MSHist012008051620080517\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-28_21.31.37.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
    + 2008-07-19 15:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
    - 2008-07-19 14:30:53 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
    + 2008-07-19 15:30:53 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
    - 2008-07-19 14:32:15 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    + 2008-07-19 15:32:15 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    - 2008-07-19 14:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
    + 2008-07-19 15:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
    - 2008-01-17 15:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    + 2008-01-17 17:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    - 2008-07-19 14:37:21 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    + 2008-07-19 15:37:21 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    - 2008-07-19 14:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    + 2008-07-19 15:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    - 2008-07-19 14:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
    + 2008-07-19 15:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
    - 2008-07-19 14:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    + 2008-07-19 15:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    + 2008-10-29 13:36:34 34,304 ----a-w C:\WINDOWS\system32\vtUolMdA.dll
    + 2008-10-24 02:53:38 102,912 ------w C:\WINDOWS\Temp\IXP000.TMP\IRVBWX~1.EXE
    + 2008-10-23 16:44:32 118,784 ------w C:\WINDOWS\Temp\IXP001.TMP\lsass.exe
    - 2008-10-28 19:23:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_674.dat
    + 2008-10-29 13:57:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_674.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{299B5FAC-2168-4A5D-A67D-AA4C8F8055DA}]
    2008-10-29 06:24 34304 --a------ C:\WINDOWS\system32\mlJYrsrS.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6387F7C2-CEA0-4703-B7BF-ECBBA6E853F8}]
    2008-10-29 16:19 313344 --a------ C:\WINDOWS\system32\byXRhggE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6ca89a3f-8821-42da-ba9d-da0b76ea9051}]
    2008-10-29 16:23 128000 --a------ C:\WINDOWS\system32\jskhgl.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-09-18 200704]
    "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "CnxDslTaskBar"="C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe" [2003-05-12 454656]
    "nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Sirkka\Käynnistä-valikko\Ohjelmat\Käynnistys\
    PowerReg Scheduler.exe [2005-02-05 256000]

    C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-12-24 156160]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{299B5FAC-2168-4A5D-A67D-AA4C8F8055DA}"= "C:\WINDOWS\system32\mlJYrsrS.dll" [2008-10-29 34304]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYrsrS]
    2008-10-29 06:24 34304 C:\WINDOWS\system32\mlJYrsrS.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=ufvpen.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\byXRhggE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Terminal Reality\\4x4 Evolution\\4x4.exe"=
    "C:\\Program Files\\Electronic Arts\\Sports Car GT\\Spcar.exe"=
    "C:\\Codemasters\\Blade of Darkness\\Bin\\Blade.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "C:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
    "C:\\Rune\\System\\Rune.exe"=
    "C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "C:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Soldat\\Soldat.exe"=
    "C:\\Documents and Settings\\Sirkka\\Työpöytä\\utorrent.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
    R3 CnxTgN;Conexant AccessRunner PCI ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-05-12 103364]
    R3 CnxTgP;Conexant AccessRunner PCI ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgP.sys [2003-05-12 444079]
    R3 CnxTgR;Conexant AccessRunner PCI ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxTgR.sys [2003-05-12 107944]
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys [ ]
    .
    - - - - POISTETUT JÄMÄRIVIT - - - -

    BHO-{A1D5F9E5-A20D-474E-8BE5-AFA2A1607239} - C:\WINDOWS\system32\ddcArRkj.dll



    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-29 16:19:44
    Windows 5.1.2600 Service Pack 3 NTFS

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...


    C:\WINDOWS\system32\jskhgl.dll 128000 bytes executable
    C:\WINDOWS\system32\vkugvlfb.dll 128000 bytes executable

    tarkistus on valmis
    piilotetut tiedostot: 2

    **************************************************************************
    .
    --------------------- Prosesseihin ladatut DLLt ---------------------

    PROSESSI: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\mlJYrsrS.dll

    PROSESSI: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\mratfrrt.dll
    -> C:\WINDOWS\system32\byXRhggE.dll
    .
    ------------------------ Muut prosessit ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Temp\IXP000.TMP\IRVBWX~1.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\Temp\IXP001.TMP\lsass.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Valmistumisajankohta: 2008-10-29 16:28:04 - kone käynnistettiin uudelleen
    ComboFix-quarantined-files.txt 2008-10-29 14:27:48
    ComboFix2.txt 2008-10-28 19:32:20

    Ennen ajoa: 15 119 441 920 tavua vapaana
    Ajon jälkeen: 15,146,426,368 tavua vapaana

    214 --- E O F --- 2008-10-24 17:52:48
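As an added example (not code from the thread or from ComboFix), a small triage script run over a constructed excerpt in the shape of the ComboFix startup section above: it flags entries under autostart points that a clean XP install leaves empty or at their defaults (Browser Helper Objects, Winlogon Notify, AppInit_DLLs, LSA authentication packages, ShellExecuteHooks) and files dated within a few days of the scan, with the vowel/case-flip "random name" check used only as supporting evidence. The key list, the 7-day window and the name heuristic are my assumptions, not anything the helpers in the thread stated.

```python
import re
from datetime import datetime, timedelta
# Constructed excerpt in the shape of the ComboFix startup section quoted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{299B5FAC-2168-4A5D-A67D-AA4C8F8055DA}]
2008-10-29 06:24 34304 --a------ C:\WINDOWS\system32\mlJYrsrS.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ufvpen.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\byXRhggE
"""
# Assumed list of autostart points a stock XP install leaves empty or at defaults;
# ComboFix hides the defaults, so anything it prints under them deserves a look.
SENSITIVE = ("winlogon\\notify", "appinit_dlls", "control\\lsa",
             "shellexecutehooks", "browser helper objects")
DATE_RE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")

def looks_random(name):
    """Supporting evidence only: hardly any vowels, or many case flips."""
    letters = [c for c in name.rsplit(".", 1)[0] if c.isalpha()]
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return len(letters) >= 6 and (vowels / len(letters) < 0.2 or flips >= 3)

def modules_in(line):
    """Basenames of the modules one ComboFix value line refers to."""
    toks = re.split(r'[\s="]+', line)
    return ([t.rsplit("\\", 1)[-1] for t in toks if "\\" in t] +
            [t for t in toks if "\\" not in t and t.lower().endswith((".dll", ".exe"))])

def triage(log_text, scan_day, recent_days=7):
    """Return [(key, module, reasons)] for entries worth a second look."""
    scan, findings, key = datetime.strptime(scan_day, "%Y-%m-%d"), [], ""
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("["):          # section header = registry key
            key = line.strip("[]").lower()
            continue
        m = DATE_RE.search(line)          # file date ComboFix prints per entry
        recent = bool(m) and scan - datetime.strptime(m.group(1), "%Y-%m-%d") <= timedelta(days=recent_days)
        sensitive = any(s in key + " " + line.lower() for s in SENSITIVE)
        for mod in modules_in(line):
            reasons = (["sensitive autostart point"] if sensitive else []) + \
                      (["dated within %d days of scan" % recent_days] if recent else [])
            if reasons:                   # the name heuristic never flags on its own
                reasons += ["random-looking name"] if looks_random(mod) else []
                findings.append((key, mod, reasons))
    return findings

for key, mod, why in triage(SAMPLE_LOG, "2008-10-29"):
    print("%-14s %s  (%s)" % (mod, key.rsplit("\\", 1)[-1], "; ".join(why)))
```

On the excerpt this reports mlJYrsrS.dll, ufvpen.dll and byXRhggE and leaves NvCpl.dll alone, which matches what the helpers in the thread singled out from the full log.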
     
  15. Mikz

    Mikz Member

    Never mind, there's nothing on the machine that really needs backing up, so I'll reinstall Windows. I ran Malwarebytes' Anti-Malware just now for the fun of it and it found ~45 new infections.

    Thanks for the help, but I can't be bothered to keep trying at this end...
     
  16. yaht

    yaht Regular member

    Yep, this is why the firewall should have been something other than Windows' own, since it doesn't block anything.
     
  17. Mikz

    Mikz Member

    Yeah, at least not when the user is a bit of a klutz who accepts whatever pops up online... Thanks anyway for the effort!
     
  18. yaht

    yaht Regular member

    No problem :D
     
