The machine has been having problems: all kinds of pop-up windows and viruses. HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:09:32, on 3.1.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Video ActiveX Object\pmsngr.exe
C:\Program Files\Video ActiveX Object\isamonitor.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\UMonit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Video ActiveX Object\pmmon.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Video ActiveX Object\isamini.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\dfndrff_130.exe
C:\kybrdff_e130.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\windows_e57.exe
C:\Program Files\Common Files\{945ABED8-06FF-1035-0921-050509020166}\Update.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\svchosts.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\kybrdff_e143.exe
c:\dfndrff_143.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yourstartingpage.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL (file missing)
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{345ABED8-06FE-1035-0921-050509020166}\MyToolBar.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Blondes] C:\Program Files\hbt\Dialers\Blondes\Blondes.exe /dontdial
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [cdde0d6e] RUNDLL32.EXE w00ff2d3.dll,n 004e0d6a0000000a00ff2d3
O4 - HKLM\..\Run: [defender] c:\\dfndrff_143.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e143.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e57.exe
O4 - HKLM\..\Run: [{945ABED8-06FF-1035-0921-050509020166}] "C:\Program Files\Common Files\{945ABED8-06FF-1035-0921-050509020166}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [{945ABED8-06FE-1035-0921-050509020166}] "C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020166}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e57.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Discipl2Setup.exe] C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\TEMPOR~1\Content.IE5\8CJGFVAX\DISCIP~1.EXE /r
O8 - Extra context menu item: &Google-haku - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Käännä englanninkielinen sana - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Linkit taaksepäin - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Samankaltaisia sivuja - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Välimuistissa oleva kuvakaappaus sivusta - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9rdTMxMw\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
1. Download the combofix.exe file to your desktop.
2. Double-click the combofix.exe file and follow the instructions.
3. When the tool finishes, it produces a log. Post this log in your thread.

Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.

Download SmitfraudFix (by S!Ri) to your desktop.
Double-click the file SmitfraudFix.exe.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will open listing the infected files (if any). Post the contents of this text file in your thread.

**If the tool does not start from the desktop, move SmitfraudFix.exe directly to the root of the system drive (usually C:). Then try starting the program again from there.

Note: some anti-virus programs (AntiVir, Dr.Web, Kaspersky) detect the process.exe file as a "malicious tool"; it is not a virus but a program that stops processes. A/V programs cannot tell good use of such programs from bad, so they may warn the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post:
the ComboFix log
the SmitfraudFix log
a new HJT log
There was a small delay, but here are the logs:

ComboFix:

Käyttäjä - 07-01-06 13:49:25,31 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Käyttäjä\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{CFE389D0-53BE-48F8-AC17-49B412AD6F84}]
@=""
[HKEY_CLASSES_ROOT\clsid\{CFE389D0-53BE-48F8-AC17-49B412AD6F84}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{CFE389D0-53BE-48F8-AC17-49B412AD6F84}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{CFE389D0-53BE-48F8-AC17-49B412AD6F84}\InprocServer32]
@="C:\\WINDOWS\\system32\\uxnphost.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{2F67E768-D89B-4020-9496-DE6BA600215D}]
@=""
[HKEY_CLASSES_ROOT\clsid\{2F67E768-D89B-4020-9496-DE6BA600215D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{2F67E768-D89B-4020-9496-DE6BA600215D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{2F67E768-D89B-4020-9496-DE6BA600215D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{77BE29D3-1ABF-4AA1-A946-B5CBCCB0556F}]
@=""
[HKEY_CLASSES_ROOT\clsid\{77BE29D3-1ABF-4AA1-A946-B5CBCCB0556F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{77BE29D3-1ABF-4AA1-A946-B5CBCCB0556F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{77BE29D3-1ABF-4AA1-A946-B5CBCCB0556F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{7E89AAE6-DB60-4516-9701-05894BE1D1CD}]
@=""
[HKEY_CLASSES_ROOT\clsid\{7E89AAE6-DB60-4516-9701-05894BE1D1CD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{7E89AAE6-DB60-4516-9701-05894BE1D1CD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{7E89AAE6-DB60-4516-9701-05894BE1D1CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{D7B28B84-7D97-4FD5-BB11-ED54A01749EC}]
@=""
[HKEY_CLASSES_ROOT\clsid\{D7B28B84-7D97-4FD5-BB11-ED54A01749EC}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{D7B28B84-7D97-4FD5-BB11-ED54A01749EC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{D7B28B84-7D97-4FD5-BB11-ED54A01749EC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINDOWS\system32\adi3d1ag.dll
C:\WINDOWS\system32\apivvaxx.dll
C:\WINDOWS\system32\awioglxx.dll
C:\WINDOWS\system32\aztiveds.dll
C:\WINDOWS\system32\decompos.dll
C:\WINDOWS\system32\dn2601fse.dll
C:\WINDOWS\system32\dnp0017me.dll
C:\WINDOWS\system32\ennul1591.dll
C:\WINDOWS\system32\ezentlog.dll
C:\WINDOWS\system32\f60o0gd3e60.dll
C:\WINDOWS\system32\fpno0353e.dll
C:\WINDOWS\system32\g022lafo1d2c.dll
C:\WINDOWS\system32\hr6s05j7e.dll
C:\WINDOWS\system32\hrnm0551e.dll
C:\WINDOWS\system32\hyd.dll
C:\WINDOWS\system32\idpeers.dll
C:\WINDOWS\system32\ifclass.dll
C:\WINDOWS\system32\iGsacct.dll
C:\WINDOWS\system32\ilrop.dll
C:\WINDOWS\system32\j4l4le3q1h.dll
C:\WINDOWS\system32\jst500.dll
C:\WINDOWS\system32\jtr6079se.dll
C:\WINDOWS\system32\kt6ml7j11.dll
C:\WINDOWS\system32\kt6ql7j51.dll
C:\WINDOWS\system32\ktdsmsno.dll
C:\WINDOWS\system32\ktn2l75o1.dll
C:\WINDOWS\system32\ktpul7791.dll
C:\WINDOWS\system32\l2l6lc3s1f.dll
C:\WINDOWS\system32\lvn0095me.dll
C:\WINDOWS\system32\lvpu0979e.dll
C:\WINDOWS\system32\m0280afued280.dll
C:\WINDOWS\system32\mv6ql9j51.dll
C:\WINDOWS\system32\mwjint40.dll
C:\WINDOWS\system32\n24s0ch7ef4.dll
C:\WINDOWS\system32\n88olil318q.dll
C:\WINDOWS\system32\o284lclq1fqe.dll
C:\WINDOWS\system32\pbchdprf.dll
C:\WINDOWS\system32\r2p80c7uef.dll
C:\WINDOWS\system32\s6pu0g79e6.dll
C:\WINDOWS\system32\sondcmsg.dll
C:\WINDOWS\system32\uql.dll
C:\WINDOWS\system32\wbploc.dll
C:\WINDOWS\system32\guard.tmp

Granting sedebugprivilege to Administrators ... successful

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\teller2.chk
C:\dfndrff_130.exe
C:\dfndrff_143.exe
C:\dfndrff_145.exe
C:\dfndrff_e16.exe
C:\dfndrff_e17.exe
C:\dfndrff_e37.exe
C:\dfndrff_e40.exe
C:\dfndrff_e41.exe
C:\dfndrff_e42.exe
C:\dfndrff_e48.exe
C:\dfndrff_e53.exe
C:\dfndrff_e56.exe
C:\dfndrff_e57.exe
C:\deskbar_e13.exe
C:\deskbar_e145.exe
C:\deskbar_e37.exe
C:\deskbar_e39.exe
C:\deskbar_e41.exe
C:\deskbar_e42.exe
C:\deskbar_e48.exe
C:\deskbar_e53.exe
C:\deskbar_e55.exe
C:\kybrdff_e130.exe
C:\kybrdff_e143.exe
C:\kybrdff_e145.exe
C:\kybrdff_e16.exe
C:\kybrdff_e37.exe
C:\kybrdff_e40.exe
C:\kybrdff_e41.exe
C:\kybrdff_e42.exe
C:\kybrdff_e48.exe
C:\kybrdff_e53.exe
C:\kybrdff_e56.exe
C:\kybrdff_e57.exe
C:\nwnmff_e16.exe
C:\nwnmff_e17.exe
C:\nwnmff_e37.exe
C:\nwnmff_e40.exe
C:\nwnmff_e41.exe
C:\nwnmff_e42.exe
C:\nwnmff_e53.exe
C:\nwnmff_e56.exe
C:\Documents and Settings\Käyttäjä\setup9X.exe
C:\ac3_0010.exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\WindowsUpdate\howyvykaf.html
C:\dollarrev.exe
C:\mc44a48.exe
C:\windows.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\Inetget2
C:\Program Files\IntCodec
C:\Program Files\network monitor
C:\Program Files\outlook
C:\Program Files\winupdates
C:\Program Files\Common Files\{345ABED8-06FE-1035-0921-050509020166}
C:\Program Files\Common Files\{345ABED8-06FF-1035-0921-050509020166}
C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020166}
C:\WINDOWS\Sm9rdTMxMw
C:\Program Files\PrintView
C:\Program Files\Common Files\{945ABED8-06FF-1035-0921-050509020166}

((((((((((((((((((((((((((((((( Files Created from 2006-12-06 to 2007-01-06 ))))))))))))))))))))))))))))))))))

2007-01-06 13:52 <DIR> d-------- C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020001}
2007-01-04 11:44 86,528 --a------ C:\WINDOWS\bnetunin.exe
2007-01-03 22:45 <DIR> d-------- C:\Documents and Settings\Käyttäjä\.limewire
2007-01-03 19:48 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-01-03 19:48 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-01-03 19:48 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-03 19:48 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-03 19:48 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-03 19:47 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-01-03 19:47 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-03 19:47 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-03 19:25 <DIR> dr--s---- C:\WINDOWS\assembly
2007-01-01 21:46 <DIR> d-------- C:\Program Files\Ipwindows
2006-12-28 13:43 25,600 --a------ C:\WINDOWS\system32\im64tmp.dll
2006-12-27 15:56 <DIR> d-------- C:\Program Files\AviSynth 2.5
2006-12-27 15:53 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2006-12-27 15:53 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2006-12-21 17:32 <DIR> d-------- C:\Program Files\Video ActiveX Object
2006-12-19 20:41 <DIR> d-------- C:\Program Files\ReflexiveArcade
2006-12-16 13:33 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-15 21:00 <DIR> d-------- C:\Program Files\TryMedia
2006-12-14 21:30 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-14 21:30 <DIR> d-------- C:\Documents and Settings\Käyttäjä\Application Data\Mozilla

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-06 13:52 -------- d-------- C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020001}
2007-01-06 13:52 -------- d-------- C:\Program Files\Common Files
2007-01-06 13:50 -------- d--h----- C:\Program Files\WindowsUpdate
2007-01-03 19:57 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-03 15:02 -------- d-------- C:\Program Files\Internet Explorer
2007-01-01 21:59 93509 --a------ C:\WINDOWS\system32\install.exe
2006-12-27 23:49 -------- d-------- C:\Program Files\Incomplete
2006-12-27 15:58 -------- d---s---- C:\Documents and Settings\Käyttäjä\Application Data\Microsoft
2006-12-22 13:11 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-12-22 13:11 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-12-22 13:11 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-12-20 20:31 -------- d-------- C:\Program Files\MSN
2006-12-19 16:47 -------- d-------- C:\Program Files\Outlook Express
2006-12-19 16:47 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-28 21:07 61440 --a------ C:\WINDOWS\diabswun.exe
2006-11-24 09:58 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-19 18:50 32768 --a------ C:\WINDOWS\system32\setup9x.exe
2006-11-19 18:50 204 --a------ C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
2006-11-15 09:19 32768 --a------ C:\WINDOWS\system32\dr.exe
2006-11-14 10:43 446464 --a------ C:\windows_e57.exe
2006-11-14 10:42 32768 --a------ C:\mc44a57.exe
2006-11-13 13:40 438272 --a------ C:\windows_e56.exe
2006-11-13 13:40 32768 --a------ C:\mc44a56.exe
2006-11-10 10:44 430080 --a------ C:\windows_e53.exe
2006-11-10 10:44 20480 --a------ C:\mc44a53.exe
2006-11-08 07:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-05 00:00 19456 --a------ C:\DXC9.exe
2006-11-05 00:00 143360 --a------ C:\yz02.exe
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-29 20:17 24576 --a------ C:\mc44a42.exe
2006-10-28 20:56 13651 --a------ C:\WINDOWS\system32\appmgr32.dll
2006-10-28 10:02 24576 --a------ C:\mc44a41.exe
2006-10-28 10:02 192 --a------ C:\WINDOWS\system32\ggg.bat
2006-10-27 14:10 16384 --a------ C:\mc44a39.exe
2006-10-25 18:33 16384 --a------ C:\mc44a37.exe
2006-10-19 15:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 21:06 24296 --a------ C:\WINDOWS\icont.exe
2006-10-13 14:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 14:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 14:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-08 09:33 236457 -r--s---- C:\WINDOWS\system32\qddwipes.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"Discipl2Setup.exe"="C:\\DOCUME~1\\KYTTJ~1\\LOCALS~1\\Temp\\TEMPOR~1\\Content.IE5\\8CJGFVAX\\DISCIP~1.EXE /r"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"UMonit"="C:\\WINDOWS\\system32\\UMonit.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"PowerManager"="C:\\Program Files\\Power Manager\\PM.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"SMSERIAL"="sm56hlpr.exe"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"Blondes"="C:\\Program Files\\hbt\\Dialers\\Blondes\\Blondes.exe /dontdial "
"csr"="csrrs.exe"
"cdde0d6e"="RUNDLL32.EXE w00ff2d3.dll,n 004e0d6a0000000a00ff2d3"
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"windows"="C:\\\\windows_e57.exe"
"{945ABED8-06FF-1035-0921-050509020166}"="\"C:\\Program Files\\Common Files\\{945ABED8-06FF-1035-0921-050509020166}\\Update.exe\" mc-110-12-0000137"
"{945ABED8-06FE-1035-0921-050509020166}"="\"C:\\Program Files\\Common Files\\{945ABED8-06FE-1035-0921-050509020166}\\Update.exe\" mc-110-12-0000137"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"{945ABED8-06FE-1035-0921-050509020001}"="\"C:\\Program Files\\Common Files\\{945ABED8-06FE-1035-0921-050509020001}\\Update.exe\" mc-110-12-0000137"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"csr"="csrrs.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Internet Explorer\\kyzexem.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\howyvykaf.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,e0,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"isamonitor.exe"="C:\\Program Files\\Video ActiveX Object\\isamonitor.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

Completion time: 07-01-06 13:53:33.37
C:\ComboFix.txt ... 07-01-06 13:53

SmitfraudFix:

SmitFraudFix v2.132

Scan done at 13:56:04,26, la 06.01.2007
Run from C:\Documents and Settings\Käyttäjä\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\icont.exe FOUND !
C:\WINDOWS\keyboard1.dat FOUND !
C:\WINDOWS\newname.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\svchosts.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Käyttäjä

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Käyttäjä\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KYTTJ~1\FAVORI~1

C:\DOCUME~1\KYTTJ~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\KYTTJ~1\Desktop\Remove Spyware.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video ActiveX Object\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\kyzexem.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\howyvykaf.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" c:\\windows\\system32\\ldcore.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:59:38, on 6.1.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\UMonit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows_e57.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020001}\Update.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yourstartingpage.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL (file missing)
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Blondes] C:\Program Files\hbt\Dialers\Blondes\Blondes.exe /dontdial
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [cdde0d6e] RUNDLL32.EXE w00ff2d3.dll,n 004e0d6a0000000a00ff2d3
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e57.exe
O4 - HKLM\..\Run: [{945ABED8-06FF-1035-0921-050509020166}] "C:\Program Files\Common Files\{945ABED8-06FF-1035-0921-050509020166}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [{945ABED8-06FE-1035-0921-050509020166}] "C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020166}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{945ABED8-06FE-1035-0921-050509020001}] "C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020001}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Discipl2Setup.exe] C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\TEMPOR~1\Content.IE5\8CJGFVAX\DISCIP~1.EXE /r
O8 - Extra context menu item: &Google-haku - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Käännä englanninkielinen sana - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Linkit taaksepäin - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Samankaltaisia sivuja - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Välimuistissa oleva kuvakaappaus sivusta - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Here they are.
hannu71 passed this on to me, so let's continue. There's a lot of work ahead.

First take a backup of the registry like this: Run -> regedit -> OK. Then File -> Export. Give it some name and click Save (and make a note of where you saved it).

Then save the text below as fix.reg, for example in Notepad on the desktop (file type: All Files):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]

Double-click it and click Yes and OK.

Uninstall from Control Panel, if present:
Blondes
Ipwindows

Fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yourstartingpage.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Blondes] C:\Program Files\hbt\Dialers\Blondes\Blondes.exe /dontdial
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [cdde0d6e] RUNDLL32.EXE w00ff2d3.dll,n 004e0d6a0000000a00ff2d3
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e57.exe
O4 - HKLM\..\Run: [{945ABED8-06FF-1035-0921-050509020166}] "C:\Program Files\Common Files\{945ABED8-06FF-1035-0921-050509020166}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [{945ABED8-06FE-1035-0921-050509020166}] "C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020166}\Update.exe"
O4 - HKLM\..\Run: [{945ABED8-06FE-1035-0921-050509020001}] "C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020001}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)

Download Brute Force Uninstaller from that link to your desktop.
- Right-click the BFU zip on your desktop and choose Extract All.
- Click "Next"
- In the box where you choose where to extract the files,
- Click "Browse"
- Click the + sign next to My Computer
- Click "Local Disk (C:)" or whatever your main drive is
- Click "Make New Folder"
- Type BFU
- Click "Next", do NOT tick the "Show extracted files" box, and click "Finish".

RIGHT-CLICK HERE and choose "Save As" ("Save Target As" in Explorer) to download the Alcra PLUS Remover. Save it to the folder you made earlier (c:\BFU). Don't do anything with it yet!

Save these instructions to a text file or print them, otherwise you cannot get at them from Safe Mode.

Download AVG Anti-Spyware 7.5 and save the program to your desktop.
- Once you have downloaded the program, double-click the installer's shortcut on your desktop; the installation starts.
- After installation the program must be started and its definitions updated.
- Start AVG Anti-Spyware.
- Click the "Update" icon in the main menu. Then click the "Update now" button.
- Then click the "Start Update" icon and the update begins.
- When the updates have been downloaded, click the "Scanner" icon at the top of the window. Then choose the "Settings" tab.
- When the "Settings" menu has opened, click "Recommended actions" and then choose "Quarantine".
- Then under the "Reports" menu:
- Tick "Automatically generate report after every scan"
- Untick "Only if threats were found"
- Then click the "Shield" icon at the top of the window
- "Resident shield is": change the state from active to inactive
- Close the program; do NOT scan yet.

Boot your computer into Safe Mode by tapping the F8 key during startup.

Click Start > My Computer and navigate to the C:\BFU folder.
- Start Brute Force Uninstaller by double-clicking BFU.exe
- In the "Scriptline to execute" field, type or paste c:\bfu\alcanshorty.bfu
- Click Execute and let it do its work. (You should see a progress bar if you did this right.)
- Wait for the "Complete script execution" box and click OK.
- Click Exit to close Brute Force Uninstaller.

Delete if found:
C:\Program Files\Common Files\{945ABED8-06FE-1035-0921-050509020001}
C:\Program Files\Ipwindows
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\setup9x.exe
C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
C:\WINDOWS\system32\dr.exe
C:\DXC9.exe
C:\yz02.exe
c:\windows\system32\ldcore.dll
C:\Program Files\Internet Explorer\kyzexem.html
C:\Program Files\hbt
C:\WINDOWS\v1201.exe

Empty the Recycle Bin.

While in Safe Mode, double-click SmitfraudFix.exe. Choose option #2 - Clean by typing 2 and pressing "Enter" to remove the infected files. You will be asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" to remove the desktop wallpaper and clean the infected registry keys. The tool checks whether wininet.dll is infected. You may be asked to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter". The tool may need to reboot the computer; if it does not, reboot into normal Windows. A text file appears after the cleaning process; copy & paste the contents of this report into your reply. The report is found on your local drive, usually C:\rapport.txt.

- Start AVG Anti-Spyware.
- Click the "Scanner" icon at the top of the window and choose the "Scan" tab. Then click "Complete System Scan".
- Ewido now starts scanning the computer; be patient, the scan takes time.
When the scan is complete:
IMPORTANT: Do not click "Save Scan Report" before you have clicked "Apply all Actions"
- Make sure "Set all elements to:" shows Quarantine (1); if not, click the link and choose Quarantine from the popup menu.
- You will be asked what to do if infections were found; choose "Apply all actions"
- Then click the "Reports" icon at the top of the program.
- Click the "Save report as" button at the bottom left of the window and save the report to the desktop.
- Close the program, reboot the computer normally and post AVG's report in your thread.

Run ComboFix again.

Post:
- a new HJT log
- the AVG Anti-Spyware report
- the SmitfraudFix log
- the ComboFix log
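The "Fix these" list above is the result of reading HijackThis output for a few recurring patterns: search and start pages pointing at an unknown host, BHO/toolbar entries whose DLL is gone, the legacy RunServices key, a non-empty AppInit_DLLs, a vendorless service with a broken image path, and executables whose names imitate core Windows processes (csrrs.exe for csrss.exe, svchosts.exe for svchost.exe). As an added example, not code from this thread or from HijackThis, the Python below applies those checks to entries copied from the log posted above; the host allowlist, the list of system process names and the heuristics themselves are the example's own assumptions, and a flag means "look closer", not "delete".

```python
import re
# Constructed sample: HijackThis 1.99.1 entries copied from the log posted in this thread
# (one entry per line), with a clean Nero service entry kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{345AB~1\Bar888.dll (file missing)
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""
# Hosts an untouched IE search/start page may point at (assumption; HJT ships no such list).
EXPECTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "www.google.com"}
# Core Windows process names that malware imitates with a one-character change (assumption).
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}

def one_edit_away(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    # Skip the mismatching character in the longer string (in both on substitution).
    return a[i + (len(a) >= len(b)):] == b[i + (len(b) >= len(a)):]

def review_entry(entry):
    """Return the reasons (possibly none) this HJT entry deserves a closer look."""
    kind, reasons = entry.split(" - ", 1)[0], []
    if kind in ("R0", "R1"):
        m = re.search(r"=\s*\w+://([^/\s]+)", entry)
        if m and m.group(1).lower() not in EXPECTED_HOSTS:
            reasons.append("browser page redirected to " + m.group(1))
    if kind in ("O2", "O3") and "(file missing)" in entry:
        reasons.append("orphaned BHO/toolbar registration")
    if kind == "O4" and "RunServices" in entry:
        reasons.append("RunServices autostart (legacy key, rarely used by legitimate software)")
    if entry.startswith("O20 - AppInit_DLLs:"):  # O20 also lists Winlogon Notify entries
        reasons.append("AppInit_DLLs set: this DLL is loaded into every user-mode process")
    # HJT 1.99.1 also prints '(file missing)' for legitimate services with a quoted image path
    # (see the avast! lines in the log), so this flag asks for review, not removal.
    if kind == "O23" and "Unknown owner" in entry and "(file missing)" in entry:
        reasons.append("service with no vendor and a broken image path")
    for name in re.findall(r"[\w~.$-]+\.(?:exe|dll)", entry, re.I):
        if name.lower() not in SYSTEM_BINARIES and any(one_edit_away(name.lower(), s) for s in SYSTEM_BINARIES):
            reasons.append(name + " imitates a core Windows process name")
    return reasons

def flagged(log):
    """Entries that need attention, exactly as HJT printed them: a ready 'fix these' list."""
    return [line for line in log.strip().splitlines() if review_entry(line)]
```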