HJT logia.

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by kverty, Jan 7, 2008.

  1. kverty

    kverty Member

    Joined:
    Jan 7, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:40:05, on 7.1.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\A4Tech\Mouse\Amoumain.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\program files\steam\steam.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerArchiver\PASTARTER.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.fi/spbasic.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runepoli.org/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F7C5879B-9BA7-1C38-D8C7-AA17255DCED4} - C:\DOCUME~1\EETU&S~1\APPLIC~1\ABOUTU~1\Store deaf.exe (file missing)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [fordeleteadminfrag] C:\Documents and Settings\All Users\Application Data\camptonsfordelete\Remotesecond.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
    O4 - HKCU\..\Run: [GunshipSetup.exe] C:\DOCUME~1\EETU&S~1\TYPYT~1\EETUNS~1\GUNSHI~1.EXE /r
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [logphone] C:\DOCUME~1\EETU&S~1\APPLIC~1\AXISME~1\EXTRALOGOPART.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
    O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


    Kiitos jo etukäteen.
     
    kverty, Jan 7, 2008
    #1
  2. kverty

    kverty Member

    Joined:
    Jan 7, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    BUMP kiitosta
     
    kverty, Jan 9, 2008
    #2
  3. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    Smitti siellä on muiden lisäksi: (contrabandists)
    tämä ei poista vielä mitään:
    Lataa SmitfraudFix (by S!Ri) työpöydällesi.

    Tuplaklikkaa tiedostoa SmitfraudFix.exe

    Valitse optio #1 - Search kirjoittamalla 1 ja painamalla "Enter"; tekstitiedosto avautuu, joka listaa tarttuneet tiedostot (jos olemassa).
    Postita tämän tekstitiedoston sisältö viestiketjuusi.

    **Jos työkalu ei käynnisty työpöydältä niin siirrä SmitfraudFix.exe suoraan järjestelmäaseman juureen (yleensä C:). Kokeile sitten käynnistää ohjelma uudestaan sieltä.

    Huomaa: process.exe filun tunnistaa jotkut Anti-virus ohjelmat (AntiVir, Dr.Web, Kaspersky) "Haittakaluna"; se ei ole virus, vaan ohjelma joka pysäyttää prosesseja. A/V ohjelmat eivät pysty tunnistamaan hyvän ja pahan käytön tälläisten ohjelmian väliltä, silloin ne saattavat varoittaa käyttäjää.
    http://www.beyondlogic.org/consulting/processutil/processutil.htm

    Lähetä C:\rapport.txt. ja HJT:n logi
     
    kalminen, Jan 9, 2008
    #3
  4. kverty

    kverty Member

    Joined:
    Jan 7, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    SmitFraudFix v2.274

    Scan done at 15:24:30,99, to 10.01.2008
    Run from
    C:\Documents and Settings\**** & ****\Ty”p”yt„\SmitfraudFix
    OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\A4Tech\Mouse\Amoumain.exe
    C:\program files\steam\steam.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerArchiver\PASTARTER.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles






    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\EETU


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Nykyinen kotisivu"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

    [HKEY_CLASSES_ROOT\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: PCI 10/100 Fast Ethernet Adapter(983)
    DNS Server Search Order: 62.78.102.50
    DNS Server Search Order: 62.78.102.10

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB35BF43-CF32-4F14-92A5-2CEA94614E9D}: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB35BF43-CF32-4F14-92A5-2CEA94614E9D}: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{FB35BF43-CF32-4F14-92A5-2CEA94614E9D}: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.78.102.50 62.78.102.10


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
    Tossa olis sitä tiedostoo.
     
    Last edited: Jan 10, 2008
    kverty, Jan 10, 2008
    #4
  5. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    Samalla ohjelmalla jatketaan:
    Printtaa ohjeet ulos tai tallenna nämä tekstitiedostoon.

    Käynnistä kone vikasietotilaan => OHJE ja valitse tavallinen käyttäjätilisi.

    Kun vikasietotilassa, tuplaklikkaa tiedostoa SmitfraudFix.exe
    Valitse optio #2 - Clean kirjoittamalla 2 ja painamalla "Enter" poistaaksesi tarttuneet tiedostot.

    Sinulta kysytään: "Registry cleaning - Do you want to clean the registry ?"; vastaa "Yes" kirjoittamalla Y ja paina "Enter" poistaaksesi työpöydän taustakuvan ja puhdistaaksesi tarttuneet rekisteriavaimet.

    Työkalu tarkistaa jos wininet.dll on tarttunut. Sinua saatetaan pyytää korvaamaan tarttunut .dll (jos löytyy); vastaa "Yes" kirjoittamalla Y ja painamalla "Enter".

    Työkalun saattaa tarvita käynnistää kone uudelleen; jos ei tee niin, käynnistä normaaliin Windowsiin.
    Tekstitiedosto ilmestyy, puhdistusprosessin jäljiltä; kopioi & liitä tämän raportin tulokset vastaukseesi.
    Raportti löytyy paikalliselta levyltäsi, useimmiten C:\rapport.txt.

    Varoitus : Ajamalla optio 2:n EI-tarttuneessa tietokoneessa, poistaa sinun työpöytäsi taustakuvan.
    ---------------------------
    1. Lataa combofix.exe työpöydällesi jommastakummasta linkistä:
    combofix.exe
    combofix.exe

    2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
    3. Kun työkalu on valmis, se tuottaa lokin. (C:\ComboFix.txt) Lähetä tämä loki viesti ketjuusi.
    Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

    Lähetä:
    C:\rapport.txt.
    (C:\ComboFix.txt)
    HJT: logi (otetaan viimeisenä ennen póstitusta.)
     
    kalminen, Jan 10, 2008
    #5
  6. kverty

    kverty Member

    Joined:
    Jan 7, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\A4Tech\Mouse\Amoumain.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\program files\steam\steam.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerArchiver\PASTARTER.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runepoli.org/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F7C5879B-9BA7-1C38-D8C7-AA17255DCED4} - C:\DOCUME~1\EETU&S~1\APPLIC~1\ABOUTU~1\Store deaf.exe (file missing)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [fordeleteadminfrag] C:\Documents and Settings\All Users\Application Data\camptonsfordelete\Remotesecond.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
    O4 - HKCU\..\Run: [GunshipSetup.exe] C:\DOCUME~1\EETU&S~1\TYPYT~1\EETUNS~1\GUNSHI~1.EXE /r
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [logphone] C:\DOCUME~1\EETU&S~1\APPLIC~1\AXISME~1\EXTRALOGOPART.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
    O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 8423 bytes


    ---------------------------------------------------------------------------------


    ComboFix 08-01-10.2 - **** & **** 2008-01-10 18:58:00.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.34 [GMT 2:00]
    Running from: C:\Documents and Settings\**** & ****\Työpöytä\ComboFix.exe
    * Created a new restore point
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2007-12-10 to 2008-01-10 )))))))))))))))))
    .

    2008-01-10 18:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-10 15:24 . 2008-01-10 18:42 3,156 --a------ C:\WINDOWS\system32\tmp.reg
    2008-01-10 15:23 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-10 15:23 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-10 15:23 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-10 15:23 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-10 15:23 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-10 15:23 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-07 18:39 . 2008-01-07 18:39 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-01-07 08:55 . 2008-01-10 18:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-07 08:55 . 2008-01-07 08:55 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-06 19:59 . 2008-01-06 20:25 <KANSIO> d-------- C:\Temp
    2008-01-06 19:56 . 2008-01-06 19:56 <KANSIO> d-------- C:\Program Files\ImTOO
    2008-01-01 19:11 . 2008-01-04 19:30 <KANSIO> d-------- C:\Program Files\TrackMania Nations ESWC
    2007-12-30 21:07 . 2008-01-10 15:10 <KANSIO> d-------- C:\Documents and Settings\**** & ****\Application Data\skypePM
    2007-12-30 21:07 . 2007-12-30 21:07 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-12-30 21:02 . 2008-01-10 16:08 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Skype
    2007-12-27 18:51 . 2007-12-27 18:51 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2007-12-27 18:51 . 2007-12-27 18:51 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2007-12-27 14:33 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
    2007-12-27 14:33 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
    2007-12-27 14:33 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
    2007-12-27 14:32 . 2007-12-27 14:32 <KANSIO> d-------- C:\Program Files\Windows Media Connect 2
    2007-12-27 14:30 . 2007-12-27 14:30 <KANSIO> d-------- C:\WINDOWS\system32\LogFiles
    2007-12-27 14:30 . 2007-12-27 14:31 <KANSIO> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-12-27 01:22 . 2007-12-27 01:23 <KANSIO> d-------- C:\Program Files\skiStunt
    2007-12-27 00:07 . 2007-12-27 00:07 <KANSIO> d-------- C:\Program Files\SystemRequirementsLab
    2007-12-27 00:06 . 2007-12-27 00:07 <KANSIO> d-------- C:\Documents and Settings\**** & ****\Application Data\SystemRequirementsLab
    2007-12-26 17:51 . 2007-12-26 17:51 <KANSIO> d-------- C:\Documents and Settings\**** & ****\Application Data\vlc
    2007-12-26 17:50 . 2007-12-26 17:50 <KANSIO> d-------- C:\Program Files\VideoLAN
    2007-12-26 16:54 . 2007-12-26 16:54 <KANSIO> d-------- C:\Program Files\A4Tech
    2007-12-14 15:44 . 2007-12-14 15:44 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\ConeXware

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 16:51 --------- d-----w C:\Program Files\Steam
    2008-01-10 15:04 --------- d-----w C:\Program Files\DC++
    2008-01-07 16:38 --------- d-----w C:\Program Files\PowerArchiver
    2007-12-27 17:13 --------- d-----w C:\Documents and Settings\**** & ****\Application Data\AdobeUM
    2007-12-26 15:51 --------- d-----w C:\Documents and Settings\**** & ****\Application Data\vlc
    2007-12-20 14:22 --------- d-----w C:\Documents and Settings\**** & ****\Application Data\mIRC
    2007-12-20 13:25 --------- d-----w C:\Program Files\mIRC
    2007-12-01 11:13 --------- d-----w C:\Program Files\Microsoft Games
    2007-11-29 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3
    2007-11-29 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-27 13:28 --------- d-----w C:\Program Files\PowerISO
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2006-09-08 17:24 21,160 ----a-w C:\Documents and Settings\**** & ****\Application Data\GDIPFONTCACHEV1.DAT
    2006-02-18 08:42 21,592 ----a-w C:\Documents and Settings\*****\Application Data\GDIPFONTCACHEV1.DAT
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7C5879B-9BA7-1C38-D8C7-AA17255DCED4}]
    C:\DOCUME~1\****&S~1\APPLIC~1\ABOUTU~1\Store deaf.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GunshipSetup.exe"="C:\DOCUME~1\EETU&S~1\TYPYT~1\EETUNS~1\GUNSHI~1.exe" [ ]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
    "logphone"="C:\DOCUME~1\EETU&S~1\APPLIC~1\AXISME~1\EXTRALOGOPART.exe" [ ]
    "Steam"="c:\program files\steam\steam.exe" [2007-11-30 14:15 1266936]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16 171464]
    "PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-03-20 22:39 141352]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 01:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "C-Media Mixer"="Mixer.exe" [2002-01-28 10:16 1228800 C:\WINDOWS\mixer.exe]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2003-10-26 23:53 57344]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-09-15 01:12 143360]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-01 14:36 77824]
    "fordeleteadminfrag"="C:\Documents and Settings\All Users\Application Data\camptonsfordelete\Remotesecond.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
    "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-10-26 03:51 122929]
    "F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 10:57 684032]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 02:05 200704]
    "WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-12-26 17:08 196608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-15 01:12 15360]
    "Symantec Network Driver Update Warning"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE" [ ]
    "ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
    "Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]

    C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
    F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2006-10-25 17:42:27]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"= C:\WINDOWS\system32\dpfwu.dll [ ]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2004-08-27 10:10 86016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "contrabandists"= {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll [ ]

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 12:01]
    R1 tvtool;tvtool;D:\Romppeet\Tvtool\tvtool.sys [1996-04-03 11:33]
    R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2006-10-25 17:42]
    R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 15:37]
    R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 16:30]
    R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 15:37]
    R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2006-05-09 18:27]
    R3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-17 21:04]
    R3 FastNIC;PCI/CardBus 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\FastNIC.sys [2002-02-21 18:29]
    S2 PSTRIP;PSTRIP;C:\WINDOWS\system32\DRIVERS\PSTRIP.SYS []
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 07:59]

    *Newly Created Service* - PROCEXP90
    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-01-10 17:00:00 C:\WINDOWS\Tasks\A8FE802591A53B15.job"
    - c:\docume~1\eetu&s~1\applic~1\axisme~1\Dart debug name.exe
    "2008-01-10 13:07:24 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-Secure\ANTI-V~1\report.txt
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-10 19:06:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-10 19:10:22
    .
    2008-01-08 20:45:27 --- E O F ---



    SmitFraudFix v2.274

    Scan done at 18:41:55,48, to 10.01.2008
    Run from
    C:\Documents and Settings\Eetu & Sami\Ty”p”yt„\SmitfraudFix
    OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

    [HKEY_CLASSES_ROOT\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
    @="C:\WINDOWS\system32\dpfwu.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB35BF43-CF32-4F14-92A5-2CEA94614E9D}: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB35BF43-CF32-4F14-92A5-2CEA94614E9D}: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{FB35BF43-CF32-4F14-92A5-2CEA94614E9D}: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.78.102.50 62.78.102.10
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.78.102.50 62.78.102.10


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

    Tuli aika paljo tekstii.
     
    kverty, Jan 10, 2008
    #6
  7. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    Sitten Lopille kyytiä:
    Lataa NoLop työpöydällesi yhdestä seuraavista linkeistä...
    Linkki 1
    Linkki 2
    Linkki 3
    [*]Sulje kaikki ohjelmat, koska tämä vaihe vaatii uudelleenkäynnistyksen
    [*]Tuplaklikkaa NoLop.exe ajaaksesi sen
    [*]Kirjoita tai kopioi/liitä huolellisesti seuraava merkkisarja tekstialueeseen, jossa lukee Insert CLSID Here.

    {F7C5879B-9BA7-1C38-D8C7-AA17255DCED4}

    [*]Klikkaa nappulaa "Search and Destroy"
    <<Tietokoneesi skannataan saastuneiden tiedostojen osalta>>
    [*] Kun skannaus on valmis, sinua pyydetään käynnistämään kone uudestaan, jos infektio löytyy. Klikkaa OK
    [*] Klikkaa "REBOOT"-painiketta.
    [*] NoLopin pitäisi antaa viesti. Jos ei, tuplaklikkaa ohjelmaa ja se valmistuu. Lähetä C:\NoLop.log-tiedoston sisältö uuden HijackThis-lokin kera.
    -- Jos saat seuraavan virheen, "mscomctl.ocx or one of its dependencies are not correctly registered," lataa mscomctl.ocx
    ja tallenna se system32-hakemistoosi (yleensä c:\Windows\system32). Tämän jälkeen aja ohjelma uudestaan.
    -----------------------------
    Sammuta selain ja muut ohjelmat Fixin ajaksi. (ei virustorjuntaa)
    Käynnistä HijackThis:Scan ja ruksaa seuraavat punaisella listatut tiedostot sekä poista ne.(fix Chekked)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F7C5879B-9BA7-1C38-D8C7-AA17255DCED4} - C:\DOCUME~1\EETU&S~1\APPLIC~1\ABOUTU~1\Store deaf.exe (file missing)
    O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/eng/poker_2_0_0_49.cab
    O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)
    O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll (file missing)

    Tyhjennä roskakori ja käynnistä koneesi uudelleen.

    Postita tänne seuraavat lokit:

    * Tuore HijackThis loki (Otetaan viimeisenä ennen postitusta)
    * C:\NoLop.log
    *
     
    kalminen, Jan 10, 2008
    #7

Share This Page