
My HJT log. Computer full of viruses.

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by lintukala, Jul 29, 2007.

  1. lintukala

    Now this is ¤#Z$#ing annoying. Sorry, I had to put the machine straight on the net for a little while without a proper firewall and antivirus, and the machine is a mess. Don't ask why, it won't happen again heh.

    I repeated some of Hujo's earlier instructions and the machine is in a bit better shape now, but I still get pop-ups and the Outpost firewall blocks Firefox almost all the time, etc.

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 17:54:06, on 13.8.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\owylksos.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\Documents and Settings\---\Local Settings\Temporary Internet Files\Content.IE5\P4M7DQZF\hijackthis_self[1].exe
    C:\HJT\skanneri.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5E78EACB-B424-4BA0-A5F8-446E2788DF0B} - C:\WINDOWS\system32\awvvs.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\xhmvhrdj.dll
    O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\WINDOWS\system32\tuvwvut.dll
    O2 - BHO: (no name) - {EE6C6C36-17B0-4402-A0AE-B2BFE08E36F2} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\mdmovqjk.dll",forkonce
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113135111304
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166809837250
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6E7DE9-75A1-446A-B6B7-EAB4B235FC41}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll
    O20 - Winlogon Notify: tuvwvut - C:\WINDOWS\SYSTEM32\tuvwvut.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\owylksos.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe



     
  2. Auttaja


  3. lintukala

    Well, I installed it, but it's a demo version. I saw on that same download page that some Avast had gotten better feedback, wouldn't that be good? :D Well, I'll try this Avira now.
    I haven't scanned anything yet, but here's a new HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:16:44, on 13.8.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AntiVir Workstation\sched.exe
    C:\Program Files\AntiVir Workstation\avguard.exe
    C:\Program Files\AntiVir Workstation\avgnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AntiVir Workstation\avscan.exe
    C:\Program Files\AntiVir Workstation\avcenter.exe
    C:\HJT\skanneri.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\xhmvhrdj.dll
    O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\WINDOWS\system32\tuvwvut.dll
    O2 - BHO: (no name) - {EE6C6C36-17B0-4402-A0AE-B2BFE08E36F2} - (no file)
    O2 - BHO: (no name) - {F11FFA48-6982-4324-A035-017C238789CB} - C:\WINDOWS\system32\awvvs.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\mdmovqjk.dll",forkonce
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir Workstation\avgnt.exe" /min
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113135111304
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166809837250
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6E7DE9-75A1-446A-B6B7-EAB4B235FC41}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll
    O20 - Winlogon Notify: tuvwvut - C:\WINDOWS\SYSTEM32\tuvwvut.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir Windows Workstation Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir Workstation\sched.exe
    O23 - Service: AntiVir Windows Workstation Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir Workstation\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
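The two HijackThis logs in this thread (the first post's and this one) are what a helper reads to decide which entries to fix. As an added example that is not from the thread, from its posters or from the HijackThis project, the Python script below parses such logs, flags the entry types the helpers act on here (unnamed O2 BHOs, O20 Winlogon Notify hooks, an O4 rundll32 Run entry and a vendor-less O23 service, all pointing at random-looking lowercase names in system32) and diffs the two logs, which makes awvvs.dll's reappearance under a new CLSID and the disappearance of the DomainService entry visible. The sample logs are constructed from lines in the two posts; the flagging rules, the "random-looking name" regular expression and the function names are the editor's assumptions, not HijackThis behaviour.

```python
"""HijackThis v1.99 log triage and diff (added example; not from the thread or
from HijackThis). The flagging rules below are assumed heuristics modelled on
the two logs above, not anything the tool itself does."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: entry lines taken from the first log in this thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E78EACB-B424-4BA0-A5F8-446E2788DF0B} - C:\WINDOWS\system32\awvvs.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\xhmvhrdj.dll
O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\WINDOWS\system32\tuvwvut.dll
O2 - BHO: (no name) - {EE6C6C36-17B0-4402-A0AE-B2BFE08E36F2} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\mdmovqjk.dll",forkonce
O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll
O20 - Winlogon Notify: tuvwvut - C:\WINDOWS\SYSTEM32\tuvwvut.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\owylksos.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""
# Constructed second sample: what the second log changed (awvvs.dll back under a
# fresh CLSID, the DomainService entry gone, AntiVir's Run entry added).
LOG_AFTER = (LOG_BEFORE
             .replace("{5E78EACB-B424-4BA0-A5F8-446E2788DF0B}",
                      "{F11FFA48-6982-4324-A035-017C238789CB}")
             .replace(r"O23 - Service: DomainService - - C:\WINDOWS\system32\owylksos.exe",
                      r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir Workstation\avgnt.exe" /min'))

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                 # "O2 - BHO: ..."
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,9}$")                 # awvvs, owylksos, ...
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (.+?) - (.*?)\s*-\s*([A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, O2, O4, O20, O23, ...
    body: str     # text after "Oxx - "
    raw: str      # original line, for reporting


def parse(log: str) -> list[Entry]:
    """Keep the Rn/On entries; the header and process list are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2), line.strip()))
    return out


def looks_random(path: str) -> bool:
    """Assumed heuristic: a 5-9 letter all-lowercase stem directly in system32.
    A hint that a human should check the file, never a verdict on its own."""
    if not SYSTEM32_RE.match(path):
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return RANDOM_STEM_RE.match(stem) is not None


def triage(log: str) -> list[tuple[str, str, str]]:
    """(reason, path, raw line) for the entry types the helpers act on here."""
    findings = []
    for e in parse(log):
        last = e.body.rsplit(" - ", 1)[-1]  # the path is the final " - " field
        if e.section == "O2" and e.body.startswith("BHO: (no name)") and looks_random(last):
            findings.append(("unnamed BHO loading a random-named system32 DLL", last, e.raw))
        elif e.section == "O20" and e.body.startswith("Winlogon Notify:") and looks_random(last):
            findings.append(("Winlogon Notify hook (loaded into winlogon.exe at logon)", last, e.raw))
        elif e.section == "O4":
            m = RUNDLL32_RE.search(e.body)
            if m and looks_random(m.group(1)):
                findings.append(("Run key starting a random-named DLL via rundll32", m.group(1), e.raw))
        elif e.section == "O23" and (m := SERVICE_RE.match(e.body)):
            vendor, path = m.group(2).strip(" -"), m.group(3)
            if vendor in ("", "Unknown owner") and "(file missing)" not in path and looks_random(path):
                findings.append(("vendor-less service running a random-named system32 binary", path, e.raw))
    return findings


def flagged_files(log: str) -> list[str]:
    """Distinct file names the triage pointed at, lowercased and sorted."""
    return sorted({p.rsplit("\\", 1)[-1].lower() for _, p, _ in triage(log)})


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(lines new in `after`, lines gone since `before`). After a cleanup step
    a DLL re-registered under a new CLSID shows as one line gone, one new."""
    b = {e.raw for e in parse(before)}
    a = {e.raw for e in parse(after)}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for reason, _, raw in triage(LOG_BEFORE):
        print(f"[{reason}] {raw}")
    new, gone = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("new since first log:", *new, sep="\n  ")
    print("gone since first log:", *gone, sep="\n  ")
```

Run as a script it lists the seven entries worth checking in the first log and the two-line diff against the second. Two near misses show why the rule is scoped the way it is: Spybot's SDHelper.dll is also an unnamed BHO but lives under PROGRA~1, not system32, and WgaLogon.dll's mixed-case name does not fit the all-lowercase pattern, so neither is flagged. The heuristic only narrows the list; the file itself still has to be checked before anything is removed.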



     
  4. Auttaja


    AntiVir Personal Edition is a free antivirus program that offers reliable protection against viruses. So yes, it works... it's not a demo...

    1. Download combofix.exe to your desktop from either of these links:
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    2. Double-click the combofix.exe file and follow the prompts.
    3. When the tool finishes, it produces a log (C:\ComboFix.txt). Post this log in your thread.
    Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
     
  5. lintukala

    It is a demo version, the full version needs some licence code. Or else I just didn't manage to install it properly, it's so hot :D

    "---" - 2007-08-13 19:27:01 [GMT 3:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\bmaqghpa.exe
    C:\WINDOWS\system32\fpgrxmox.exe
    C:\WINDOWS\system32\svvwa.bak1
    C:\WINDOWS\system32\svvwa.bak2
    C:\WINDOWS\system32\svvwa.ini
    C:\WINDOWS\system32\awvvs.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


    2007-08-13 18:50 72,462 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\firstlsp.reg.dat
    2007-08-13 16:42 69,184 --a------ C:\WINDOWS\system32\xhmvhrdj.dll
    2007-08-13 16:39 125,504 --a------ C:\WINDOWS\system32\mdmovqjk.dll
    2007-08-12 22:18 <KANSIO> d-------- C:\Program Files\CDBurnerXP Pro 3
    2007-08-12 19:54 <KANSIO> d--hs---- C:\found.002
    2007-08-12 16:10 <KANSIO> d--hs---- C:\found.001
    2007-08-12 14:02 <KANSIO> d-------- C:\Program Files\Common Files\Agnitum Shared
    2007-08-12 14:02 <KANSIO> d-------- C:\Program Files\Agnitum
    2007-08-12 13:45 13,312 --a------ C:\Program Files\s2f.exe
    2007-08-11 21:06 7,168 --a------ C:\Program Files\crack.exe
    2007-08-11 21:06 43 --a------ C:\Program Files\RUNME.bat
    2007-08-11 21:06 38,925 --a------ C:\Program Files\keygen.exe
    2007-08-11 21:06 0 --a------ C:\Program Files\install.exe
    2007-08-11 21:02 31,254 --a------ C:\WINDOWS\system32\qomjghh.dll
    2007-08-11 21:02 31,254 --a------ C:\WINDOWS\system32\gebabby.dll
    2007-08-11 21:02 20,480 --a------ C:\WINDOWS\system32\wineak32.dll
    2007-08-11 20:58 31,254 --a------ C:\WINDOWS\system32\tuvwvut.dll
    2007-07-30 20:21 <KANSIO> d-------- C:\DOCUME~1\ARIALS~1\.netbeans
    2007-07-29 19:39 <KANSIO> d-------- C:\!KillBox
    2007-07-29 19:25 <KANSIO> d-------- C:\Program Files\CCleaner
    2007-07-29 15:47 <KANSIO> d-------- C:\Bases
    2007-07-29 15:44 <KANSIO> d-------- C:\Kaspersky
    2007-07-29 15:39 212 --a------ C:\delete.bat
    2007-07-29 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-29 15:18 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2007-07-29 15:04 <KANSIO> d-------- C:\VundoFix Backups
    2007-07-29 14:59 <KANSIO> d-------- C:\HJT
    2007-07-29 13:22 <KANSIO> d-------- C:\WINDOWS\pss
    2007-07-29 13:06 <KANSIO> d-------- C:\Program Files\InterMute
    2007-07-28 19:41 615 --a------ C:\WINDOWS\eReg.dat
    2007-07-28 19:41 <KANSIO> d-------- C:\Program Files\EA Games
    2007-07-28 19:30 126,016 --a------ C:\WINDOWS\system32\tjlckxln.dll
    2007-07-26 20:57 69,184 --a------ C:\WINDOWS\system32\agttpdid.dll
    2007-07-23 18:04 126,016 --a------ C:\WINDOWS\system32\iiksgokx.dll
    2007-07-23 17:57 126,016 --a------ C:\WINDOWS\system32\rjvvwctg.dll
    2007-07-20 18:17 <KANSIO> dr------- C:\DOCUME~1\JRJEST~1.000\Käynnistä-valikko
    2007-07-20 18:17 <KANSIO> d--h----- C:\DOCUME~1\JRJEST~1.000\Tulostinympäristö
    2007-07-20 18:17 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-20 18:17 <KANSIO> d-------- C:\DOCUME~1\JRJEST~1.000\Työpöytä
    2007-07-20 18:17 <KANSIO> d-------- C:\DOCUME~1\JRJEST~1.000\.netbeans
    2007-07-20 18:16 <KANSIO> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-12 19:18:58 -------- d-----w C:\DOCUME~1\---\APPLIC~1\uTorrent
    2007-08-05 10:03:52 -------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-07-29 12:12:34 503,296 ------w C:\WINDOWS\system32\winlogon.exe
    2007-07-29 05:50:41 -------- d-----w C:\Program Files\Hidden Expedition Titanic
    2007-07-20 15:17:06 -------- d-----w C:\Program Files\Soldier of Fortune II - Double Helix MP TEST
    2007-07-20 15:17:06 -------- d-----w C:\Program Files\QuickTime
    2007-07-20 15:16:25 -------- d-----w C:\Program Files\bfgclient
    2007-07-20 15:15:59 -------- d-----w C:\Program Files\Insaniquarium Deluxe
    2007-07-20 15:15:56 -------- d-----w C:\Program Files\Truck Dismount
    2007-07-20 15:15:30 -------- d-----w C:\Program Files\Porrasturvat - Stair Dismount
    2007-07-11 16:58:31 75,610 ----a-w C:\WINDOWS\system32\perfc00B.dat
    2007-07-11 16:58:31 375,602 ----a-w C:\WINDOWS\system32\perfh00B.dat
    2007-07-08 15:02:28 -------- d-----w C:\Program Files\Lavasoft
    2007-07-03 14:02:33 -------- d-----w C:\Program Files\Windows Media Connect 2
    2007-07-02 15:31:34 -------- d-----w C:\DOCUME~1\---\APPLIC~1\OpenOffice.org2
    2007-07-02 10:44:33 -------- d-----w C:\DOCUME~1\---\APPLIC~1\Zen Puzzle Garden
    2007-06-28 21:27:22 -------- d-----w C:\Program Files\Soulseek
    2007-06-27 12:15:11 -------- d-----w C:\Program Files\ffdshow
    2007-06-25 19:20:20 -------- d-----w C:\Program Files\EphPod
    2007-06-23 09:50:49 -------- d-----w C:\Program Files\Google
    2007-06-20 18:40:36 -------- d-----w C:\Program Files\EA SPORTS
    2007-06-20 18:39:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-20 18:39:02 -------- d-----w C:\Program Files\Shiny
    2007-06-19 20:23:34 -------- d-----w C:\Program Files\Euroword2004
    2007-06-17 08:54:38 -------- d-----w C:\Program Files\URUSoft
    2007-06-17 08:33:09 -------- d-----w C:\Program Files\Electronic Arts
    2007-06-16 12:11:55 -------- d-----w C:\DOCUME~1\---\APPLIC~1\BSplayer
    2007-06-05 20:22:15 19 ----a-w C:\WINDOWS\popcinfo.dat
    2007-05-18 14:20:08 389,120 ------w C:\WINDOWS\Setup1.exe
    2007-05-18 14:20:03 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-05-17 11:15:42 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-05-16 15:14:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-03-02 01:18:00 2,616,321 ----a-w C:\Program Files\FairyTreasure.exe
    2006-12-10 17:35:39 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-09-26 15:18:22 20,294,259 ----a-w C:\Program Files\fm.exe
    2006-07-21 00:37:52 4,277,249 ----a-w C:\Program Files\HidExpTitanic.exe
    2005-03-03 14:40:49 309 ----a-w C:\Program Files\Windows_XP_Professional_SP1_and_SP2_serial_number.txt


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
    2007-08-13 16:42 69184 --a------ C:\WINDOWS\system32\xhmvhrdj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4EEFFED-93CD-4CF0-A0F3-50D139121FEE}]
    2007-08-11 20:58 31254 --a------ C:\WINDOWS\system32\tuvwvut.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE6C6C36-17B0-4402-A0AE-B2BFE08E36F2}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-06-18 11:31 C:\WINDOWS\SOUNDMAN.EXE]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 21:10]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-05-04 00:33]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-06-24 15:16]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-29 23:05]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-02 14:09]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 17:57]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 17:50]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 15:23]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "OutpostFeedBack"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe" [2006-05-11 12:05]
    "Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" [2006-03-30 10:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 17:51]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{E4EEFFED-93CD-4CF0-A0F3-50D139121FEE}"= C:\WINDOWS\system32\tuvwvut.dll [2007-08-11 20:58 31254]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvut]
    tuvwvut.dll 2007-08-11 20:58 31254 C:\WINDOWS\system32\tuvwvut.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"= C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll

    R0 uagp35;Microsoft AGPv3.5 -suodatin;C:\WINDOWS\system32\DRIVERS\uagp35.sys
    R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
    R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
    R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
    R1 VFILT;Outpost Firewall Kernel Driver;\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS
    R2 EIO;EIO;\??\C:\WINDOWS\system32\drivers\EIO.sys
    R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL
    R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS
    R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ARP.DLL
    R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL
    R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL
    R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
    R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
    R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL
    R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
    R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
    R3 HidUsb;Microsoft HID -luokkaohjain;C:\WINDOWS\system32\DRIVERS\hidusb.sys
    R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL
    R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL
    R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL
    R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL
    R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL
    R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL
    R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL
    R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
    R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\SECRET.DLL
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
    R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
    S3 dot4;MS IEEE-1284.4 -ohjain;C:\WINDOWS\system32\DRIVERS\Dot4.sys
    S3 Dot4Print;Print-luokan ohjain IEEE-1284.4:ää varten;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    S3 dot4usb;Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
    S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
    S3 USBSTOR;USB-massamuistiohjain;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6621e95e-e30d-11d9-ac87-0011099159b9}]
    AutoRun\command- F:\AutoRunMorrowind.exe
    install\command- F:\Setup.exe


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-13 19:33:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xfe\xbb\xd3w\2]
    "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-13 19:35:11 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-13 19:34
    C:\ComboFix2.txt ... 2007-08-12 19:57
    C:\ComboFix3.txt ... 2007-07-29 15:38

    --- E O F ---
     
  6. Hujo


    Download VundoFix.exe to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    When the scan is complete, click the Remove Vundo button.
    You will be asked whether you want to remove the files - click YES.
    Once you have clicked yes, your desktop will go blank as it starts removing Vundo.
    When it is done, the fix will tell you to restart your computer; click OK.
    Post the contents of the C:\vundofix.txt log and a fresh HijackThis log.

    Note: It is possible that VundoFix found a file it could not remove.
    In that case, VundoFix will run itself on reboot; just follow the instructions above starting from "Click the Scan for Vundo button." when VundoFix appears at restart.

    =================

    1) Download VirtumundoBegone
    2) Save VirtumundoBeGone.exe to your desktop.
    3) Run VirtumundoBeGone.exe and follow the instructions. Don't worry if you see a blue screen "Fatal Error" message; this is normal.
    4) When the tool is finished, restart the computer
     
