I have now run, among others, Ad-Aware, Spybot, AVG Anti-Spyware, VundoFix and SDFix. I thought I'd also have my HJT log checked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08:02, on 23.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AVG\AVG Anti-Spyware 7.5\guard.exe
e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
e:\F-Secure\Anti-Virus\fsgk32st.exe
e:\F-Secure\Anti-Virus\FSGK32.EXE
e:\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
e:\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
e:\F-Secure\Common\FSMA32.EXE
e:\F-Secure\Common\FSMB32.EXE
e:\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\wscntfy.exe
e:\F-Secure\Common\FAMEH32.EXE
C:\Program Files\Ahead\InCD\InCD.exe
E:\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
e:\F-Secure\Common\FNRB32.EXE
e:\F-Secure\Common\FIH32.EXE
e:\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\regsvr32.exe
e:\F-Secure\DFW\Program\fsdfwd.exe
E:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
E:\Leevi\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure TNB] "e:\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "e:\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [QuickTime Task] "E:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [24c9f099] rundll32.exe "C:\WINDOWS\system32\arvoucfs.dll",b
O4 - HKLM\..\Run: [iteledyn] rundll32.exe "C:\Program Files\dorcfwxu\xmlmtivw.dll",Init
O4 - HKLM\..\Run: [qdwdybev] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qdwdybev.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F1.exe
O4 - HKLM\..\Run: [kfkfizov] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\kfkfizov.dll"
O4 - HKCU\..\Run: [Steam] "j:\counter strike sourse\steam.exe" -silent
O4 - HKCU\..\Run: [igndlm.exe] E:\Download manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Avaa kaikki linkit tältä sivulta... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Avaa uudessa Avant Browserissa - E:\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Etsi - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Korosta - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Lisää torjuttavien mainosten luetteloon - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Torju kaikki kuvat samalta palvelimelta - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AB4A1DE-5908-4E68-9600-0E5907C44C5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - e:\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - e:\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - e:\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - e:\F-Secure\DFW\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - e:\F-Secure\Common\FSMA32.EXE
O23 - Service: HDD Temperature (HDDTService) - Unknown owner - E:\Temp\HDDTSvc.exe (file missing)
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O24 - Desktop Component 0: (no name) - http://wallpapers.insanepwning.net/albums/00660_splash_1024x768.jpg

--
End of file - 7693 bytes
Rename E:\Leevi\Hijack\HijackThis.exe to, say, leevi.

1. Download combofix.exe to your desktop from either of these links: combofix.exe combofix.exe
2. Double-click combofix.exe and follow the instructions.
3. When the tool finishes, it produces a log (C:\ComboFix.txt). Post that log in your thread.

Note! Do not click on the ComboFix window while it is running. That may cause the program to hang.

Post:
a new HJT log (the leevi log)
the ComboFix report (C:\ComboFix.txt)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:11, on 24.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AVG\AVG Anti-Spyware 7.5\guard.exe
e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
e:\F-Secure\Anti-Virus\fsgk32st.exe
e:\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
e:\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
e:\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
e:\F-Secure\Common\FSMA32.EXE
e:\F-Secure\Common\FSMB32.EXE
e:\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\wscntfy.exe
e:\F-Secure\Common\FAMEH32.EXE
e:\F-Secure\Common\FNRB32.EXE
e:\F-Secure\Common\FIH32.EXE
e:\F-Secure\DFW\Program\fsdfwd.exe
e:\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Ahead\InCD\InCD.exe
E:\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Pelit\Työpöytä\VundoFix.exe
E:\Avant Browser\avant.exe
C:\WINDOWS\Explorer.EXE
E:\Leevi\Hijack\asd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {158A95B4-1F79-3B06-78BF-0424CDB17C2E} - C:\Program Files\Gfzpnyhi\eehwozue.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73E00092-5539-4661-9B61-3A66FC0D772E} - C:\WINDOWS\system32\byxxxvv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {c1d42526-b708-a4b9-48b4-cee10688bfd8} - {8dfb8860-1eec-4b84-9b4a-807b62524d1c} - C:\WINDOWS\system32\vbneqsrt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xupqsqgu.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xupqsqgu.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure TNB] "e:\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "e:\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [QuickTime Task] "E:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [24c9f099] rundll32.exe "C:\WINDOWS\system32\jfgeohep.dll",b
O4 - HKCU\..\Run: [Steam] "j:\counter strike sourse\steam.exe" -silent
O4 - HKCU\..\Run: [igndlm.exe] E:\Download manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Avaa kaikki linkit tältä sivulta... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Avaa uudessa Avant Browserissa - E:\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Etsi - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Korosta - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Lisää torjuttavien mainosten luetteloon - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Torju kaikki kuvat samalta palvelimelta - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AB4A1DE-5908-4E68-9600-0E5907C44C5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: byxxxvv - C:\WINDOWS\SYSTEM32\byxxxvv.dll
O20 - Winlogon Notify: xupqsqgu - C:\WINDOWS\SYSTEM32\xupqsqgu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - e:\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - e:\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - e:\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - e:\F-Secure\DFW\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - e:\F-Secure\Common\FSMA32.EXE
O23 - Service: HDD Temperature (HDDTService) - Unknown owner - E:\Temp\HDDTSvc.exe (file missing)
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O24 - Desktop Component 0: (no name) - http://wallpapers.insanepwning.net/albums/00660_splash_1024x768.jpg

--
End of file - 8135 bytes

ComboFix 07-11-19.3 - Pelit 2007-11-24 11:02:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.635 [GMT 2:00]
Running from: C:\Documents and Settings\Pelit\Työpöytä\ComboFix.exe
 * Created a new restore point
.
Systeemioikeuksien saaminen epäonnistui

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Käynnistä-valikko\Live Safety Center.lnk
C:\Documents and Settings\All Users\Käynnistä-valikko\Online Security Guide.lnk
C:\Documents and Settings\Pelit\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Pelit\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Pelit\Suosikit\Online Security Guide.lnk
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\tnrtmwuk
C:\WINDOWS\system32\tnrtmwuk\bg1.gif
C:\WINDOWS\system32\tnrtmwuk\bgtop.gif
C:\WINDOWS\system32\tnrtmwuk\bottom1.gif
C:\WINDOWS\system32\tnrtmwuk\essentials.gif
C:\WINDOWS\system32\tnrtmwuk\icon1.ico
C:\WINDOWS\system32\tnrtmwuk\install1.gif
C:\WINDOWS\system32\tnrtmwuk\left1.gif
C:\WINDOWS\system32\tnrtmwuk\li.gif
C:\WINDOWS\system32\tnrtmwuk\logo.gif
C:\WINDOWS\system32\tnrtmwuk\main.htm
C:\WINDOWS\system32\tnrtmwuk\mainframe.htm
C:\WINDOWS\system32\tnrtmwuk\reinstall1.gif
C:\WINDOWS\system32\tnrtmwuk\right1.gif
C:\WINDOWS\system32\tnrtmwuk\s1.htm
C:\WINDOWS\system32\tnrtmwuk\s2.htm
C:\WINDOWS\system32\tnrtmwuk\s3.htm
C:\WINDOWS\system32\tnrtmwuk\SMTop1.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop2.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop3.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop4.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_off.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_on.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_off.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_on.gif
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk1.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk2.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk3.exe
C:\WINDOWS\system32\tnrtmwuk\top1.gif
C:\WINDOWS\system32\tnrtmwuk\top2.gif
C:\WINDOWS\system32\tnrtmwuk\turnoff1.gif
C:\WINDOWS\system32\tnrtmwuk\turnon1.gif
C:\WINDOWS\system32\xupqsqgu.dllbox
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2007-10-24 to 2007-11-24 )))))))))))))))))
.
2007-11-24 10:58 81,472 --a------ C:\WINDOWS\system32\vbneqsrt.dll
2007-11-24 10:54 776,979 ---hs---- C:\WINDOWS\system32\pehoegfj.ini
2007-11-24 10:54 85,056 --a------ C:\WINDOWS\system32\jfgeohep.dll
2007-11-24 10:52 71,232 --a------ C:\WINDOWS\system32\gunnluaa.exe
2007-11-24 10:51 145,984 --a------ C:\WINDOWS\system32\kjmmranb.dll
2007-11-23 20:14 <KANSIO> d-------- C:\VundoFix Backups
2007-11-23 18:45 34,304 --a------ C:\WINDOWS\system32\gebxwwu.dll
2007-11-23 14:01 83,520 --a------ C:\WINDOWS\system32\kkeijabo.dll
2007-11-23 13:58 776,859 ---hs---- C:\WINDOWS\system32\sfcuovra.ini
2007-11-22 14:28 35,840 --a------ C:\WINDOWS\system32\opnopnl.dll
2007-11-22 14:23 35,840 --a------ C:\WINDOWS\system32\byxxxvv.dll
2007-11-20 23:14 <KANSIO> d-------- C:\Documents and Settings\Pelit\.java
2007-11-20 15:32 <KANSIO> d-------- C:\Program Files\DAEMON Tools
2007-11-18 11:47 <KANSIO> d-------- C:\Documents and Settings\Pelit\Application Data\IGN_DLM
2007-11-14 16:39 3,561 --a------ C:\WINDOWS\wmplayer.reg
2007-11-14 16:29 <KANSIO> d-------- C:\Program Files\uTorrent
2007-11-09 14:13 <KANSIO> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-25 18:03 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 14:12 <KANSIO> d-------- C:\Documents and Settings\Pelit\Application Data\Grisoft
2007-10-25 14:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-24 20:02 <KANSIO> d-------- C:\WINDOWS\ERUNT
2007-10-24 16:01 <KANSIO> d-------- C:\Program Files\MSN Messenger
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 13:11 --------- d-----w C:\Documents and Settings\Pelit\Application Data\uTorrent
2007-11-22 12:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 13:58 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-12 14:46 --------- d-----w C:\Program Files\Java
2007-10-23 12:32 --------- d-----w C:\Documents and Settings\Pelit\Application Data\vlc
2007-10-19 21:22 --------- d-----w C:\Program Files\Kellotus
2007-09-26 16:58 --------- d-----w C:\Documents and Settings\Pelit\Application Data\Nokia Multimedia Player
2007-09-26 16:32 --------- d-----w C:\Program Files\Nokia
2007-09-26 16:32 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-09-26 16:32 --------- d-----w C:\Program Files\Common Files\Nokia
2007-09-26 16:31 --------- d-----w C:\Documents and Settings\Pelit\Application Data\Apple Computer
2006-05-31 15:56 336 -c-ha-w C:\Documents and Settings\Pelit\hpothb07.dat
2006-05-31 15:55 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-05-25 15:43 22,512 -c--a-w C:\Documents and Settings\Pelit\Application Data\GDIPFONTCACHEV1.DAT
2006-02-17 13:55 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-01-07 09:53 696,320 ----a-w C:\Program Files\Common Files\XCMHook.dll
2000-01-06 13:57 24,576 ----a-w C:\Program Files\Common Files\XCPCMenu.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158A95B4-1F79-3B06-78BF-0424CDB17C2E}]
C:\Program Files\Gfzpnyhi\eehwozue.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73E00092-5539-4661-9B61-3A66FC0D772E}]
2007-11-22 14:23 35840 --a------ C:\WINDOWS\system32\byxxxvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8dfb8860-1eec-4b84-9b4a-807b62524d1c}]
2007-11-24 10:58 81472 --a------ C:\WINDOWS\system32\vbneqsrt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-24 10:52 145984 --a------ C:\WINDOWS\system32\xupqsqgu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\xupqsqgu.dll [2007-11-24 10:52 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="j:\counter strike sourse\steam.exe" [2007-11-15 15:28]
"igndlm.exe"="E:\Download manager\DLM.exe" [2007-03-05 23:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-12 19:13]
"F-Secure TNB"="e:\F-Secure\TNB\TNBUtil.exe" [2002-11-15 11:00]
"F-Secure Manager"="e:\F-Secure\Common\FSM32.exe" [2002-12-05 16:24]
"QuickTime Task"="E:\qttask.exe" [2006-09-01 15:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"24c9f099"="C:\WINDOWS\system32\jfgeohep.dll" [2007-11-24 10:54]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 16:12]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{73E00092-5539-4661-9B61-3A66FC0D772E}"= C:\WINDOWS\system32\byxxxvv.dll [2007-11-22 14:23 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxxvv]
byxxxvv.dll 2007-11-22 14:23 35840 C:\WINDOWS\system32\byxxxvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xupqsqgu]
xupqsqgu.dll 2007-11-24 10:52 145984 C:\WINDOWS\system32\xupqsqgu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pelit^Käynnistä-valikko^Ohjelmat^Käynnistys^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Pelit\Käynnistä-valikko\Ohjelmat\Käynnistys\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pelit^Käynnistä-valikko^Ohjelmat^Käynnistys^RollerCoaster Tycoon 3_ Wild Registration.lnk]
path=C:\Documents and Settings\Pelit\Käynnistä-valikko\Ohjelmat\Käynnistys\RollerCoaster Tycoon 3_ Wild Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
j:\counter strike sourse\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"usnjsvc"=3 (0x3)
"sfrem02"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"IDriverT"=3 (0x3)
"CallerIP"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R0 FSDFW;F-Secure Distributed Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\system32\BUFADPT.SYS
R2 BackWeb Client - 7681197;F-Secure BackWeb;e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys
R2 F-Secure Filter;F-Secure File System Filter;\??\e:\F-Secure\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\e:\F-Secure\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\e:\F-Secure\Anti-Virus\Win2K\FSrec.sys
R2 FSpm;F-Secure Policy Manager;\??\e:\F-Secure\Common\FSPM.SYS
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
S2 HDDTService;HDD Temperature;E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc
S3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys
S3 BFAIFILT;BFAIFILT;C:\WINDOWS\system32\Drivers\bfaifilt.sys
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
S3 iMSPCLOj;iMSPCLOj;\??\C:\DOCUME~1\Pelit\LOCALS~1\Temp\iMSPCLOj.sys
S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\SF-620.sys
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S4 CallerIP;Visualware CallerIP;e:\CallerIP\cip-nt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d665f3c-5559-11db-be6e-000b6a6ce97b}]
\Shell\AutoRun\command - O:\LaunchU3.exe

.
'Ajoitetut tehtävät'-kansion sisältö
"2007-11-20 13:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 11:13:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HDDTService]
"ImagePath"="E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService"
.
Completion time: 2007-11-24 11:17:30 - machine was rebooted
.
--- E O F ---
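A helper reads the two HijackThis logs above by eye, looking for the same handful of patterns every time: autostarts that load a DLL through rundll32 or regsvr32 /u, executables started from a TEMP folder, BHOs and toolbars with no name or no file behind them, and Winlogon Notify packages with random-looking names in system32. The following Python script is an added example that is not part of this thread and not code from HijackThis or ComboFix; it encodes those checks as constructed heuristics of my own, with the sample lines copied from the logs in this thread, and its purpose is to shortlist lines for a human to judge, not to decide anything on its own.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not part of the forum thread, and not code from HijackThis
or ComboFix. The rules below are heuristics written for this example; they
mirror what a log helper looks for by eye. Every flagged line still needs
a human decision, the script only narrows the list.
"""
import re
from dataclasses import dataclass

# CLSIDs that HijackThis prints as "(no name)" but that are benign.
# Spybot S&D's SDHelper.dll is the one such entry in this thread's logs.
KNOWN_GOOD_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}

# Constructed heuristic: a file stem of 7-8 lowercase letters directly under
# system32 or "Application Data" is the naming pattern of the DLLs ComboFix
# removed later in this thread (byxxxvv.dll, jfgeohep.dll, vbneqsrt.dll).
RANDOM_STEM = re.compile(r"\\(?i:system32|application data)\\([a-z]{7,8})\.(?:dll|exe)\b")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY = re.compile(r"(O\d+)\s+-\s+(.*)")


@dataclass
class Finding:
    line: str
    reasons: list


def triage_line(line: str) -> list:
    """Return the reasons one HijackThis line deserves a closer look
    (an empty list means these heuristics caught nothing)."""
    m = ENTRY.match(line.strip())
    if not m:                      # R0/F0 lines, headers, process list
        return []
    section, rest = m.group(1), m.group(2)
    low = rest.lower()
    reasons = []
    if section == "O4":            # registry / startup-folder autostarts
        if "rundll32" in low and ".dll" in low:
            reasons.append("autostart loads a DLL through rundll32")
        if "regsvr32 /u" in low:
            reasons.append("autostart runs regsvr32 /u at logon")
        if "\\temp\\" in low:
            reasons.append("autostart executes from a TEMP folder")
    elif section == "O2":          # browser helper objects
        clsid = CLSID.search(rest)
        allowed = clsid is not None and clsid.group(0).upper() in KNOWN_GOOD_CLSIDS
        if "(no name)" in low and not allowed:
            reasons.append("BHO registered without a name")
        if "(file missing)" in low:
            reasons.append("BHO registration points at a missing file")
    elif section == "O3" and "(no file)" in low:   # IE toolbars
        reasons.append("toolbar registration with no file behind it")
    # O20 (Winlogon Notify) is covered only by the file-name heuristic.
    if section in ("O2", "O3", "O4", "O20") and RANDOM_STEM.search(rest):
        reasons.append("random-looking file name under system32 / Application Data")
    return reasons


def triage(log_text: str) -> list:
    """Run triage_line over a whole log; keep only the lines that were flagged."""
    findings = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


# Constructed sample: lines copied from the two HijackThis logs in this
# thread, mixed with entries that are plainly legitimate (Nero, Java, Steam,
# Spybot) so the false-positive behaviour of the heuristics is visible.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [24c9f099] rundll32.exe "C:\WINDOWS\system32\arvoucfs.dll",b
O4 - HKLM\..\Run: [iteledyn] rundll32.exe "C:\Program Files\dorcfwxu\xmlmtivw.dll",Init
O4 - HKLM\..\Run: [qdwdybev] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qdwdybev.dll"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F1.exe
O4 - HKCU\..\Run: [Steam] "j:\counter strike sourse\steam.exe" -silent
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {158A95B4-1F79-3B06-78BF-0424CDB17C2E} - C:\Program Files\Gfzpnyhi\eehwozue.dll (file missing)
O2 - BHO: (no name) - {73E00092-5539-4661-9B61-3A66FC0D772E} - C:\WINDOWS\system32\byxxxvv.dll
O20 - Winlogon Notify: xupqsqgu - C:\WINDOWS\SYSTEM32\xupqsqgu.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

On the sample, eight lines are shortlisted (the orphaned toolbar, the three loader-style O4 entries, the TEMP executable, the two nameless BHOs in system32 or with a missing file, and the Winlogon Notify package), while NeroCheck, jusched, Steam and the Spybot helper pass untouched. The O23 "(file missing)" services in the log are left alone on purpose: a service pointing at a deleted file is an uninstall leftover far more often than an infection, and the helper in this thread did not act on them either.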
When I log in to my user account, Windows opens one of the following sites in the browser roughly every minute:
http://securityonpage.com/?gai=hamm_h5_p...7237F87D17ED3B9
http://kukkakreck.com/cehpmoin/?cmp=hmr&...h5&uid=24c9f036 27BD39283A2B49B587237F87D17ED3B9
http://www.savetheinformation.com/v7/?ga...7237F87D17ED3B9

Also, there is a yellow triangle in the taskbar that keeps reporting that the computer has viruses and spyware and that its performance has dropped; if you try to click it, it disappears and those links open again. There is something like Bestseller Antivirus and Locus programs offered for download.
Open Notepad and copy/paste the contents of the quote box into it. Save it as CFScript (ComboFix actually recognizes it even if the file extension isn't .txt). Then drag CFScript onto ComboFix.exe as shown below. Restart the computer if asked to, and post the contents of the combofix.txt file here, plus a new HJT log.
ComboFix 07-11-19.3 - Pelit 2007-11-24 15:06:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.635 [GMT 2:00]
Running from: C:\Documents and Settings\Pelit\Työpöytä\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pelit\Työpöytä\Työpöytä\CFScript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\byxxxvv.dll
C:\WINDOWS\system32\gebxwwu.dll
C:\WINDOWS\system32\gunnluaa.exe
C:\WINDOWS\system32\jfgeohep.dll
C:\WINDOWS\system32\kkeijabo.dll
C:\WINDOWS\system32\opnopnl.dll
C:\WINDOWS\system32\vbneqsrt.dll
.
Systeemioikeuksien saaminen epäonnistui

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\byxxxvv.dll
C:\WINDOWS\system32\gebxwwu.dll
C:\WINDOWS\system32\gunnluaa.exe
C:\WINDOWS\system32\jfgeohep.dll
C:\WINDOWS\system32\kkeijabo.dll
C:\WINDOWS\system32\opnopnl.dll
C:\WINDOWS\system32\vbneqsrt.dll
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2007-10-24 to 2007-11-24 )))))))))))))))))
.
2007-11-24 10:54 777,159 ---hs---- C:\WINDOWS\system32\pehoegfj.ini
2007-11-23 20:14 <KANSIO> d-------- C:\VundoFix Backups
2007-11-23 13:58 776,859 ---hs---- C:\WINDOWS\system32\sfcuovra.ini
2007-11-23 13:56 71,232 --a------ C:\WINDOWS\system32\vojjauxs.exe
2007-11-22 21:33 <KANSIO> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-20 23:14 <KANSIO> d-------- C:\Documents and Settings\Pelit\.java
2007-11-20 15:32 <KANSIO> d-------- C:\Program Files\DAEMON Tools
2007-11-18 11:47 <KANSIO> d-------- C:\Documents and Settings\Pelit\Application Data\IGN_DLM
2007-11-14 16:39 3,561 --a------ C:\WINDOWS\wmplayer.reg
2007-11-14 16:29 <KANSIO> d-------- C:\Program Files\uTorrent
2007-11-14 15:59 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-11-14 15:59 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-14 15:59 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-11 22:55 19,544 --a------ C:\WINDOWS\hpoins01.dat
2007-11-11 22:55 16,606 --------- C:\WINDOWS\hpomdl01.dat
2007-11-09 14:13 <KANSIO> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-25 18:03 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 14:12 <KANSIO> d-------- C:\Documents and Settings\Pelit\Application Data\Grisoft
2007-10-25 14:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-24 20:02 <KANSIO> d-------- C:\WINDOWS\ERUNT
2007-10-24 16:01 <KANSIO> d-------- C:\Program Files\MSN Messenger
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 13:11 --------- d-----w C:\Documents and Settings\Pelit\Application Data\uTorrent
2007-11-22 12:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 13:58 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-12 14:46 --------- d-----w C:\Program Files\Java
2007-10-23 12:32 --------- d-----w C:\Documents and Settings\Pelit\Application Data\vlc
2007-10-19 21:22 --------- d-----w C:\Program Files\Kellotus
2007-09-26 16:58 --------- d-----w C:\Documents and Settings\Pelit\Application Data\Nokia Multimedia Player
2007-09-26 16:32 --------- d-----w C:\Program Files\Nokia
2007-09-26 16:32 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-09-26 16:32 --------- d-----w C:\Program Files\Common Files\Nokia
2007-09-26 16:31 --------- d-----w C:\Documents and Settings\Pelit\Application Data\Apple Computer
2006-05-31 15:56 336 -c-ha-w C:\Documents and Settings\Pelit\hpothb07.dat
2006-05-31 15:55 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-05-25 15:43 22,512 -c--a-w C:\Documents and Settings\Pelit\Application Data\GDIPFONTCACHEV1.DAT
2006-02-17 13:55 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-01-07 09:53 696,320 ----a-w C:\Program Files\Common Files\XCMHook.dll
2000-01-06 13:57 24,576 ----a-w C:\Program Files\Common Files\XCPCMenu.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="j:\counter strike sourse\steam.exe" [2007-11-15 15:28]
"igndlm.exe"="E:\Download manager\DLM.exe" [2007-03-05 23:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-12 19:13]
"F-Secure TNB"="e:\F-Secure\TNB\TNBUtil.exe" [2002-11-15 11:00]
"F-Secure Manager"="e:\F-Secure\Common\FSM32.exe" [2002-12-05 16:24]
"QuickTime Task"="E:\qttask.exe" [2006-09-01 15:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"24c9f099"="C:\WINDOWS\system32\jfgeohep.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 16:12]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pelit^Käynnistä-valikko^Ohjelmat^Käynnistys^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Pelit\Käynnistä-valikko\Ohjelmat\Käynnistys\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pelit^Käynnistä-valikko^Ohjelmat^Käynnistys^RollerCoaster Tycoon 3_ Wild Registration.lnk]
path=C:\Documents and Settings\Pelit\Käynnistä-valikko\Ohjelmat\Käynnistys\RollerCoaster Tycoon 3_ Wild Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
j:\counter strike sourse\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"usnjsvc"=3 (0x3) "sfrem02"=2 (0x2) "Pml Driver HPZ12"=3 (0x3) "IDriverT"=3 (0x3) "CallerIP"=3 (0x3) "ATI Smart"=2 (0x2) "Ati HotKey Poller"=2 (0x2) R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys R0 FSDFW;F-Secure Distributed Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\system32\BUFADPT.SYS R2 BackWeb Client - 7681197;F-Secure BackWeb;e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys R2 F-Secure Filter;F-Secure File System Filter;\??\e:\F-Secure\Anti-Virus\Win2K\FSfilter.sys R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\e:\F-Secure\Anti-Virus\Win2K\FSgk.sys R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\e:\F-Secure\Anti-Virus\Win2K\FSrec.sys R2 FSpm;F-Secure Policy Manager;\??\e:\F-Secure\Common\FSPM.SYS R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys S2 HDDTService;HDD Temperature;E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc S3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys S3 BFAIFILT;BFAIFILT;C:\WINDOWS\system32\Drivers\bfaifilt.sys S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys S3 iMSPCLOj;iMSPCLOj;\??\C:\DOCUME~1\Pelit\LOCALS~1\Temp\iMSPCLOj.sys S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\SF-620.sys S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys S4 CallerIP;Visualware 
CallerIP;e:\CallerIP\cip-nt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d665f3c-5559-11db-be6e-000b6a6ce97b}] \Shell\AutoRun\command - O:\LaunchU3.exe . 'Ajoitetut teht„v„t'-kansion sis„lt” "2007-11-20 13:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-24 15:14:29 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HDDTService] "ImagePath"="E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService" . Completion time: 2007-11-24 15:17:37 - machine was rebooted . --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:19:43, on 24.11.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Ahead\InCD\InCD.exe E:\F-Secure\Common\FSM32.EXE C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe E:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE E:\AVG\AVG Anti-Spyware 7.5\guard.exe e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE e:\F-Secure\Anti-Virus\fsgk32st.exe e:\F-Secure\Anti-Virus\FSGK32.EXE 
e:\F-Secure\Anti-Virus\fssm32.exe e:\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe C:\WINDOWS\system32\sessmgr.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\vssvc.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\System32\dmadmin.exe e:\F-Secure\Common\FSMA32.EXE C:\WINDOWS\system32\wscntfy.exe e:\F-Secure\Common\FSMB32.EXE e:\F-Secure\Common\FCH32.EXE e:\F-Secure\Common\FAMEH32.EXE e:\F-Secure\Common\FNRB32.EXE e:\F-Secure\Common\FIH32.EXE e:\F-Secure\Anti-Virus\fsav32.exe e:\F-Secure\DFW\Program\fsdfwd.exe C:\WINDOWS\system32\wuauclt.exe E:\Leevi\Hijack\asd.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [F-Secure TNB] "e:\F-Secure\TNB\TNBUtil.exe" /CHECKALL O4 - HKLM\..\Run: [F-Secure Manager] "e:\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [QuickTime Task] "E:\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [24c9f099] rundll32.exe "C:\WINDOWS\system32\jfgeohep.dll",b O4 - HKCU\..\Run: [Steam] "j:\counter strike sourse\steam.exe" -silent O4 - HKCU\..\Run: [igndlm.exe] E:\Download 
manager\DLM.exe /windowsstart /startifwork O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Avaa kaikki linkit tältä sivulta... - E:\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Avaa uudessa Avant Browserissa - E:\Avant Browser\OpenInNewBrowser.htm O8 - Extra context menu item: Etsi - E:\Avant Browser\Search.htm O8 - Extra context menu item: Korosta - E:\Avant Browser\Highlight.htm O8 - Extra context menu item: Lisää torjuttavien mainosten luetteloon - E:\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Torju kaikki kuvat samalta palvelimelta - E:\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - 
http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5AB4A1DE-5908-4E68-9600-0E5907C44C5A}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\AVG\AVG Anti-Spyware 7.5\guard.exe O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\fsbwlan.exe O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - e:\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - e:\F-Secure\Common\FNRB32.EXE O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. 
- e:\F-Secure\Common\FSAA.EXE O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - e:\F-Secure\DFW\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - e:\F-Secure\Common\FSMA32.EXE O23 - Service: HDD Temperature (HDDTService) - Unknown owner - E:\Temp\HDDTSvc.exe (file missing) O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing) O24 - Desktop Component 0: (no name) - http://wallpapers.insanepwning.net/albums/00660_splash_1024x768.jpg -- End of file - 7437 bytes Kas näin
Open Notepad and copy/paste the contents of the quote box into it. Save it as CFScript (ComboFix actually recognises it even if the extension is not .txt). Then drag CFScript onto ComboFix.exe as shown below. Reboot if you are asked to, and post the contents of combofix.txt here.

---------------------------------

Save these instructions to a text file or print them, otherwise you will not be able to reach them from Safe Mode.

Download AVG Anti-Spyware 7.5 and save the program to your desktop.
- Once the program has downloaded, double-click the installer's shortcut on your desktop; the installation starts.
- After installation the program must be started and its definitions updated.
- Start AVG Anti-Spyware.
- Click the "Update" icon in the main menu. Then click the "Update now" button.
- Then click the "Start Update" icon and the update begins.
- When the updates have been downloaded, click the "Scanner" icon at the top of the window. Then select the "Settings" tab.
- When the "Settings" menu has opened, click "Recommended actions" and select "Quarantine".
- Then under the "Reports" menu:
- Tick "Do not automatically generate report".
- Untick "Only if threats were found".
- Then click the "Shield" icon at the top of the window.
- "Resident shield is": change the state from active to inactive.
- Close the program; do NOT scan yet.

Reboot your computer into Safe Mode, Instructions! NOTE! Do not use other programs during the AVG scan; it may interfere with the scan.
- Once in Safe Mode, start AVG Anti-Spyware.
- Click the "Scanner" icon at the top of the window and select the "Scan" tab. Then click "Complete System Scan".
- AVG now starts scanning the computer; be patient, the scan takes a while.

When the scan is finished:
IMPORTANT: Do not click "Save Scan Report" before you have clicked "Apply all Actions".
- Make sure "Set all elements to:" shows Quarantine (1); if not, click the link and select Quarantine from the pop-up menu.
- You will be asked what to do if infections were found; choose "Apply all actions".
- Then click the "Reports" icon at the top of the program.
- Click the "Save report as" button at the bottom left of the window and save the report to the desktop.
- Close the program, reboot normally and post the AVG Anti-Spyware report in your thread.

Post:
- a new HJT log
- the AVG Anti-Spyware report
- the ComboFix txt
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 17:17:57 25.10.2007
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll -> Adware.WinAD : Cleaned with backup (quarantined).
E:\BSplayer\SetupInstRe.exe/Setup.exe -> Dropper.Agent.asf : Cleaned with backup (quarantined).
E:\SetupInstRe.exe/Setup.exe -> Dropper.Agent.asf : Cleaned with backup (quarantined).
C:\Documents and Settings\Pelit\Cookies\pelit@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Pelit\Cookies\pelit@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\WINDOWS\Temp\Cookies\pelit@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
::Report end

ComboFix 07-11-19.3 - Pelit 2007-11-25 21:48:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.645 [GMT 2:00]
Running from: C:\Documents and Settings\Pelit\Työpöytä\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pelit\Työpöytä\Työpöytä\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\vojjauxs.exe
.
(((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\vojjauxs.exe
.
((((( Files created from 2007-10-25 to 2007-11-25 )))))))))))))))))
.
2007-11-24 16:48 <DIR> d-------- C:\Documents and Settings\Pelit\Application Data\Atari
2007-11-24 16:01 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-24 10:54 777,159 ---hs---- C:\WINDOWS\system32\pehoegfj.ini
2007-11-23 20:14 <DIR> d-------- C:\VundoFix Backups
2007-11-23 13:58 776,859 ---hs---- C:\WINDOWS\system32\sfcuovra.ini
2007-11-22 21:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-20 23:14 <DIR> d-------- C:\Documents and Settings\Pelit\.java
2007-11-20 15:32 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-11-18 11:47 <DIR> d-------- C:\Documents and Settings\Pelit\Application Data\IGN_DLM
2007-11-14 16:39 3,561 --a------ C:\WINDOWS\wmplayer.reg
2007-11-14 16:29 <DIR> d-------- C:\Program Files\uTorrent
2007-11-14 15:59 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-11-14 15:59 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-14 15:59 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-11 22:55 19,544 --a------ C:\WINDOWS\hpoins01.dat
2007-11-11 22:55 16,606 --------- C:\WINDOWS\hpomdl01.dat
2007-11-09 14:13 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-25 18:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 14:12 <DIR> d-------- C:\Documents and Settings\Pelit\Application Data\Grisoft
2007-10-25 14:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 17:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-24 15:13 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-22 13:11 --------- d-----w C:\Documents and Settings\Pelit\Application Data\uTorrent
2007-11-14 13:58 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-12 14:46 --------- d-----w C:\Program Files\Java
2007-11-09 18:00 --------- d-----w C:\Program Files\MSN Messenger
2007-10-23 12:32 --------- d-----w C:\Documents and Settings\Pelit\Application Data\vlc
2007-10-19 21:22 --------- d-----w C:\Program Files\Kellotus
2007-10-18 15:58 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-09-28 11:26 25,088 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-09-26 16:58 --------- d-----w C:\Documents and Settings\Pelit\Application Data\Nokia Multimedia Player
2007-09-26 16:32 --------- d-----w C:\Program Files\Nokia
2007-09-26 16:32 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-09-26 16:32 --------- d-----w C:\Program Files\Common Files\Nokia
2007-09-26 16:31 --------- d-----w C:\Documents and Settings\Pelit\Application Data\Apple Computer
2007-09-05 21:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
2007-08-26 16:52 53,248 ----a-w C:\WINDOWS\system32\css.dll
2006-05-31 15:56 336 -c-ha-w C:\Documents and Settings\Pelit\hpothb07.dat
2006-05-31 15:55 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-05-25 15:43 22,512 -c--a-w C:\Documents and Settings\Pelit\Application Data\GDIPFONTCACHEV1.DAT
2006-02-17 13:55 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2000-01-07 09:53 696,320 ----a-w C:\Program Files\Common Files\XCMHook.dll
2000-01-06 13:57 24,576 ----a-w C:\Program Files\Common Files\XCPCMenu.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-24_15.15.49.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-11 11:04:38 190,696 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
+ 2007-11-25 16:00:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_944.dat
.
(((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="j:\counter strike sourse\steam.exe" [2007-11-15 15:28]
"igndlm.exe"="E:\Download manager\DLM.exe" [2007-03-05 23:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-12 19:13]
"F-Secure TNB"="e:\F-Secure\TNB\TNBUtil.exe" [2002-11-15 11:00]
"F-Secure Manager"="e:\F-Secure\Common\FSM32.exe" [2002-12-05 16:24]
"QuickTime Task"="E:\qttask.exe" [2006-09-01 15:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 16:12]

C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-17 21:44:43]
hp psc 1000 series.lnk - E:\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38]
hpoddt01.exe.lnk - E:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-19 16:36:46]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pelit^Käynnistä-valikko^Ohjelmat^Käynnistys^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Pelit\Käynnistä-valikko\Ohjelmat\Käynnistys\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pelit^Käynnistä-valikko^Ohjelmat^Käynnistys^RollerCoaster Tycoon 3_ Wild Registration.lnk]
path=C:\Documents and Settings\Pelit\Käynnistä-valikko\Ohjelmat\Käynnistys\RollerCoaster Tycoon 3_ Wild Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
j:\counter strike sourse\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"usnjsvc"=3 (0x3)
"sfrem02"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"IDriverT"=3 (0x3)
"CallerIP"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R0 FSDFW;F-Secure Distributed Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\system32\BUFADPT.SYS
R2 BackWeb Client - 7681197;F-Secure BackWeb;e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys
R2 F-Secure Filter;F-Secure File System Filter;\??\e:\F-Secure\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\e:\F-Secure\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\e:\F-Secure\Anti-Virus\Win2K\FSrec.sys
R2 FSpm;F-Secure Policy Manager;\??\e:\F-Secure\Common\FSPM.SYS
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
S2 HDDTService;HDD Temperature;E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc
S3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys
S3 BFAIFILT;BFAIFILT;C:\WINDOWS\system32\Drivers\bfaifilt.sys
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
S3 iMSPCLOj;iMSPCLOj;\??\C:\DOCUME~1\Pelit\LOCALS~1\Temp\iMSPCLOj.sys
S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\SF-620.sys
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S4 CallerIP;Visualware CallerIP;e:\CallerIP\cip-nt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d665f3c-5559-11db-be6e-000b6a6ce97b}]
\Shell\AutoRun\command - O:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 13:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 21:50:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HDDTService]
"ImagePath"="E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService"
.
Completion time: 2007-11-25 21:50:55
C:\ComboFix2.txt ... 2007-11-24 15:17
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43:28, on 25.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Ahead\InCD\InCD.exe
e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
E:\F-Secure\Common\FSM32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
e:\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
e:\F-Secure\Anti-Virus\FSGK32.EXE
e:\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\sessmgr.exe
e:\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
e:\F-Secure\Common\FSMA32.EXE
e:\F-Secure\Common\FSMB32.EXE
e:\F-Secure\Common\FCH32.EXE
e:\F-Secure\Common\FAMEH32.EXE
e:\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\system32\wscntfy.exe
e:\F-Secure\DFW\Program\fsdfwd.exe
e:\F-Secure\Common\FIH32.EXE
e:\F-Secure\Anti-Virus\fsav32.exe
E:\Avant Browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Leevi\Hijack\asd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure TNB] "e:\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "e:\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [QuickTime Task] "E:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "j:\counter strike sourse\steam.exe" -silent
O4 - HKCU\..\Run: [igndlm.exe] E:\Download manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Avaa kaikki linkit tältä sivulta... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Avaa uudessa Avant Browserissa - E:\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Etsi - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Korosta - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Lisää torjuttavien mainosten luetteloon - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Torju kaikki kuvat samalta palvelimelta - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AB4A1DE-5908-4E68-9600-0E5907C44C5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - e:\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - e:\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - e:\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - e:\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - e:\F-Secure\DFW\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - e:\F-Secure\Common\FSMA32.EXE
O23 - Service: HDD Temperature (HDDTService) - Unknown owner - E:\Temp\HDDTSvc.exe (file missing)
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O24 - Desktop Component 0: (no name) - http://wallpapers.insanepwning.net/albums/00660_splash_1024x768.jpg

-- End of file - 7385 bytes
Open HijackThis, click "Do a system scan only" and check these lines. Then close all other windows and press "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

That AVG AS quarantined/removed what it found. Still problems?
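A small triage script, added here as an example and not part of the thread, HijackThis or ComboFix. It reads lines in the formats of the logs above (HijackThis O4 entries, ComboFix "files created" entries and the R/S service and driver lines) and flags the pattern those logs show: a Run value with a random hex name that makes rundll32 load an eight-letter DLL from system32, a hidden+system .ini in system32 whose name is that DLL's name spelled backwards (pehoegfj.ini / jfgeohep.dll), a random-named executable in system32, and a service or driver image under a Temp directory. The heuristics are my own assumptions, the sample lines are constructed by copying entries from the logs posted above plus two benign lines for contrast, and a hit is a reason to look closer, not a verdict.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example).

Not part of HijackThis or ComboFix. The rules below are assumptions that
encode the Vundo-style pattern visible in the logs in this thread.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the logs posted in this thread,
# plus two benign lines (jusched, AvgAsCln) to show what is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [24c9f099] rundll32.exe "C:\WINDOWS\system32\jfgeohep.dll",b
O4 - HKCU\..\Run: [Steam] "j:\counter strike sourse\steam.exe" -silent
2007-11-24 10:54 777,159 ---hs---- C:\WINDOWS\system32\pehoegfj.ini
2007-11-23 13:58 776,859 ---hs---- C:\WINDOWS\system32\sfcuovra.ini
2007-11-23 13:56 71,232 --a------ C:\WINDOWS\system32\vojjauxs.exe
2007-10-25 14:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
S3 iMSPCLOj;iMSPCLOj;\??\C:\DOCUME~1\Pelit\LOCALS~1\Temp\iMSPCLOj.sys
S2 HDDTService;HDD Temperature;E:\Temp\HDDTSvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - \S+?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# ComboFix "files created" line: date time size attributes path
CF_FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+'
                        r'(?P<attr>[-a-z]{9})\s+(?P<path>.+)$')
# ComboFix service/driver line: "R2 name;display name;image path"
SVC_RE = re.compile(r'^[RS]\d \S+?;[^;]*;(?P<path>.+)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')   # eight lower-case letters, e.g. jfgeohep
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')   # e.g. 24c9f099
TEMP_RE = re.compile(r'\\te?mp\\', re.IGNORECASE)


def stem(path):
    """Lower-case file name without extension, e.g. 'jfgeohep'."""
    name = path.replace('/', '\\').rsplit('\\', 1)[-1]
    return name.rsplit('.', 1)[0].lower()


def triage(text):
    """Return {line: [reasons]} for every line that trips a rule."""
    findings = defaultdict(list)
    dll_stems = {}   # stem of every DLL loaded by rundll32 from a Run key
    ini_lines = []   # hidden+system .ini files in system32, paired afterwards
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            if HEX_NAME_RE.match(m['name']):
                findings[line].append('Run value named like random hex')
            d = RUNDLL_RE.search(m['cmd'])
            if d:
                s = stem(d['dll'])
                dll_stems[s] = line
                if RANDOM_NAME_RE.match(s) and 'system32' in d['dll'].lower():
                    findings[line].append('rundll32 loads random-named DLL from system32')
            continue
        m = CF_FILE_RE.match(line)
        if m:
            attr, path = m['attr'], m['path']
            low = path.lower()
            if low.endswith('.ini') and 'h' in attr and 's' in attr and 'system32' in low:
                ini_lines.append((line, stem(path)))
            # Extension and location are required on purpose: AvgAsCln.sys also
            # has an eight-letter stem, and a bare name rule would flag it.
            elif RANDOM_NAME_RE.match(stem(path)) and low.endswith(('.exe', '.dll')) \
                    and 'system32' in low:
                findings[line].append('random-named executable dropped in system32')
            continue
        m = SVC_RE.match(line)
        if m and TEMP_RE.search(m['path']):
            findings[line].append('service/driver image under a Temp directory')
    # Vundo-style pairing: the .ini name is the loader DLL's name reversed.
    for line, s in ini_lines:
        if s[::-1] in dll_stems:
            findings[line].append(
                'hidden+system .ini whose reversed name matches rundll32 DLL %s.dll' % s[::-1])
        else:
            findings[line].append('hidden+system .ini in system32 (no matching DLL seen in this log)')
    return dict(findings)


def reasons(findings, needle):
    """Reasons recorded for the first flagged line containing `needle`, else []."""
    for line, why in findings.items():
        if needle in line:
            return why
    return []


if __name__ == '__main__':
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for w in why:
            print('    ->', w)
```

On the sample it flags six lines: the 24c9f099 Run value (twice), pehoegfj.ini with its partner jfgeohep.dll named, sfcuovra.ini on the weaker rule because its partner DLL is not in the sample, vojjauxs.exe, and the two Temp-resident images; jusched, Steam and AvgAsCln.sys pass. Feed it a whole log with `triage(open(path, encoding='cp1252').read())` and read the hits as a checklist of what to look at, not as a removal list.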