Getting rid of Virtumonde?

Discussion in 'Viruses and malware' started by f1nbomber, Mar 25, 2007.

  1. f1nbomber (Member, joined Mar 24, 2007)
    Now I've run out of options. Virtumonde just won't go away, no matter what. On top of that, Smitfraud-c.toolbar888 keeps being found over and over. All help is welcome!

    Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:01:05, on 25.3.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Java\jre1.6.0\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\PROGRA~1\MESSEN~1\Msmsgs.exe
    C:\Documents and Settings\All Users\viruskillers\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elisa.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\siltpngc.dll",setvm
    O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0F2F3121-75E2-4C60-9977-C1ADC3D5F3DC} (IFIUploader Control) - http://web01.ifi.fi/Webupload/ActiveX/IfiUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160995259109
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automattinen LiveUpdate-ajastustoiminto - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect -palvelu (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
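An added triage script, written here for this page and not taken from the thread, from HijackThis or from any poster: it runs two heuristics over a handful of lines copied verbatim from the log above. The first catches an autostart that uses rundll32 to call an export of a DLL (the "SoundService" entry), the second catches a file with a random-looking name sitting in a system directory. The watched-directory list and the consonant-run threshold are my assumptions; what the script prints are leads to verify (signature, hash, vendor), not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List

# Entries copied verbatim from the HijackThis log in the post above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\siltpngc.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
"""

# Any drive-letter path ending in a loadable module.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",\r\n]+?\.(?:dll|exe|sys)', re.IGNORECASE)
# rundll32 calling an export of a DLL:  rundll32.exe "<dll>",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^",]+?\.dll)"?\s*,\s*(\w+)',
                       re.IGNORECASE)
# Directories where a random-looking file name deserves a second look. This list is
# my assumption, not a HijackThis concept; vendor software normally lives under a
# named directory in Program Files instead.
WATCH_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\temp"}


@dataclass(frozen=True)
class Finding:
    entry: str   # the log line that triggered the rule
    rule: str
    path: str


def looks_random(filename: str) -> bool:
    """Heuristic: a stem with no vowels, or with five or more consonants in a row
    (e.g. 'siltpngc'), resembles a generated name; 'ctfmon' (four) stays below."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not stem.isalpha():
        return False
    if not any(ch in "aeiouy" for ch in stem):
        return True
    return re.search(r"[^aeiouy]{5,}", stem) is not None


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the entries matching either heuristic; each is a lead, not a verdict."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUNDLL_RE.search(line)
        if m:
            findings.append(Finding(line, "rundll32-loads-dll-export", m.group(1)))
        for path in PATH_RE.findall(line):
            directory, _, filename = path.rpartition("\\")
            if directory.lower() in WATCH_DIRS and looks_random(filename):
                findings.append(Finding(line, "random-name-in-watched-dir", path))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.rule:28} {f.path}\n    {f.entry}")
```

On the sample, only the siltpngc.dll entry trips both rules; ctfmon.exe and WgaLogon.dll pass, and the Spyware Doctor LSP is ignored because it lives under a vendor directory. Point the script at a full log (read the file and pass its text) to get the same short list for a real case.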
     
  2. Auttaja (Guest)

  3. f1nbomber (Member)
    Here's the log:

    "Tomi" - 07-03-26 13:45:56 Service Pack 2
    ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Tomi\Työpöytä"

    ((((((((((((((((((((((((((((((( Files Created from 2007-02-26 to 2007-03-26 ))))))))))))))))))))))))))))))))))


    2007-03-25 14:53 2,324 --a------ C:\WINDOWS\system32\tmp.reg
    2007-03-25 14:47 <KANSIO> d-------- C:\Program Files\Common Files\Java
    2007-03-24 19:54 456,214 ---hs---- C:\WINDOWS\system32\pqtwa.bak1
    2007-03-24 18:01 458,376 ---hs---- C:\WINDOWS\system32\ihkmp.bak1
    2007-03-24 17:34 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\viruskillers
    2007-03-23 11:07 123,972 --a------ C:\WINDOWS\system32\siltpngc.dll
    2007-03-22 19:38 <KANSIO> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-03-22 19:37 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-03-22 19:37 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-03-22 19:37 59,472 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-03-22 19:37 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-03-22 19:37 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-03-22 19:37 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-03-22 19:37 19,728,080 --a------ C:\DOCUME~1\ALLUSE~1\sdsetup.exe
    2007-03-22 19:37 <KANSIO> d-------- C:\Program Files\Spyware Doctor
    2007-03-22 19:37 <KANSIO> d-------- C:\Program Files\Common Files\PC Tools
    2007-03-22 19:37 <KANSIO> d-------- C:\DOCUME~1\Tomi\APPLIC~1\PC Tools
    2007-03-22 19:37 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
    2007-03-22 19:02 50,688 --a------ C:\DOCUME~1\ALLUSE~1\ATF-Cleaner.exe
    2007-03-22 18:30 3,495,536 --a------ C:\DOCUME~1\ALLUSE~1\Free-Spyware-Scanner-Install.exe
    2007-03-22 18:30 <KANSIO> d-------- C:\Program Files\Enigma Software Group
    2007-03-22 17:41 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-03-22 17:33 5,037,072 --a------ C:\DOCUME~1\ALLUSE~1\SPYBOT14.EXE
    2007-03-22 16:49 13,198,504 --a------ C:\DOCUME~1\ALLUSE~1\ssftrialsnrsetup1_1914741474.exe
    2007-03-22 16:04 <KANSIO> d-------- C:\Program Files\Trend Micro
    2007-03-21 20:57 <KANSIO> d-------- C:\Program Files\Acoustica MP3 To Wave Converter PLUS
    2007-03-09 14:58 <KANSIO> d-------- C:\DOCUME~1\Sirkku\APPLIC~1\Sun


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-26 13:21 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-03-25 14:46 -------- d-------- C:\Program Files\java
    2007-03-25 12:30 76894 --a------ C:\WINDOWS\system32\perfc00b.dat
    2007-03-25 12:30 377716 --a------ C:\WINDOWS\system32\perfh00b.dat
    2007-03-25 00:16 -------- d-------- C:\Program Files\tomtools
    2007-03-20 15:16 -------- d-------- C:\Program Files\norton internet security
    2007-02-26 11:42 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
    2007-02-26 11:42 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-02-26 11:42 -------- d-------- C:\Program Files\symantec
    2007-02-12 18:22 538256 --a------ C:\WINDOWS\system32\symneti.dll
    2007-02-12 18:22 31888 --a------ C:\WINDOWS\system32\drivers\symids.sys
    2007-02-12 18:22 28304 --a------ C:\WINDOWS\system32\drivers\symndis.sys
    2007-02-12 18:22 24720 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
    2007-02-12 18:22 196752 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
    2007-02-12 18:22 161424 --a------ C:\WINDOWS\system32\symredir.dll
    2007-02-12 18:22 12944 --a------ C:\WINDOWS\system32\drivers\symdns.sys
    2007-02-12 18:22 110736 --a------ C:\WINDOWS\system32\drivers\symfw.sys
    2007-02-04 14:49 -------- d-------- C:\Program Files\microprose
    2007-02-03 12:46 -------- d-------- C:\DOCUME~1\Tomi\APPLIC~1\leadertech
    2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-12-27 17:21 54123 --a------ C:\DOCUME~1\Tomi\APPLIC~1\update_hp_redboxhprblog_hpsu.log
    2006-12-15 23:55 0 --a------ C:\Program Files\Common Files\dht342


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "VTTimer"="VTTimer.exe"
    "VTTrayp"="VTtrayp.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
    "NeroFilterCheck"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""
    "SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\siltpngc.dll\",setvm"
    "SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\Setup]
    "Aspi Update"="C:\\Temp\\aspi32.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SMSERIAL"="sm56hlpr.exe"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{28CEA1DA-2199-4AEE-BA75-9032C8450B66}"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0

    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Suorita Norton QuickScan - Tomi.job
    C:\WINDOWS\tasks\Norton AntiVirus - Suorita täydellinen järjestelmäntarkistus - Tomi.job


    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-03-26 13:49:17
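An added correlation script, again written for this page and not part of the thread or of ComboFix: it pairs the "Files Created" timeline with the "Reg Loading Points" section so that a freshly written file that is also an autostart target, a hidden+system file written into system32, or an autostart that runs from a temp directory is listed in one place. The input lines are copied from the log above (the full log has more); the temp-directory list is my assumption. As with any such heuristic, the output is a list of things to check, not a diagnosis.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lines copied verbatim from the ComboFix log in the post above.
SAMPLE_FILES = r"""
2007-03-24 19:54 456,214 ---hs---- C:\WINDOWS\system32\pqtwa.bak1
2007-03-24 18:01 458,376 ---hs---- C:\WINDOWS\system32\ihkmp.bak1
2007-03-23 11:07 123,972 --a------ C:\WINDOWS\system32\siltpngc.dll
2007-03-22 19:37 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-03-22 19:37 <KANSIO> d-------- C:\Program Files\Spyware Doctor
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\siltpngc.dll\",setvm"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\Setup]
"Aspi Update"="C:\\Temp\\aspi32.exe"
"""

# date  time  size-or-<DIR>  attribute-string(9)  path   (ComboFix prints the
# directory marker in the system language, here <KANSIO>)
FILE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d)\s+(<[A-Za-z]+>|[\d,]+)\s+([-a-z]{9})\s+(.+)$')
REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^",\r\n]+?\.(?:dll|exe|sys)', re.IGNORECASE)
# Assumed list of scratch directories no autostart should point into.
TEMP_DIRS = ("c:\\temp", "c:\\windows\\temp")


@dataclass(frozen=True)
class CreatedFile:
    date: str
    attrs: str
    path: str

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_created_files(text: str) -> List[CreatedFile]:
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append(CreatedFile(m.group(1), m.group(4), m.group(5).strip()))
    return out


def parse_reg_values(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, unescaped data) for each .reg-style line."""
    key, out = "", []
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VAL_RE.match(line)
        if vm:
            data = re.sub(r'\\(.)', r'\1', vm.group(2))   # .reg escaping: \\ -> \  \" -> "
            out.append((key, vm.group(1), data))
    return out


def correlate(files: List[CreatedFile], reg: List[Tuple[str, str, str]]) -> List[str]:
    findings = []
    by_path = {f.path.lower(): f for f in files}
    for f in files:
        if f.hidden_system and f.path.lower().startswith("c:\\windows\\system32\\"):
            findings.append(f"hidden+system file written to system32: {f.path} ({f.date})")
    for key, name, data in reg:
        for p in PATH_RE.findall(data):
            lp = p.lower()
            if lp in by_path:
                findings.append(f"autostart '{name}' under {key} loads {p}, "
                                f"created {by_path[lp].date}")
            if any(lp.startswith(t + "\\") for t in TEMP_DIRS):
                findings.append(f"autostart '{name}' under {key} runs from a temp dir: {p}")
    return findings


if __name__ == "__main__":
    for line in correlate(parse_created_files(SAMPLE_FILES), parse_reg_values(SAMPLE_REG)):
        print(line)
```

On the sample this yields four lines: the two .bak1 files, the siltpngc.dll autostart with its creation date, and the runonce entry in C:\Temp; the Spyware Doctor tray program is not listed because only its directory appears in the timeline. Feeding the whole log (both sections as text) gives the same kind of short list for a real case.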
     
