My machine got infested with Antivirus XP 2008 and some spyware&mal at the same time, so there has been plenty to deal with. I read the instructions here and tried to follow them. I couldn't get AVG Anti-Spyware to work: during installation it reported a memory location error and the whole machine crashed. Here are the logs I've managed to take. Hopefully it doesn't look too bad; what should I do next so that all the bugs go away?

Logfile of HijackThis v1.99.1
Scan saved at 12:53:24, on 23.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\CloneCD\CloneCDTray.exe
E:\PDVDServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Registry Clean Expert\RCScheduler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG 802.11g WLan\GbConfig.exe
C:\WINDOWS\System32\snmp.exe
E:\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\F-Secure\Common\FSLAUNCH.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [RemoteControl] E:\PDVDServ.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "E:\Registry Clean Expert\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /M "Stylus DX4800" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = ?
O4 - Global Startup: GN-WPKG Utility.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WPKG 802.11g WLan\GbConfig.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://kc.avustaja.sonera.fi/sdccommon/download/tgctlcm.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://194.137.218.62/activex/AMC.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

Malwarebytes' Anti-Malware 1.22
Tietokantaversio: 980
Windows 5.1.2600 Service Pack 2

12:47:38 23.7.2008
mbam-log-7-23-2008 (12-47-38).txt

Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistetut kohteet: 86706
Kulunut aika: 15 minute(s), 21 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 6
Saastuneita rekisteriarvoja: 2
Saastuneita rekisterikohteita: 2
Saastuneita hakemistoja: 12
Saastuneita tiedostoja: 10

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9b465d2-5da9-45df-8bcf-aefc5d1d766b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9b465d2-5da9-45df-8bcf-aefc5d1d766b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{769d8280-a207-4eea-9963-f8b156c32855} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{769d8280-a207-4eea-9963-f8b156c32855} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc3l1j0epa5 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrqjcu (Trojan.Vundo) -> Quarantined and deleted successfully.

Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm4b9f3271 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{769d8280-a207-4eea-9963-f8b156c32855} (Trojan.Vundo) -> Quarantined and deleted successfully.
Saastuneita rekisterikohteita:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebuvnha -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebuvnha -> Quarantined and deleted successfully.

Saastuneita hakemistoja:
C:\Program Files\rhc3l1j0epa5 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kaitsu\Application Data\rhc3l1j0epa5\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Saastuneita tiedostoja:
C:\WINDOWS\system32\geBuVNHA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AHNVuBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AHNVuBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jgivrgme.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emgrvigj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqrQJCu.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dekpsqmh.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4b9f3271.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\fdkowvbp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wnslvxtf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Here is also the ComboFix report.

ComboFix 08-07-22.4 - kaitsu 2008-07-23 13:05:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.1548 [GMT 3:00]
Running from: C:\Documents and Settings\kaitsu\Työpöytä\Uusi kansio (3)\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\{38AC0~1
C:\Program Files\Common Files\{48AC0~1
C:\Program Files\Common Files\misc002
C:\Program Files\Common Files\misc002\DXC.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\crunner
C:\WINDOWS\system32\crunner\ICSharpCode.SharpZipLib.dll
C:\WINDOWS\system32\crunner\Version.txt
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER
-------\Legacy_OULTRAF
-------\Service_clbdriver
-------\Service_oUltraf

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-06-23 to 2008-07-23 )))))))))))))))))
.
2008-07-23 10:59 . 2008-07-23 11:17 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 10:06 . 2008-07-23 10:11 3,716 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 10:05 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-23 10:04 . 2008-07-23 11:55 <KANSIO> d-------- C:\SmitfraudFix
2008-07-23 00:07 . 2008-07-23 00:07 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 00:07 . 2008-07-23 00:07 <KANSIO> d-------- C:\Documents and Settings\kaitsu\Application Data\Malwarebytes
2008-07-23 00:07 . 2008-07-23 00:07 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 00:07 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-23 00:07 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-23 00:03 . 2008-07-23 00:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-22 23:23 . 2004-09-15 15:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-04 00:00 . 2008-07-14 01:37 3,746 --a------ C:\error.htm
2008-07-04 00:00 . 2008-07-14 00:00 0 --a------ C:\infect.htm
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 16:42 --------- d-----w C:\Documents and Settings\kaitsu\Application Data\U3
2008-06-20 17:41 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:59 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2006-12-03 08:13 81,920 ------w C:\Documents and Settings\kaitsu\Application Data\ezpinst.exe
2006-12-03 08:13 47,360 ------w C:\Documents and Settings\kaitsu\Application Data\pcouffin.sys
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"RegClean Expert Scheduler"="E:\Registry Clean Expert\RCScheduler.exe" [2006-03-09 01:30 94208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-16 21:39 68856]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 07:00 98304]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2004-09-09 12:03 118832]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 11:57 684032]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 16:07 7110656]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 16:07 86016]
"CloneCDElbyCDFL"="C:\CloneCD\ElbyCheck.exe" [2002-11-02 09:33 45056]
"CloneCDTray"="C:\CloneCD\CloneCDTray.exe" [2002-12-02 17:17 73728]
"RemoteControl"="E:\PDVDServ.exe" [2003-10-31 19:42 32768]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 07:00 98304]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 11:38 892928]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2007-09-25 16:03 93208]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"nwiz"="nwiz.exe" [2005-07-20 16:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio -ominaisuussivun pikakuvake"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 09:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 11:17 2742272 C:\WINDOWS\ALCWZRD.EXE]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 12:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 13:43]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2004-11-10 15:58]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-09-17 04:29]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2006-10-04 21:41]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 19:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2004-09-10 19:14]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 15:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22fc0cf8-be82-11db-be6b-000fea7d5a0b}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce0c6642-491d-11dd-8093-000fea7d5a0b}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-07-23 00:04:32 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-Secure\ANTI-V~1\report.txt
.
- - - - ORPHANS REMOVED - - - -

HKCU-Explorer_Run-{48AC0142-0C09-1035-1105-040801050166} - C:\Program Files\Common Files\{48AC0142-0C09-1035-1105-040801050166}\Update.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://194.137.218.62/activex/AMC.cab
C:\WINDOWS\Downloaded Program Files\setup.inf

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 13:11:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\common\FSMB32.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\F-Secure\common\FCH32.EXE
C:\Program Files\F-Secure\common\FAMEH32.EXE
C:\Program Files\F-Secure\common\FNRB32.exe
C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
C:\Program Files\F-Secure\common\FIH32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG 802.11g WLan\GbConfig.exe
E:\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure\Anti-Virus\FSAV32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
.
**************************************************************************
.
Completion time: 2008-07-23 13:14:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 10:13:59

Pre-Run: 6,525,915,136 tavua vapaana
Post-Run: 6,651,711,488 tavua vapaana

171 --- E O F --- 2008-07-13 22:21:08