Kone reistaillut XP:n asentamisen jälkeen.

_Sanooj · Oct 25, 2008

Kone kenkkuillut pahasti XP:n uudelleen asentamisen jälkeen ja troijalaisia löytynyt windowsin tiedostoista vähän väliä.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:23, on 25.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Opera\opera.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINDOWS\System32\dllcache\mlqm.exe (file missing)
O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\System32\dllcache\wintcps.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3361 bytes

Ja tässä vielä kaikki tiedostot joihin jotain päässy jotka ovat avastin karanteenissä.

21.10.2008 23:21:58 Tonttu 1620 Sign of "Win32:Virut" has been found in "D:\My Documents\Asennus ohjelmia\VundoFix.exe" file.
22.10.2008 15:06:30 Tonttu 1464 Sign of "Win32:Virut" has been found in "C:\WINDOWS\System32\mdm.exe" file.
22.10.2008 15:12:02 Tonttu 1488 Sign of "Win32:Virut" has been found in "C:\Program Files\Opera\opera.exe" file.
22.10.2008 15:18:06 Tonttu 1488 Sign of "Win32:Virut" has been found in "D:\My Documents\Asennus ohjelmia\VundoFix.exe" file.
22.10.2008 15:23:00 Tonttu 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\awdson.exe" file.
22.10.2008 15:35:36 Tonttu 1488 Sign of "Win32:Virut" has been found in "C:\WINDOWS\system32\iPodFixer.exe" file.
22.10.2008 15:49:39 Tonttu 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\nknlmk.exe" file.
22.10.2008 17:50:59 SYSTEM 1388 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\idbxultc.exe" file.
22.10.2008 17:51:50 SYSTEM 1388 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\okyqwcaj.exe" file.
22.10.2008 17:59:47 SYSTEM 1388 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\vpkyf.exe" file.
22.10.2008 18:00:35 SYSTEM 1388 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\prfjrsny.exe" file.
22.10.2008 18:05:56 SYSTEM 1388 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\unc.exe" file.
22.10.2008 18:08:37 SYSTEM 1388 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\wiasy.exe" file.
22.10.2008 18:09:20 SYSTEM 1388 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\yiegq.exe" file.
22.10.2008 18:09:21 SYSTEM 1388 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\yiegq.exe" file.
22.10.2008 19:01:01 SYSTEM 1404 Sign of "Win32:Crypt-CZG [Trj]" has been found in "C:\WINDOWS\system32\jewjb.exe" file.
22.10.2008 19:01:20 SYSTEM 1404 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\kyuazqqv.exe" file.
22.10.2008 19:01:28 SYSTEM 1404 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\yax.exe" file.
22.10.2008 19:03:19 SYSTEM 1404 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\pxntww.exe" file.
22.10.2008 19:06:09 SYSTEM 1404 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\kwuqso.exe" file.
22.10.2008 19:12:08 SYSTEM 1404 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\sifsj.exe" file.
22.10.2008 19:13:22 SYSTEM 1404 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\jwldds.exe" file.
22.10.2008 19:20:57 SYSTEM 1404 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\eryj.exe" file.
22.10.2008 19:29:45 SYSTEM 1404 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\kmllbvpv.exe" file.
22.10.2008 19:38:34 SYSTEM 1492 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\wcrmelz.exe" file.
22.10.2008 19:47:28 SYSTEM 1492 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\cpovpea.exe" file.
22.10.2008 19:56:16 SYSTEM 1492 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\wziryon.exe" file.
23.10.2008 17:19:58 SYSTEM 1488 Sign of "Win32:Agent-ACIM [Trj]" has been found in "C:\WINDOWS\system32\Tilesys.com" file.
23.10.2008 17:24:42 SYSTEM 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\qbpwkyd.exe" file.
23.10.2008 17:35:55 SYSTEM 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\lxjv.exe" file.
23.10.2008 17:43:49 SYSTEM 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\uwvgcwgj.exe" file.
23.10.2008 18:02:59 SYSTEM 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\zxjrxtr.exe" file.
23.10.2008 18:19:40 SYSTEM 1488 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\yuphhym.exe" file.
23.10.2008 19:17:23 SYSTEM 1492 Sign of "Win32:Agent-ACIM [Trj]" has been found in "C:\WINDOWS\system32\Tilesys.com" file.
23.10.2008 19:17:23 SYSTEM 1492 Sign of "Win32:Agent-ACIM [Trj]" has been found in "C:\WINDOWS\system32\Tilesys.com" file.
23.10.2008 19:46:25 SYSTEM 1500 Sign of "Win32:Agent-ACIM [Trj]" has been found in "C:\WINDOWS\system32\Tilesys.com" file.
24.10.2008 13:41:15 Tonttu 2076 Sign of "Win32:Virut" has been found in "C:\System Volume Information\_restore{1C4D67C1-9DDB-4AE2-B4B2-EFA69FD13092}\RP3\A0001159.exe" file.
24.10.2008 13:43:30 Tonttu 2076 Sign of "Win32:Agent-ACIM [Trj]" has been found in "C:\System Volume Information\_restore{1C4D67C1-9DDB-4AE2-B4B2-EFA69FD13092}\RP4\A0004183.com" file.
24.10.2008 13:49:54 Tonttu 2076 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
24.10.2008 13:50:09 Tonttu 2076 Sign of "Win32:VanBot-DU [Trj]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OXYFG9ER\84785_winhtb[1].exe\[eXPressor]" file.
24.10.2008 13:50:57 Tonttu 2076 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\emmlop.exe" file.
24.10.2008 13:51:00 Tonttu 2076 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\erbcstnr.exe" file.
24.10.2008 13:51:04 Tonttu 2076 Sign of "Win32:Crypt-XF [Trj]" has been found in "C:\WINDOWS\system32\gmkbjcrm.exe" file.
24.10.2008 14:09:16 Tonttu 2076 Sign of "Win32:Hupigon-LXL [Trj]" has been found in "D:\imaget\gtasanandreas\hlm-gtasa.iso" file.

Olen itse päivitellyt konetta koska kone ei jostain syystä lataile niitä päivityksiä vaikka ne ovat päällä. WIndows Malicious Software Removal Tool löysi virheitä mutta ei pystynyt poistamaan niistä kuin pari. Mitähän kannattaisi tehdä noiden kaikkien troijalaisten ja matojen suhteen? Kiitos avusta jo etukäteen! Täältä on ennenkin tullut kiitettävästi apua kun on ollut ongelmia koneen kanssa.

kalminen · Oct 25, 2008

En tunnistanut palomuuria koneeltasi.
Asennukset on syytä tehdä Järjestelmänvalvojan tunnuksilla
Asenna koneellesi YKSI palomuuriohjelma NYT:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

Jos käytät sisäänrakennettua Windowsin palomuuria, se ei ole suositeltua sillä se ei estä koneelta ulosmeneviä yhteyksiä.
Muista käyttää vain yhtä palomuuria kerrallaan.

-----------------------------------------------------------------

Lataa Malwarebytes' Anti-Malware työpöydällesi.

* Tuplaklikkaa mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman.
* Lopuksi varmistu, että seuraavat on valittu: Update Malwarebytes' Anti-Malware ja Launch Malwarebytes' Anti-Malware ja sen jälkeen klikkaa Finish.
* Jos päivitys löytyy. ohjelma lataa ja asentaa uusimman version.
* Kun ohjelma on latautunut, valitse Perform full scan ja klikkaa Scan.
* Kun skanni on valmis, klikkaa OK ja sitten Show Results nähdäksesi tulokset.
* Varmistu, että kaikki on merkitty ja klikkaa Remove Selected.
* Tämän jälkeen loki avautuu muistioon. Tallenna se paikkaan, josta löydät sen helposti. Loki löytyy myös
täältä: C:\Documents and Settings\Käyttäjänimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
* Lähetä lokin sisältö seuraavassa viestissäsi + uusi hjt-loki.

------------------------------------------------------------------

Tämän jälkeen lataa ja asennaJava SE Runtime Environment (JRE) 6 Update 10.
jre-6u10-windows-i586-p.exe => 15.?? MB

----------------------------------------------------------

1. Lataa combofix.exe työpöydällesi mistä tahansa alla olevasta linkistä:
Linkki 1
Linkki 2
Linkki 3

2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. (C:\ComboFix.txt) Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

-----------------------------------------------------------------

Poista ne rivit jotka on jäljellä:
Sammuta selain ja muut ohjelmat Fixin ajaksi. (ei virustorjuntaa)
Käynnistä HijackThis:ja Scan ja ruksaa seuraavat punaisella listatut tiedostot sekä poista ne.(fix Chekked)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINDOWS\System32\dllcache\mlqm.exe (file missing)
O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\System32\dllcache\wintcps.exe (file missing)

Tyhjennä roskakori ja käynnistä koneesi uudelleen.

Postita tänne seuraavat lokit:
* Tuore HijackThis loki (Otetaan viimeisenä ennen postitusta)
* (C:\ComboFix.txt) raportti
* Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
*

_Sanooj · Oct 26, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26:24, on 26.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4237 bytes

ComboFix 08-10-25.01 - Tonttu 2008-10-26 15:16:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639 [GMT 2:00]
Running from: C:\Documents and Settings\Tonttu\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ftpupd.exe
C:\WINDOWS\system32\qfitqaj.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LOGITECH_QUICKCAM_MANAGER
-------\Legacy_MICROSOFT_WINDOWS_TCP_PROTOCOL
-------\Service_Logitech QuickCam Manager
-------\Service_Microsoft Windows TCP Protocol

((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-26 15:06 . 2008-10-26 15:06 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-26 13:11 . 2008-10-26 13:11 <DIR> d-------- C:\Program Files\Java
2008-10-26 13:11 . 2008-10-26 13:11 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-26 13:11 . 2008-10-26 13:11 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-26 13:00 . 2008-10-26 13:00 <DIR> d-------- C:\Documents and Settings\Tonttu\Application Data\Comodo
2008-10-25 17:22 . 2008-10-25 17:22 <DIR> d-------- C:\Program Files\COMODO
2008-10-25 17:22 . 2008-10-25 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-10-25 17:22 . 2008-10-25 17:22 143,096 --a------ C:\WINDOWS\system32\guard32.dll
2008-10-25 17:22 . 2008-10-25 17:22 99,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-10-25 17:22 . 2008-10-25 17:22 31,504 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-10-25 13:34 . 2004-08-03 22:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-10-23 18:55 . 2008-10-23 18:55 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-10-23 18:49 . 2004-08-03 23:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-10-23 18:47 . 2008-10-23 18:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-23 18:46 . 2004-08-03 23:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2008-10-23 18:45 . 2004-07-17 10:40 19,528 --a------ C:\WINDOWS\002485_.tmp
2008-10-23 18:44 . 2008-10-23 18:44 <DIR> d-------- C:\WINDOWS\EHome
2008-10-22 18:09 . 2008-10-22 18:09 <DIR> d-------- C:\Documents and Settings\Tonttu\Application Data\Malwarebytes
2008-10-22 18:09 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 18:08 . 2008-10-26 13:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-22 18:08 . 2008-10-22 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-22 18:08 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 17:06 . 2008-10-22 17:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-22 17:06 . 2008-10-22 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 16:54 . 2008-10-25 11:50 <DIR> d-------- C:\HJT
2008-10-22 14:33 . 2008-10-22 14:51 <DIR> d-------- C:\Program Files\Repair Registry Pro
2008-10-22 14:29 . 2008-10-22 14:29 <DIR> d-------- C:\Program Files\foobar2000
2008-10-22 14:29 . 2008-10-25 17:22 <DIR> d-------- C:\Documents and Settings\Tonttu\Application Data\foobar2000
2008-10-22 14:17 . 2004-08-03 13:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-10-22 14:03 . 2001-08-23 18:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-10-22 14:02 . 2001-08-17 21:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-10-22 14:01 . 2004-08-03 13:07 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-10-22 13:58 . 2005-04-05 21:19 201,728 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-10-22 13:58 . 2005-04-05 21:22 33,536 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-10-21 21:38 . 2008-10-21 21:38 <DIR> d-------- C:\CCleaner backups
2008-10-21 21:37 . 2008-10-21 21:37 <DIR> d-------- C:\Program Files\CCleaner
2008-10-21 21:05 . 2008-10-21 21:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-21 16:05 . 2008-10-21 16:05 <DIR> d-------- C:\Program Files\Webteh
2008-10-21 15:48 . 2008-10-21 16:21 <DIR> d-------- C:\Program Files\a-squared Free
2008-10-21 15:45 . 2008-10-21 15:45 <DIR> d-------- C:\HOSTS
2008-10-20 23:02 . 2008-10-20 23:02 268 --ah----- C:\sqmdata00.sqm
2008-10-20 23:02 . 2008-10-20 23:02 244 --ah----- C:\sqmnoopt00.sqm
2008-10-20 22:57 . 2008-10-22 14:10 <DIR> d-------- C:\WINDOWS\nview
2008-10-20 22:57 . 2005-11-04 18:03 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-10-20 22:57 . 2008-10-26 15:21 41,237 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-20 22:57 . 2005-11-04 18:03 16,356 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-10-20 22:19 . 2008-10-22 14:19 <DIR> d-------- C:\Program Files\Opera
2008-10-20 22:06 . 2008-10-20 22:06 <DIR> d-------- C:\Documents and Settings\Tonttu\Contacts
2008-10-20 22:05 . 2008-10-20 22:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-20 22:05 . 2008-10-24 12:20 <DIR> d-------- C:\Program Files\MSN Messenger
2008-10-20 21:51 . 2008-10-20 21:51 <DIR> d--hs---- C:\found.000
2008-10-20 21:50 . 2008-10-20 21:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-20 21:49 . 2008-10-24 12:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-20 21:49 . 2005-02-25 05:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 12:06 --------- d-----w C:\Program Files\Symantec
2008-10-22 12:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-21 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-20 16:00 --------- d-----w C:\Documents and Settings\Tonttu\Application Data\Symantec
2008-10-20 15:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-20 15:47 --------- d-----w C:\Program Files\AMD
2008-10-20 15:46 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-10-20 15:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-20 15:46 --------- d-----w C:\Program Files\AvRack
2008-10-20 15:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-20 15:37 558,142 ----a-w C:\WINDOWS\java\Packages\6AAXN53R.ZIP
2008-10-20 15:37 155,995 ----a-w C:\WINDOWS\java\Packages\UUO07VDB.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-11-04 7307264]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-11-04 86016]
"COMODO Internet Security"="C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" [2008-10-25 1796856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-26 136600]
"nwiz"="nwiz.exe" [2005-11-04 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-10-25 99856]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-10-25 31504]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-26 152984]
.
.
------- Supplementary Scan -------
.

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 15:21:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-10-26 15:22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 13:22:27

Pre-Run: 45 772 427 264 bytes free
Post-Run: 45,911,273,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

164 --- E O F --- 2008-10-20 19:50:35

Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.1.2600 Service Pack 2

26.10.2008 13:40:07
mbam-log-2008-10-26 (13-40-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 66189
Time elapsed: 20 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Siinä on lokia.

kalminen · Oct 26, 2008

******************************************
Kirjoita windowsin käynnistävalikon suorita-kenttään ComboFix.exe /u paina OK
*************************************************************

Tyhjennä avastin karanteeni.

Päivitä Windows: SP3 ja IE7
http://www.microsoft.com/downloads/Search.aspx?displaylang=fi

Mikä on tilanne koneella ???
D:

_Sanooj · Oct 27, 2008

Kannattaisiko mun ensin tyhjentää avastin karanteeni ja sitten suorittaa tuo Combofix?

kalminen · Oct 27, 2008

Just niinpäin D:

_Sanooj · Oct 30, 2008

En voi sanoa että paraniko vai huononiko koneen tilanne. Windows ei nyt vaan pidä enään tästä XP:n kopiosta ja nyt on tuo aina niin ihana muistutus siitä että pitäisi hommata aito XP.

Laitan nyt tässä sitten samalla Combofixin lokin ja uuden HJT:n.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:18, on 30.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4457 bytes

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\Tilesys.com

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
.

2008-10-27 22:45 . 2008-10-27 22:45 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-10-27 22:45 . 2008-10-27 22:45 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-10-27 22:45 . 2008-10-27 22:45 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-10-27 22:45 . 2008-10-30 00:28 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-10-27 22:45 . 2008-10-27 22:45 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-10-27 17:01 . 2001-08-23 18:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-10-27 16:55 . 2008-10-27 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-10-27 16:54 . 2008-10-27 16:54 <DIR> d-------- C:\Program Files\Last.fm
2008-10-26 22:04 . 2008-06-13 13:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-26 22:02 . 2008-09-08 12:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-26 22:01 . 2008-08-14 12:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-26 22:01 . 2008-08-14 12:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-26 22:01 . 2008-08-14 11:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-26 22:01 . 2008-08-14 11:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-26 22:01 . 2008-09-15 14:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-26 21:59 . 2008-04-11 21:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-26 21:59 . 2008-05-01 16:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-26 21:59 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-26 21:57 . 2008-10-15 18:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-26 19:42 . 2008-04-14 05:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-10-26 19:32 . 2008-04-13 22:58 2,940,928 -----c--- C:\WINDOWS\system32\dllcache\wmploc.dll
2008-10-26 19:31 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-10-26 19:31 . 2008-04-14 05:42 123,392 --------- C:\WINDOWS\system32\mplay32.exe
2008-10-26 19:31 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-10-26 19:28 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005609_.tmp
2008-10-26 15:48 . 2008-10-30 16:26 <DIR> d-------- C:\Pikakuvakkeet
2008-10-26 15:06 . 2008-10-26 15:06 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-26 13:11 . 2008-10-26 13:11 <DIR> d-------- C:\Program Files\Java
2008-10-26 13:11 . 2008-10-26 13:11 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-26 13:11 . 2008-10-26 13:11 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-26 13:00 . 2008-10-26 13:00 <DIR> d-------- C:\Documents and Settings\Tonttu\Application Data\Comodo
2008-10-25 17:22 . 2008-10-25 17:22 <DIR> d-------- C:\Program Files\COMODO
2008-10-25 17:22 . 2008-10-25 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-10-25 17:22 . 2008-10-25 17:22 143,096 --a------ C:\WINDOWS\system32\guard32.dll
2008-10-25 17:22 . 2008-10-25 17:22 99,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-10-25 17:22 . 2008-10-25 17:22 31,504 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-10-23 18:55 . 2008-10-26 19:42 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-10-23 18:47 . 2008-10-26 19:33 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-23 18:46 . 2008-04-13 23:09 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2008-10-23 18:45 . 2004-07-17 10:40 19,528 --a------ C:\WINDOWS\002485_.tmp
2008-10-23 18:44 . 2008-10-26 19:26 <DIR> d-------- C:\WINDOWS\EHome
2008-10-22 18:09 . 2008-10-22 18:09 <DIR> d-------- C:\Documents and Settings\Tonttu\Application Data\Malwarebytes
2008-10-22 18:09 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 18:08 . 2008-10-26 13:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-22 18:08 . 2008-10-22 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-22 18:08 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 17:06 . 2008-10-22 17:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-22 17:06 . 2008-10-22 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 16:54 . 2008-10-26 15:26 <DIR> d-------- C:\HJT
2008-10-22 14:33 . 2008-10-22 14:51 <DIR> d-------- C:\Program Files\Repair Registry Pro
2008-10-22 14:29 . 2008-10-22 14:29 <DIR> d-------- C:\Program Files\foobar2000
2008-10-22 14:29 . 2008-10-30 00:37 <DIR> d-------- C:\Documents and Settings\Tonttu\Application Data\foobar2000
2008-10-22 14:17 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-10-22 14:17 . 2007-07-30 19:19 216,408 --a--c--- C:\WINDOWS\system32\dllcache\wuaucpl.cpl
2008-10-22 14:03 . 2008-04-14 05:39 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-10-22 14:02 . 2001-08-17 21:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-10-22 14:01 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-10-22 13:58 . 2005-04-05 21:19 201,728 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-10-22 13:58 . 2005-04-05 21:22 33,536 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-10-21 21:38 . 2008-10-21 21:38 <DIR> d-------- C:\CCleaner backups
2008-10-21 21:37 . 2008-10-21 21:37 <DIR> d-------- C:\Program Files\CCleaner
2008-10-21 21:05 . 2008-10-21 21:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-21 16:05 . 2008-10-21 16:05 <DIR> d-------- C:\Program Files\Webteh
2008-10-21 15:48 . 2008-10-21 16:21 <DIR> d-------- C:\Program Files\a-squared Free
2008-10-21 15:45 . 2008-10-21 15:45 <DIR> d-------- C:\HOSTS
2008-10-20 23:02 . 2008-10-20 23:02 268 --ah----- C:\sqmdata00.sqm
2008-10-20 23:02 . 2008-10-20 23:02 244 --ah----- C:\sqmnoopt00.sqm
2008-10-20 22:57 . 2008-10-22 14:10 <DIR> d-------- C:\WINDOWS\nview
2008-10-20 22:57 . 2005-11-04 18:03 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-10-20 22:57 . 2008-10-30 16:31 41,237 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-20 22:57 . 2005-11-04 18:03 16,356 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-10-20 22:19 . 2008-10-22 14:19 <DIR> d-------- C:\Program Files\Opera
2008-10-20 22:06 . 2008-10-20 22:06 <DIR> d-------- C:\Documents and Settings\Tonttu\Contacts
2008-10-20 22:05 . 2008-10-20 22:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-20 22:05 . 2008-10-26 20:02 <DIR> d-------- C:\Program Files\MSN Messenger
2008-10-20 21:51 . 2008-10-20 21:51 <DIR> d--hs---- C:\found.000
2008-10-20 21:50 . 2008-10-26 19:33 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-20 21:49 . 2008-10-26 22:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-20 21:49 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 14:32 8,192 ----a-w C:\WINDOWS\system32\yiegq.exe
2008-10-30 14:32 76,800 ----a-w C:\WINDOWS\system32\yax.exe
2008-10-30 14:32 33,792 ----a-w C:\WINDOWS\system32\zxjrxtr.exe
2008-10-30 14:32 33,792 ----a-w C:\WINDOWS\system32\yuphhym.exe
2008-10-22 12:06 --------- d-----w C:\Program Files\Symantec
2008-10-22 12:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-21 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-20 16:00 --------- d-----w C:\Documents and Settings\Tonttu\Application Data\Symantec
2008-10-20 15:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-20 15:47 --------- d-----w C:\Program Files\AMD
2008-10-20 15:46 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-10-20 15:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-20 15:46 --------- d-----w C:\Program Files\AvRack
2008-10-20 15:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-20 15:37 558,142 ----a-w C:\WINDOWS\java\Packages\6AAXN53R.ZIP
2008-10-20 15:37 155,995 ----a-w C:\WINDOWS\java\Packages\UUO07VDB.ZIP
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-11-04 7307264]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-11-04 86016]
"COMODO Internet Security"="C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" [2008-10-30 1797880]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-26 136600]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-10-25 99856]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-10-25 31504]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-26 152984]
.
.
------- Supplementary Scan -------
.

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 16:37:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-10-30 16:38:24
ComboFix-quarantined-files.txt 2008-10-30 14:38:22
ComboFix2.txt 2008-10-26 13:22:32

Pre-Run: 47 147 716 608 bytes free
Post-Run: 47,138,504,704 bytes free

177 --- E O F --- 2008-10-27 14:12:16

kalminen · Oct 31, 2008

Sun pitää hankkia laillinen Windows.
Se on turvallisin ratkaisu.
D:

_Sanooj · Oct 31, 2008

Onko sitten muilta osilta mitään tehtävissä? Tarkoitan siis että löytykö enään paljoa korjattavaa?

LolzZz · Oct 31, 2008

Sen ilmoittelijan saat pois tällä: http://www.softpedia.com/get/Tweak/Uninstallers/RemoveWGA.shtml

_Sanooj · Nov 1, 2008

Ja näin sai windows potkun munille ^^ Kiitosta!
Löytykö noista lokeista tosiaan mitään sellaista mitä saisi korjattua? Vai onko peräti mitään korjattavaa?

kalminen · Nov 1, 2008

Eipä täällä kummempia !!!

******************************************
Kirjoita windowsin käynnistävalikon suorita-kenttään ComboFix.exe /u paina OK
*************************************************************
D:

Log in or Sign up

Kone reistaillut XP:n asentamisen jälkeen.

_Sanooj Member

kalminen Regular member

_Sanooj Member

kalminen Regular member

_Sanooj Member

kalminen Regular member

_Sanooj Member

kalminen Regular member

_Sanooj Member

LolzZz Regular member

_Sanooj Member

kalminen Regular member

Share This Page

Log in or Sign up

Kone reistaillut XP:n asentamisen jälkeen.

_Sanooj Member

kalminen Regular member

_Sanooj Member

kalminen Regular member

_Sanooj Member

kalminen Regular member

_Sanooj Member

kalminen Regular member

_Sanooj Member

LolzZz Regular member

_Sanooj Member

kalminen Regular member

Share This Page

Useful Searches