Hi, what has happened is that the computer has slowed down, and so have the browser and other programs. From the browser I can't get to Google search, for example, and so on. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:46, on 21.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\TurvaPC\GDC.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\TurvaPC\updater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finnish.toggle.com/index.php?rvs=hompag
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TurvaPC] C:\Program Files\TurvaPC\GDC.exe
O4 - HKLM\..\Run: [00ff93d9] rundll32.exe "C:\WINDOWS\system32\cewebcoy.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BM03cca045] Rundll32.exe "C:\WINDOWS\system32\womvmowp.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6768 bytes
1. Download Combofix.exe to your desktop from either of these links: Combofix.exe Combofix.exe

Open Notepad and copy/paste the contents of the Quote: box into it:

Save it with the name CFScript (ComboFix actually recognises it even if the file extension is not .txt). Then drag and drop CFScript onto ComboFix.exe as shown below. (Do not click.)

Note! Do not click around in the ComboFix window while it is running. This may cause the program to hang. Restart the computer if asked to, and post the contents of the combofix.txt file here. Close the browser and other programs for the duration of the fix (not the antivirus).

Start HijackThis, run Scan, tick the following entries listed in red and remove them (Fix checked):

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [TurvaPC] C:\Program Files\TurvaPC\GDC.exe
O4 - HKLM\..\Run: [00ff93d9] rundll32.exe "C:\WINDOWS\system32\cewebcoy.dll",b
O4 - HKLM\..\Run: [BM03cca045] Rundll32.exe "C:\WINDOWS\system32\womvmowp.dll",s

Delete the folder below.
C:\Program Files\TurvaPC

Empty the Recycle Bin and restart your computer.

Post the following logs here:
* A fresh HijackThis log (taken last, just before posting)
* The (C:\ComboFix.txt) report
*
Combofix:

ComboFix 08-06-20.4 - juuso 2008-06-22 16:30:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.270 [GMT 3:00]
Running from: C:\Documents and Settings\juuso\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\juuso\Työpöytä\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\womvmowp.dll
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM03cca045.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AcedNXyb.ini
C:\WINDOWS\system32\AcedNXyb.ini2
C:\WINDOWS\system32\ahxgnvus.dll
C:\WINDOWS\system32\antugevv.ini
C:\WINDOWS\system32\byXNdecA.dll
C:\WINDOWS\system32\cwpufxiy.dll
C:\WINDOWS\system32\JTuxyyay.ini
C:\WINDOWS\system32\JTuxyyay.ini2
C:\WINDOWS\system32\qyvnucis.ini
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xyvgltkm.ini
C:\WINDOWS\system32\yocbewec.ini

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-22 to 2008-06-22 )))))))))))))))))
.

2008-06-22 07:45 . 2008-06-22 07:45 101,728 --a------ C:\WINDOWS\system32\hgbnaxec.dll
2008-06-22 07:42 . 2008-06-22 07:42 84,304 --a------ C:\WINDOWS\system32\vvegutna.dll
2008-06-22 07:39 . 2008-06-22 07:39 90,464 --a------ C:\WINDOWS\system32\jlppdpqp.dll
2008-06-21 19:31 . 2008-06-21 19:31 25,472 --a------ C:\WINDOWS\system32\byXRIbAr.dll
2008-06-21 19:23 . 2008-06-21 19:23 <KANSIO> d-------- C:\Program Files\Opera
2008-06-21 15:40 . 2008-06-21 15:40 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 10:30 . 2008-06-20 10:30 79,360 --a------ C:\WINDOWS\system32\sicunvyq.dll
2008-06-19 18:19 . 2008-06-19 18:19 0 --a------ C:\23990098.$$$
2008-06-19 17:50 . 2008-06-19 17:50 <KANSIO> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-19 17:50 . 2008-06-19 18:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:39 . 2008-06-19 17:54 <KANSIO> d-------- C:\Downloads
2008-06-19 17:39 . 2008-06-19 17:39 <KANSIO> d-------- C:\Bases
2008-06-19 17:38 . 2008-06-19 18:20 <KANSIO> d-------- C:\Kaspersky
2008-06-19 17:00 . 2008-06-19 17:00 <KANSIO> d-------- C:\Documents and Settings\juuso\Application Data\TurvaPC
2008-06-19 16:55 . 2008-06-19 16:55 <KANSIO> d-------- C:\Program Files\Common Files\TurvaPC
2008-06-19 16:55 . 2008-06-19 16:55 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\TurvaPC
2008-06-19 16:55 . 2008-06-19 16:55 <KANSIO> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-06-19 16:55 . 2007-02-13 09:09 388,126 --a------ C:\WINDOWS\system32\sqlite3.dll
2008-06-19 16:54 . 2008-06-21 17:45 <KANSIO> d-------- C:\Program Files\TurvaPC
2008-06-18 22:24 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-06-18 22:24 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-06-18 22:23 . 2008-06-18 22:29 <KANSIO> d-------- C:\Program Files\Trials 2 Second Edition
2008-06-18 22:23 . 2008-06-18 22:23 <KANSIO> d-------- C:\Program Files\OpenAL
2008-06-18 22:23 . 2008-06-18 22:23 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-06-18 22:23 . 2008-06-18 22:23 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-06-18 03:51 . 2008-06-18 03:53 <KANSIO> d-------- C:\Documents and Settings\juuso\Application Data\dvdcss
2008-06-11 13:44 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:44 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 03:43 . 2008-06-08 03:43 11,076 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-22 22:31 . 2008-05-22 22:31 <KANSIO> d-------- C:\Program Files\BestGameEver
2008-05-22 22:28 . 2008-05-22 22:28 <KANSIO> d-------- C:\Program Files\D-Tools
2008-05-22 22:28 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-05-22 22:28 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-05-22 22:27 . 2008-05-22 22:27 <KANSIO> d-------- C:\WINDOWS\Downloaded Installations
2008-05-22 22:14 . 2008-05-22 22:14 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 13:33 --------- d-----w C:\Program Files\Steam
2008-06-22 13:29 --------- d-----w C:\Documents and Settings\juuso\Application Data\NoNameScript
2008-06-22 13:15 --------- d-----w C:\Program Files\mIRC
2008-06-22 11:55 --------- d-----w C:\Documents and Settings\juuso\Application Data\foobar2000
2008-06-22 01:48 --------- d-----w C:\Documents and Settings\juuso\Application Data\uTorrent
2008-06-21 21:55 --------- d-----w C:\Documents and Settings\juuso\Application Data\LimeWire
2008-06-18 14:06 --------- d-----w C:\Program Files\LimeWire
2008-05-17 19:11 --------- d-----w C:\Program Files\B2BPOKER
2008-05-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-12 11:30 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 11:30 --------- d-----w C:\Program Files\Windows Live
2008-05-12 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 14:25 --------- d-----w C:\Documents and Settings\juuso\Application Data\Apple Computer
2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 23:07 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-05-03 23:01 --------- d-----w C:\Program Files\Xilisoft
2008-05-03 22:48 --------- d-----w C:\Program Files\Free iPod Video Converter
2008-05-03 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-27 22:34 --------- d-----w C:\Program Files\uTorrent
2008-04-21 07:02 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-30 20:53 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll

.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57A52E74-004C-464B-96CC-4DFE5366EA02}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EE4B48C-BFE8-4265-81F5-529E0B2BD591}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB57F3E7-89A4-466C-BD48-82AA9B49FDF0}]
C:\WINDOWS\system32\yayyxuTJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B833FF05-4DF8-4980-9A88-8549306F9DE9}]
2008-06-21 19:31 25472 --a------ C:\WINDOWS\system32\byXRIbAr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac1b14d-b7cb-4dc9-ad5a-0aa3453d5c6d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9162FC2-4E60-4D25-90FF-0EDC5C45899B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2C0D62C-9A78-4B7C-9258-0B345E6B08A7}]
2008-06-22 16:36 318336 --a------ C:\WINDOWS\system32\geBsqRiG.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"Steam"="c:\program files\steam\steam.exe" [2008-06-18 01:05 1271032]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-06-05 10:48 2113360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 12:20 6803456]
"nwiz"="nwiz.exe" [2005-06-15 12:20 1519616 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2005-06-29 12:08 212992]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2005-07-04 08:29 69632]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-06-15 12:20 86016]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2005-03-07 13:34 482816]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"BM03cca045"="C:\WINDOWS\system32\ckqalluv.dll" [2008-06-22 16:42 90464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-14 16:12 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B833FF05-4DF8-4980-9A88-8549306F9DE9}"= C:\WINDOWS\system32\byXRIbAr.dll [2008-06-21 19:31 25472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRIbAr]
byXRIbAr.dll 2008-06-21 19:31 25472 C:\WINDOWS\system32\byXRIbAr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkklkJ]
opnkklkJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-14 07:04 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBsqRiG

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\steamapps\\hande10\\counter-strike\\hl.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\B2BPOKER\\Club4Aces.com\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Kaspersky\\kavupd.exe"=
"C:\\Program Files\\Opera\\opera.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 20:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 20:35]

*Newly Created Service* - WEBNTACCESS
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-16 19:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 16:33:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\byXRIbAr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-22 16:43:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 13:43:03

Pre-Run: 28,644,401,152 tavua vapaana
Post-Run: 28,951,830,528 tavua vapaana

204 --- E O F --- 2008-06-11 12:19:35

Hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:44:23, on 22.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finnish.toggle.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM03cca045] Rundll32.exe "C:\WINDOWS\system32\ckqalluv.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6597 bytes
ComboFix 08-06-20.4 - juuso 2008-06-23 16:08:54.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\juuso\Työpöytä\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM03cca045.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\geBsqRiG.dll
C:\WINDOWS\system32\GiRqsBeg.ini
C:\WINDOWS\system32\GiRqsBeg.ini2
C:\WINDOWS\system32\lvahdust.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-23 to 2008-06-23 )))))))))))))))))
.

2008-06-23 15:48 . 2008-06-23 15:48 <KANSIO> d-------- C:\Program Files\Lavasoft
2008-06-23 15:48 . 2008-06-23 15:49 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-22 22:51 . 2008-06-22 22:51 25,472 --a------ C:\WINDOWS\system32\rqRKEWMC.dll
2008-06-22 16:46 . 2008-06-22 16:46 101,728 --a------ C:\WINDOWS\system32\lopjblfd.dll
2008-06-22 16:43 . 2008-06-22 16:46 84,336 --a------ C:\WINDOWS\system32\tsudhavl.dll
2008-06-22 16:42 . 2008-06-22 16:42 90,464 --a------ C:\WINDOWS\system32\ckqalluv.dll
2008-06-22 07:45 . 2008-06-22 07:45 101,728 --a------ C:\WINDOWS\system32\hgbnaxec.dll
2008-06-22 07:42 . 2008-06-22 07:42 84,304 --a------ C:\WINDOWS\system32\vvegutna.dll
2008-06-22 07:39 . 2008-06-22 07:39 90,464 --a------ C:\WINDOWS\system32\jlppdpqp.dll
2008-06-21 19:31 . 2008-06-21 19:31 25,472 --a------ C:\WINDOWS\system32\byXRIbAr.dll
2008-06-21 19:23 . 2008-06-21 19:23 <KANSIO> d-------- C:\Program Files\Opera
2008-06-21 15:40 . 2008-06-23 15:47 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 10:30 . 2008-06-20 10:30 79,360 --a------ C:\WINDOWS\system32\sicunvyq.dll
2008-06-19 18:19 . 2008-06-19 18:19 0 --a------ C:\23990098.$$$
2008-06-19 17:50 . 2008-06-19 17:50 <KANSIO> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-19 17:50 . 2008-06-19 18:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 17:39 . 2008-06-19 17:54 <KANSIO> d-------- C:\Downloads
2008-06-19 17:39 . 2008-06-19 17:39 <KANSIO> d-------- C:\Bases
2008-06-19 17:38 . 2008-06-19 18:20 <KANSIO> d-------- C:\Kaspersky
2008-06-19 17:00 . 2008-06-19 17:00 <KANSIO> d-------- C:\Documents and Settings\juuso\Application Data\TurvaPC
2008-06-19 16:55 . 2008-06-19 16:55 <KANSIO> d-------- C:\Program Files\Common Files\TurvaPC
2008-06-19 16:55 . 2008-06-19 16:55 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\TurvaPC
2008-06-19 16:55 . 2008-06-19 16:55 <KANSIO> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-06-19 16:55 . 2007-02-13 09:09 388,126 --a------ C:\WINDOWS\system32\sqlite3.dll
2008-06-19 16:54 . 2008-06-21 17:45 <KANSIO> d-------- C:\Program Files\TurvaPC
2008-06-18 22:24 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-06-18 22:24 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-06-18 22:23 . 2008-06-18 22:29 <KANSIO> d-------- C:\Program Files\Trials 2 Second Edition
2008-06-18 22:23 . 2008-06-18 22:23 <KANSIO> d-------- C:\Program Files\OpenAL
2008-06-18 22:23 . 2008-06-18 22:23 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-06-18 22:23 . 2008-06-18 22:23 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-06-18 03:51 . 2008-06-18 03:53 <KANSIO> d-------- C:\Documents and Settings\juuso\Application Data\dvdcss
2008-06-11 13:44 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:44 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 03:43 . 2008-06-08 03:43 11,076 --ah----- C:\WINDOWS\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 13:12 --------- d-----w C:\Program Files\Steam
2008-06-23 13:06 --------- d-----w C:\Documents and Settings\juuso\Application Data\foobar2000
2008-06-23 09:34 --------- d-----w C:\Program Files\mIRC
2008-06-23 09:34 --------- d-----w C:\Documents and Settings\juuso\Application Data\NoNameScript
2008-06-23 01:17 --------- d-----w C:\Documents and Settings\juuso\Application Data\uTorrent
2008-06-22 23:34 --------- d-----w C:\Documents and Settings\juuso\Application Data\LimeWire
2008-06-18 14:06 --------- d-----w C:\Program Files\LimeWire
2008-05-22 19:31 --------- d-----w C:\Program Files\BestGameEver
2008-05-22 19:28 --------- d-----w C:\Program Files\D-Tools
2008-05-22 19:14 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-17 19:11 --------- d-----w C:\Program Files\B2BPOKER
2008-05-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 11:30 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 11:30 --------- d-----w C:\Program Files\Windows Live
2008-05-12 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 14:25 --------- d-----w C:\Documents and Settings\juuso\Application Data\Apple Computer
2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 23:07 --------- d-----w C:\Program Files\WinAVI MP4 Converter
2008-05-03 23:01 --------- d-----w C:\Program Files\Xilisoft
2008-05-03 22:48 --------- d-----w C:\Program Files\Free iPod Video Converter
2008-05-03 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 22:34 --------- d-----w C:\Program Files\uTorrent
2008-04-21 07:02 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-30 20:53 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll

.
((((((((((((((((((((((((((((( snapshot@2008-06-22_16.42.48.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 13:33:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-23 13:11:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-24 16:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-03-29 17:45:49 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-05-15 23:24:43 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
- 2008-03-29 17:23:22 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-05-15 23:12:36 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-06-23 12:51:48 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
- 2008-03-29 17:26:52 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-05-15 23:13:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
- 2008-03-29 17:35:49 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-05-15 23:16:06 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
- 2008-01-17 15:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
+ 2008-01-17 16:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
- 2008-03-29 17:35:21 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-05-15 23:18:33 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
- 2008-03-29 17:29:08 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-05-15 23:15:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
- 2008-03-29 17:31:34 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-05-15 23:20:32 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
- 2008-03-29 17:27:33 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-05-15 23:14:11 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-06-22 23:18:18 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-23 13:11:44 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6b8.dat

.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08A82634-9D13-4BE0-851C-B2F944FDABE5}]
2008-06-23 16:15 318256 --a------ C:\WINDOWS\system32\byXpPiJY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ebf30b9-32b1-4178-8753-f167f48d4fc2}]
2008-06-22 16:46 101728 --a------ C:\WINDOWS\system32\lopjblfd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB57F3E7-89A4-466C-BD48-82AA9B49FDF0}]
C:\WINDOWS\system32\yayyxuTJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B833FF05-4DF8-4980-9A88-8549306F9DE9}]
2008-06-21 19:31 25472 --a------ C:\WINDOWS\system32\byXRIbAr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2C0D62C-9A78-4B7C-9258-0B345E6B08A7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"Steam"="c:\program files\steam\steam.exe" [2008-06-18 01:05 1271032]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-06-05 10:48 2113360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 12:20 6803456]
"nwiz"="nwiz.exe" [2005-06-15 12:20 1519616 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2005-06-29 12:08 212992] "SW24"="C:\WINDOWS\system32\sw24.exe" [2005-07-04 08:29 69632] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-06-15 12:20 86016] "LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2005-03-07 13:34 482816] "SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664] "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352] "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 02:19 79224] "BM03cca045"="C:\WINDOWS\system32\ckqalluv.dll" [2008-06-22 16:42 90464] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-14 16:12 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{B833FF05-4DF8-4980-9A88-8549306F9DE9}"= C:\WINDOWS\system32\byXRIbAr.dll [2008-06-21 19:31 25472] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRIbAr] byXRIbAr.dll 2008-06-21 19:31 25472 C:\WINDOWS\system32\byXRIbAr.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkklkJ] opnkklkJ.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-14 07:04 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wbsys.dll 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\byXpPiJY [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\mIRC\\mirc.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Steam\\steamapps\\hande10\\counter-strike\\hl.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\B2BPOKER\\Club4Aces.com\\jre\\bin\\javaw.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Kaspersky\\kavupd.exe"= "C:\\Program Files\\Opera\\opera.exe"= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16] *Newly Created Service* - WEBNTACCESS . 'Ajoitetut teht„v„t'-kansion sis„lt” "2008-06-16 19:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-23 16:12:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\byXpPiJY.dll 318256 bytes executable C:\WINDOWS\system32\YJiPpXyb.ini 347 bytes C:\WINDOWS\system32\YJiPpXyb.ini2 347 bytes scan completed successfully hidden files: 3 ************************************************************************** . 
--------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\byXRIbAr.dll PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\qomqyqyl.dll -> C:\WINDOWS\system32\ckqalluv.dll -> C:\WINDOWS\system32\byXpPiJY.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Alwil Software\Avast4\ashDisp.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Alwil Software\Avast4\Setup\avast.setup C:\WINDOWS\system32\rundll32.exe . ************************************************************************** . Completion time: 2008-06-23 16:22:19 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-23 13:22:05 ComboFix2.txt 2008-06-22 13:43:16 Pre-Run: 25,954,140,160 tavua vapaana Post-Run: 25,975,562,240 tavua vapaana 239 --- E O F --- 2008-06-11 12:19:35
1. Download Combofix.exe to your desktop from either of these links: Combofix.exe Combofix.exe

Open Notepad and copy/paste the contents of the Quote: box into it:

Save it as CFScript (ComboFix actually recognises it even if the file extension is not .txt).

Then drag and drop CFScript onto ComboFix.exe as shown below. (Do not click)

Note! Do not click on the ComboFix window while it is running. This may cause the program to hang.

Restart the computer if asked to, and post the contents of the combofix.txt file here.

Empty the Recycle Bin and restart your computer.

Post the following logs here:
* A fresh HijackThis log (taken last, just before posting)
* The (C:\ComboFix.txt) report
*