The computer is acting up and ads keep appearing.

Discussion in 'Viruses and malware - HijackThis logs' started by Rex999, Jan 18, 2009.

  1. Rex999

    Rex999 Member

    So while browsing, the computer gets flooded with ad pop-ups and I can barely get to any sites. Windows is acting up too: I can't get into folders, and all sorts of other fun stuff. Here is the HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:04:42, on 18.1.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20935)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    D:\Rockstar Games Social Club\1_1_3_0\RGSC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RGSC] D:\Rockstar Games Social Club\RGSCLauncher.exe /silent
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AD155396-C65F-4FBF-8525-AD564122DCA9}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6136 bytes
     
  2. Hujo

    Hujo Guest

    Download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    3. If an update is found, the program will download and install the latest version.
    4. Once the program has loaded, select Perform full scan and click Scan.
    5. When the scan is complete, click OK, then Show Results to view the results.
    6. Make sure everything is checked and click Remove Selected.
    7. After that the log opens in Notepad. Save it somewhere you can find it easily. The log is also stored at: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    8. Post the contents of the log in your next reply.
     
  3. Rex999

    Rex999 Member

    I ran the scan and here is the log:



    Malwarebytes' Anti-Malware 1.33
    Tietokantaversio: 1665
    Windows 5.1.2600 Service Pack 3

    18.1.2009 16:18:32
    mbam-log-2009-01-18 (16-18-32).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|)
    Tarkistetut kohteet: 151345
    Kulunut aika: 32 minute(s), 35 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 1
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 1
    Saastuneita tiedostoja: 6

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    C:\WINDOWS\system32\162123 (Trojan.BHO) -> Quarantined and deleted successfully.

    Saastuneita tiedostoja:
    C:\WINDOWS\system32\msqpdxprrrvdkm.dll (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\msqpdxeabediem.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\msqpdxmxjbodxl.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\msqpdxulvbutpq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Reko\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Reko\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
     
  4. Hujo

    Hujo Guest

    Download SDFix by AndyManchesta and save it to your desktop.

    Boot your computer into Safe Mode:

    shut down and restart
    during startup, tap the F8 key repeatedly
    use the arrow keys to select Safe Mode
    press Enter, then Enter again
    select your user account
    click Yes

    On some machines you tap F5 instead of F8.

    1. Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
    2. Open the SDFix folder and double-click RunThis.bat to start the program.
    3. Press Y to start the script.
    4. The tool cleans up the trojan's services and also makes some repairs to the registry. When done, it asks you to restart the computer: "Press any key to Reboot".
    5. Press any key and the computer will restart.
    6. Startup takes longer than normal because SDFix is cleaning the machine.
    7. Once the computer has started and the desktop has loaded, SDFix reports that the cleanup is complete: "Finished".
    8. Then press any key to close the script and reload the desktop icons.
    9. Finally, open the SDFix folder (on the desktop) and copy & paste the contents of Report.txt into your thread, along with a new HijackThis log.
     
  5. Rex999

    Rex999 Member

    Here's the HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:24:04, on 18.1.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20935)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AD155396-C65F-4FBF-8525-AD564122DCA9}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6427 bytes

    And here's the report:

    SDFix: Version 1.240
    Run by Reko Lamberg on su 18.01.2009 at 17:15

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\Documents and Settings\Reko Lamberg\Desktop\SDFix\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-18 17:20:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\msqpdxserv.sys]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "group"="file system"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\msqpdxserv.sys\modules]
    "msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
    "msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
    "C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
    "D:\\Rockstar Games Social Club\\RGSCLauncher.exe"="D:\\Rockstar Games Social Club\\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
    "C:\\Program Files\\Steam\\SteamApps\\r4xona\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\r4xona\\counter-strike source\\hl2.exe:*:Enabled:hl2"
    "D:\\Grand Theft Auto IV\\LaunchGTAIV.exe"="D:\\Grand Theft Auto IV\\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"
    "D:\\Grand Theft Auto IV\\GTAIV.exe"="D:\\Grand Theft Auto IV\\GTAIV.exe:*:Enabled:Grand Theft Auto IV"
    "D:\\Games\\Grid\\GRID.exe"="D:\\Games\\Grid\\GRID.exe:*:Enabled:GRID Executable"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :



    Files with Hidden Attributes :

    Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
    Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
    Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
    Sun 28 Dec 2008 243,712 A..H. --- "C:\Documents and Settings\Reko.TIETOKON-1FA2B2\Local Settings\Temp\~165.tmp"
    Mon 29 Dec 2008 444 ...HR --- "C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData\securom_v7_01.bak"
    Fri 19 Dec 2008 887 ...HR --- "C:\Documents and Settings\Reko\Application Data\SecuROM\UserData\securom_v7_01.bak"
    Sun 18 Jan 2009 2,421 ...HR --- "C:\Documents and Settings\Reko Lamberg\Application Data\SecuROM\UserData\securom_v7_01.bak"
    Sun 28 Dec 2008 444 ...HR --- "C:\Documents and Settings\Reko.TIETOKON-1FA2B2\Application Data\SecuROM\UserData\securom_v7_01.bak"

    Finished!
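    The Malwarebytes log in post 3 and the catchme section of the SDFix report above are exactly the pair a responder cross-checks before calling a machine clean: Malwarebytes could only schedule msqpdxprrrvdkm.dll for deletion on reboot, and catchme still lists a msqpdxserv.sys service in every control set whose image path and module list point at the msqpdx* files. The Python below is an added example, not part of this thread and not code from Malwarebytes, SDFix or catchme. It parses abridged excerpts copied from those two reports (constructed sample input, two of the eight control sets) and reports what is still pending or still referenced. The function names, the regexes and the reading of catchme's str(2): prefix as REG_EXPAND_SZ are my assumptions based on the line shapes shown above.

```python
"""Cross-check Malwarebytes removals against a catchme hidden-service dump (added example)."""
import re
from collections import namedtuple

# Constructed sample input: abridged copies of the Malwarebytes log and the catchme
# section of the SDFix report posted in this thread (two of the eight control sets).
MBAM_EXCERPT = r"""
Saastuneita rekisteriavaimia:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Saastuneita tiedostoja:
C:\WINDOWS\system32\msqpdxprrrvdkm.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxeabediem.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxulvbutpq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reko\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
"""
CATCHME_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\\?\globalroot\systemroot\system32\drivers\msqpdxulvbutpq.sys"
"msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
"start"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxulvbutpq.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
"msqpdxl"="\\?\globalroot\systemroot\system32\msqpdxprrrvdkm.dll"
"""

MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')
Finding = namedtuple("Finding", "path family action")  # one Malwarebytes result line

def parse_mbam(text):
    """One Finding per '<object> (<family>) -> <action>.' line; headers are skipped."""
    matches = (MBAM_LINE.match(line.strip()) for line in text.splitlines())
    return [Finding(m["path"], m["family"], m["action"]) for m in matches if m]

def _decode(raw):
    """Turn catchme's value syntax (dword:, str(2):, quoted) into an int or a string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("str(2):"):  # assumed to be REG_EXPAND_SZ as catchme prints it
        raw = raw[7:]
    return raw.strip('"')

def parse_hidden_keys(text):
    """Map each [registry key] header to the name -> value pairs listed under it."""
    keys, current = {}, None
    for line in text.splitlines():
        header = REG_KEY.match(line.strip())
        value = REG_VALUE.match(line.strip())
        if header:
            current = header["key"]
            keys[current] = {}
        elif value and current is not None:
            keys[current][value["name"]] = _decode(value["raw"])
    return keys

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def pending_reboot(findings):
    """Files Malwarebytes could only schedule for removal at the next boot."""
    return [f.path for f in findings if f.action.lower().startswith("delete on reboot")]

def remaining_references(findings, keys):
    """Hidden registry values that still name (by basename) a file Malwarebytes reported."""
    wanted = {_basename(f.path) for f in findings}
    return [(key, name, _basename(val)) for key, values in keys.items()
            for name, val in values.items()
            if isinstance(val, str) and _basename(val) in wanted]

def early_start_services(keys):
    """Service keys with start 0 (boot) or 1 (system): loaded before user-mode scanners."""
    return sorted(k for k, v in keys.items() if v.get("start") in (0, 1))

def triage(mbam_text, catchme_text):
    findings, keys = parse_mbam(mbam_text), parse_hidden_keys(catchme_text)
    deferred, refs = pending_reboot(findings), remaining_references(findings, keys)
    return {"findings": len(findings), "pending_reboot": deferred, "references": refs,
            "early_start_services": early_start_services(keys),
            # clean only when nothing is deferred and no hidden key points at a reported file
            "clean": not deferred and not refs}

if __name__ == "__main__":
    result = triage(MBAM_EXCERPT, CATCHME_EXCERPT)
    print(f"{result['findings']} findings, deferred to reboot: {result['pending_reboot']}")
    for key, name, base in result["references"]:
        print(f"still referenced: {base} <- {key} [{name}]")
    print("early-start hidden services:", result["early_start_services"])
    print("verdict:", "clean" if result["clean"] else "NOT clean, keep going")
```

    Run as a script it prints, for this thread's data, one deferred file, five registry values that still point at msqpdx* files, and two service keys with start=1, so the verdict is not clean. Matching on basename rather than full path is deliberate: Malwarebytes prints C:\WINDOWS\... while catchme prints \systemroot\... and \\?\globalroot\..., and the same file has to be recognised under all three spellings.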
     
  6. Hujo

    Hujo Guest

    1. Download Combofix.exe to your desktop from one of these links:
    Combofix1
    Combofix2

    Do not install the Recovery Console.
    2. Double-click the Combofix.exe file and follow the prompts.
    3. When the tool finishes, it produces a log. Post this log in your thread.
    Note! Do not click on the ComboFix window while it is running. This may cause the program to hang.
     
  7. Rex999

    Rex999 Member

    Here is the log:


    ComboFix 09-01-17.04 - Reko Lamberg 2009-01-18 17:49:18.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.487 [GMT 2:00]
    Running from: c:\documents and settings\Reko Lamberg\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1296 [VPS 090117-0] *On-access scanning disabled* (Updated)
    AV: Norton AntiVirus Gaming Edition *On-access scanning disabled* (Outdated)
    FW: ZoneAlarm Firewall *enabled*
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\tmp46.tmp
    c:\windows\system32\tmp47.tmp
    D:\Autorun.inf
    D:\resycled
    d:\resycled\boot.com
    E:\resycled
    e:\resycled\boot.com

    ----- BITS: Possible infected sites -----

    hxxp://msxb-d1.vo.llnw.net:3074
    .
    ((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
    .

    2009-01-18 17:15 . 2009-01-18 17:15 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
    2009-01-18 17:14 . 2009-01-18 17:14 <DIR> d-------- c:\windows\ERUNT
    2009-01-18 15:43 . 2009-01-18 15:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-18 15:43 . 2009-01-18 15:43 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\Malwarebytes
    2009-01-18 15:43 . 2009-01-18 15:43 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2009-01-18 15:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-18 15:43 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-18 12:52 . 2008-06-26 13:07 19,424,048 --a------ c:\windows\GRID.exe
    2009-01-18 12:52 . 2008-06-24 09:33 805,068 --a------ c:\windows\system\flow.bin
    2009-01-18 12:52 . 2008-06-24 17:42 491,520 --a------ c:\windows\win_000.000
    2009-01-18 12:52 . 2008-06-24 14:18 378,980 --a------ c:\windows\system\states.bin
    2009-01-18 12:52 . 2008-06-09 14:36 131,072 --a------ c:\windows\win_000.nfs
    2009-01-18 12:52 . 2008-06-03 08:19 6,363 --a------ c:\windows\system\hardware_settings_restrictions.xml
    2009-01-18 12:52 . 2008-05-20 14:00 5,743 --a------ c:\windows\system\applicationMemoryMap.xml
    2009-01-18 12:52 . 2008-06-02 15:38 1,960 --a------ c:\windows\system\hardware_settings_config.xml
    2009-01-18 12:38 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
    2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- c:\program files\Zone Labs
    2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\MailFrontier
    2009-01-18 11:34 . 2009-01-18 11:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Codemasters
    2009-01-18 11:03 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2009-01-17 15:05 . 2009-01-18 17:28 <DIR> d-------- c:\program files\Steam
    2009-01-16 22:19 . 2009-01-16 22:19 107,888 --a------ c:\windows\system32\CmdLineExt.dll
    2009-01-16 22:14 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
    2009-01-16 22:14 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
    2009-01-16 22:14 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
    2009-01-16 21:36 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
    2009-01-16 15:23 . 2008-06-20 13:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys
    2009-01-16 15:23 . 2008-06-20 19:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll
    2009-01-16 15:23 . 2008-06-20 13:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys
    2009-01-16 15:23 . 2008-06-20 19:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll
    2009-01-15 20:04 . 2009-01-15 20:04 <DIR> d-------- c:\program files\Ventrilo
    2009-01-15 20:04 . 2009-01-15 20:06 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\Ventrilo
    2009-01-15 20:04 . 2009-01-15 20:04 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2009-01-12 21:33 . 2009-01-12 21:33 724,992 --a------ c:\windows\iun6002.exe
    2009-01-12 21:26 . 2009-01-12 21:26 <DIR> d-------- c:\windows\system32\IOSUBSYS
    2009-01-12 21:26 . 2009-01-12 21:26 <DIR> d-------- C:\SilverSoftFiles
    2009-01-12 20:24 . 2009-01-12 20:24 <DIR> d-------- c:\program files\Alwil Software
    2009-01-12 20:24 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-01-12 20:05 . 2009-01-12 20:05 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-01-12 20:05 . 2009-01-12 20:05 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-01-12 18:50 . 2009-01-18 11:34 444,952 --a------ c:\windows\system32\wrap_oal.dll
    2009-01-12 18:50 . 2009-01-18 11:34 109,080 --a------ c:\windows\system32\OpenAL32.dll
    2009-01-12 18:50 . 1999-11-02 10:01 6,173 --a------ c:\windows\system32\drivers\Entech.vxd
    2009-01-12 18:50 . 2004-06-22 15:44 5,632 --a------ c:\windows\system32\drivers\Entech64.sys
    2009-01-12 18:50 . 2001-11-19 19:05 3,972 --a------ c:\windows\system32\drivers\PciBus.sys
    2009-01-12 18:49 . 2009-01-12 18:49 <DIR> d-------- c:\program files\Futuremark
    2009-01-12 18:48 . 2009-01-12 18:48 <DIR> d-------- c:\windows\system32\Futuremark
    2009-01-12 18:48 . 2007-08-20 11:05 27,672 -ra------ c:\windows\system32\drivers\Entech.sys
    2009-01-12 12:06 . 2009-01-12 12:06 <DIR> d-------- c:\windows\nview
    2009-01-12 12:06 . 2009-01-18 17:29 206,664 --a------ c:\windows\system32\nvapps.xml
    2009-01-12 12:06 . 2008-12-26 00:08 18,725 --a------ c:\windows\system32\nvdisp.nvu
    2009-01-08 17:46 . 2009-01-08 17:46 <DIR> d-------- c:\windows\system32\drivers\NAV
    2009-01-08 17:45 . 2009-01-08 17:45 <DIR> d-------- C:\00000082
    2009-01-08 15:06 . 2009-01-08 15:06 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
    2009-01-08 15:06 . 2009-01-08 17:47 2,100 --a------ c:\documents and settings\All Users.BAK
    2009-01-08 15:05 . 2009-01-12 20:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
    2009-01-08 15:03 . 2009-01-08 17:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
    2009-01-05 17:56 . 2009-01-05 17:56 77 --a------ c:\windows\wininit.ini
    2009-01-05 16:54 . 2009-01-18 12:26 <DIR> d-------- c:\program files\Lavalys
    2009-01-04 12:24 . 2009-01-04 13:22 <DIR> d-------- c:\program files\GCFScape
    2009-01-03 19:28 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
    2009-01-03 19:28 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
    2009-01-03 19:24 . 2009-01-03 19:25 <DIR> d-------- c:\windows\system32\NtmsData
    2009-01-03 00:57 . 2009-01-03 00:58 <DIR> d-------- c:\program files\GameGain
    2009-01-01 21:17 . 2009-01-01 21:17 603,904 --a------ c:\windows\system32\TUProgSt.exe
    2009-01-01 21:17 . 2009-01-01 21:17 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
    2009-01-01 21:17 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
    2009-01-01 21:16 . 2009-01-01 21:17 <DIR> d-------- c:\program files\TuneUp Utilities 2009
    2009-01-01 21:16 . 2009-01-01 21:16 <DIR> d--hs---- c:\documents and settings\All Users.WINDOWS\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
    2008-12-31 12:06 . 2008-12-31 12:06 <DIR> d-------- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\Xfire
    2008-12-31 11:57 . 2008-12-31 11:57 <DIR> d-------- c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\Xfire
    2008-12-31 11:54 . 2009-01-17 20:20 <DIR> d-------- c:\program files\Xfire
    2008-12-31 11:54 . 2009-01-17 20:25 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\Xfire
    2008-12-31 10:41 . 2008-12-31 10:41 <DIR> d-------- c:\program files\CCleaner
    2008-12-30 18:04 . 2008-12-30 18:04 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SRS Labs
    2008-12-30 18:04 . 2007-07-26 09:25 47,360 -ra------ c:\windows\system32\drivers\Surroundhp_kern_i386.sys
    2008-12-30 18:04 . 2007-07-26 09:25 47,104 -ra------ c:\windows\system32\drivers\tshd4_kern_i386.sys
    2008-12-30 18:04 . 2007-07-26 09:25 42,112 -ra------ c:\windows\system32\drivers\csiidecoder_kern_i386.sys
    2008-12-30 18:04 . 2007-07-26 09:25 39,808 -ra------ c:\windows\system32\drivers\SRS_SSCFilter_i386.sys
    2008-12-30 18:04 . 2007-07-26 09:25 32,000 -ra------ c:\windows\system32\drivers\wowhd_kern_i386.sys
    2008-12-30 18:00 . 2009-01-12 20:36 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\uTorrent
    2008-12-30 16:40 . 2008-12-30 16:39 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-30 16:40 . 2008-12-30 16:39 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-30 15:25 . 2008-12-30 15:25 <DIR> d-------- c:\windows\5888428E699C4E71BF7194EE06B497DA.TMP
    2008-12-29 17:04 . 2008-12-29 17:04 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\SecuROM
    2008-12-29 16:59 . 2008-12-29 16:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SecuROM
    2008-12-29 16:59 . 2009-01-08 17:44 664 --a------ c:\windows\system32\d3d9caps.dat
    2008-12-29 16:57 . 2008-12-30 15:25 <DIR> d---s---- c:\documents and settings\Administrator
    2008-12-29 10:12 . 2009-01-01 21:48 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-29 10:12 . 2009-01-17 12:01 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2008-12-29 10:02 . 2008-12-29 10:02 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\TuneUp Software
    2008-12-29 10:02 . 2008-12-29 10:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software
    2008-12-29 10:01 . 2008-12-30 15:25 <DIR> d-------- c:\program files\TuneUp Utilities 2008
    2008-12-29 01:31 . 2008-12-29 01:31 <DIR> d-------- c:\program files\MSXML 4.0
    2008-12-29 01:29 . 2008-06-24 18:43 74,240 -----c--- c:\windows\system32\dllcache\mscms.dll
    2008-12-29 01:29 . 2008-12-29 01:29 58 --a------ C:\steam.bat
    2008-12-29 01:28 . 2008-05-07 07:12 1,288,192 -----c--- c:\windows\system32\dllcache\quartz.dll
    2008-12-29 01:28 . 2008-05-09 12:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
    2008-12-29 01:28 . 2008-05-09 12:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
    2008-12-29 01:28 . 2008-07-07 22:26 253,952 -----c--- c:\windows\system32\dllcache\es.dll
    2008-12-29 01:28 . 2008-05-09 12:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
    2008-12-29 01:28 . 2008-05-09 12:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
    2008-12-29 01:28 . 2008-05-08 13:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
    2008-12-29 01:28 . 2008-05-09 10:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
    2008-12-29 01:28 . 2008-05-09 12:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
    2008-12-29 01:22 . 2008-09-15 14:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
    2008-12-29 01:19 . 2008-08-14 12:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-29 01:19 . 2008-08-14 12:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-29 01:19 . 2008-08-14 11:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-29 01:19 . 2008-08-14 11:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-29 01:17 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-29 01:17 . 2008-05-08 16:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
    2008-12-29 01:16 . 2008-04-11 21:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
    2008-12-29 01:16 . 2008-05-01 16:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
    2008-12-29 01:15 . 2008-09-04 19:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-12-29 01:15 . 2008-10-15 18:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-12-28 22:22 . 2008-12-28 22:22 <DIR> d-------- c:\documents and settings\Reko Lamberg\Contacts
    2008-12-28 22:11 . 2008-12-28 22:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\WLInstaller
    2008-12-28 21:23 . 2008-12-28 21:23 <DIR> d-------- c:\documents and settings\Reko Lamberg\Application Data\Logitech
    2008-12-28 21:22 . 2008-12-28 21:22 127,034 -r------- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    2008-12-28 21:21 . 2007-04-11 15:33 1,419,024 --a------ c:\windows\system32\WdfCoInstaller01005.dll
    2008-12-28 21:21 . 2007-04-11 15:32 56,080 --a------ c:\windows\KHALMNPR.Exe
    2008-12-28 21:21 . 2007-04-11 15:32 36,112 --a------ c:\windows\system32\drivers\LMouFilt.Sys
    2008-12-28 21:21 . 2007-04-11 15:32 34,832 --a------ c:\windows\system32\drivers\LHidFilt.Sys
    2008-12-28 21:21 . 2007-04-11 15:32 20,496 --a------ c:\windows\system32\drivers\L8042Kbd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-18 15:18 16,896 ----a-w c:\windows\Internet Logs\xDB3.tmp
    2009-01-18 15:09 33,792 ----a-w c:\windows\Internet Logs\xDB2.tmp
    2009-01-18 14:19 96,768 ----a-w c:\windows\Internet Logs\xDB1.tmp
    2009-01-18 09:34 --------- d-----w c:\program files\OpenAL
    2009-01-15 18:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-01-13 13:11 --------- d-----w c:\program files\DivX
    2009-01-13 13:11 --------- d-----w c:\program files\AGEIA Technologies
    2009-01-12 16:49 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-28 18:08 319,488 ----a-w c:\windows\HideWin.exe
    2008-12-28 18:08 --------- d-----w c:\program files\Realtek
    2008-12-28 13:50 --------- d-----w c:\program files\Common Files\Logitech
    2008-12-22 09:21 --------- d-----w c:\documents and settings\Reko\Application Data\Hamachi
    2008-12-18 13:19 --------- d-----w c:\documents and settings\Reko\Application Data\MSN6
    2008-12-18 12:57 --------- d-----w c:\documents and settings\Reko\Application Data\Skype
    2008-12-18 12:56 --------- d-----w c:\documents and settings\Reko\Application Data\skypePM
    2008-12-15 10:12 --------- d-----w c:\documents and settings\Reko\Application Data\AVGTOOLBAR
    2008-12-13 12:33 --------- d-----w c:\program files\Java
    2008-12-11 20:38 42,320 ----a-w c:\windows\system32\xfcodec.dll
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-06 13:32 --------- d-----w c:\program files\SystemRequirementsLab
    2008-12-06 13:32 --------- d-----w c:\documents and settings\Reko\Application Data\SystemRequirementsLab
    2008-12-06 11:27 --------- d-----w c:\program files\DC++
    2008-12-01 18:57 --------- d-----w c:\documents and settings\Reko\Application Data\MozillaControl
    2008-12-01 17:16 --------- d-----w c:\program files\Common Files\Thraex Software
    2008-11-30 13:44 --------- d-----w c:\program files\free-downloads.net
    2008-10-28 15:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
    2008-10-28 15:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-02-29 17:21 22,328 ----a-w c:\documents and settings\Reko\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech SetPoint Event Manager (UNICODE)"="c:\program files\Logitech\SetPoint\SetPoint.exe" [2007-04-23 692224]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Steam"="c:\program files\steam\steam.exe" [2009-01-17 1410296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2008-12-26 00:08 86016 c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2008-11-07 14:31 21633320 c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2009-01-17 17:11 1410296 c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    --a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    --a------ 2007-04-11 15:32 56080 c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2008-09-30 18:01 16864768 c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "WLSetupSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    "TuneUp.ProgramStatisticsSvc"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    ".norton2009Reset"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
    "RGSC"=d:\rockstar games social club\RGSCLauncher.exe /silent
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nwiz"=nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "d:\\Rockstar Games Social Club\\RGSCLauncher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\r4xona\\counter-strike source\\hl2.exe"=
    "d:\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
    "d:\\Grand Theft Auto IV\\GTAIV.exe"=
    "d:\\Games\\Grid\\GRID.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-12 111184]
    R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-12 20560]
    R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-28 10640]
    S4 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\Norton2009Reset.exe [2009-01-08 280833]
    S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-01 603904]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-18 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {AD155396-C65F-4FBF-8525-AD564122DCA9} = 208.67.220.220,208.67.222.222
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\Reko Lamberg\Application Data\Mozilla\Firefox\Profiles\3xtgjken.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-18 17:50:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1844237615-1757981266-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:a7,24,5d,b0,af,ca,38,ec,7f,b4,86,a7,46,31,94,d3,02,bf,67,35,90,
    2b,f9,93,ed,6b,f1,ac,cd,79,08,41,90,ac,89,bf,0b,c4,4f,20,55,59,5d,a1,ea,a9,\
    "rkeysecu"=hex:0f,52,69,73,95,df,9f,75,e7,22,6a,97,35,5b,98,c2
    .
    Completion time: 2009-01-18 17:51:59
    ComboFix-quarantined-files.txt 2009-01-18 15:51:57

    Pre-Run: 15 341 621 248 bytes free
    Post-Run: 15,480,221,696 bytes free

    Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
    312 --- E O F --- 2009-01-16 16:21:45
     
  8. Hujo

    Hujo Guest

    Type the following into the Run box:

    ComboFix /u

    and click OK.

    ============

    Download OTMoveIt and save it to your desktop.

    Double-click OTMoveIt.exe.
    Click CleanUp!.
    Choose Yes when asked "Begin cleanup Process?".
    If you are asked whether the computer may be restarted, choose Yes. OTMoveIt removes itself when it is finished; if that does not happen, delete it yourself.

    NOTE: If your firewall or another security program warns that OTMoveIt is trying to access the internet, allow it.

    =============

    Download CCleaner from here:
    CCleaner v 2.14.750 - Standard Build. Do NOT install the Yahoo toolbar!
    During installation, untick the "Install Yahoo! toolbar" option.
    After installation, open CCleaner.
    Select Options from the column on the left.
    Select Settings from the column next to it.
    Under Language, choose Suomi (Finnish).

    Cleaner
    Select Cleaner from the column on the left.
    Press Analyze at the bottom.
    CCleaner now analyzes what can be removed (temp files, cookies, etc.).
    When the analysis is finished, press Run Cleaner.
    CCleaner now removes the temp files, cookies, etc. that it found.

    Fixing registry issues
    Select Registry from the column on the left.
    Press Scan for Issues at the bottom.
    When the scan is finished and you are sure you want to fix the items that are ticked, press Fix selected issues.
    You will be asked "Do you want to back up changes to the registry?"; press Yes. Save the backup somewhere such as the "My Documents" folder.
    In the new window that opens, click Fix All Selected Issues.
    You will get one more confirmation prompt; press OK.
    When the issues have been fixed, press Close.
    You can now close CCleaner by pressing the red X at the top right.
     
    Last edited by a moderator: Jan 18, 2009
  9. Rex999

    Rex999 Member

    Joined:
    Jan 18, 2009
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Yes, thanks a lot for the help. Is that it now, or should I still do something else?
     
  10. Hujo

    Hujo Guest

    How is the computer running?
     
  11. Rex999

    Rex999 Member

    Joined:
    Jan 18, 2009
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Yes, the computer works flawlessly. It no longer throws pop-up windows, I can get to the D: drive, and the Windows Update site works too :).
     
  12. Hujo

    Hujo Guest

    Then it's a little better.
     
