So it all started when I downloaded Autodata from a certain site. When the download finished, my antivirus program (Kaspersky Internet Security 7.0.1.321) reported a trojan in that program's folder and also in the KIS 7.0 folder. I ran a full scan with KIS and deleted the trojans. Now KIS reports: "incorrect key activation date. System date was possibly changed". ComboFix has also been run. So here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:05, on 26.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4934 bytes
Remove those. Also uninstall the application SweetIM Toolbar for Internet Explorer / SWEETIE, whatever it calls itself, and in Safe Mode delete the folder C:\Program Files\SweetIM

===========

Download Malwarebytes' Anti-Malware to your desktop.

1. Double-click mbam-setup.exe and follow the prompts to install the program.
2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, the program downloads and installs the latest version.
4. Once the program has loaded, select Perform full scan and click Scan.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure everything is checked and click Remove Selected.
7. After this the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found here: C:\Documents and Settings\<username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-<date>.txt
8. Post the contents of the log in your next reply.
Yep, I deleted that SweetIM folder. It did not help with the problem! Here is the Malwarebytes log anyway. Would it make sense to reinstall KIS..?

Malwarebytes' Anti-Malware 1.25
Tietokantaversio: 1087
Windows 5.1.2600 Service Pack 2

15:22:27 26.8.2008
mbam-log-08-26-2008 (15-22-27).txt

Tarkistustyyppi: Täysi tarkistus (C:\|D:\|)
Tarkistetut kohteet: 63129
Kulunut aika: 20 minute(s), 0 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 0

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
(Haitallisia kohteita ei löydetty)
Download SDFix by AndyManchesta and save it to your desktop.

Boot your computer into Safe Mode: shut down and, while it starts up, tap the F8 key; choose Safe Mode with the arrow keys; press Enter, then Enter again; select your user account; press Yes. On some computers you tap F5 instead of F8.

- Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
- Open the SDFix folder and double-click RunThis.bat to start the tool.
- Press Y to start the script.
- The tool cleans the trojan's services and also makes some fixes to the registry. At the end it asks you to reboot: "Press any key to Reboot".
- Press any key and the computer restarts.
- Startup takes longer than usual because SDFix is cleaning the machine.
- When the machine has started and the desktop has loaded, SDFix reports that the cleanup is complete: "Finished".
- Then press any key to close the script and load the desktop icons.
- Finally, open the SDFix folder (on the desktop) and copy & paste the contents of Report.txt into your thread together with a new HijackThis log.

============

1. Download combofix.exe to your desktop from one of these links: combofix1 combofix2
2. Double-click combofix.exe and follow the prompts.
3. When the tool is finished, it produces a log. Post this log in your thread.

Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
SDFix: Version 1.219
Run by Marvin on ti 26.08.2008 at 16:14

Microsoft Windows XP [versio 5.1.2600]
Running From: C:\Documents and Settings\Marvin\Työpöytä\sdfix\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :
No Trojan Files Found

Folder C:\Documents and Settings\Marvin\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 16:35:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:39,c5,e9,07,59,2a,84,33,38,55,95,b9,27,71,b1,5f,57,e9,d0,17,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,31,89,7a,2b,bf,47,75,e3,59,e0,13,e4,6f,bf,af,01,97,..
"khjeh"=hex:7d,7c,a2,9f,eb,3f,6d,68,bc,59,e9,42,f8,0a,1a,8e,a6,49,fe,bb,99,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c8,14,ac,36,15,31,06,07,09,4c,be,89,ac,00,a2,b0,1a,a3,e6,65,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:39,c5,e9,07,59,2a,84,33,38,55,95,b9,27,71,b1,5f,57,e9,d0,17,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,31,89,7a,2b,bf,47,75,e3,59,e0,13,e4,6f,bf,af,01,97,..
"khjeh"=hex:7d,7c,a2,9f,eb,3f,6d,68,bc,59,e9,42,f8,0a,1a,8e,a6,49,fe,bb,99,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c8,14,ac,36,15,31,06,07,09,4c,be,89,ac,00,a2,b0,1a,a3,e6,65,54,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{173D12A7-6289-0DF6-3A4C-E5A5D56EF796}]
"hahplenlecochpln"=hex:61,61,00,7c
"jahplenlecochplnmmap"=hex:63,61,67,6a,67,6b,00,7c
"papnkmianhdmihcjngjfbcanbjpicgmm"=hex:64,61,63,69,6b,62,62,63,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

Files with Hidden Attributes :

Wed 18 Jun 2008 72 ..SH. --- "C:\WINDOWS\S06D9BB16.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 16 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 19 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8ebe3d089c557669dfffb95dff25f32f\BIT5.tmp"
Wed 28 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\960b17240cd5888c9f5e18f8a9de5ecd\BIT5.tmp"

Finished!

That's the SDFix report, and here comes the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:12, on 26.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4930 bytes

Thanks in advance for the help.
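In the log above the three SweetIM registrations (the R3 URLSearchHook, the O2 BHO and the O3 toolbar) now read "(file missing)": deleting the folder by hand left the registry entries behind, which is why they still appear and why ComboFix later lists the same CLSIDs under ORPHANS REMOVED. As an added example (not part of this thread, and not code from HijackThis), the following Python script parses HJT entry lines of this kind and lists the registrations whose file is gone, grouped by the directory they pointed at. The sample lines are copied from the HJT log posted above; the Entry class, the parser and the orphan rule are this example's own and are not how HijackThis itself works internally.

```python
"""Parse HijackThis (HJT) entry lines and flag orphaned registrations.

Added example for this thread; not part of HijackThis or of any post here.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of lines copied from the HJT log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")


@dataclass
class Entry:
    code: str             # HJT section code: R0, O2, O4, O23, ...
    kind: str             # entry type: BHO, Toolbar, URLSearchHook, Service, HKLM\..\Run
    name: str             # display name or Run value name
    clsid: Optional[str]  # COM class id, when the entry has one
    target: str           # file, command or URL the registration points at
    orphan: bool          # HJT marked the target "(file missing)" or "(no file)"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT entry line; header and process-list lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None

    if clsid:
        # "<kind>: <name> - {CLSID} - <target>": split on the CLSID itself so a
        # target path that happens to contain " - " stays intact.
        head, _, target = rest.partition(clsid)
        head, target = head.rstrip(" -"), target.lstrip(" -")
    elif code.startswith("R"):
        # "HKCU\...\Main,Start Page = http://..."
        head, _, target = rest.partition(" = ")
    elif " - " in rest:
        # "Service: <name> - <vendor> - <path>": the path is the last field
        # (a path that itself contains " - " would need an extra rule).
        head, _, target = rest.rpartition(" - ")
    else:
        head, target = rest, ""

    kind, sep, name = head.partition(": ")
    if not sep:
        kind, name = "", head
    if code == "O23":
        name = name.partition(" - ")[0]   # drop the vendor field
    if name.startswith("["):
        # O4 autostart: "[<value name>] <command line>"
        name, _, target = name[1:].partition("] ")

    orphan = target.endswith("(file missing)") or target == "(no file)"
    return Entry(code, kind, name, clsid, target, orphan)


def parse_hjt(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Registrations whose file is gone: the usual leftovers after a folder
    was deleted by hand, and the entries a cleanup still has to fix."""
    return [e for e in entries if e.orphan]


def orphans_by_directory(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group orphan CLSIDs by the directory they pointed at, so the pieces of
    one add-on (here the three SweetIM components) show up together."""
    groups: Dict[str, List[str]] = {}
    for e in orphaned_entries(entries):
        key = ntpath.dirname(e.target) or e.target
        groups.setdefault(key, []).append(e.clsid or e.name)
    return groups


if __name__ == "__main__":
    for e in orphaned_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{e.code:<4}{e.kind:<14}{e.name:<40}{e.target}")
```

Run on the sample, the script lists the four orphans (the three SweetIM CLSIDs under C:\Program Files\SweetIM\Toolbars\Internet Explorer plus the nameless BHO with no file), while the Adobe, Kaspersky and Nokia entries, whose files are present, are left out.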
Here is the ComboFix log as well.

ComboFix 08-08-25.01 - Marvin 2008-08-26 17:31:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.531 [GMT 3:00]
Running from: C:\Documents and Settings\Marvin\Työpöytä\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-07-26 to 2008-08-26 )))))))))))))))))
.
2008-08-26 17:43 . 2008-08-26 17:43 268 --ah----- C:\sqmdata07.sqm
2008-08-26 17:43 . 2008-08-26 17:43 244 --ah----- C:\sqmnoopt07.sqm
2008-08-26 17:06 . 2008-08-26 17:19 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-26 17:06 . 2008-08-26 17:19 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-26 17:06 . 2008-08-26 17:06 268 --ah----- C:\sqmdata06.sqm
2008-08-26 17:06 . 2008-08-26 17:06 244 --ah----- C:\sqmnoopt06.sqm
2008-08-26 17:04 . 2008-08-26 17:23 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-26 17:04 . 2008-08-26 17:43 899,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-26 17:04 . 2008-08-26 17:43 10,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-26 17:04 . 2008-08-26 17:43 6,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-26 17:04 . 2008-08-26 17:43 1,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-26 16:51 . 2008-08-26 16:51 268 --ah----- C:\sqmdata05.sqm
2008-08-26 16:51 . 2008-08-26 16:51 244 --ah----- C:\sqmnoopt05.sqm
2008-08-26 16:12 . 2008-08-26 16:13 <KANSIO> d-------- C:\WINDOWS\ERUNT
2008-08-26 16:06 . 2008-08-26 16:06 268 --ah----- C:\sqmdata04.sqm
2008-08-26 16:06 . 2008-08-26 16:06 244 --ah----- C:\sqmnoopt04.sqm
2008-08-26 14:57 . 2008-08-26 16:09 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja
2008-08-26 14:50 . 2008-08-26 14:50 268 --ah----- C:\sqmdata03.sqm
2008-08-26 14:50 . 2008-08-26 14:50 244 --ah----- C:\sqmnoopt03.sqm
2008-08-26 13:03 . 2008-08-26 13:03 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-08-26 11:52 . 2008-08-26 11:52 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-26 11:52 . 2008-08-26 11:52 <KANSIO> d-------- C:\Documents and Settings\Marvin\Application Data\Malwarebytes
2008-08-26 11:52 . 2008-08-26 11:52 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-26 11:52 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-26 11:52 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 15:42 . 2008-08-16 15:42 <KANSIO> d-------- C:\Program Files\Windows Media Connect 2
2008-08-16 15:40 . 2008-08-16 15:40 <KANSIO> d-------- C:\WINDOWS\system32\LogFiles
2008-08-16 15:40 . 2008-08-18 18:26 <KANSIO> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-04 23:15 . 2004-09-14 16:11 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-04 23:15 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-04 23:15 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-04 23:15 . 2001-10-05 16:31 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-02 19:41 . 2008-08-02 19:41 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Autodata Limited
2008-08-02 19:38 . 2008-08-02 19:38 <KANSIO> d-------- C:\Program Files\Common Files\Autodata Limited Shared
2008-07-28 00:02 . 2008-07-28 00:02 268 --ah----- C:\sqmdata02.sqm
2008-07-28 00:02 . 2008-07-28 00:02 244 --ah----- C:\sqmnoopt02.sqm
2008-07-26 22:53 . 2008-07-26 22:53 268 --ah----- C:\sqmdata01.sqm
2008-07-26 22:53 . 2008-07-26 22:53 244 --ah----- C:\sqmnoopt01.sqm
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 14:44 --------- d-----w C:\Program Files\ViStart
2008-08-26 14:24 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-26 14:22 --------- d-----w C:\Documents and Settings\Marvin\Application Data\uTorrent
2008-08-26 14:19 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-08-26 13:55 --------- d-----w C:\Program Files\Windows Live
2008-08-26 13:53 --------- d-----w C:\Program Files\SlySoft
2008-08-26 13:53 --------- d-----w C:\Program Files\Elaborate Bytes
2008-08-26 13:53 --------- d-----w C:\Program Files\Ashampoo
2008-08-26 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-08-26 09:15 --------- d-----w C:\Program Files\Vista Sidebar
2008-08-18 15:27 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Nokia
2008-08-18 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-16 12:47 --------- d-----w C:\Program Files\Winamp
2008-08-16 12:46 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Winamp
2008-07-23 14:27 --------- d-----w C:\Documents and Settings\Marvin\Application Data\PC Suite
2008-07-23 14:26 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-23 14:26 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-23 14:23 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-23 14:23 --------- d-----w C:\Program Files\Nokia
2008-07-23 14:23 --------- d-----w C:\Program Files\DIFX
2008-07-23 14:23 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-23 14:23 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-23 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-09 14:53 --------- d-----w C:\Program Files\Java
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:40 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-27 14:06 315,392 ----a-w C:\WINDOWS\HideWin.exe
.
------- Sigcheck -------
2005-03-02 21:13 2059264 01f49730c2d76aad87c4d2b2dd4e12e2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 19:08 2061696 8bacc2a67078823acab7c8306f394918 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-09-14 16:19 2059136 e6cbe47b5ea01ce981e4663900f04a15 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 21:08 2059136 1c09a92e5a1c21ca1ad367f13f9b5a9d C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 19:02 2070272 cc7dd434d738f8ecdcefa962296d13bf C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe
2005-03-02 21:13 2181888 6e55b15ee58a0eaaaf20db1f4da39add C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 19:08 2184448 7ff07a634379ee2fd2b097fd76c49bfc C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-09-14 16:08 2183296 2a8e38e78177bf83c73897511a4eecd0 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 21:08 2181632 ae8d156d1028fba3939609f4c39eb1f1 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 19:02 2193024 384056a003d4b564a38bc81f6b64a850 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\system32\VITrans\ntoskrnl.exe
2007-06-13 16:22 1424384 6cb031502907d2c13b4ad3322adb6434 C:\WINDOWS\explorer.exe
2007-06-13 16:10 1033728 fb53c3b1e17f62e8fcb07caaf4c4272e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-09-14 16:12 1032704 43c0b3d357f319875a51bc111f393147 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\system32\VITrans\explorer.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-20 01:27 65536]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-11-26 19:27 593920]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-11-19 13:01 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 12:33 16132608 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-14 16:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 15:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 12:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-10 05:06]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
BHO-{EEE6C35C-6118-11DC-9C72-001320C79847} - (no file)
Toolbar-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\7l09z1lq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=fi
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 17:44:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
.
**************************************************************************
.
Completion time: 2008-08-26 17:49:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 14:49:49
ComboFix2.txt 2008-08-26 09:37:07

Pre-Run: 13,434,429,440 tavua vapaana
Post-Run: 13,475,598,336 tavua vapaana

173 --- E O F --- 2008-08-24 20:24:39
Here is the ComboFix log as well.

ComboFix 08-08-25.01 - Marvin 2008-08-26 17:31:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.531 [GMT 3:00]
Running from: C:\Documents and Settings\Marvin\Työpöytä\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-07-26 to 2008-08-26 )))))))))))))))))
.
2008-08-26 17:43 . 2008-08-26 17:43 268 --ah----- C:\sqmdata07.sqm
2008-08-26 17:43 . 2008-08-26 17:43 244 --ah----- C:\sqmnoopt07.sqm
2008-08-26 17:06 . 2008-08-26 17:19 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-26 17:06 . 2008-08-26 17:19 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-26 17:06 . 2008-08-26 17:06 268 --ah----- C:\sqmdata06.sqm
2008-08-26 17:06 . 2008-08-26 17:06 244 --ah----- C:\sqmnoopt06.sqm
2008-08-26 17:04 . 2008-08-26 17:23 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-26 17:04 . 2008-08-26 17:43 899,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-26 17:04 . 2008-08-26 17:43 10,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-26 17:04 . 2008-08-26 17:43 6,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-26 17:04 . 2008-08-26 17:43 1,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-26 16:51 . 2008-08-26 16:51 268 --ah----- C:\sqmdata05.sqm
2008-08-26 16:51 . 2008-08-26 16:51 244 --ah----- C:\sqmnoopt05.sqm
2008-08-26 16:12 . 2008-08-26 16:13 <KANSIO> d-------- C:\WINDOWS\ERUNT
2008-08-26 16:06 . 2008-08-26 16:06 268 --ah----- C:\sqmdata04.sqm
2008-08-26 16:06 . 2008-08-26 16:06 244 --ah----- C:\sqmnoopt04.sqm
2008-08-26 14:57 . 2008-08-26 16:09 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja
2008-08-26 14:50 . 2008-08-26 14:50 268 --ah----- C:\sqmdata03.sqm
2008-08-26 14:50 . 2008-08-26 14:50 244 --ah----- C:\sqmnoopt03.sqm
2008-08-26 13:03 . 2008-08-26 13:03 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-08-26 11:52 . 2008-08-26 11:52 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-26 11:52 . 2008-08-26 11:52 <KANSIO> d-------- C:\Documents and Settings\Marvin\Application Data\Malwarebytes
2008-08-26 11:52 . 2008-08-26 11:52 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-26 11:52 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-26 11:52 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 15:42 . 2008-08-16 15:42 <KANSIO> d-------- C:\Program Files\Windows Media Connect 2
2008-08-16 15:40 . 2008-08-16 15:40 <KANSIO> d-------- C:\WINDOWS\system32\LogFiles
2008-08-16 15:40 . 2008-08-18 18:26 <KANSIO> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-04 23:15 . 2004-09-14 16:11 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-04 23:15 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-04 23:15 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-04 23:15 . 2001-10-05 16:31 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-02 19:41 . 2008-08-02 19:41 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Autodata Limited
2008-08-02 19:38 . 2008-08-02 19:38 <KANSIO> d-------- C:\Program Files\Common Files\Autodata Limited Shared
2008-07-28 00:02 . 2008-07-28 00:02 268 --ah----- C:\sqmdata02.sqm
2008-07-28 00:02 . 2008-07-28 00:02 244 --ah----- C:\sqmnoopt02.sqm
2008-07-26 22:53 . 2008-07-26 22:53 268 --ah----- C:\sqmdata01.sqm
2008-07-26 22:53 . 2008-07-26 22:53 244 --ah----- C:\sqmnoopt01.sqm
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 14:44 --------- d-----w C:\Program Files\ViStart
2008-08-26 14:24 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-26 14:22 --------- d-----w C:\Documents and Settings\Marvin\Application Data\uTorrent
2008-08-26 14:19 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-08-26 13:55 --------- d-----w C:\Program Files\Windows Live
2008-08-26 13:53 --------- d-----w C:\Program Files\SlySoft
2008-08-26 13:53 --------- d-----w C:\Program Files\Elaborate Bytes
2008-08-26 13:53 --------- d-----w C:\Program Files\Ashampoo
2008-08-26 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-08-26 09:15 --------- d-----w C:\Program Files\Vista Sidebar
2008-08-18 15:27 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Nokia
2008-08-18 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-16 12:47 --------- d-----w C:\Program Files\Winamp
2008-08-16 12:46 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Winamp
2008-07-23 14:27 --------- d-----w C:\Documents and Settings\Marvin\Application Data\PC Suite
2008-07-23 14:26 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-23 14:26 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-23 14:23 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-23 14:23 --------- d-----w C:\Program Files\Nokia
2008-07-23 14:23 --------- d-----w C:\Program Files\DIFX
2008-07-23 14:23 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-23 14:23 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-23 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-09 14:53 --------- d-----w C:\Program Files\Java
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:40 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-27 14:06 315,392 ----a-w C:\WINDOWS\HideWin.exe
.
------- Sigcheck -------
2005-03-02 21:13 2059264 01f49730c2d76aad87c4d2b2dd4e12e2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 19:08 2061696 8bacc2a67078823acab7c8306f394918 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-09-14 16:19 2059136 e6cbe47b5ea01ce981e4663900f04a15 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 21:08 2059136 1c09a92e5a1c21ca1ad367f13f9b5a9d C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 19:02 2070272 cc7dd434d738f8ecdcefa962296d13bf C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe
2005-03-02 21:13 2181888 6e55b15ee58a0eaaaf20db1f4da39add C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 19:08 2184448 7ff07a634379ee2fd2b097fd76c49bfc C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-09-14 16:08 2183296 2a8e38e78177bf83c73897511a4eecd0 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 21:08 2181632 ae8d156d1028fba3939609f4c39eb1f1 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 19:02 2193024 384056a003d4b564a38bc81f6b64a850 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\system32\VITrans\ntoskrnl.exe
2007-06-13 16:22 1424384 6cb031502907d2c13b4ad3322adb6434 C:\WINDOWS\explorer.exe
2007-06-13 16:10 1033728 fb53c3b1e17f62e8fcb07caaf4c4272e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-09-14 16:12 1032704 43c0b3d357f319875a51bc111f393147 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\system32\VITrans\explorer.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-20 01:27 65536]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-11-26 19:27 593920]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-11-19 13:01 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 12:33 16132608 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-14 16:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 15:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 12:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-10 05:06]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
BHO-{EEE6C35C-6118-11DC-9C72-001320C79847} - (no file)
Toolbar-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\7l09z1lq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=fi
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 17:44:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
.
**************************************************************************
.
Completion time: 2008-08-26 17:49:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 14:49:49
ComboFix2.txt 2008-08-26 09:37:07

Pre-Run: 13,434,429,440 tavua vapaana
Post-Run: 13,475,598,336 tavua vapaana

173 --- E O F --- 2008-08-24 20:24:39

Referring back to the first message in the thread: Kaspersky still isn't sorting itself out.. I have already reinstalled it, but the fault is still the same..? Any suggestions..?
Scan with HJT, check these and press Fix checked:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

===============

Download OTMoveIt and save it to your desktop.
Double-click OTMoveIt.exe.
Click CleanUp!.
Choose Yes when asked "Begin cleanup Process?".
If you are asked whether the computer may be restarted, choose Yes. OTMoveIt removes itself once it is finished; if this does not happen, delete it yourself.
NOTE: If your firewall or some other security program warns that OTMoveIt is trying to access the internet, let it through.
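As an added illustration, not code from the thread or from HijackThis itself: a small Python parser for HijackThis O2/O3/O4 lines that flags entries whose referenced file HijackThis reported as "(no file)" or "(file missing)". Those are the orphaned BHO and toolbar registrations that the reply above marks for Fix checked; the O4 Java updater entry is listed for a different reason and is not flagged by this check. The sample log is constructed from the entries quoted in the reply, and the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis entries quoted in the reply above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
"""


@dataclass
class HjtEntry:
    """One parsed HijackThis line (hypothetical helper type, not a HijackThis API)."""
    section: str          # HijackThis section code: O2, O3, O4, ...
    name: str             # BHO/toolbar display name, or the Run value name for O4
    clsid: Optional[str]  # CLSID for O2/O3 entries, None for O4
    target: str           # file reference exactly as HijackThis printed it
    orphan: bool          # True when HijackThis says the referenced file is gone


# O2 (BHO) and O3 (toolbar) lines: "<code> - <kind>: <name> - {CLSID} - <file>"
_O2_O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O4 (autorun) lines: "O4 - <hive\..\Run>: [<value name>] <command>"
_O4 = re.compile(r"^(O4) - (.*?): \[(.*?)\] (.*)$")


def _is_orphan(target: str) -> bool:
    """HijackThis marks a missing file with one of two trailing annotations."""
    t = target.strip().lower()
    return t.endswith("(no file)") or t.endswith("(file missing)")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse O2/O3/O4 lines; other section codes are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _O2_O3.match(line)
        if m:
            section, name, clsid, target = m.groups()
            entries.append(HjtEntry(section, name, clsid, target, _is_orphan(target)))
            continue
        m = _O4.match(line)
        if m:
            section, _hive, name, target = m.groups()
            entries.append(HjtEntry(section, name, None, target, _is_orphan(target)))
    return entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Entries whose file no longer exists: dead registrations worth cleaning up."""
    return [e for e in parse_hjt(text) if e.orphan]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_HJT_LOG):
        print(f"{e.section} {e.clsid} {e.name!r}: {e.target}")
```

The orphan check is deliberately limited to what the log itself states; it does not touch the registry or the filesystem, so it can be run over a pasted log on any machine.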