
Could the keylogger be Ardamax?

Discussion in 'Viruses and Malware - HijackThis logs' started by Kennyy, Feb 12, 2008.

  1. Kennyy

    Kennyy Member

    Joined:
    Feb 12, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    I had problems getting hold of the AVG log, so I took screenshots of the quarantine list:


    ======================================================================

    Hjt:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:32:23, on 15.2.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.59.164.62:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 cmicnfg3.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://asdasd.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2006.12.27.cab
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
    O20 - Winlogon Notify: hblogon - hblogon.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Mabinogi\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 8506 bytes

    ======================================================================

    ComboFix:

    ComboFix 08-02-13.1 - Käyttäjä 2008-02-15 20:34:32.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.1571 [GMT 2:00]
    Running from: C:\Documents and Settings\Käyttäjä\Työpöytä\Virustorjunta\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-01-15 to 2008-02-15 )))))))))))))))))
    .

    2008-02-15 20:25 . 2008-02-15 20:25 112,147 --a------ C:\avg3.jpg
    2008-02-15 20:25 . 2008-02-15 20:25 108,899 --a------ C:\avg4.jpg
    2008-02-15 20:22 . 2008-02-15 20:22 72,019 --a------ C:\avg.jpg
    2008-02-15 20:22 . 2008-02-15 20:22 44,702 --a------ C:\avg2.jpg
    2008-02-15 17:09 . 2008-02-15 17:09 <KANSIO> d-------- C:\Documents and Settings\Käyttäjä\Application Data\Grisoft
    2008-02-15 17:08 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-15 16:56 . 2008-02-15 16:56 <KANSIO> d-------- C:\kav
    2008-02-14 05:32 . 2008-02-14 05:32 0 --a------ C:\23990098.$$$
    2008-02-13 22:33 . 2008-02-13 22:35 <KANSIO> d-------- C:\Bases
    2008-02-13 22:32 . 2008-02-13 22:38 <KANSIO> d-------- C:\Kaspersky
    2008-02-13 22:07 . 2008-02-13 22:07 <KANSIO> d-------- C:\Program Files\CCleaner
    2008-02-13 19:23 . 2008-02-13 19:23 <KANSIO> d-------- C:\Documents and Settings\Käyttäjä\DoctorWeb
    2008-02-13 19:23 . 2008-02-13 19:23 <KANSIO> d-------- C:\Documents and Settings\Käyttäjä\DoctorWeb
    2008-02-13 19:20 . 2008-02-13 19:20 <KANSIO> d-------- C:\Program Files\Dr. Web CureIt
    2008-02-13 00:59 . 2008-02-13 00:59 <KANSIO> d-------- C:\RegSeeker
    2008-02-12 23:47 . 2008-02-12 23:47 209,008 --a------ C:\WINDOWS\system32\kbhookdll.dll
    2008-02-12 23:47 . 2008-02-12 23:47 102,912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
    2008-02-12 21:40 . 2008-02-12 21:40 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-02-12 21:34 . 2008-02-12 21:34 <KANSIO> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-12 21:34 . 2008-02-13 02:46 <KANSIO> d-------- C:\Documents and Settings\Käyttäjä\Application Data\AVG7
    2008-02-12 21:33 . 2008-02-15 17:08 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-12 21:33 . 2008-02-12 21:35 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-02-12 20:46 . 2007-12-15 06:48 90,112 --a------ C:\WINDOWS\system32\XCoreLib.dll
    2008-02-04 15:28 . 2008-02-13 22:38 <KANSIO> d-------- C:\Downloads
    2008-02-02 22:01 . 2008-02-02 22:05 <KANSIO> d-------- C:\Program Files\Desktop Screen Record 5
    2008-02-02 13:52 . 2007-10-20 15:01 <KANSIO> d-------- C:\Program Files\FretsOnFire
    2008-01-31 23:25 . 2008-01-31 23:25 <KANSIO> d-------- C:\Program Files\Common Files\INCA Shared
    2008-01-31 23:23 . 2008-01-31 23:23 <KANSIO> d-------- C:\Nexon
    2008-01-31 16:33 . 2008-01-31 16:33 <KANSIO> d-------- C:\Program Files\Perfect World
    2008-01-29 21:31 . 2008-01-29 21:31 <KANSIO> d-------- C:\WINDOWS\system32\LogFiles
    2008-01-29 21:31 . 2008-01-29 21:31 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-01-29 21:31 . 2008-01-29 21:31 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-01-29 21:31 . 2008-01-29 21:31 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-01-29 21:31 . 2008-01-29 21:31 22,328 --a------ C:\Documents and Settings\Käyttäjä\Application Data\PnkBstrK.sys
    2008-01-29 21:31 . 2008-01-29 21:31 308 --a------ C:\WINDOWS\game.ini
    2008-01-29 21:26 . 2008-01-31 01:26 <KANSIO> d-------- C:\Program Files\Call of Duty 4 - Modern Warfare
    2008-01-29 20:18 . 2008-01-29 20:35 <KANSIO> d-------- C:\Program Files\Crysis
    2008-01-28 00:50 . 2008-01-28 00:50 <KANSIO> d-------- C:\Documents and Settings\Käyttäjä\Application Data\Clickteam
    2008-01-28 00:47 . 2008-02-05 14:33 <KANSIO> d-------- C:\Program Files\Multimedia Fusion 2
    2008-01-21 17:43 . 2008-01-21 17:43 11,736 --a------ C:\pldecal.wad
    2008-01-21 17:39 . 2008-01-21 17:42 <KANSIO> d-------- C:\Program Files\Wally
    2008-01-20 22:24 . 2008-01-20 22:28 <KANSIO> d-------- C:\Documents and Settings\Käyttäjä\Application Data\Command & Conquer 3 Tiberium Wars
    2008-01-20 15:00 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
    2008-01-20 14:55 . 2008-01-20 14:55 <KANSIO> d-------- C:\Program Files\Electronic Arts

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-15 18:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 18:28 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
    2008-02-15 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-02-15 15:18 --------- d-----w C:\Program Files\mIRC617
    2008-02-13 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-13 13:12 --------- d-----w C:\Program Files\BSplayer_WhenUSave_Installer
    2008-02-13 00:00 4,208 ----a-w C:\Documents and Settings\Käyttäjä\Application Data\wklnhst.dat
    2008-02-12 23:45 --------- d-----w C:\Program Files\Cheat Engine
    2008-02-12 22:07 --------- d-----w C:\Program Files\Spyware Doctor
    2008-02-12 19:08 51,072 ----a-w C:\WINDOWS\system32\drivers\ikhlayer.sys
    2008-02-12 11:20 --------- d-----w C:\Documents and Settings\Käyttäjä\Application Data\Azureus
    2008-02-04 13:28 --------- d-----w C:\Program Files\AmazingMIDI
    2008-02-04 13:28 --------- d-----w C:\Documents and Settings\Käyttäjä\Application Data\GetRightToGo
    2008-01-31 21:23 --------- d-s---w C:\Program Files\Mabinogi Taiwan
    2008-01-29 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-23 14:24 --------- d-----w C:\Program Files\Wizet
    2008-01-21 21:29 412,906 ----a-w C:\Program Files\AAA Real Recorder.rar
    2008-01-20 19:19 --------- d-----w C:\Program Files\Azureus
    2008-01-20 13:03 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-01-12 19:54 --------- d-----w C:\Program Files\Peggle
    2008-01-12 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-01-12 19:53 --------- d-----w C:\Program Files\BFG
    2008-01-10 20:06 --------- d-----w C:\Program Files\ZSNes
    2008-01-10 14:19 --------- d-----w C:\Documents and Settings\Käyttäjä\Application Data\TeamViewer
    2008-01-10 14:16 --------- d-----w C:\Program Files\TeamViewer3
    2008-01-03 14:01 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
    2008-01-03 14:01 --------- d-----w C:\Program Files\Hamachi
    2008-01-03 14:01 --------- d-----w C:\Documents and Settings\Käyttäjä\Application Data\Hamachi
    2007-12-26 16:26 --------- d-----w C:\Program Files\DC++
    2007-12-24 17:09 --------- d-----w C:\Program Files\Portal
    2007-12-22 20:09 --------- d-----w C:\Program Files\Winamp
    2007-12-21 18:17 --------- d-----w C:\Program Files\DivX
    2007-12-19 22:27 --------- d-----w C:\Program Files\GALA-NET
    2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-11-15 12:47 203,264 ----a-w C:\WINDOWS\system32\zk_sc.scr
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 14:00 15360]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-02-12 21:08 2115728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 15:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 21:07 7110656]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
    "NvMediaCenter"="NvMCTray.dll" [2005-07-20 21:07 86016 C:\WINDOWS\system32\nvmctray.dll]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-09-15 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "zzsecagent"="" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
    "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
    "CmPCIaudio"="cmicnfg3.cpl" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-12 21:35 579072]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 14:00 15360]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-02-12 21:08 2115728]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-12 21:33 219136]

    C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "AllowLegacyWebView"= 1 (0x1)
    "AllowUnhashedWebView"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
    hblogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Bluetooth Manager.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Iolo Macro Magic.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Käynnistä-valikko^Ohjelmat^Käynnistys^Service Manager.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^Käyttäjä^Käynnistä-valikko^Ohjelmat^Käynnistys^Chronice.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00saskda]
    --a------ 2006-06-06 14:01 1541120 C:\Program Files\1st Security Agent\newadmin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer]
    C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2005-12-10 16:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e-Border Credential]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.5]
    --a------ 2007-02-12 13:50 1870848 C:\Program Files\Novosoft\Handy Backup\hbagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 11:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2005-07-20 21:07 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
    --a------ 2007-11-12 17:45 38128 C:\program files\ncsoft\launcher\NCLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxHome]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
    --a------ 2008-02-12 21:08 2115728 C:\Program Files\Spyware Doctor\swdoctor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2007-12-05 15:28 1266936 C:\Program Files\Valve\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

    R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
    R2 npkcmsvc;npkcmsvc;C:\Program Files\Mabinogi\npkcmsvc.exe [2007-05-16 13:15]
    R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2005-04-14 17:42]
    R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2005-04-14 17:42]
    R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 12:56]
    S2 anysee;anysee USB type Tuner(2005.04.25.D010313);C:\WINDOWS\system32\DRIVERS\anyseeTU.sys [2005-04-25 12:40]
    S3 CEDRIVER52;CEDRIVER52;C:\Program Files\Cheat Engine\dbk32.sys [2006-10-27 19:13]
    S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [2006-10-27 19:13]
    S3 DADriv1;DADriv1;C:\Shared Files\Maple Hacks\DAEngine\DAK32.sys []
    S3 danny1;danny1;C:\Shared Files\Maple Hacks\Danny Engine\danny.sys []
    S3 DISK_DRIVE32;DISK_DRIVE32;C:\Shared Files\Maple Hacks\UCE\disk_1024.sys []
    S3 Dua1;Dua1;F:\Shared Files\Maple Hacks\DualEngine2\DualEngi.sys [2006-10-02 11:43]
    S3 EAGLE1;EAGLE1;C:\Shared Files\Maple Hacks\Google Engine\google32.sys []
    S3 fspio;fspio;C:\WINDOWS\system32\drivers\fspio.sys [2001-03-08 17:10]
    S3 geebers12;geebers12;C:\Shared Files\Maple Hacks\Buffy Engine\nvid888.sys []
    S3 iCheat1;iCheat1;C:\Shared Files\Maple Hacks\iCheat13\nvid999.sys []
    S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;F:\Shared Files\Maple Hacks\MoonLight Engine 1129.1\IlvMoney1129.sys [2007-10-17 21:19]
    S3 jamilah;jamilah;C:\Shared Files\Maple Hacks\jamilah.sys []
    S3 ¥Õ¥Ø°ê¤¤¥Í1;¥Õ¥Ø°ê¤¤¥Í1;C:\Shared Files\Maple Hacks\VE5 1032\nvid999.sys []
    S3 NUBBER;NUBBER;C:\Shared Files\Maple Hacks\NubEngine\nubbk32.sys []
    S3 saruen;saruen;C:\Shared Files\Maple Hacks\saruengang101se\saruen.sys []
    S3 scskusbf;USB SCSK Filter Driver Service;C:\WINDOWS\system32\drivers\scskusbf.sys [2007-03-31 14:21]
    S3 scskusbs;USB SCSK Driver Service;C:\WINDOWS\system32\drivers\scskusbs.sys [2007-03-31 14:21]
    S3 sejt1;sejt1;C:\Shared Files\Maple Hacks\AkumaEngine33\sejt.sys []
    S3 serb1;serb1;F:\Shared Files\Maple Hacks\Serbio Engine\serbio.sys [2006-06-29 19:49]
    S3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2005-06-20 09:12]
    S3 SoRa01;SoRa01;C:\Shared Files\Maple Hacks\SoRa Remak Engine 2.6\SoRa.sys []
    S3 spuce1;spuce1;F:\Shared Files\Maple Hacks\SPUCEREV878able\SPUCE\spuce.sys [2006-11-28 21:13]
    S3 sys_com001;sys_com001;C:\Shared Files\Maple Hacks\SysComEngine_1059\syscom.sys []
    S3 TEMPLEVER;TEMPLEVER;C:\Shared Files\Maple Hacks\Templery Engine\damainzor.sys []
    S3 uzeil1;uzeil1;C:\Shared Files\Maple Hacks\Mini Engine\Mini Engine\uzeil.sys []
    S3 Visual1;Visual1;C:\Shared Files\Maple Hacks\Visual Engine\Visual.sys []
    S3 zenx1;zenx1;C:\Shared Files\Maple Hacks\ZenxEngine_LATEST\zenx.sys []

    *Newly Created Service* - AVGASCLN
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-15 20:38:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-15 20:41:32
    ComboFix-quarantined-files.txt 2008-02-15 18:41:30
    ComboFix2.txt 2008-02-13 00:29:25
    ComboFix3.txt 2008-02-13 00:22:39
    ComboFix4.txt 2008-02-12 23:20:05
    ComboFix5.txt 2008-02-12 22:16:46
    .
    2008-01-22 15:07:46 --- E O F ---
     
  2. Hujo

    Hujo Guest

    I assume you deleted the AVG Anti-Spyware findings permanently?

    ============

    Scan with HJT, tick these and press Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O20 - Winlogon Notify: hblogon - hblogon.dll (file missing)

    ============

    Java update and cache clearing:

    1. Click Start -> Control Panel and double-click Add or Remove Programs in the Control Panel.
    2. Find all your old Java versions in the list. (J2SE Runtime Environment.... )
    They should have the following icon next to them:

    3. Select all your old Java versions and choose Remove.
    4. Install the latest Java update from the following link..
    5. Restart the computer after the installation:

    http://java.sun.com/javase/downloads/index.jsp

    Scroll down to Java Runtime Environment (JRE) 6u4

    Click Download

    Tick Accept, choose the offline installation, save it to the desktop for example, and install it.

    6. After the restart, go back to the Control Panel and open your Java settings (Other Control Panel Options -> Java coffee cup).

    7. Under the General Settings section, drag the slider (Disk Space) lower and click the Delete Files button.

    (Some Java-based programs may need more disk space.
    If you notice the computer is slow after reducing the setting, move the slider higher.)

    8. Make sure both of the options are ticked:

    *Applications and Applets

    *Trace and Log Files

    And press the OK button

    9. Click OK in your "Temporary Files Settings" window.

    10. Click OK to leave your Java settings window.
     
    Last edited by a moderator: Feb 15, 2008
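The reply above asks for two specific lines from the posted HijackThis log to be ticked and fixed. The script below is an added example, not part of this thread or of HijackThis itself: it parses HJT v2 entry lines and applies a few common log-helper rules (empty R0/R1 values and dangling O20 Winlogon Notify entries are "fix"; a configured IE proxy, an unrecognised O10 Winsock LSP and an O23 service with unknown owner are "review"). The sample lines are copied from the log posted above; the rule names, the `Finding` type and the fix/review split are my own choices.

```python
"""Triage HijackThis (HJT) v2 log entries.

Added example for the thread above; the rule set is mine, not HJT's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    action: str   # "fix" = tick in HJT and press "Fix checked"; "review" = verify first
    reason: str
    line: str


# Constructed sample: a subset of the R/O lines from the HJT log posted above.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.59.164.62:80",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O20 - Winlogon Notify: hblogon - hblogon.dll (file missing)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
])

# Every HJT entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def classify(line: str):
    """Return a Finding for one HJT entry line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    # R0/R1 are Internet Explorer registry settings. An entry with an empty
    # value is harmless clutter; helpers have it fixed so the log stays clean.
    if section in ("R0", "R1") and body.rstrip().endswith("="):
        return Finding("fix", "empty IE setting", line)
    # A proxy server configured in IE: either the user set it, or something did.
    if section == "R1" and "ProxyServer" in body:
        return Finding("review", "IE proxy server configured; confirm the user set it", line)
    # O20 Winlogon Notify DLLs are loaded by winlogon.exe at logon, a classic
    # persistence point. A registered DLL that no longer exists is a dangling
    # entry that should be removed.
    if section == "O20" and "(file missing)" in body:
        return Finding("fix", "Winlogon Notify entry whose DLL is missing", line)
    # O10: a Winsock LSP HJT could not identify. Removing LSP entries by hand
    # can break networking, so this is review only.
    if section == "O10":
        return Finding("review", "unrecognised Winsock LSP", line)
    # O23: a service without a known vendor; check the binary before deciding.
    if section == "O23" and "Unknown owner" in body:
        return Finding("review", "service with unknown owner", line)
    return None


def triage(log_text: str):
    """All findings for a log, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def fix_lines(log_text: str):
    """The lines to tick in HijackThis before pressing 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.reason}: {f.line}")
```

Run against the sample, `fix_lines` returns exactly the two lines the reply names (the empty Local Page entry and the missing hblogon.dll Winlogon Notify entry); the proxy, LSP and unknown-owner service entries come back as "review" because a log alone does not say whether they are legitimate.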
  3. Kennyy

    Kennyy Member

    I did delete the files AVG found, yes.
    I also just did all those HJT and Java steps.

    Edit:

    I noticed that Ardamax's official site has a program that removes all keyloggers made with that program.
    Since Ardamax is a commercial program, I can probably trust it when it reported "Ardamax Keylogger not found."

    Thanks a lot for the help anyway, I think I can now use my computer with peace of mind without scanning any more. I've also noticed that the computer now boots much faster than before, after all these steps, so thanks for that too.
     
    Last edited: Feb 15, 2008
  4. Hujo

    Hujo Guest

    Delete these in Safe Mode:

    C:\Program Files\BSplayer_WhenUSave_Installer
    C:\WINDOWS\system32\kbhookdll.dll <-- make hidden files visible first

    ==========

    Download OTMoveIt and save it to your desktop.

    Double-click OTMoveIt.exe.
    Click CleanUp!.
    Choose Yes when asked "Begin cleanup Process?".
    If you are asked whether the computer may be restarted, choose Yes. OTMoveIt removes itself when it is done; if that does not happen, delete it yourself.

    NOTE: If your firewall or some other security program warns that OTMoveIt is trying to access the internet, let it through.
     
    Last edited by a moderator: Feb 15, 2008
