HJT and ComboFix logs. A lot of crap has already been cleaned off the machine.

COMBOFIX

ComboFix 08-06-09.7 - windows 2008-06-11 16:46:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.1143 [GMT 3:00]
Running from: C:\Documents and Settings\windows\Työpöytä\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMaf0c0dae.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\service.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\cpiusbrg.ini
C:\WINDOWS\system32\ctqtwuab.exe
C:\WINDOWS\system32\cuandtnx.ini
C:\WINDOWS\system32\fccbAttU.dll
C:\WINDOWS\system32\gdgryocw.ini
C:\WINDOWS\system32\hyjfdvur.ini
C:\WINDOWS\system32\urqNedDU.dll
C:\WINDOWS\system32\YGhjmnmp.ini
C:\WINDOWS\system32\YGhjmnmp.ini2
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-11 to 2008-06-11 )))))))))))))))))
.
2008-06-11 16:39 . 2008-06-11 16:39 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 16:01 . 2008-06-11 16:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 15:52 . 2008-06-11 15:52 <KANSIO> d-------- C:\Program Files\AusLogics Disk Defrag
2008-06-11 15:52 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-11 15:51 . 2008-06-11 15:52 <KANSIO> d-------- C:\Program Files\Java
2008-06-11 15:51 . 2008-06-11 15:51 <KANSIO> d-------- C:\Program Files\Common Files\Java
2008-06-11 15:50 . 2008-06-11 15:50 <KANSIO> d-------- C:\Program Files\7-Zip
2008-06-11 14:58 . 2008-06-11 14:58 <KANSIO> d-------- C:\Program Files\Godlike Developers
2008-06-11 14:56 . 2008-06-11 15:01 <KANSIO> d-------- C:\HJT
2008-06-11 14:28 . 2008-06-11 14:28 <KANSIO> d-------- C:\Program Files\Alwil Software
2008-06-11 14:04 . 2008-06-11 14:05 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 14:04 . 2008-06-11 14:04 <KANSIO> d-------- C:\Documents and Settings\windows\Application Data\Malwarebytes
2008-06-11 14:04 . 2008-06-11 14:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 14:04 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 14:04 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 13:49 . 2008-06-11 14:02 <KANSIO> d-------- C:\Program Files\CCleaner
2008-06-11 13:47 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:47 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-05 22:43 . 2008-06-06 13:26 <KANSIO> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-05 21:15 . 2008-06-05 21:15 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-05 19:07 . 2008-06-05 19:08 <KANSIO> d-------- C:\Program Files\Windows Defender
2008-06-04 11:25 . 2008-06-04 11:25 132,608 --a------ C:\WINDOWS\system32\xjvojtns.dll
2008-06-04 11:25 . 2008-06-04 11:25 116,736 --a------ C:\WINDOWS\system32\wcoyrgdg.dll
2008-06-04 11:22 . 2008-06-04 11:22 2,560 --a------ C:\WINDOWS\system32\ucydvcgp.exe
2008-06-04 11:20 . 2008-06-04 11:20 125,952 --a------ C:\WINDOWS\system32\qfpfuuib.dll
2008-06-02 08:59 . 2008-06-02 08:59 132,096 --a------ C:\WINDOWS\system32\eeejonvj.dll
2008-06-02 08:59 . 2008-06-02 08:59 2,560 --a------ C:\WINDOWS\system32\gnkjjakg.exe
2008-06-02 08:57 . 2008-06-02 08:57 126,464 --a------ C:\WINDOWS\system32\occqmfda.dll
2008-06-02 08:56 . 2008-06-02 14:57 3,423 --a------ C:\WINDOWS\is154890.exe
2008-05-31 18:53 . 2008-05-31 18:53 86,512 --a------ C:\Documents and Settings\Jasmina\setup1.exe
2008-05-27 21:30 . 2008-05-27 21:30 <KANSIO> d-------- C:\Program Files\PhotoFiltre
2008-05-27 12:43 . 2008-05-27 12:51 <KANSIO> d-------- C:\WINDOWS\system32\Adobe
2008-05-16 18:20 . 2008-05-16 18:52 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 13:41 --------- d-----w C:\Program Files\F-Secure
2008-06-11 13:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-11 13:27 --------- d-----w C:\Program Files\ExtraFilm Kotona
2008-06-11 12:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 12:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 11:22 --------- d--h--w C:\Program Files\Zero G Registry
2008-06-05 15:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\IVANOFF
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2006-02-26 07:31 2,689 -c--a-w C:\Program Files\INSTALL.LOG
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FFBF14F-C242-4D84-A08F-762DB92DA122}]
C:\WINDOWS\system32\pmnmjhGY.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2006-03-09 04:04 49152 C:\WINDOWS\system32\SiSPower.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [ ]
"ExtraFilmHemmaAgent"="C:\Program Files\ExtraFilm Kotona\Agent.exe" [2005-05-27 17:00 303104]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"Windows svchost"="service.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
S2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Common\FSfilter.sys []
S2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Common\fsgk.sys []
S2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Common\FSrec.sys []
S2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS []
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S4 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE []
S4 Fswsclds;F-Secure Windows Security Center Legacy Detection Service;C:\Program Files\F-Secure Anti-Virus\fswsclds.exe []

.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-11 13:59:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 16:57:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sistray.exe
.
**************************************************************************
.
Completion time: 2008-06-11 17:01:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 14:01:08

Pre-Run: 56,185,425,920 tavua vapaana
Post-Run: 57,284,636,672 tavua vapaana

171 --- E O F --- 2008-06-11 13:39:39

_________

HJT

Logfile of HijackThis v1.99.1
Scan saved at 17:41:31, on 11.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
O2 - BHO: (no name) - {0FFBF14F-C242-4D84-A08F-762DB92DA122} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D753BCCA-2921-49CF-81DC-9DE9E6970005}: NameServer = 80.95.128.10,80.95.128.11
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

____

In the Control Panel, besides Java, Java Plug-in 1.4.0_02 also shows up. How do I get it removed when there's no uninstaller to be found anywhere? In services.msc there are 3 F-Secure services even though it has been wiped from the machine. How are they removed? Also agent.exe is running. What kind of CFScript? The machine has several profiles. Do they need to be removed from the other profiles too?
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\system32\pmnmjhGY.dll
^ Should those be added to that CFScript too? Why didn't Hujo tell me to put all those .dll files + the others into the CFScript here: http://keskustelu.afterdawn.com/message_reply.cfm?thread_id=672408&forum_id=198&quote_id=4093487 ? That _MSRSTRT.EXE file apparently doesn't need to be removed. Info: http://www.wilderssecurity.com/showthread.php?t=81428
These are two different machines, and if I could fix it myself I wouldn't be asking for help. They are at completely different addresses.
http://keskustelu.afterdawn.com/thread_view.cfm/672704#4092882 So follow those instructions with combofix.exe, and after that post a new HJT log and the combofix.exe log.
Now the CFScript has been run and avast reinstalled. Here's the ComboFix log

ComboFix 08-06-09.7 - windows 2008-06-12 14:50:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.1144 [GMT 3:00]
Running from: C:\SIIVOUS\ComboFix.exe
Command switches used :: C:\SIIVOUS\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Jasmina\setup1.exe
C:\WINDOWS\is154890.exe
C:\WINDOWS\system32\eeejonvj.dll
C:\WINDOWS\system32\gnkjjakg.exe
C:\WINDOWS\system32\occqmfda.dll
C:\WINDOWS\system32\qfpfuuib.dll
C:\WINDOWS\system32\ucydvcgp.exe
C:\WINDOWS\system32\wcoyrgdg.dll
C:\WINDOWS\system32\xjvojtns.dll
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jasmina\setup1.exe
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\is154890.exe
C:\WINDOWS\system32\eeejonvj.dll
C:\WINDOWS\system32\gnkjjakg.exe
C:\WINDOWS\system32\occqmfda.dll
C:\WINDOWS\system32\qfpfuuib.dll
C:\WINDOWS\system32\ucydvcgp.exe
C:\WINDOWS\system32\wcoyrgdg.dll
C:\WINDOWS\system32\xjvojtns.dll
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-12 to 2008-06-12 )))))))))))))))))
.
2008-06-12 14:48 . 2008-06-12 14:48 <KANSIO> d-------- C:\Program Files\VideoLAN
2008-06-11 17:47 . 2008-06-12 14:50 <KANSIO> d-------- C:\SIIVOUS
2008-06-11 17:02 . 2008-06-11 17:02 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja
2008-06-11 17:02 . <KANSIO> C:\Documents and Settings\Järjestelmänvalvoja\Local Settings
2008-06-11 17:02 . <KANSIO> C:\Documents and Settings\Järjestelmänvalvoja\Local Settings
2008-06-11 16:39 . 2008-06-11 16:39 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 15:52 . 2008-06-11 15:52 <KANSIO> d-------- C:\Program Files\AusLogics Disk Defrag
2008-06-11 15:52 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-11 15:51 . 2008-06-11 15:52 <KANSIO> d-------- C:\Program Files\Java
2008-06-11 15:51 . 2008-06-11 15:51 <KANSIO> d-------- C:\Program Files\Common Files\Java
2008-06-11 15:50 . 2008-06-11 15:50 <KANSIO> d-------- C:\Program Files\7-Zip
2008-06-11 14:58 . 2008-06-11 14:58 <KANSIO> d-------- C:\Program Files\Godlike Developers
2008-06-11 14:56 . 2008-06-11 17:41 <KANSIO> d-------- C:\HJT
2008-06-11 14:28 . 2008-06-11 14:28 <KANSIO> d-------- C:\Program Files\Alwil Software
2008-06-11 14:04 . 2008-06-11 14:05 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 14:04 . 2008-06-11 14:04 <KANSIO> d-------- C:\Documents and Settings\windows\Application Data\Malwarebytes
2008-06-11 14:04 . 2008-06-11 14:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 14:04 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 14:04 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 13:49 . 2008-06-11 14:02 <KANSIO> d-------- C:\Program Files\CCleaner
2008-06-11 13:47 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:47 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-05 22:43 . 2008-06-06 13:26 <KANSIO> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-05 21:15 . 2008-06-05 21:15 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-05 19:07 . 2008-06-05 19:08 <KANSIO> d-------- C:\Program Files\Windows Defender
2008-05-27 21:30 . 2008-05-27 21:30 <KANSIO> d-------- C:\Program Files\PhotoFiltre
2008-05-27 12:43 . 2008-05-27 12:51 <KANSIO> d-------- C:\WINDOWS\system32\Adobe
2008-05-16 18:20 . 2008-05-16 18:52 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 11:46 --------- d-----w C:\Program Files\MSN Apps
2008-06-11 13:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-11 13:27 --------- d-----w C:\Program Files\ExtraFilm Kotona
2008-06-11 12:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 12:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 11:22 --------- d--h--w C:\Program Files\Zero G Registry
2008-06-05 15:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\IVANOFF
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2006-02-26 07:31 2,689 -c--a-w C:\Program Files\INSTALL.LOG
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2006-03-09 04:04 49152 C:\WINDOWS\system32\SiSPower.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"ExtraFilmHemmaAgent"="C:\Program Files\ExtraFilm Kotona\Agent.exe" [2005-05-27 17:00 303104]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"Windows svchost"="service.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
S2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-12 11:55:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 14:53:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-12 14:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 11:57:05
ComboFix2.txt 2008-06-11 14:01:14

Pre-Run: 58,871,894,016 tavua vapaana
Post-Run: 58,854,387,712 tavua vapaana

166 --- E O F --- 2008-06-11 13:39:39

----

Here's the HJT

Logfile of HijackThis v1.99.1
Scan saved at 14:57:39, on 12.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D753BCCA-2921-49CF-81DC-9DE9E6970005}: NameServer = 80.95.128.10,80.95.128.11
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-----

Here's the Malwarebytes log too.

Malwarebytes' Anti-Malware 1.17
Tietokantaversio: 846

16:16:15 12.6.2008
mbam-log-6-12-2008 (16-16-15).txt

Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistetut kohteet: 103961
Kulunut aika: 37 minute(s), 55 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 3
Saastuneita rekisteriarvoja: 1
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 13

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
C:\Documents and Settings\Jasmina\Omat tiedostot\'.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Jasmina\setup1.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\service.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ctqtwuab.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccbAttU.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqNedDU.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56DDBDFD-E3EC-4CB1-9A9F-4A4688F4C36E}\RP182\A0152117.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56DDBDFD-E3EC-4CB1-9A9F-4A4688F4C36E}\RP189\A0153203.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56DDBDFD-E3EC-4CB1-9A9F-4A4688F4C36E}\RP189\A0153206.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56DDBDFD-E3EC-4CB1-9A9F-4A4688F4C36E}\RP189\A0153207.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56DDBDFD-E3EC-4CB1-9A9F-4A4688F4C36E}\RP189\A0153208.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56DDBDFD-E3EC-4CB1-9A9F-4A4688F4C36E}\RP190\A0154357.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

NOTE: THE HJT LOG WAS TAKEN BEFORE RUNNING MALWAREBYTES.
Disabling System Restore

You can disable System Restore as follows:
1. Click the Start button, right-click the My Computer icon and then choose Properties.
2. Select the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box) and then click OK.
4. Click Yes when prompted to confirm that you want to turn off System Restore.

Download Atribune's ATF Cleaner

Instructions:
Double-click ATF-Cleaner.exe to start the program.
Under Main, select: Select All
Click the Empty Selected option.

If you use Firefox as your browser
Click Firefox at the top and select: Select All
Click the Empty Selected option.
NOTE: If you would like to keep your saved passwords, click No when it asks.

If you use Opera as your browser
Click Opera at the top and select: Select All
Click the Empty Selected option again.
NOTE: If you would like to keep your saved passwords, click No when it asks.

Click Exit in the main menu to close the program.

After those steps, post a new HJT log, and also scan again with Malwarebytes and post its log if it finds anything.
Logfile of HijackThis v1.99.1
Scan saved at 15:05:02, on 16.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ExtraFilm Kotona\Agent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\ExtraFilm Kotona\Agent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D753BCCA-2921-49CF-81DC-9DE9E6970005}: NameServer = 80.95.128.10,80.95.128.11
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--------

Malwarebytes' Anti-Malware 1.17
Tietokantaversio: 846

15:42:25 16.6.2008
mbam-log-6-16-2008 (15-42-25).txt

Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistetut kohteet: 100905
Kulunut aika: 21 minute(s), 12 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 0

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
(Haitallisia kohteita ei löydetty)

_____________________________________________________________________

Could you still check that this one is clean, because Hujo stopped halfway through after thinking the machines were the same.
http://keskustelu.afterdawn.com/thread_view.cfm/672408#4091667