Veli avasi puolihuolimattomasti messengerissä tuon messenger-viruksen levittämän linkin ja nyt kone takkuaa viimeistä päivää. Itse saa sitä millään pois. Tässä on HJT-logi, jos joku ystävällisesti auttaisi: Logfile of HijackThis v1.99.1 Scan saved at 22:25:59, on 17.6.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE C:\Program Files\Norman\Npm\Bin\Zanda.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\NJEEVES.EXE C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE C:\Program Files\Norman\Nvc\bin\nvcoas.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\ATI-CPanel\atiptaxx.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Norman\Npm\bin\ZLH.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\atwtusb.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\acersv.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Norman\Nvc\BIN\NIP.EXE C:\Program Files\Norman\Nvc\bin\cclaw.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\svchost.exe C:\HijackThis\scanner.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: (no name) - {13894FD6-D2FA-462B-A4E1-B5C0CB4280E3} - C:\WINDOWS\system32\ljJCrooP.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: {b0c21e79-4c87-41f9-a664-d7d3e4429d99} - {99d9244e-3d7d-466a-9f14-78c497e12c0b} - C:\WINDOWS\system32\mrdfivjf.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - C:\WINDOWS\system32\cbXQjjJC.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Windows Acer Service ] acersv.exe O4 - HKLM\..\Run: [e00f1633] rundll32.exe "C:\WINDOWS\system32\mnhqyvwm.dll",b O4 - HKLM\..\Run: [BMe33c25af] Rundll32.exe "C:\WINDOWS\system32\anmjeiyt.dll",s O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - Global Startup: Adobe Gamma Loader.lnk = ? O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Lähetä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Läh&etä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181489975082 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: cbXQjjJC - C:\WINDOWS\SYSTEM32\cbXQjjJC.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
1. Lataa Combofix.exe työpöydällesi jommastakummasta linkistä: Combofix.exe Combofix.exe Avaa Muistio ja kopioi/liitä Lainaus: laatikon sisältö sinne: Tallenna nimellä CFScript (itse asiassa combofix tunnistaa tuon vaikka tiedostopääte ei olisi edes .txt). Sitten raahaa ja pudota CFScript ComboFix.exeen kuten alla.(Älä klikkaa) Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen. Käynnistä kone uudelleen, jos niin pyydetään ja lähetä combofix.txt-tiedoston sisältö tänne. Sammuta selain ja muut ohjelmat Fixin ajaksi. (ei virustorjuntaa) Käynnistä HijackThis:ja Scan ja ruksaa seuraavat punaisella listatut tiedostot sekä poista ne.(fix Chekked) O2 - BHO: (no name) - {13894FD6-D2FA-462B-A4E1-B5C0CB4280E3} - C:\WINDOWS\system32\ljJCrooP.dll O2 - BHO: {b0c21e79-4c87-41f9-a664-d7d3e4429d99} - {99d9244e-3d7d-466a-9f14-78c497e12c0b} - C:\WINDOWS\system32\mrdfivjf.dll O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - C:\WINDOWS\system32\cbXQjjJC.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Windows Acer Service ] acersv.exe O4 - HKLM\..\Run: [e00f1633] rundll32.exe "C:\WINDOWS\system32\mnhqyvwm.dll",b O4 - HKLM\..\Run: [BMe33c25af] Rundll32.exe "C:\WINDOWS\system32\anmjeiyt.dll",s O20 - Winlogon Notify: cbXQjjJC - C:\WINDOWS\SYSTEM32\cbXQjjJC.dll Tyhjennä roskakori ja käynnistä koneesi uudelleen. Postita tänne seuraavat lokit: * Tuore HijackThis loki (Otetaan viimeisenä ennen postitusta) * (C:\ComboFix.txt) raportti *
ComboFix-raportti: ComboFix 08-06-16.5 - Teemu 2008-06-18 0:50:54.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.533 [GMT 3:00] Running from: C:\Documents and Settings\Teemu\Työpöytä\ComboFix.exe Command switches used :: C:\Documents and Settings\Teemu\Työpöytä\CFScript.txt * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\acersv.exe C:\Windows\mservice.exe C:\WINDOWS\service.exe C:\WINDOWS\system32\anmjeiyt.dll C:\WINDOWS\system32\cbXQjjJC.dll C:\WINDOWS\system32\ljJCrooP.dll C:\WINDOWS\system32\mnhqyvwm.dll C:\WINDOWS\system32\mrdfivjf.dll C:\WINDOWS\winudspm.exe . (((((((((((((((((((((((((((((((((((((( Muut poistot )))))))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\acersv.exe C:\WINDOWS\BMe33c25af.xml C:\WINDOWS\pskt.ini C:\WINDOWS\system32\abunemba.dll C:\WINDOWS\system32\anmjeiyt.dll C:\WINDOWS\system32\byXOhHaY.dll C:\WINDOWS\system32\cbXQjjJC.dll C:\WINDOWS\system32\iifDsTNe.dll C:\WINDOWS\system32\ljJCrooP.dll C:\WINDOWS\system32\ljJCttSM.dll C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mnhqyvwm.dll C:\WINDOWS\system32\mrdfivjf.dll C:\WINDOWS\system32\mwvyqhnm.ini C:\WINDOWS\system32\ovnmnnrt.ini C:\WINDOWS\system32\pcmqtumq.ini C:\WINDOWS\system32\PoorCJjl.ini C:\WINDOWS\system32\PoorCJjl.ini2 C:\WINDOWS\system32\qgtdipts.ini C:\WINDOWS\system32\stpidtgq.dll C:\WINDOWS\system32\vtUlLdcD.dll C:\WINDOWS\system32\vtUmKARJ.dll C:\WINDOWS\system32\wwkomomi.dll C:\WINDOWS\system32\xwheiqeo.dll C:\WINDOWS\system32\xxyxYsQk.dll C:\WINDOWS\system32\ytxtkvvc.dll . ((((( Tiedostot, jotka on luotu seuraavalla aikav„lill„: 2008-05-17 to 2008-06-17 ))))))))))))))))) . 2008-06-17 22:25 . 2008-06-17 22:25 <KANSIO> d-------- C:\HijackThis 2008-06-17 22:13 . 2008-06-18 00:32 33,792 --------- C:\is1551932.exe 2008-06-17 13:13 . 2008-06-17 13:13 0 --a------ C:\WINDOWS\system32\ovnmnnrt.tmp 2008-06-16 22:19 . 2008-06-17 13:12 345 --ahs---- C:\WINDOWS\system32\lRrtvGgh.ini 2008-06-16 22:14 . 2008-06-17 14:19 2,231 --a------ C:\iss.exe 2008-06-16 20:28 . 2008-06-16 20:28 <KANSIO> d-------- C:\Program Files\Lavasoft 2008-06-16 20:28 . 2008-06-16 20:29 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-16 19:30 . 2008-06-16 19:30 31,280 --a------ C:\is.exe 2008-06-11 11:59 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-08 13:39 . 2008-06-08 13:39 <KANSIO> d-------- C:\Program Files\SystemRequirementsLab 2008-06-05 08:44 . 2008-06-05 08:49 <KANSIO> d-------- C:\Program Files\Movie Joiner 2008-06-03 15:41 . 2008-06-05 08:47 <KANSIO> d--h----- C:\Documents and Settings\Teemu\DG 2008-05-27 23:27 . 2008-05-27 23:53 <KANSIO> d-------- C:\Program Files\DAEMON Tools 2008-05-27 23:24 . 2008-05-27 23:24 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys . (((((((((((((((((((((((((((((((((((( Find3M-raportti )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-17 22:00 --------- d-----w C:\Program Files\Norman 2008-06-17 19:11 --------- d-----w C:\Program Files\Steam 2008-06-17 11:18 47,918 ----a-w C:\Documents and Settings\Teemu\Application Data\wklnhst.dat 2008-06-16 17:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-10 22:41 --------- d-----w C:\Documents and Settings\Juho\Application Data\uTorrent 2008-06-01 16:05 --------- d-----w C:\Program Files\RevConnect 2008-05-23 15:29 366 ----a-w C:\Documents and Settings\Kaisa\Application Data\wklnhst.dat 2008-05-21 09:55 --------- d-----w C:\Documents and Settings\Teemu\Application Data\Kingston 2008-05-18 21:01 --------- d-----w C:\Program Files\DivX 2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-05-15 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2008-05-13 01:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2008-05-13 01:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe 2008-05-13 01:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe 2008-05-13 01:51 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2008-05-13 01:51 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2008-05-13 01:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2008-05-09 15:05 --------- d-----w C:\Program Files\Paint.NET 2008-05-09 13:30 --------- d-----w C:\Program Files\Registry Helper 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-04 09:03 --------- d-----w C:\Program Files\EA Games 2008-05-04 09:00 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-02 10:04 --------- d-----w C:\Program Files\Common Files\Adobe 2008-05-02 10:01 --------- d-----w C:\Program Files\Common Files\Adobe AIR 2008-05-02 10:01 --------- d-----w C:\Program Files\Adobe Media Player 2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-27 15:17 --------- d-----w C:\Program Files\Electronic Arts 2008-04-26 00:07 1,636 ----a-w C:\Documents and Settings\Juho\Application Data\wklnhst.dat 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-04-19 15:39 --------- d-----w C:\Program Files\Winamp 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys 2007-10-05 21:12 56,144 ----a-w C:\Documents and Settings\Teemu\Application Data\GDIPFONTCACHEV1.DAT 2007-10-04 19:10 814 ----a-w C:\Documents and Settings\Jussi\Application Data\wklnhst.dat 2008-02-12 20:22 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . (((((((((((((((((((((((((((((( Rekisterin k„ynnistyskohteet ))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Huom* Tyhji„ arvoja ja laillisia oletusarvoja ei n„ytet„ [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 02:12 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:34 68856] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [2004-08-12 21:10 339968] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "NWEReboot"="" [] "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648] "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393] "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960] "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592] "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152] "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112] "Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352] "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 03:11 50688] "EnvyHFCPL"="C:\Program Files\Envy24\EnMixCPL.exe" [2003-10-26 22:25 1314816] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048] "atwtusb"="atwtusb.exe" [2005-09-21 19:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "Windows Acer Service "="acersv.exe" [] "e00f1633"="C:\WINDOWS\system32\mnhqyvwm.dll" [ ] "BMe33c25af"="C:\WINDOWS\system32\anmjeiyt.dll" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-15 02:12 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQjjJC] cbXQjjJC.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.divxa32"= msaud32_divx.acm "msacm.ac3filter"= ac3filter.acm [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"= "C:\\Program Files\\Steam\\Steam.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\The All-Seeing Eye\\eye.exe"= "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"= "C:\\WINDOWS\\system32\\dpvsetup.exe"= "C:\\Program Files\\Steam\\steamapps\\juhop638\\counter-strike\\hl.exe"= "C:\\Program Files\\Steam\\steamapps\\juhop638\\day of defeat\\hl.exe"= "C:\\Program Files\\Steam\\steamapps\\juhop638\\condition zero\\hl.exe"= "C:\\Program Files\\mIRC\\mirc.exe"= "C:\\Program Files\\B2BPOKER\\Pokerihuone\\jre\\bin\\javaw.exe"= "C:\\Documents and Settings\\Juho\\Omat tiedostot\\Pelit\\CS 2D\\CounterStrike2D.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\B2BPOKER\\Pokerimaa\\jre\\bin\\javaw.exe"= "C:\\Program Files\\B2BPOKER\\Club4Aces.com\\jre\\bin\\javaw.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55] R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 15:45] R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2003-10-26 22:24] R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-05-21 10:34] R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-05-22 14:54] R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23] S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 17:02] S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 22:50] . 'Ajoitetut teht„v„t'-kansion sis„lt” "2008-06-12 12:51:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-18 01:01:30 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\drivers\mchInjDrv.sys 2560 bytes executable scan completed successfully hidden files: 1 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Norman\Npm\Bin\elogsvc.exe C:\Program Files\Norman\Npm\Bin\Zanda.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Norman\Npm\Bin\Njeeves.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Norman\NVC\bin\Nip.exe C:\Program Files\Norman\NVC\bin\CClaw.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2008-06-18 1:09:19 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-17 22:09:15 Pre-Run: 37,381,484,544 tavua vapaana Post-Run: 38,134,566,912 tavua vapaana 217 --- E O F --- 2008-06-11 13:51:54
Ja HJT-loki: Logfile of HijackThis v1.99.1 Scan saved at 1:23:06, on 18.6.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE C:\Program Files\Norman\Npm\Bin\Zanda.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\NJEEVES.EXE C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE C:\Program Files\Norman\Nvc\bin\nvcoas.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\ATI-CPanel\atiptaxx.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Norman\Npm\bin\ZLH.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Norman\Nvc\BIN\NIP.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Norman\Nvc\bin\cclaw.exe C:\WINDOWS\system32\atwtusb.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\HijackThis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - Startup: OneNote 2007 -näyttöleikkeet ja Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = ? O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Lähetä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Läh&etä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181489975082 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
1. Lataa Combofix.exe työpöydällesi jommastakummasta linkistä: Combofix.exe Combofix.exe Avaa Muistio ja kopioi/liitä Lainaus: laatikon sisältö sinne: Tallenna nimellä CFScript (itse asiassa combofix tunnistaa tuon vaikka tiedostopääte ei olisi edes .txt). Sitten raahaa ja pudota CFScript ComboFix.exeen kuten alla.(Älä klikkaa) Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen. Käynnistä kone uudelleen, jos niin pyydetään ja lähetä combofix.txt-tiedoston sisältö tänne. Sammuta selain ja muut ohjelmat Fixin ajaksi. (ei virustorjuntaa) Käynnistä HijackThis:ja Scan ja ruksaa seuraavat punaisella listatut tiedostot sekä poista ne.(fix Chekked) O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Tyhjennä roskakori ja käynnistä koneesi uudelleen. Postita tänne seuraavat lokit: * Tuore HijackThis loki (Otetaan viimeisenä ennen postitusta) * (C:\ComboFix.txt) raportti *
ComboFix-raportti: ComboFix 08-06-16.5 - Teemu 2008-06-18 11:13:33.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.576 [GMT 3:00] Running from: C:\Documents and Settings\Teemu\Työpöytä\ComboFix.exe Command switches used :: C:\Documents and Settings\Teemu\Työpöytä\CFScript.txt * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\is.exe C:\is1551932.exe C:\iss.exe . (((((((((((((((((((((((((((((((((((((( Muut poistot )))))))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\is.exe C:\is1551932.exe C:\iss.exe . ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-18 to 2008-06-18 ))))))))))))))))) . 2008-06-17 22:25 . 2008-06-18 01:23 <KANSIO> d-------- C:\HijackThis 2008-06-17 13:13 . 2008-06-17 13:13 0 --a------ C:\WINDOWS\system32\ovnmnnrt.tmp 2008-06-16 22:19 . 2008-06-17 13:12 345 --ahs---- C:\WINDOWS\system32\lRrtvGgh.ini 2008-06-16 20:28 . 2008-06-16 20:28 <KANSIO> d-------- C:\Program Files\Lavasoft 2008-06-16 20:28 . 2008-06-16 20:29 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-11 11:59 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-08 13:39 . 2008-06-08 13:39 <KANSIO> d-------- C:\Program Files\SystemRequirementsLab 2008-06-05 08:44 . 2008-06-05 08:49 <KANSIO> d-------- C:\Program Files\Movie Joiner 2008-06-03 15:41 . 2008-06-05 08:47 <KANSIO> d--h----- C:\Documents and Settings\Teemu\DG 2008-05-27 23:27 . 2008-05-27 23:53 <KANSIO> d-------- C:\Program Files\DAEMON Tools 2008-05-27 23:24 . 2008-05-27 23:24 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys . (((((((((((((((((((((((((((((((((((( Find3M-raportti )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-18 07:36 --------- d-----w C:\Program Files\Norman 2008-06-17 19:11 --------- d-----w C:\Program Files\Steam 2008-06-17 11:18 47,918 ----a-w C:\Documents and Settings\Teemu\Application Data\wklnhst.dat 2008-06-16 17:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-10 22:41 --------- d-----w C:\Documents and Settings\Juho\Application Data\uTorrent 2008-06-01 16:05 --------- d-----w C:\Program Files\RevConnect 2008-05-23 15:29 366 ----a-w C:\Documents and Settings\Kaisa\Application Data\wklnhst.dat 2008-05-21 09:55 --------- d-----w C:\Documents and Settings\Teemu\Application Data\Kingston 2008-05-18 21:01 --------- d-----w C:\Program Files\DivX 2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-05-15 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2008-05-13 01:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2008-05-13 01:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe 2008-05-13 01:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe 2008-05-13 01:51 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2008-05-13 01:51 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2008-05-13 01:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2008-05-09 15:05 --------- d-----w C:\Program Files\Paint.NET 2008-05-09 13:30 --------- d-----w C:\Program Files\Registry Helper 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-04 09:03 --------- d-----w C:\Program Files\EA Games 2008-05-04 09:00 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-02 10:04 --------- d-----w C:\Program Files\Common Files\Adobe 2008-05-02 10:01 --------- d-----w C:\Program Files\Common Files\Adobe AIR 2008-05-02 10:01 --------- d-----w C:\Program Files\Adobe Media Player 2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-27 15:17 --------- d-----w C:\Program Files\Electronic Arts 2008-04-26 00:07 1,636 ----a-w C:\Documents and Settings\Juho\Application Data\wklnhst.dat 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-04-19 15:39 --------- d-----w C:\Program Files\Winamp 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys 2007-10-05 21:12 56,144 ----a-w C:\Documents and Settings\Teemu\Application Data\GDIPFONTCACHEV1.DAT 2007-10-04 19:10 814 ----a-w C:\Documents and Settings\Jussi\Application Data\wklnhst.dat 2008-02-12 20:22 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-18_ 1.09.02.59 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-17 22:00:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-18 07:36:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat . (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet ))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 02:12 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 16:34 68856] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [2004-08-12 21:10 339968] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "NWEReboot"="" [] "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648] "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393] "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960] "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592] "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152] "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112] "Norman ZANDA"="C:\Program Files\Norman\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352] "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 03:11 50688] "EnvyHFCPL"="C:\Program Files\Envy24\EnMixCPL.exe" [2003-10-26 22:25 1314816] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048] "atwtusb"="atwtusb.exe" [2005-09-21 19:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-15 02:12 15360] C:\Documents and Settings\Jussi\K„ynnist„-valikko\Ohjelmat\K„ynnistys\ OneNote 2007 -n„ytt”leikkeet ja Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632] C:\Documents and Settings\Teemu\K„ynnist„-valikko\Ohjelmat\K„ynnistys\ OneNote 2007 -n„ytt”leikkeet ja Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632] C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-10 21:18:54 113664] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.divxa32"= msaud32_divx.acm "msacm.ac3filter"= ac3filter.acm [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"= "C:\\Program Files\\Steam\\Steam.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\The All-Seeing Eye\\eye.exe"= "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"= "C:\\WINDOWS\\system32\\dpvsetup.exe"= "C:\\Program Files\\Steam\\steamapps\\juhop638\\counter-strike\\hl.exe"= "C:\\Program Files\\Steam\\steamapps\\juhop638\\day of defeat\\hl.exe"= "C:\\Program Files\\Steam\\steamapps\\juhop638\\condition zero\\hl.exe"= "C:\\Program Files\\mIRC\\mirc.exe"= "C:\\Program Files\\B2BPOKER\\Pokerihuone\\jre\\bin\\javaw.exe"= "C:\\Documents and Settings\\Juho\\Omat tiedostot\\Pelit\\CS 2D\\CounterStrike2D.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\B2BPOKER\\Pokerimaa\\jre\\bin\\javaw.exe"= "C:\\Program Files\\B2BPOKER\\Club4Aces.com\\jre\\bin\\javaw.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= R2 Ndiskio;Ndiskio;C:\Program Files\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55] R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 15:45] R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2003-10-26 22:24] R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-05-21 10:34] R3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\bin\nvcoas.exe [2007-05-22 14:54] R3 NVCScheduler;Norman Virus Control Scheduler;C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23] S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 17:02] S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 22:50] *Newly Created Service* - CATCHME . 'Ajoitetut tehtävät'-kansion sisältö "2008-06-12 12:51:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-18 11:16:44 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-06-18 11:18:46 ComboFix-quarantined-files.txt 2008-06-18 08:18:26 ComboFix2.txt 2008-06-17 22:09:20 Pre-Run: 38,119,444,480 tavua vapaana Post-Run: 38,109,298,688 tavua vapaana 173 --- E O F --- 2008-06-11 13:51:54 HJT-loki: Logfile of HijackThis v1.99.1 Scan saved at 11:26:29, on 18.6.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE C:\Program Files\Norman\Npm\Bin\Zanda.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\NJEEVES.EXE C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE C:\Program Files\Norman\Nvc\bin\nvcoas.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\ATI-CPanel\atiptaxx.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Norman\Npm\bin\ZLH.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\atwtusb.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Norman\Nvc\BIN\NIP.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Norman\Nvc\bin\cclaw.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\System32\wbem\wmiprvse.exe C:\HijackThis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - Startup: OneNote 2007 -näyttöleikkeet ja Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = ? O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Lähetä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Läh&etä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181489975082 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
Alkaako kone tuntua jonkin verran paremmalta? ****************************************** Kirjoita windowsin käynnistävalikon suorita-kenttään ComboFix.exe /u paina OK *************************************************************************** Lataa Malwarebytes' Anti-Malware työpöydällesi. * Tuplaklikkaa mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman. * Lopuksi varmistu, että seuraavat on valittu: Päivitä Malwarebytes' Anti-Malware ja Käynnistä Malwarebytes' Anti-Malware ja sen jälkeen klikkaa Lopeta. * Jos päivitys löytyy. ohjelma lataa ja asentaa uusimman version. * Kun ohjelma on latautunut, valitse Suorita täysi tarkistus ja klikkaa Tarkista. * Kun skanni on valmis, klikkaa OK ja sitten Näytä tulokset nähdäksesi tulokset. * Varmistu, että kaikki on merkitty ja klikkaa Poista valitut. * Tämän jälkeen loki avautuu muistioon. Tallenna se paikkaan, josta löydät sen helposti. Loki löytyy myös täältä: C:\Documents and Settings\Käyttäjänimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt * Lähetä lokin sisältö seuraavassa viestissäsi + uusi hjt-loki.
Kyllä nyt pyörii jo paremmin. Kiitos vain tuhannesti avusta. Lähetän lisää lokia kunhan tuo Malwarebytes' on pyörinyt.
Tässä näitä nyt olisi. Ensin Malawarebytes'in loki: Malwarebytes' Anti-Malware 1.17 Tietokantaversio: 867 12:27:33 18.6.2008 mbam-log-6-18-2008 (12-27-33).txt Tarkistustyyppi: Täysi tarkistus (C:\|) Tarkistetut kohteet: 164184 Kulunut aika: 44 minute(s), 43 second(s) Saastuneita muistiprosesseja: 0 Saastuneita muistimoduuleja: 0 Saastuneita rekisteriavaimia: 1 Saastuneita rekisteriarvoja: 0 Saastuneita rekisterikohteita: 0 Saastuneita hakemistoja: 0 Saastuneita tiedostoja: 1 Saastuneita muistiprosesseja: (Haitallisia kohteita ei löydetty) Saastuneita muistimoduuleja: (Haitallisia kohteita ei löydetty) Saastuneita rekisteriavaimia: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. Saastuneita rekisteriarvoja: (Haitallisia kohteita ei löydetty) Saastuneita rekisterikohteita: (Haitallisia kohteita ei löydetty) Saastuneita hakemistoja: (Haitallisia kohteita ei löydetty) Saastuneita tiedostoja: C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully. Ja sitten HJT: Logfile of HijackThis v1.99.1 Scan saved at 12:29:17, on 18.6.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE C:\Program Files\Norman\Npm\Bin\Zanda.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norman\Npm\bin\NJEEVES.EXE C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE C:\Program Files\Norman\Nvc\bin\nvcoas.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\ATI-CPanel\atiptaxx.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Norman\Npm\bin\ZLH.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Norman\Nvc\BIN\NIP.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Norman\Nvc\bin\cclaw.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\HijackThis\scanner.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - Startup: OneNote 2007 -näyttöleikkeet ja Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = ? O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Lähetä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Läh&etä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181489975082 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
No niin nyt näyttää ihan hyvältä Lataa CCleaner tästä - Asennuksessa poista merkki/rasti kohdasta "asenna Yahoo! toolbar/työkalupalkki". - Asennuksen jälkeen aukaise CCleaner. - Valitse vasemmalta pystyrivistä Options. - Valitse viereisestä pystyrivistä Settings. - Language kohtaan valitse Suomi. Puhdistaja - Valitse vasemmalta pystyrivistä Puhdistaja. - Paina alhaalta Tutki. Nyt CCleaner tutkii, mitä voidaan poistaa (tempit, cookiessit jne.). - Kun tutkiminen on valmis, paina Aja CCleaner. Nyt CCleaner poistaa löydetyt tempit, cookiessit jne. Rekisterin virheiden korjaus - Valitse vasemmalta pystyrivistä Rekisteri. - Paina alhaalta Etsi rekisterin virheitä. - Kun etsintä on valmis ja olet varma, että haluat korjata ne rivit jotka ovat merkattuja, niin paina Korjaa valitut rekisterin virheet. - Sinulta kysytään "haluatko varmuuskopioida muutokset rekisteriin", paina Kyllä. Tallenna varmuuskopio vaikka "Omat tiedostot" -kansioon. - Klikkaa uudesta aukeavasta ikkunasta Korjaa kaikki valitut virheet. - Saat vielä varmistus kysymyksen, paina Ok. - Kun virheet on korjattu, paina Sulje. Nyt voit suljea CCleanerin painamalla oikealta ylhäältä punaista rastia. Javan päivitys ja välimuistin tyhjennys: 1. Klikkaa Käynnistä -> Ohjauspaneeli ja tupla-klikkaa Lisää tai poista sovellus Ohjauspaneelissa. 2. Etsi listasta kaikki entiset Java versiosi. (J2SE Runtime Environment.... ) Niissä pitäisi olla seuraava kuva vieressä: 3. Valitse kaikki entiset Java versiosi ja valitse Poista. 4. Asenna uusin Java päivitys seuraavasta linkistä.. 5. Käynnistä kone uudelleen asennuksen jälkeen: http://java.sun.com/javase/downloads/index.jsp Rullaa alas kohteeseen Java Runtime Environment (JRE) 6u6 Paina Download Ruksaa Accept, ota offline installation, tallenna vaikka työpöydälle ja asenna se. 6. Käynnistyksen jälkeen, mene takaisin Ohjauspaneeliin ja avaa Java asetuksesi (Muita Ohjauspaneelin asetuksia -> Java kahvikuppi). 7. General Settings -osion alla, vedä liukusäädintä (Disk Space) pienemmälle, ja klikkaa Delete Files -nappia. (Jotkut javapohjaiset ohjelmat saattavat tarvita enemmän levytilaa. Jos huomaat säädön pienentämisen jälkeen koneessa hitautta, siirrä liukusäädintä isommalle). 8. Varmista että kaikki kaksi valintaa ovat rastitettuja: *Applications and Applets *Trace and Log Files Ja paina OK -nappia 9. Klikkaa OK "Temporary Files Settings" -ikkunassasi. 10. Klikkaa OK jättääksesi Java asetusikkunasi.
