Messenger virus + HJT-loki

mikvitik · Jun 10, 2008

Sama vika kuin monella muullakin tuntuu olevan, eli messengerin kautta pääsi virus koneelle ja tekee nyt kaikenlaista ikävää. Omat vähäiset konstit ei tässä vaiheessa enää auttaneet, joten viisaamman apu olisi tarpeen.

Tässä HJT-loki:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:00:03, on 10.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Mikon Temp\AD-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Mikon Temp\HJT\HijackThis.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\jkkkJbxW.dll
O2 - BHO: {792eeb15-45d0-1d9b-d3f4-48c030965b21} - {12b56903-0c84-4f3d-b9d1-0d5451bee297} - C:\WINDOWS\system32\ipkmophk.dll (file missing)
O2 - BHO: (no name) - {E5AB7D2D-9F8D-4A4A-9B57-6847D59D02A1} - C:\WINDOWS\system32\byXRKdBt.dll (file missing)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] ups.exe
O4 - HKLM\..\Run: [BM2564d4ff] Rundll32.exe "C:\WINDOWS\system32\otykjwjb.dll",s
O4 - HKLM\..\Run: [2657e763] rundll32.exe "C:\WINDOWS\system32\itamycny.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1035\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7490810-073A-4CF7-8BB6-D7837C9DA8FB}: NameServer = 217.78.192.22 217.78.192.78
O20 - Winlogon Notify: jkkkJbxW - C:\WINDOWS\SYSTEM32\jkkkJbxW.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Mikon Temp\AD-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

--
End of file - 7506 bytes

Hujo · Jun 10, 2008

1.Lataa combofix.exe työpöydällesi yhdestä linkistä:
combofix1
combofix2

2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

mikvitik · Jun 10, 2008

tässä combofixin logi:

ComboFix 08-06-05.3 - Tarja Vitikka 2008-06-11 0:43:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.516 [GMT 3:00]
Running from: C:\Documents and Settings\Tarja Vitikka\Työpöytä\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM2564d4ff.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jflajvoy.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\oovxkxgv.ini
C:\WINDOWS\system32\qyappomi.exe
C:\WINDOWS\system32\tBdKRXyb.ini
C:\WINDOWS\system32\tBdKRXyb.ini2
C:\WINDOWS\system32\vupvcskj.ini
C:\WINDOWS\system32\yncymati.ini
E:\Autorun.inf

.
((((( Tiedostot, jotka on luotu seuraavalla aikav„lill„: 2008-05-10 to 2008-06-10 )))))))))))))))))
.

2008-06-11 00:49 . 2008-06-11 00:49 268 --ah----- C:\sqmdata05.sqm
2008-06-11 00:49 . 2008-06-11 00:49 244 --ah----- C:\sqmnoopt05.sqm
2008-06-10 21:24 . 2007-08-24 19:45 101,120 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-06-10 21:24 . 2007-08-24 19:45 24,448 -ra------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-06-06 17:21 . 2008-06-06 17:21 49,156 --a------ C:\sz.exe
2008-06-06 17:20 . 2008-06-06 17:20 2,232 --a------ C:\sex2.exe
2008-06-06 16:47 . 2008-06-06 16:46 49,156 -r-hs---- C:\WINDOWS\UPS.0XE
2008-06-06 16:46 . 2008-06-06 16:46 49,156 --a------ C:\SZ.0XE
2008-06-06 16:46 . 2008-06-06 16:46 2,232 --a------ C:\sexx2.exe
2008-06-05 23:29 . 2008-06-05 23:29 <KANSIO> d-------- C:\fsaua.data
2008-06-05 22:49 . 2008-06-05 22:49 117,248 --------- C:\WINDOWS\system32\ITAMYCNY.0LL
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 22:58 . 2008-06-03 22:58 86,548 --a------ C:\Documents and Settings\Tarja Vitikka\setupa.exe
2008-06-03 22:50 . 2008-06-03 22:50 115,200 --------- C:\WINDOWS\system32\JKSCVPUV.0LL
2008-06-03 22:50 . 2008-06-03 22:50 86,548 -r-hs---- C:\WINDOWS\SERVICE.0XE
2008-06-03 22:47 . 2008-06-03 22:47 125,952 --a------ C:\WINDOWS\system32\oxdlpfmp.dll
2008-06-03 22:31 . 2008-06-03 22:31 4,217 --a------ C:\WINDOWS\is154890.exe
2008-05-28 23:39 . 2008-05-28 23:46 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-28 23:37 . 2008-05-28 23:37 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-28 21:20 . 2008-05-28 21:20 57,344 --------- C:\WINDOWS\system32\JKKKJBXW.0LL
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 18:24 --------- d-----w C:\Program Files\Mobile Partner
2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 166,688 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,504 ------w C:\WINDOWS\system32\dllcache\win32k.sys
1999-06-09 14:51 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 00:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 00:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 00:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 00:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 00:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

(((((((((((((((((((((((((((((( Rekisterin k„ynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhji„ arvoja ja laillisia oletusarvoja ei n„ytet„

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12b56903-0c84-4f3d-b9d1-0d5451bee297}]
C:\WINDOWS\system32\ipkmophk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5AB7D2D-9F8D-4A4A-9B57-6847D59D02A1}]
C:\WINDOWS\system32\byXRKdBt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 11:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 12:11 925696]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-16 22:01 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 19:01 761946]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-14 12:20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-14 12:20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-14 12:20 118784]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 09:56 131072]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-02 10:36 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 16:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 17:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 18:43 892928]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-09-19 10:30 106571]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Windows UDP Control"="winudspm.exe" []
"Windows svchost"="ups.exe" [2004-09-15 11:00 18432 C:\WINDOWS\system32\ups.exe]
"BM2564d4ff"="C:\WINDOWS\system32\otykjwjb.dll" [ ]
"2657e763"="C:\WINDOWS\system32\itamycny.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 11:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkJbxW]
jkkkJbxW.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 14:52]
R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-03-13 09:33]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-11-14 18:52]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-09-23 10:23]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 13:32]
R2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS [2005-09-19 10:30]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 20:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 19:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f3-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f5-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f8-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fa-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fd-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765ff-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f0-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f1-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388146-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388149-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 00:52:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????\??????R?@?????,?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Mikon Temp\AD-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\backWeb-7681197.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\Common\FSMA32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\F-Secure\Common\FSMB32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\F-Secure\Common\fch32.exe
C:\Program Files\F-Secure\Common\FAMEH32.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\F-Secure\Common\FNRB32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FIH32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
.
**************************************************************************
.
Completion time: 2008-06-11 0:55:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 21:55:03

Pre-Run: 55,169,048,576 tavua vapaana
Post-Run: 55,272,448,000 tavua vapaana

182 --- E O F --- 2008-05-27 17:29:30

Hujo · Jun 10, 2008

Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:

File::
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sz.exe
C:\sex2.exe
C:\WINDOWS\UPS.0XE
C:\SZ.0XE
C:\sexx2.exe
C:\WINDOWS\system32\ITAMYCNY.0LL
C:\WINDOWS\system32\JKSCVPUV.0LL
C:\WINDOWS\SERVICE.0XE
C:\WINDOWS\is154890.exe
C:\WINDOWS\system32\JKKKJBXW.0LL
C:\WINDOWS\system32\jkkkJbxW.dll
C:\WINDOWS\system32\ipkmophk.dll
C:\WINDOWS\system32\byXRKdBt.dll
C:\WINDOWS\system32\otykjwjb.dll
C:\WINDOWS\system32\itamycny.dll

Click to expand...

Tallenna se nimellä CFScript.txt

Sitten raahaa CFScript ComboFix.exeen kuten alla.

Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.

==============

scannaa hjt:llä merkkaa paina Fix checked

O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\jkkkJbxW.dll
O2 - BHO: {792eeb15-45d0-1d9b-d3f4-48c030965b21} - {12b56903-0c84-4f3d-b9d1-0d5451bee297} - C:\WINDOWS\system32\ipkmophk.dll (file missing)
O2 - BHO: (no name) - {E5AB7D2D-9F8D-4A4A-9B57-6847D59D02A1} - C:\WINDOWS\system32\byXRKdBt.dll (file missing)
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] ups.exe
O4 - HKLM\..\Run: [BM2564d4ff] Rundll32.exe "C:\WINDOWS\system32\otykjwjb.dll",s
O4 - HKLM\..\Run: [2657e763] rundll32.exe "C:\WINDOWS\system32\itamycny.dll",b
O20 - Winlogon Notify: jkkkJbxW - C:\WINDOWS\SYSTEM32\jkkkJbxW.dll

===================

Lataa Malwarebytes' Anti-Malware työpöydällesi.

1. Tuplaklikkaa mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman.
2. Lopuksi varmistu, että seuraavat on valittu: Update Malwarebytes', Anti-Malwareja
Launch Malwarebytes' Anti-Malware ja sen jälkeen klikkaaFinish.
3. Jos päivitys löytyy. ohjelma lataa ja asentaa uusimman version.
4. Kun ohjelma on latautunut, valitse Perform full scan ja klikkaa Scan.
5. Kun skanni on valmis, klikkaa OK ja sitten Show Results nähdäksesi tulokset.
6. Varmistu, että kaikki on merkitty ja klikkaa Remove Selected.
7. Tämän jälkeen loki avautuu muistioon. Tallenna se paikkaan, josta löydät sen helposti. Loki
löytyy myös täältä: C:\Documents and Settings\Käyttäjänimi\Application
Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
8. Lähetä lokin sisältö seuraavassa viestissäsi.

mikvitik · Jun 10, 2008

tuore combofix loki:

ComboFix 08-06-05.3 - Tarja Vitikka 2008-06-11 1:23:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.563 [GMT 3:00]
Running from: C:\Documents and Settings\Tarja Vitikka\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tarja Vitikka\Työpöytä\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\sex2.exe
C:\sexx2.exe
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\SZ.0XE
C:\sz.exe
C:\WINDOWS\is154890.exe
C:\WINDOWS\SERVICE.0XE
C:\WINDOWS\system32\byXRKdBt.dll
C:\WINDOWS\system32\ipkmophk.dll
C:\WINDOWS\system32\ITAMYCNY.0LL
C:\WINDOWS\system32\itamycny.dll
C:\WINDOWS\system32\JKKKJBXW.0LL
C:\WINDOWS\system32\jkkkJbxW.dll
C:\WINDOWS\system32\JKSCVPUV.0LL
C:\WINDOWS\system32\otykjwjb.dll
C:\WINDOWS\UPS.0XE
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sex2.exe
C:\sexx2.exe
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\SZ.0XE
C:\sz.exe
C:\WINDOWS\is154890.exe
C:\WINDOWS\SERVICE.0XE
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\ITAMYCNY.0LL
C:\WINDOWS\system32\JKKKJBXW.0LL
C:\WINDOWS\system32\JKSCVPUV.0LL
C:\WINDOWS\UPS.0XE

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-10 to 2008-06-10 )))))))))))))))))
.

2008-06-11 00:59 . 2008-06-11 00:59 <KANSIO> d-------- C:\WINDOWS\LastGood
2008-06-11 00:55 . 2008-06-11 00:55 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
2008-06-10 21:24 . 2007-08-24 19:45 101,120 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-06-10 21:24 . 2007-08-24 19:45 24,448 -ra------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-06-05 23:29 . 2008-06-05 23:29 <KANSIO> d-------- C:\fsaua.data
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 22:58 . 2008-06-03 22:58 86,548 --a------ C:\Documents and Settings\Tarja Vitikka\setupa.exe
2008-06-03 22:47 . 2008-06-03 22:47 125,952 --a------ C:\WINDOWS\system32\oxdlpfmp.dll
2008-05-28 23:39 . 2008-05-28 23:46 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-28 23:37 . 2008-05-28 23:37 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 18:24 --------- d-----w C:\Program Files\Mobile Partner
2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 166,688 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,504 ------w C:\WINDOWS\system32\dllcache\win32k.sys
1999-06-09 14:51 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 00:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 00:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 00:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 00:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 00:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-06-11_ 0.54.41.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-03 19:35:20 5,310 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{540D5CC5-9289-4A0C-AC4C-E28FB2E21447}.bin
- 2008-06-10 18:02:58 56,056 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-10 21:55:38 56,056 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 18:02:58 68,204 ----a-w C:\WINDOWS\system32\perfc00B.dat
+ 2008-06-10 21:55:38 68,204 ----a-w C:\WINDOWS\system32\perfc00B.dat
- 2008-06-10 18:02:58 391,404 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-10 21:55:38 391,404 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-10 18:02:58 364,850 ----a-w C:\WINDOWS\system32\perfh00B.dat
+ 2008-06-10 21:55:38 364,850 ----a-w C:\WINDOWS\system32\perfh00B.dat
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12b56903-0c84-4f3d-b9d1-0d5451bee297}]
C:\WINDOWS\system32\ipkmophk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5AB7D2D-9F8D-4A4A-9B57-6847D59D02A1}]
C:\WINDOWS\system32\byXRKdBt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 11:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 12:11 925696]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-16 22:01 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 19:01 761946]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-14 12:20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-14 12:20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-14 12:20 118784]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 09:56 131072]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-02 10:36 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 16:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 17:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 18:43 892928]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-09-19 10:30 106571]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Windows UDP Control"="winudspm.exe" []
"Windows svchost"="ups.exe" [2004-09-15 11:00 18432 C:\WINDOWS\system32\ups.exe]
"BM2564d4ff"="C:\WINDOWS\system32\otykjwjb.dll" [ ]
"2657e763"="C:\WINDOWS\system32\itamycny.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 11:00 15360]

C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe [2006-02-27 18:02:06 581693]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1035\OLFSNT40.EXE [1999-06-09 17:51:36 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkJbxW]
jkkkJbxW.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 14:52]
R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-03-13 09:33]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-11-14 18:52]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-09-23 10:23]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 13:32]
R2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS [2005-09-19 10:30]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 20:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 19:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f3-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f5-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f8-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fa-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fd-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765ff-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f0-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f1-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388146-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388149-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 01:24:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????\??????R?@?????,?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 1:25:35
ComboFix-quarantined-files.txt 2008-06-10 22:25:32
ComboFix2.txt 2008-06-10 21:55:11

Pre-Run: 55,204,093,952 tavua vapaana
Post-Run: 55,192,309,760 tavua vapaana

180 --- E O F --- 2008-05-27 17:29:30

Hujo · Jun 10, 2008

sitten nuo fixsaukset ja Malwarebytes' Anti-Malware ajo

mikvitik · Jun 10, 2008

kohtaa
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\jkkkJbxW.dll
ei löytynyt, muut poistettu. Sitten Anti-Malware..

Hujo · Jun 10, 2008

hyvä että ei löydy sitä ei koneella tarvita

mikvitik · Jun 10, 2008

Anti-Malware ajettu ja tarinoi seuraavaa:

Malwarebytes' Anti-Malware 1.17
Tietokantaversio: 846

2:13:10 11.6.2008
mbam-log-6-11-2008 (02-13-10).txt

Tarkistustyyppi: Täysi tarkistus (C:\|E:\|F:\|)
Tarkistetut kohteet: 137136
Kulunut aika: 27 minute(s), 27 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 3
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 1
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 14

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
C:\QooBox\Quarantine\C\WINDOWS\system32\jflajvoy.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\JKSCVPUV.0LL.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qyappomi.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP61\A0008488.0XE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0009470.0LL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0009503.0LL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0009507.0LL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0009510.0XE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0009511.0XE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0010503.0XE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP67\A0010504.0LL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP69\A0011657.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80C5CEDA-2C20-4CDE-85C6-8B452C14D7B0}\RP69\A0011658.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Hujo · Jun 10, 2008

1. Klikkaa käynnistä > Oma tietokone oikean puoleisella hiiren napilla
2. Valitse ominaisuudet
3. Valitse järjestelmän palauttaminen välilehti
4. Ruksi eteen ¤ poista järjestelmän palauttaminen kaikissa asemissa
5. Paina Käytä
6. Paina ok
7. Sammuta ja käynnistä
8. Ota ruksi pois ¤ poista järjestelmän palauttaminen kaikissa asemissa
9. Käytä ja OK

=============

aja uusi combofix loki
aja uusi Malwarebytes' Anti-Malware loki
aja uusi hjt:n loki

mikvitik · Jun 10, 2008

ComboFix loki:

ComboFix 08-06-05.3 - Tarja Vitikka 2008-06-11 2:40:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.569 [GMT 3:00]
Running from: C:\Documents and Settings\Tarja Vitikka\Työpöytä\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-10 to 2008-06-10 )))))))))))))))))
.

2008-06-11 02:33 . 2008-06-11 02:33 268 --ah----- C:\sqmdata06.sqm
2008-06-11 02:33 . 2008-06-11 02:33 244 --ah----- C:\sqmnoopt06.sqm
2008-06-11 02:14 . 2008-06-11 02:14 268 --ah----- C:\sqmdata05.sqm
2008-06-11 02:14 . 2008-06-11 02:14 244 --ah----- C:\sqmnoopt05.sqm
2008-06-11 01:43 . 2008-06-11 01:43 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 01:43 . 2008-06-11 01:43 <KANSIO> d-------- C:\Documents and Settings\Tarja Vitikka\Application Data\Malwarebytes
2008-06-11 01:43 . 2008-06-11 01:43 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 01:43 . 2008-06-11 15:00 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 01:43 . 2008-06-11 15:00 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 00:55 . 2008-06-11 00:55 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
2008-06-10 21:24 . 2007-08-24 19:45 101,120 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-06-10 21:24 . 2007-08-24 19:45 24,448 -ra------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-06-05 23:29 . 2008-06-05 23:29 <KANSIO> d-------- C:\fsaua.data
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 22:58 . 2008-06-03 22:58 86,548 --a------ C:\Documents and Settings\Tarja Vitikka\setupa.exe
2008-06-03 22:47 . 2008-06-03 22:47 125,952 --a------ C:\WINDOWS\system32\oxdlpfmp.dll
2008-05-28 23:39 . 2008-05-28 23:46 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-28 23:37 . 2008-05-28 23:37 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 18:24 --------- d-----w C:\Program Files\Mobile Partner
2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 166,688 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,504 ------w C:\WINDOWS\system32\dllcache\win32k.sys
1999-06-09 14:51 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 00:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 00:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 00:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 00:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 00:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-06-11_ 0.54.41.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 21:51:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 23:35:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 23:14:21 5,310 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{540D5CC5-9289-4A0C-AC4C-E28FB2E21447}.bin
- 2008-06-10 18:02:58 56,056 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-10 23:39:52 56,056 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 18:02:58 68,204 ----a-w C:\WINDOWS\system32\perfc00B.dat
+ 2008-06-10 23:39:52 68,204 ----a-w C:\WINDOWS\system32\perfc00B.dat
- 2008-06-10 18:02:58 391,404 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-10 23:39:52 391,404 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-10 18:02:58 364,850 ----a-w C:\WINDOWS\system32\perfh00B.dat
+ 2008-06-10 23:39:52 364,850 ----a-w C:\WINDOWS\system32\perfh00B.dat
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 11:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 12:11 925696]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-16 22:01 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 19:01 761946]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-14 12:20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-14 12:20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-14 12:20 118784]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 09:56 131072]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-02 10:36 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 16:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 17:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 18:43 892928]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-09-19 10:30 106571]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 11:00 15360]

C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe [2006-02-27 18:02:06 581693]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1035\OLFSNT40.EXE [1999-06-09 17:51:36 45568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 14:52]
R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-03-13 09:33]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-11-14 18:52]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-09-23 10:23]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 13:32]
R2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS [2005-09-19 10:30]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 20:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 19:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f3-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f5-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f8-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fa-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fd-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765ff-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f0-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f1-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388146-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388149-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 02:42:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????\??????R?@?????,?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 2:43:21
ComboFix-quarantined-files.txt 2008-06-10 23:43:18
ComboFix2.txt 2008-06-10 22:25:36
ComboFix3.txt 2008-06-10 21:55:11

Pre-Run: 55,512,113,152 tavua vapaana
Post-Run: 55,498,440,704 tavua vapaana

146 --- E O F --- 2008-05-27 17:29:30

mikvitik · Jun 10, 2008

Anti-Malware loki:

Malwarebytes' Anti-Malware 1.17
Tietokantaversio: 846

3:15:03 11.6.2008
mbam-log-6-11-2008 (03-15-03).txt

Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|F:\|)
Tarkistetut kohteet: 135819
Kulunut aika: 29 minute(s), 58 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 0

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
(Haitallisia kohteita ei löydetty)

ja vielä HJT-loki perään:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:12, on 11.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Mikon Temp\AD-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Mikon Temp\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1035\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Mikon Temp\AD-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

--
End of file - 6518 bytes

Hujo · Jun 11, 2008

Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:

File::
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\Documents and Settings\Tarja Vitikka\setupa.exe

Click to expand...

Tallenna se nimellä CFScript.txt

Sitten raahaa CFScript ComboFix.exeen kuten alla.

Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.

mikvitik · Jun 11, 2008

Tässäpä tuore comfofix loki:

ComboFix 08-06-05.3 - Tarja Vitikka 2008-06-11 22:29:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.580 [GMT 3:00]
Running from: C:\Documents and Settings\Tarja Vitikka\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tarja Vitikka\Työpöytä\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Tarja Vitikka\setupa.exe
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tarja Vitikka\setupa.exe
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-11 to 2008-06-11 )))))))))))))))))
.

2008-06-11 22:21 . 2008-06-11 22:21 <KANSIO> d-------- C:\WINDOWS\LastGood
2008-06-11 22:21 . 2007-08-24 19:45 101,120 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-06-11 22:21 . 2007-08-24 19:45 24,448 -ra------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-06-11 03:35 . 2008-06-11 03:35 268 --ah----- C:\sqmdata07.sqm
2008-06-11 03:35 . 2008-06-11 03:35 244 --ah----- C:\sqmnoopt07.sqm
2008-06-11 01:43 . 2008-06-11 01:43 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 01:43 . 2008-06-11 01:43 <KANSIO> d-------- C:\Documents and Settings\Tarja Vitikka\Application Data\Malwarebytes
2008-06-11 01:43 . 2008-06-11 01:43 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 01:43 . 2008-06-11 15:00 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 01:43 . 2008-06-11 15:00 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 00:58 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:58 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:55 . 2008-06-11 00:55 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
2008-06-05 23:29 . 2008-06-05 23:29 <KANSIO> d-------- C:\fsaua.data
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 23:50 . 2008-06-03 23:50 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 22:47 . 2008-06-03 22:47 125,952 --a------ C:\WINDOWS\system32\oxdlpfmp.dll
2008-05-28 23:39 . 2008-05-28 23:46 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-28 23:37 . 2008-05-28 23:37 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 19:21 --------- d-----w C:\Program Files\Mobile Partner
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:15 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 19:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:41 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:41 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 166,688 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,504 ------w C:\WINDOWS\system32\dllcache\win32k.sys
1999-06-09 14:51 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 00:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 00:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 00:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 00:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 00:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-06-11_ 0.54.41.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 21:51:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 19:04:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 15:52:59 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-03-01 13:01:50 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:01:50 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:01:50 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:01:50 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:01:50 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:56 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:01:50 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:01:50 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:01:51 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:01:51 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:01:51 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:01:51 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:01:51 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:56:25 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:01:51 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:01:52 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:01:52 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-01 15:31:54 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:01:53 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:01:53 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:01:53 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:01:53 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:01:53 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:31:14 214,752 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:32:23 380,640 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:01:53 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:01:53 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:01:53 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:01:53 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
+ 2008-06-11 00:35:55 9,318 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{540D5CC5-9289-4A0C-AC4C-E28FB2E21447}.bin
- 2008-03-01 13:01:50 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:41 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-03-01 13:01:50 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:41 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-03-01 13:01:50 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:42 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-03-01 13:01:50 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:42 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-03-01 13:01:50 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:42 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-03-01 13:01:50 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-04-23 04:16:42 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-03-01 13:01:50 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:42 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-03-01 13:01:50 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:42 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-03-01 13:01:51 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:42 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-03-01 13:01:51 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:42 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-03-01 13:01:51 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-04-23 04:16:42 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-03-01 13:01:51 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:42 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-03-01 13:01:51 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-04-23 04:16:42 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-03-01 13:01:51 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:42 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-03-01 13:01:52 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:42 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-03-01 13:01:52 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:42 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-03-01 13:01:53 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:42 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-03-01 13:01:53 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:42 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-01 13:01:53 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:42 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-03-01 13:01:53 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:42 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-03-01 13:01:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:42 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-03-01 13:01:53 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:42 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2008-03-01 13:01:53 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:43 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-01 13:01:53 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:43 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-01 13:01:53 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:43 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-03-01 13:01:50 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:42 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-03-01 13:01:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:42 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-03-01 13:01:50 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:42 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-01 13:01:50 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:42 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-02-29 08:55:56 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:41:08 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-03-01 13:01:50 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:42 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-03-01 13:01:50 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:42 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-03-01 13:01:51 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:42 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-03-01 13:01:51 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:42 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-03-01 13:01:51 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:42 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-03-01 13:01:51 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:42 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-03-01 13:01:51 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:42 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-03-01 13:01:51 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:42 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-03-01 13:01:52 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:42 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-03-01 13:01:52 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:42 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-03-01 15:31:54 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-23 19:16:44 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-03-01 13:01:53 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:42 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-01 13:01:53 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:42 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-01 13:01:53 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-01 13:01:53 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:42 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-06-10 18:02:58 56,056 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-11 19:09:41 56,056 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 18:02:58 68,204 ----a-w C:\WINDOWS\system32\perfc00B.dat
+ 2008-06-11 19:09:41 68,204 ----a-w C:\WINDOWS\system32\perfc00B.dat
- 2008-06-10 18:02:58 391,404 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-11 19:09:41 391,404 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-10 18:02:58 364,850 ----a-w C:\WINDOWS\system32\perfh00B.dat
+ 2008-06-11 19:09:41 364,850 ----a-w C:\WINDOWS\system32\perfh00B.dat
- 2008-03-01 13:01:53 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:42 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-03-06 01:31:09 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:19:02 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-03-01 13:01:53 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-03-01 13:01:53 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:43 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-03-01 13:01:53 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:43 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-03-01 13:01:53 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-23 04:16:43 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 11:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 12:11 925696]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-16 22:01 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 19:01 761946]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-14 12:20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-14 12:20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-14 12:20 118784]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 09:56 131072]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-02 10:36 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 16:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 17:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 18:43 892928]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-09-19 10:30 106571]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 11:00 15360]

C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe [2006-02-27 18:02:06 581693]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1035\OLFSNT40.EXE [1999-06-09 17:51:36 45568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 14:52]
R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2007-03-13 09:33]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-11-14 18:52]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-09-23 10:23]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 13:32]
R2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS [2005-09-19 10:30]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 20:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 19:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f3-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f5-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765f8-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fa-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765fd-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f4765ff-3717-11dd-bdb8-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d72b22c-37eb-11dd-bdbc-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f0-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001e6f1-1e02-11dd-bdac-0019d262d881}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388146-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9388149-f4f6-11dc-bd9e-001636edc875}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 22:31:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????\??????R?@?????,?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 22:32:14
ComboFix-quarantined-files.txt 2008-06-11 19:32:09
ComboFix2.txt 2008-06-10 23:43:22
ComboFix3.txt 2008-06-10 22:25:36
ComboFix4.txt 2008-06-10 21:55:11

Pre-Run: 55,331,495,936 tavua vapaana
Post-Run: 55,327,211,520 tavua vapaana

315 --- E O F --- 2008-06-11 00:08:30

Hujo · Jun 11, 2008

No niin mites kone toimii..

mikvitik · Jun 11, 2008

Kone toimii yhtä hyvin kuin ennen viruksen tulemista. Ei tule virheilmoituksia kadonneista tiedostoista eikä f-secure enään ilmoittele mistään ylimääräisestä. Kaikki tuntuisi olevan kondiksessa. Ilmeisesti myös näyttäisi puhtaalta?

Tuhannet kiitokset sinulle!

Log in or Sign up

Messenger virus + HJT-loki

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Share This Page

Log in or Sign up

Messenger virus + HJT-loki

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

mikvitik Member

Hujo Guest

mikvitik Member

Hujo Guest

mikvitik Member

Share This Page

Useful Searches