Hi. I already wrote something like this here once, but it never showed up anywhere, so here is the same again. If another similar post turns up, don't get worked up about it; not everything necessarily goes right the first time for a beginner.

My parents' computer has caught a bug. The virus came from an infected Messenger link. The problems show up like this: the antivirus software (Avira AntiVir) doesn't work. No malware removal tool works either, and no program of that category can be installed, in normal mode or in safe mode. Windows System Restore doesn't work in normal mode or in safe mode. I already downloaded the rescue CD from Avira's site and went through the machine with it, but it found nothing... I'm running out of tricks of my own, so maybe help can be found here. Thanks in advance. The HJT log is attached, in case someone can make sense of it.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:47:59, on 3.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST -ilmaisinalue.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?13642ba0eac7422e82c41dc228b1e320
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?13642ba0eac7422e82c41dc228b1e320
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Lisää tämä blogiin - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Lisää tämä blogiin tuotteessa Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1152969764000
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9141 bytes

Would anyone have any help to offer? If not, then I'll just reinstall everything... I really don't feel like it, though, so if anyone could find the time / would be willing / could be bothered.
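As an added example (not from the original thread, and not HijackThis code), a small Python parser for the HijackThis log format posted above. It pulls each R/O entry out of the log, counts them per section, and lists the ones a reviewer usually checks first: registered objects whose file is gone ("(no file)"), O4 autostarts given as a bare file name instead of a fixed path, and anything loading from a user-writable directory. The sample log is a subset of the lines in the post above plus one constructed O4 entry (marked in the code) so that the last rule has something to hit; the function names and the review rules are this example's own heuristics, and a hit means "look at this", not "this is malware".

```python
"""Parse a HijackThis (HJT) log and list the entries a reviewer usually checks first.

Added example; not part of the original thread and not HijackThis code. The review
rules are this example's own heuristics: a hit means "look at this", not "malware".
"""
import re
from dataclasses import dataclass

# Sample constructed from the first HJT log posted above (a subset of its lines)
# plus ONE constructed O4 entry, named "[constructed]", that is not in the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:47:59, on 3.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Directories a logon item normally has no business loading from (lower-case markers).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Entry:
    section: str  # "R1", "O2", "O4", "O23", ...
    body: str     # text after "Oxx - "


def parse_hjt(text):
    """Return the R/F/O entries of an HJT log in file order; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def count_by_section(entries):
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def run_target(body):
    """Executable part of an O4 entry: the Run value's command or the Startup .lnk target."""
    if "] " in body:                      # HKLM\..\Run: [name] command
        cmd = body.split("] ", 1)[1].strip()
    elif " = " in body:                   # Startup: name.lnk = target (User '...')
        cmd = body.split(" = ", 1)[1].strip()
    else:
        return ""
    if cmd.startswith('"'):               # quoted path: arguments follow the closing quote
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]           # unquoted: first token is the executable


def review(entries):
    """(section, reason, body) for each entry worth a closer look, in log order."""
    findings = []
    for e in entries:
        low = e.body.lower()
        target = run_target(e.body) if e.section == "O4" else ""
        if e.section in ("O2", "O3", "O9") and low.endswith("(no file)"):
            findings.append((e.section, "orphaned: registered object whose file is gone", e.body))
        elif target and "\\" not in target:
            findings.append((e.section, "bare file name: resolved through PATH at logon, not a fixed path", e.body))
        elif any(marker in low for marker in USER_WRITABLE):
            findings.append((e.section, "loads from a user-writable location", e.body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(count_by_section(parsed))
    for section, reason, body in review(parsed):
        print(f"{section}: {reason}\n    {body}")
```

Run over the full log in the post, the parser yields the same picture a human reviewer gets from it: one orphaned BHO (the {5C255C8A-...} entry with no file) and two Run values (ARPWRMSG.EXE, ALCXMNTR.EXE) that rely on PATH lookup at logon; everything else resolves to a fixed path under Program Files or Windows.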
Download ComboFix from any of the links below. You must rename it before saving. Save it to your desktop. Use the name => kompovix.exe

Use link 3, it is the easiest => Link 1 Link 2 Link 3

* IMPORTANT !!! Save ComboFix.exe to your desktop => kompovix.exe
* Close/disable all antivirus and anti-malware programs so they do not interfere with running ComboFix.
* Double-click Combofix.exe and follow the prompts.
* As part of the scan, ComboFix checks whether the Recovery Console is installed. Because of today's malware it is strongly recommended to have the Recovery Console installed before removing malware. The Windows Recovery Console lets you boot into a special recovery mode. Through the Recovery Console we can help you more easily if problems come up during malware removal.
* Follow the prompts and allow ComboFix to download and install the Microsoft Recovery Console, and when asked, accept the license agreement to install the Recovery Console.
**Note: If the Recovery Console is already installed, ComboFix will continue on.

Once the Microsoft Recovery Console is installed, you should see the following message:

Click Yes to continue the scan.

When ComboFix is finished, it will produce a report. Please copy/paste the following reports into your reply:
C:\ComboFix.txt
A new HijackThis log

Warning: Do NOT run ComboFix unsupervised. It is not a toy and it should not be used routinely every day. If you need help, see the more detailed guide: http://www.bleepingcomputer.com/combofix/fi/combofixin-kayttoohje
Thanks, Kalminen. After ComboFix, Avira works again, so something got removed. The new logs are attached. Would there still be reason to do something else?

ComboFix:

ComboFix 10-01-04.01 - HP_Administrator 06.01.2010 10:45:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.654 [GMT 2:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\kombovix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\drivers\H8SRTtqscklltoi.sys
c:\windows\system32\H8SRTetidqbpjxi.dll
c:\windows\system32\H8SRTqpaphwhhol.dll
c:\windows\system32\H8SRTrkrowkiyuj.dll
c:\windows\system32\H8SRTupurutewnm.dat
c:\windows\system32\ps2.bat
c:\windows\system32\srcr.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-03 08:18 . 2010-01-03 08:18 -------- d-----w- c:\program files\TrendMicro
2010-01-02 10:27 . 2010-01-02 10:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ
2010-01-02 10:22 . 2010-01-02 10:22 42752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-02 09:40 . 2009-07-28 13:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-02 09:40 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-02 09:40 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-02 09:40 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-02 09:40 . 2010-01-02 09:40 -------- d-----w- c:\program files\Avira
2010-01-02 09:40 . 2010-01-02 09:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-31 06:37 . 2010-01-06 08:27 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-25 06:53 . 2009-12-25 06:53 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 08:35 . 2008-08-28 18:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-01-06 08:26 . 2006-12-25 06:53 15062697 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-01-05 12:07 . 2010-01-05 12:10 2810368 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-01-05 12:07 . 2010-01-05 12:10 2961920 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-01-04 14:18 . 2010-01-04 14:29 3079168 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-01-04 14:17 . 2010-01-04 14:29 2809344 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-01-04 13:33 . 2007-01-20 13:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-01-03 08:18 . 2010-01-03 08:18 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-25 06:53 . 2007-01-20 13:45 -------- d-----r- c:\program files\Skype
2009-12-25 06:53 . 2007-01-20 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-29 05:38 . 2004-08-10 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2008-09-22 11:50 . 2008-09-22 11:50 251 ----a-w- c:\program files\wt3d.ini
2006-07-15 09:56 . 2006-07-15 09:56 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-10-02 57344]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-1-3 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST -ilmaisinalue.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-2 57344]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [30.6.2004 6:25 7680]
R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2.10.2003 3:16 119552]
R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [27.9.2003 14:37 5504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2.1.2010 11:40 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [17.9.2009 14:43 54752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [3.1.2005 0:33 2825088]
S3 fsssvc;Windows Live -perheturvapalvelu;c:\program files\Windows Live\Family Safety\fsssvc.exe [5.8.2009 21:48 704864]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [3.1.2005 0:32 468768]
S3 WN5401;Liteon Wireless LAN PCI 802.11 a/b/g adapter WN5401A;c:\windows\system32\drivers\wn5401.sys [3.1.2005 0:32 449920]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-12-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 14:53]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Avaa uuteen etuvälilehteen - c:\program files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?13642ba0eac7422e82c41dc228b1e320
IE: Avaa uuteen taustavälilehteen - c:\program files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?13642ba0eac7422e82c41dc228b1e320
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n7crs67i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.fi
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 10:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86971210]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d4f28
\Driver\ACPI -> ACPI.sys @ 0xf7367cb8
\Driver\atapi -> 0x86971210
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ALCXMNTR.EXE
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Skype\Phone\Skype.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Skype\Plugin Manager\SkypePM.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-01-06 10:58:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 08:58

Pre-Run: 203 477 889 024 bytes free
Post-Run: 203 533 189 120 tavua vapaana

- - End Of File - - 78211DE42468584EFAD027656CA38FC5

HJT:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:04:18, on 6.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST -ilmaisinalue.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?13642ba0eac7422e82c41dc228b1e320
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?13642ba0eac7422e82c41dc228b1e320
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Lisää tämä blogiin - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Lisää tämä blogiin tuotteessa Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152969764000
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9104 bytes
This => H8SRT tends to travel in bad company !!!

Let's check your machine for rootkits with RootRepeal.

* Download RootRepeal from one of the following links and save it to your desktop.
  * Direct download (Recommended)
    * Primary link
    * Secondary link
  * Zip-packed (Recommended if you have a slow internet connection or the direct download does not work)
    * Primary link
    * Secondary link
  * Rar-packed (Recommended if you have a slow internet connection / the others do not work and you are able to extract Rar files)
    * Primary link
    * Secondary link
* Extract RootRepeal.exe from the packed file if you did not use the direct download.
* Open it from your desktop.
* Click the tab.
* Click the button.
* Check all seven boxes:
* Press OK.
* Check the box next to your drive (usually C:) and press OK.
* Let RootRepeal scan your machine. The scan may take a while.
* When the scan has finished, press the button. Save the report to the desktop, e.g. as RootRepeal.txt.

=> Post this report in your next message.
Here is the log. Should something still be done, or can the bug already be declared dead? I censored the parts in red so that there would not be any spam problems...

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/06 15:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF72D5000 Size: 96512 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAC99000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A48000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7FB2000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7140000 Size: 81920 File Visible: No Signed: -
Status: -

Name: tmytt.sys
Image Path: tmytt.sys
Address: 0xF7490000 Size: 54016 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\temp\perflib_perfdata_13c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\XXXXX.XXXXX@pp.inet.fi\SharingMetadata\XXXXX@hotmail.com\DFSR\Staging\CS{D468A13D-49E8-BC67-7904-F2EA3CB8BFD9}\13\11-{07~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf02fc0
#: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaeffc80
#: 041 Function Name: NtCreateKey Status: Hooked by "<unknown>" at address 0xf7b98eee
#: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf03580
#: 047 Function Name: NtCreateProcess Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf17900
#: 048 Function Name: NtCreateProcessEx Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf17b10
#: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf1bb10
#: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0xf7b98ee4
#: 056 Function Name: NtCreateWaitablePort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf03670
#: 062 Function Name: NtDeleteFile Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf00210
#: 063 Function Name: NtDeleteKey Status: Hooked by "<unknown>" at address 0xf7b98ef3
#: 065 Function Name: NtDeleteValueKey Status: Hooked by "<unknown>" at address 0xf7b98efd
#: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf17280
#: 098 Function Name: NtLoadKey Status: Hooked by "<unknown>" at address 0xf7b98f02
#: 099 Function Name: NtLoadKey2 Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf1af90
#: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf00070
#: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf19180
#: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf18f40
#: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf1b6f0
#: 193 Function Name: NtReplaceKey Status: Hooked by "<unknown>" at address 0xf7b98f0c
#: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf02be0
#: 204 Function Name: NtRestoreKey Status: Hooked by "<unknown>" at address 0xf7b98f07
#: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf03190
#: 224 Function Name: NtSetInformationFile Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf00440
#: 247 Function Name: NtSetValueKey Status: Hooked by "<unknown>" at address 0xf7b98ef8
#: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf18200
#: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf18080

Stealth Objects
-------------------
Object: Hidden Code [Driver: st3shark, IRP_MJ_CREATE] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_CLOSE] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_READ] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_WRITE] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SET_INFORMATION] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_QUERY_EA] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SET_EA] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SHUTDOWN] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_CLEANUP] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SET_SECURITY] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_POWER] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_SET_QUOTA] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_PNP] Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x86710d68 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_READ] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_POWER] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA] Process: System Address: 0x8683fdf0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_PNP] Process: System Address: 0x8683fdf0 Size: 99

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf01e70
#: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf01f20
#: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf01fe0
#: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf00d60
#: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaaf02250

==EOF==
Something like this should not exist at all: tmytt.sys !!!

Make hidden files visible => neko's GUIDE
*****************************************************************
Use Windows' search function, search for tmytt.sys and write down the full path.
Click => HERE
Press the Browse button at the top.
Find on your machine ==>> /?/?/tmytt.sys
Click the file and press the Open button.
Then press the Upload button.
Press the Scan button and wait a moment.
When the report is ready, press the Copy to clipboard button at the bottom of the page.
Open Notepad and paste the report there from the clipboard (Ctrl+V).
Then send the report here to your thread.
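The RootRepeal report above contains three kinds of findings a responder reads first: a loaded driver (tmytt.sys) whose image path is just a bare file name, SSDT entries hooked by "<unknown>", and hidden code in the IRP handlers of st3shark, Cdrom and atapi. The script below is an added example for this thread; it is not RootRepeal's code and not from any post here. It parses a report in the field layout seen above and pulls out exactly those three kinds of findings so they can be reviewed first. The sample report embedded in it is a trimmed excerpt of the log posted above with line breaks restored, and the patterns assume that field layout.

```python
"""Triage a RootRepeal report: surface the findings a responder reviews first.

Added example for this thread; not RootRepeal's code and not from any post
here. Assumes the field layout seen in the thread's log: Name / Image Path /
Address / Size for drivers, "#:" / Function Name / Status for SSDT and Shadow
SSDT hooks, "Object: Hidden Code [Driver: x, IRP_MJ_y]" for stealth objects.
The patterns match on whitespace, so the flattened one-line form of the log
as posted parses the same as the original multi-line report.
"""
import re
from collections import Counter

# Constructed sample: a trimmed excerpt of the report posted in this thread.
SAMPLE_REPORT = """\
Drivers
-------------------
Name:
Image Path:
Address: 0xF72D5000 Size: 96512 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xAAC99000 Size: 98304 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7140000 Size: 81920 File Visible: No Signed: -
Status: -

Name: tmytt.sys
Image Path: tmytt.sys
Address: 0xF7490000 Size: 54016 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xaaeffc80
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b98eee
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b98ef8

Stealth Objects
-------------------
Object: Hidden Code [Driver: st3shark, IRP_MJ_CREATE]
Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: st3shark, IRP_MJ_READ]
Process: System Address: 0x868a08c8 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8683fdf0 Size: 99
"""

DRIVER_RE = re.compile(
    r"Name:\s*(?P<name>\S*)\s*Image Path:\s*(?P<path>.*?)\s*"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s*Size:\s*(?P<size>\d+)", re.S)
HOOK_RE = re.compile(
    r"#:\s*(?P<idx>\d+)\s*Function Name:\s*(?P<fn>\w+)\s*Status:\s*"
    r'Hooked by\s*"(?P<mod>[^"]*)"\s*at address\s*(?P<addr>0x[0-9A-Fa-f]+)')
STEALTH_RE = re.compile(
    r"Object:\s*Hidden Code\s*\[Driver:\s*(?P<drv>[^,\]]+),\s*(?P<irp>IRP_MJ_\w+)\]\s*"
    r"Process:\s*(?P<proc>\S+)\s*Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s*Size:\s*(?P<size>\d+)")


def parse_drivers(report):
    """Loaded drivers; image_path is '' when the report shows none."""
    return [{"name": m["name"], "image_path": m["path"].strip(),
             "address": m["addr"], "size": int(m["size"])}
            for m in DRIVER_RE.finditer(report)]


def parse_hooks(report):
    """SSDT and Shadow SSDT entries with the module that owns each hook."""
    return [{"index": int(m["idx"]), "function": m["fn"],
             "module": m["mod"], "address": m["addr"]}
            for m in HOOK_RE.finditer(report)]


def parse_stealth_objects(report):
    """Hidden-code objects: a driver's IRP handler pointing into unknown code."""
    return [{"driver": m["drv"], "irp": m["irp"], "process": m["proc"],
             "address": m["addr"], "size": int(m["size"])}
            for m in STEALTH_RE.finditer(report)]


def has_on_disk_path(image_path):
    # A blank path or a bare file name means the loaded image could not be
    # tied to a file the Windows API will show; a real path starts with a
    # drive letter or a backslash.
    return re.match(r"[A-Za-z]:\\|\\", image_path) is not None


def triage(report):
    drivers = parse_drivers(report)
    hooks = parse_hooks(report)
    stealth = parse_stealth_objects(report)
    return {
        "drivers_without_path": [d["name"] or "(no name)" for d in drivers
                                 if not has_on_disk_path(d["image_path"])],
        "unknown_hooks": [h["function"] for h in hooks if h["module"] == "<unknown>"],
        "hook_modules": Counter(h["module"] for h in hooks),
        "hidden_code_by_driver": Counter(o["driver"] for o in stealth),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Drivers with no on-disk image path:", result["drivers_without_path"])
    print("SSDT entries hooked by <unknown>:", result["unknown_hooks"])
    print("Hidden code per driver:", dict(result["hidden_code_by_driver"]))
```

The script only surfaces the entries; which of the path-less drivers belong to a legitimate product installed on the machine (the firewall's or a scanner's own driver, for instance) is a judgement the reviewer makes against that product's documentation, and the hooks are grouped by owning module for the same reason: a firewall that hooks many entries under its own file name is a different picture from hooks whose owner cannot be resolved at all.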
Yeah, it can't be found at all with Windows' own search methods. I mean, I searched with hidden files visible etc. Would there be some other way?
Download SystemLook by jpshortstuff FROM HERE and save it to the desktop.
Double-click SystemLook.exe to run it.
Copy (CTRL+C) all of the text from the box below into the text area.

Code:

:regfind
tmytt.sys
tmytt
:filefind
tmytt.sys
tmytt.*
:dir
C:\WINDOWS\system32\drivers\etc /s

Click the Look button to start the scan.
When the scan is finished, Notepad opens with the log contents.
Right-click the log and choose "Select All".
Copy and paste it into your next message.
(The log can also be found on your desktop as SystemLook.txt)
Hi. Here's the log. The file was not found, but registry keys all the more. What next?

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:41 on 07/01/2010 by HP_Administrator (Administrator - Elevation successful)

========== regfind ==========

Searching for "tmytt.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"

Searching for "tmytt"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="tmytt"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="tmytt"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tmytt.sys"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="tmytt"
[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="tmytt"

========== filefind ==========

Searching for "tmytt.sys"
No files found.

Searching for "tmytt.*"
No files found.

========== dir ==========

C:\WINDOWS\system32\drivers\etc - Parameters: "/s"

---Files---
hosts --a--- 27 bytes [02:00 11/08/2004] [08:52 06/01/2010]
hosts.msn --a--- 734 bytes [21:19 28/12/2006] [02:00 11/08/2004]
lmhosts.sam --a--- 3683 bytes [12:00 10/08/2004] [12:00 10/08/2004]
networks --a--- 407 bytes [02:00 11/08/2004] [02:00 11/08/2004]
protocol --a--- 799 bytes [02:00 11/08/2004] [02:00 11/08/2004]
services --a--- 7116 bytes [02:00 11/08/2004] [02:00 11/08/2004]

No folders found.

-=End Of File=-
Better like this !!!

Let's clean the registry. First take a backup of the registry like this: from the taskbar > Start > Run -> regedit -> OK. Click the My Computer row with the mouse to make it active. Then File -> Export. Type Heka81 as the file name, and in the Save in column choose the root of C:. In the export range, tick "All", and OK. Exit Regedit.

Then save the piece of text below as fix.reg in Notepad on the desktop (save as type: all files):

Code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"=-

[HKEY_USERS\S-1-5-21-823130572-4184854783-3000903846-1007\Software\Microsoft\Search Assistant\ACMru\5604]
"000"=-

Double-click fix.reg on the desktop and press Yes and OK. Restart the machine.
-----------------------------------------------------------------------------------
Type ComboFix.exe /u into the Run box of the Windows Start menu and press OK.
*************************************************************
Remove the programs used here, RootRepeal etc., from the machine so that the antivirus does not complain about them.
------------------------------------------------------------------------------
That HOSTS is not in order => hosts --a--- 27 bytes [02:00 11/08/2004] [08:52 06/01/2010]

* The old HOSTS file is removed. Start the machine in Safe Mode => GUIDE. Remove this file: C:\WINDOWS\system32\drivers\etc\HOSTS
* Start your machine in normal mode.
* Download HOSTS: from here to your desktop.
* Extract hosts.zip into the C:\WINDOWS\system32\drivers\etc folder.

Finally, you can verify that there is a file named HOSTS there without a file extension. Size approx. 600 KB. The protection activates at the next startup (it does not load memory).
Updates for HOSTS: from here
What HOSTS does: guide here

What's the situation ???
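The last part of the post above replaces a HOSTS file whose modification date no longer matches the rest of the directory. Before replacing such a file it is worth seeing what it actually maps, because the two things a tampered HOSTS file does look different: sending a name to a remote address redirects traffic, while pointing a vendor's update host at loopback silently breaks that product's updates. The script below is an added example for this thread (not from any post or tool here): it parses a HOSTS file, skips the stock localhost line, and ranks the remaining entries by that distinction, with a caller-supplied watch list for the domains whose sinkholing matters (an antivirus vendor's, say). The hosts content, the .example/.test names and the watch list are all constructed.

```python
"""Audit a Windows HOSTS file for entries that redirect or sinkhole lookups.

Added example for this thread, not code from any post or tool here. Every
input below is constructed: names use the reserved .test and .example
labels and the remote address is from the 198.51.100.0/24 documentation range.
"""
import ipaddress

# Addresses that make a name resolve to nothing useful (blocklist style).
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: the stock localhost line, an ad-blocker style sinkhole,
# a bank name pointed at a remote address, and two sinkholed update hosts of
# a made-up antivirus vendor.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0         ads.example
198.51.100.7    www.bank.example   # constructed redirect
127.0.0.1       update.av.test
127.0.0.1       liveupdate.av.test
"""


def parse_hosts(text):
    """Return (line_no, ip, names) per active line; ip is None if unparseable."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            entries.append((no, None, tokens))  # keep it so the audit can report it
            continue
        entries.append((no, ip, [n.lower() for n in tokens[1:]]))
    return entries


def audit_hosts(text, watch_domains=()):
    """Rank every non-stock mapping, most severe first.

    high:   a name is answered with a remote address (traffic redirection)
    medium: a name under a watched domain (e.g. your AV vendor) is sinkholed,
            which silently blocks its updates
    low:    any other mapping, listed for review
    """
    watch = tuple(d.lower().lstrip(".") for d in watch_domains)
    findings = []
    for no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append({"line": no, "severity": "low", "ip": None,
                             "name": " ".join(names), "reason": "unparseable line"})
            continue
        for name in names:
            if name == "localhost" and ip in ("127.0.0.1", "::1"):
                continue                              # the stock entry
            if ip not in SINKHOLE_ADDRESSES:
                sev, why = "high", "name redirected to remote address"
            elif any(name == d or name.endswith("." + d) for d in watch):
                sev, why = "medium", "watched domain sinkholed"
            else:
                sev, why = "low", "non-localhost mapping"
            findings.append({"line": no, "severity": sev, "ip": ip,
                             "name": name, "reason": why})
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], f["line"]))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watch_domains=("av.test",)):
        print(f"{f['severity']:6} line {f['line']:>3}: {f['name']} -> {f['ip']}  ({f['reason']})")
```

Run against a real file, read it as text and pass it in; a large blocklist-style HOSTS such as the one recommended above will produce thousands of "low" entries, which is expected, and the point of the ranking is that the handful of "high" and "medium" ones surface at the top of that list.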
Nyt on rekisteri korjattu ja muutenkin toimittu ohjeiden mukaan Tässä vielä combofixin loki: ComboFix 10-01-04.01 - HP_Administrator 08.01.2010 17:56:23.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.615 [GMT 2:00] Running from: c:\documents and settings\HP_Administrator\combofix.exe Command switches used :: /u AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 ))))))))))))))))))))))))))))))) . 2010-01-08 15:38 . 2010-01-08 15:37 3819182 ----a-r- c:\documents and settings\HP_Administrator\ComboFix.exe 2010-01-08 15:30 . 2010-01-08 15:31 79793154 ----a-w- C:\Heka81.reg 2010-01-06 10:27 . 2010-01-06 10:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes 2010-01-06 10:27 . 2009-12-30 12:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-06 10:27 . 2010-01-06 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-01-06 10:27 . 2010-01-06 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-06 10:27 . 2009-12-30 12:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-03 08:18 . 2010-01-03 08:18 -------- d-----w- c:\program files\TrendMicro 2010-01-02 10:27 . 2010-01-02 10:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ 2010-01-02 10:22 . 2010-01-02 10:22 42752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-01-02 09:40 . 2010-01-06 09:00 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-01-02 09:40 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-01-02 09:40 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-01-02 09:40 . 
2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-01-02 09:40 . 2010-01-02 09:40 -------- d-----w- c:\program files\Avira 2010-01-02 09:40 . 2010-01-02 09:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-12-25 06:53 . 2009-12-25 06:53 -------- d-----w- c:\program files\Common Files\Skype . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-01-08 15:24 . 2007-01-20 13:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype 2010-01-06 08:35 . 2008-08-28 18:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM 2010-01-06 08:26 . 2006-12-25 06:53 15062697 ----a-w- c:\windows\Internet Logs\tvDebug.zip 2010-01-05 12:07 . 2010-01-05 12:10 2810368 ----a-w- c:\windows\Internet Logs\xDBA.tmp 2010-01-05 12:07 . 2010-01-05 12:10 2961920 ----a-w- c:\windows\Internet Logs\xDB9.tmp 2010-01-04 14:18 . 2010-01-04 14:29 3079168 ----a-w- c:\windows\Internet Logs\xDB7.tmp 2010-01-04 14:17 . 2010-01-04 14:29 2809344 ----a-w- c:\windows\Internet Logs\xDB8.tmp 2010-01-03 08:18 . 2010-01-03 08:18 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe 2009-12-25 06:53 . 2007-01-20 13:45 -------- d-----r- c:\program files\Skype 2009-12-25 06:53 . 2007-01-20 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype 2009-10-29 05:38 . 2004-08-10 12:00 667136 ------w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-10 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-10 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-10 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30 . 2004-08-10 12:00 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 
2004-08-10 12:00 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2004-08-10 12:00 79872 ----a-w- c:\windows\system32\raschap.dll 2008-09-22 11:50 . 2008-09-22 11:50 251 ----a-w- c:\program files\wt3d.ini 2006-07-15 09:56 . 2006-07-15 09:56 22 --sha-w- c:\windows\SMINST\HPCD.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856] "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-31 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-10-02 57344] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] c:\documents and settings\Default User\Start Menu\Programs\Startup\ Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-1-3 27136] c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma 
Loader.exe [2005-3-16 113664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ ATI CATALYST -ilmaisinalue.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-10-2 57344] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [30.6.2004 6:25 7680] R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 18:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865BEF00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d4f28
\Driver\ACPI -> ACPI.sys @ 0xf7367cb8
\Driver\atapi -> 0x865bef00
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
Completion time: 2010-01-08 18:09:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-08 16:08
ComboFix2.txt 2010-01-06 08:58
Pre-Run: 203 632 746 496 bytes free
Post-Run: 203 602 034 688 tavua vapaana
- - End Of File - - E20679C299DF48D3DFEDA55312CC9CC0

Is there still anything else, or can the battle be declared won?
Yes, we did beat that Christmas present H8RST, but that one tends to keep bad company. Let's still verify the Master Boot Record. Download mbr.exe to your desktop. => FROM HERE Or to the root of C:\ and run it in a CMD window, which you can reach from the Start menu. Double-click mbr.exe and follow the instructions. When mbr.exe is finished, it creates a log. Post the contents of that log in your next message.
mbr doesn't run for long. The screen just flashes and the log appears. Here is the log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
So at least according to that, everything's OK?
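To make the two mbr.exe outputs in this thread comparable, here is an added Python parser for the Gmer MBR detector's output; it is not code from the thread or from Gmer, and the sample text is constructed from the output quoted earlier. Its point: the "user & kernel MBR OK" line appears in both runs, so it is the hook and unknown-module lines that distinguish the flagged run from the clean one.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
# Constructed sample, transcribed from the mbr.exe run embedded in the ComboFix
# log earlier in this thread; the later stand-alone run lacks the hook lines.
HOOKED_RUN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865BEF00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d4f28
\Driver\ACPI -> ACPI.sys @ 0xf7367cb8
\Driver\atapi -> 0x865bef00
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (.+)$")      # "\Driver\X -> target"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")  # unnamed module in call chain
@dataclass
class MbrVerdict:
    sectors_ok: bool = False               # "user & kernel MBR OK" was printed
    warning: bool = False                  # tool printed its own infection warning
    unknown_module: Optional[str] = None   # address of an unnamed module, if any
    hooks: Dict[str, str] = field(default_factory=dict)  # \Driver\X -> where it now points
    @property
    def suspicious(self) -> bool:
        # "MBR OK" alone is not a clean bill of health: in the hooked run the
        # sectors read fine while the disk driver chain was redirected.
        return self.warning or bool(self.hooks) or self.unknown_module is not None
def parse_mbr_log(text: str) -> MbrVerdict:
    """Hypothetical helper (not Gmer's): turn mbr.exe output into an MbrVerdict."""
    v, in_hooks = MbrVerdict(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            v.unknown_module = m.group(1) if m else None
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line.startswith("Warning:"):
            v.warning, in_hooks = True, False
        elif line == "user & kernel MBR OK":
            v.sectors_ok, in_hooks = True, False
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:                           # e.g. \Driver\atapi -> 0x865bef00 (raw address)
                v.hooks[m.group(1)] = m.group(2)
    return v
```

Run on the clean output posted above, the verdict has sectors_ok set and nothing suspicious; run on the earlier ComboFix-embedded output, it reports three hooks, the unknown module at 0x865BEF00 and the tool's warning despite the same "MBR OK" line.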
Thank you, kalminen, for your efforts. I was spared the installation work, and maybe I learned something new myself. Wishing you an excellent new year, and the beers are on me if we ever run into each other.