Hi! A fairly nasty virus has turned up on my machine from somewhere. First a "virus alert" started flashing in the bottom-right corner and going on about SpywareQuake. I got that to go away (apparently some other junk too; I ran full system scans with both Ad-Aware and Ewido), but annoying pop-ups keep appearing (in plain Windows, that is, although Firefox keeps opening new windows too) and the machine is completely bogged down. Almost as annoying is Ewido, which reports some trojan or other every half second (most often something called gebcd.dll, which apparently comes back every time it is deleted or quarantined; I don't know whether all of these are related to that one thing or whether there are several viruses). Anyway, here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:40, on 26.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Johannes\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt3.dll
O2 - BHO: (no name) - {E686E5F8-92A1-4D54-A4E3-0549C079E4A3} - C:\WINDOWS\system32\gebcd.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56
O4 - HKLM\..\Run: [newname] C:\\nwnmef_7.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684925770
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\mlctfp.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\rBsser.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\Nfindeo.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\atptif.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\atptif.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9oYW5uZXMgS2FhcmFrYWluZW4\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Hopefully someone can make some sense of this.
Quite a collection you have running there.

1. Download http://download.bleepingcomputer.com/sUBs/combofix.exe to your desktop.
2. Double-click combofix.exe and follow the prompts.
3. When the tool finishes, it produces a log. Post that log in your thread.

Note! Do not click inside the ComboFix window while it is running. That may cause the program to hang.

Download SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the contents (a folder named SmitfraudFix) to your desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and pressing "Enter"; a text file opens listing the infected files (if any). Post the contents of that text file in your thread.

Post:
- a new HjT log
- the ComboFix log
- the SmitfraudFix log
Here are the logs:

Start Time= ke 26.07.2006 12:12:02,39
Running from: C:\Documents and Settings\Johannes\Työpöytä

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{0A47F2A0-B664-43F9-8AB3-5AAB9694FE59}]
@=""
[HKEY_CLASSES_ROOT\clsid\{0A47F2A0-B664-43F9-8AB3-5AAB9694FE59}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{0A47F2A0-B664-43F9-8AB3-5AAB9694FE59}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{0A47F2A0-B664-43F9-8AB3-5AAB9694FE59}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\hr0005dme.dll
C:\WINDOWS\SYSTEM32\mmjtes40.dll
C:\WINDOWS\SYSTEM32\mvcorier.dll
C:\WINDOWS\SYSTEM32\s2880cluefq80.dll

Granting sedebugprivilege to Järjestelmänvalvojat ... successful

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\drsmartload.exe
C:\drsmartload45a7h.exe
C:\dfndref_7.exe
C:\nwnmef_7.exe
C:\kybrdef_7.exe
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\67VKUP33\drsmartload46a[1].exe
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\67VKUP33\dfndref_7[1].exe
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\EDFO9SFQ\kybrdef_7[1].exe
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\L48NPTOL\drsmartload849a[1].exe
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\O52R6ZW9\drsmartload45a[1].exe
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\ORTN2E3X\nwnmef_7[1].exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\Documents and Settings\Johannes\Local Settings\Temporary Internet Files\Content.IE5\JR1L9DP6\MTE3NDI6ODoxNg[1].exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-26 11:31:52 29184 ( A.... ) "C:\WINDOWS\system32\ixt3.dll"
2006-07-26 10:59:08 29184 ( A.... ) "C:\WINDOWS\system32\ixt2.dll"
2006-07-26 10:59:06 14336 ( A.... ) "C:\WINDOWS\system32\ismon.exe"
2006-07-26 10:58:10 234319 ( ..S.R ) "C:\WINDOWS\system32\jt4007hme.dll"
2006-07-26 10:58:04 234526 ( ..S.R ) "C:\WINDOWS\system32\j4n20e5oeh.dll"
2006-07-26 10:45:52 29696 ( A.... ) "C:\WINDOWS\system32\w00ae435.dll"
2006-07-26 10:45:46 234272 ( ..S.R ) "C:\WINDOWS\system32\atptif.dll"
2006-07-26 10:45:06 234272 ( ..S.R ) "C:\WINDOWS\system32\rBsser.dll"
2006-07-26 10:45:00 1064 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-26 10:45:00 1064 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-26 10:44:54 ( .D... ) "C:\Program Files\TheSearchAccelerator"
2006-07-26 10:44:38 517168 ( A.... ) "C:\ucmoreiex.exe"
2006-07-26 00:22:40 1063 ( A.... ) "C:\WINDOWS\system32\envece25.sys"
2006-07-26 00:22:40 1063 ( A.... ) "C:\WINDOWS\system32\envece25.sys"
2006-07-25 23:41:58 29184 ( A.... ) "C:\WINDOWS\system32\ixt1.dll"
2006-07-25 23:22:48 61440 ( A.... ) "C:\WINDOWS\system32\envece25.dll"
2006-07-25 22:21:34 29184 ( A.... ) "C:\WINDOWS\system32\ixt0.dll"
2006-07-25 21:55:44 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-25 21:37:02 573492 ( ..... ) "C:\WINDOWS\system32\gebcd.dll"
2006-07-25 21:30:28 ( .D... ) "C:\Program Files\TClock"
2006-07-25 21:30:22 ( .D... ) "C:\Program Files\InetGet2"
2006-07-25 21:29:46 43520 ( A.... ) "C:\WINDOWS\system32\issearch.exe"
2006-07-25 21:27:36 113680 ( A.... ) "C:\WINDOWS\system32\ishost.exe"
2006-07-25 21:27:34 ( .D... ) "C:\Program Files\ToolBar888"
2006-07-25 21:27:34 ( .D... ) "C:\Program Files\Common Files\{987FA270-087B-1035-0819-030501030166}"
2006-07-25 21:27:22 15872 ( A.... ) "C:\WINDOWS\system32\winowl32.dll"
2006-07-25 20:58:54 ( .D... ) "C:\Program Files\QuickTime Alternative"
2006-07-25 20:50:02 ( .D... ) "C:\Program Files\QuickTime"
2006-07-16 01:35:20 47104 ( A.... ) "C:\WINDOWS\system32\KMVIDC32.DLL"
2006-07-08 13:06:34 ( .D... ) "C:\Documents and Settings\Johannes\Application Data\Lavasoft"
2006-07-08 13:06:24 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-07 23:48:10 ( .D... ) "C:\Program Files\ZipCodec"
2006-07-07 23:42:24 ( .D... ) "C:\Documents and Settings\Johannes\Application Data\Apple Computer"
2006-07-07 23:39:16 ( .D... ) "C:\Program Files\iPod"
2006-07-07 23:39:14 ( .D... ) "C:\Program Files\iTunes"
2006-07-07 23:20:42 ( .D... ) "C:\Program Files\Video Converter"
2006-06-24 15:50:54 ( .D... ) "C:\Program Files\Steam"
2006-06-23 16:44:46 ( .D... ) "C:\Documents and Settings\Johannes\Application Data\ubi.com"
2006-06-23 16:44:42 ( .D... ) "C:\Program Files\Common Files\PocketSoft"
2006-06-23 16:44:40 ( .D... ) "C:\Program Files\ubi.com"
2006-06-23 14:32:14 ( .D... ) "C:\Program Files\DAEMON Tools"
2006-06-20 16:57:04 ( .D... ) "C:\Program Files\Ubi Soft"
2006-05-19 16:24:54 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 16:24:54 110592 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 16:24:54 95744 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-04-27 17:49:30 288417 ( A.... ) "C:\WINDOWS\system32\SrchSTS.exe"
2006-02-06 19:46:40 1001 ( A.... ) "C:\Program Files\WS_FTP.LOG"
2005-10-21 20:19:40 629 ( A.... ) "C:\Program Files\F.E.A.R. MP Demo.lnk"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-26 11:31 29 184 C:\WINDOWS\system32\ixt3.dll
2006-07-26 10:58 234 526 C:\WINDOWS\system32\j4n20e5oeh.dll
2006-07-26 10:58 234 319 C:\WINDOWS\system32\jt4007hme.dll
2006-07-26 10:45 29 696 C:\WINDOWS\system32\w00ae435.dll
2006-07-26 10:45 234 272 C:\WINDOWS\system32\rBsser.dll
2006-07-26 10:45 234 272 C:\WINDOWS\system32\atptif.dll
2006-07-26 10:44 517 168 C:\ucmoreiex.exe
2006-07-26 10:44 1 064 C:\WINDOWS\system32\aaa00000.sys
2006-07-25 23:42 29 184 C:\WINDOWS\system32\ixt2.dll
2006-07-25 23:41 29 184 C:\WINDOWS\system32\ixt1.dll
2006-07-25 23:22 61 440 C:\WINDOWS\system32\envece25.dll
2006-07-25 21:36 573 492 C:\WINDOWS\system32\gebcd.dll
2006-07-25 21:29 43 520 C:\WINDOWS\system32\issearch.exe
2006-07-25 21:29 29 184 C:\WINDOWS\system32\ixt0.dll
2006-07-25 21:29 1 063 C:\WINDOWS\system32\envece25.sys
2006-07-25 21:27 15 872 C:\WINDOWS\system32\winowl32.dll
2006-07-25 21:27 14 336 C:\WINDOWS\system32\ismon.exe
2006-07-25 21:27 113 680 C:\WINDOWS\system32\ishost.exe
2006-07-15 21:46 47 104 C:\WINDOWS\system32\KMVIDC32.DLL
2006-07-08 18:10 53 248 C:\WINDOWS\system32\Process.exe
2006-07-08 18:10 42 496 C:\WINDOWS\system32\swreg.exe
2006-07-08 18:10 40 960 C:\WINDOWS\system32\swsc.exe
2006-07-08 18:10 288 417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-07 23:20 877 568 C:\WINDOWS\system32\NCTAudioFile2.dll
2006-07-07 23:20 780 288 C:\WINDOWS\system32\NCTVideoCompress.dll
2006-07-07 23:20 778 240 C:\WINDOWS\system32\NCTAudioCompress2.dll
2006-07-07 23:20 764 416 C:\WINDOWS\system32\NCTRMFile.dll
2006-07-07 23:20 495 104 C:\WINDOWS\system32\NCTVideoCoreM.dll
2006-07-07 23:20 382 464 C:\WINDOWS\system32\NCTAVIFile.dll
2006-07-07 23:20 261 632 C:\WINDOWS\system32\mcdvd_32.dll
2006-07-07 23:20 249 856 C:\WINDOWS\system32\NCTQuickTimeFile.dll
2006-07-07 23:20 215 552 C:\WINDOWS\system32\NCTWMVFile.dll
2006-07-07 23:20 2 846 720 C:\WINDOWS\system32\NCTAudioCompress3.dll
2006-07-07 23:20 188 416 C:\WINDOWS\system32\NCTVideoFile.dll
2006-07-07 23:20 126 464 C:\WINDOWS\system32\lame_enc.dll
2006-06-23 16:44 185 344 C:\WINDOWS\patchw32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"SideWinderTrayV4"="C:\\PROGRA~1\\MICROS~2\\GAMECO~1\\Common\\SWTrayV4.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"AVGCtrl"="\"C:\\Program Files\\AVPersonal\\AVGNT.EXE\" /min"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"MOD"="C:\\Program Files\\Microangelo\\muamgr.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"envece25"="RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"
"issearch.exe"="issearch.exe"
"kernel32.dll"="C:\\WINDOWS\\system32\\isnotify.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{987FA270-087B-1035-0819-030501030166}"="\"C:\\Program Files\\Common Files\\{987FA270-087B-1035-0819-030501030166}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder

Completion time: ke 26.07.2006 12:19:09,31
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-07-26.121202.txt


SmitFraudFix v2.68b

Scan done at 12:23:06,64, ke 26.07.2006
Run from C:\Documents and Settings\Johannes\Työpöytä\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\teller2.chk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johannes\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Johannes\Suosikit
C:\DOCUME~1\Johannes\Suosikit\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 12:23:38, on 26.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Johannes\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt3.dll
O2 - BHO: (no name) - {F1E82967-871B-4743-A154-32245235FEA8} - C:\WINDOWS\system32\gebcd.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684925770
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

That turned out to be a long list. What would be the wisest thing to do next?
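A small triage script for the two HijackThis logs in this thread, added here as an example; it is not HijackThis, ComboFix or the helper's own tooling. It parses the Oxx entries, flags the persistence points the helper's instructions go after (Winlogon Notify DLLs outside the stock XP SP2 set, unnamed BHOs, rundll32 loading a random-named DLL, autorun binaries sitting in the drive root, SSODL and service entries with no file behind them), and diffs the before and after logs to show what a fix run actually changed. KNOWN_NOTIFY and KNOWN_RUNDLL_TARGETS are assumptions, not an authoritative clean baseline; BEFORE and AFTER are excerpts of the two logs posted above, trimmed to the lines the heuristics act on.

```python
"""HijackThis 1.99 log triage: parse entries, flag likely persistence, diff two logs.

Added example for this thread; not HijackThis, ComboFix or the helper's own tooling.
KNOWN_NOTIFY and KNOWN_RUNDLL_TARGETS are assumptions (stock XP SP2 Winlogon Notify
packages, plus the Bluetooth stub seen in the log), not an authoritative baseline.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "wzcnotif"}
KNOWN_RUNDLL_TARGETS = {"bthprops.cpl"}  # lowercase; compared case-insensitively


class Entry(NamedTuple):
    kind: str  # "O20", "O4", ...
    body: str  # text after "O20 - "


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/O entries of a HijackThis log, in file order."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group("kind"), m.group("body")))
    return out


def flag(e: Entry) -> Optional[str]:
    """Reason the entry deserves a look, or None if it passes these heuristics."""
    b = e.body
    if e.kind == "O20":
        m = re.match(r"Winlogon Notify: (\S+) - (.+)$", b)
        if m and "(file missing)" in m.group(2):
            return "dangling Winlogon Notify entry"
        if m and m.group(1) not in KNOWN_NOTIFY:
            return "non-standard Winlogon Notify DLL (loads into winlogon.exe at logon)"
    elif e.kind == "O2" and b.startswith("BHO: (no name)"):
        return "unnamed BHO"
    elif e.kind == "O3" and "(file missing)" in b:
        return "toolbar DLL missing (leftover of removed adware)"
    elif e.kind == "O4":
        m = re.match(r"HK\w+\\\.\.\\Run: \[[^\]]*\] (.+)$", b)
        cmd = m.group(1) if m else ""
        if re.match(r"rundll32(\.exe)?\s", cmd, re.I):
            dll = cmd.split()[1].split(",")[0]  # "w061ed56.dll,n ..." -> "w061ed56.dll"
            if dll.lower() not in KNOWN_RUNDLL_TARGETS:
                return f"rundll32 loading unrecognised DLL {dll}"
        elif re.match(r'"?C:\\{1,2}[^\\]+\.exe', cmd, re.I):
            return "autorun executable sitting in the drive root"
    elif e.kind == "O21" and "(no file)" in b:
        return "SSODL entry with no backing file"
    elif e.kind == "O23" and "Unknown owner" in b and "(file missing)" in b:
        return "service with unknown vendor whose binary is gone"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """(entry line, reason) for every flagged entry in a log."""
    return [(f"{e.kind} - {e.body}", r) for e in parse_hjt(text) if (r := flag(e))]


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that a fix run removed, and entries that newly appeared."""
    b, a = parse_hjt(before), parse_hjt(after)
    return [e for e in b if e not in a], [e for e in a if e not in b]


# Excerpts of the two HijackThis logs posted in this thread (before and after the
# first ComboFix run), trimmed to the lines the heuristics act on.
BEFORE = r"""
O2 - BHO: (no name) - {E686E5F8-92A1-4D54-A4E3-0549C079E4A3} - C:\WINDOWS\system32\gebcd.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56
O4 - HKLM\..\Run: [newname] C:\\nwnmef_7.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\mlctfp.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\rBsser.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9oYW5uZXMgS2FhcmFrYWluZW4\command.exe (file missing)
"""
AFTER = r"""
O2 - BHO: (no name) - {F1E82967-871B-4743-A154-32245235FEA8} - C:\WINDOWS\system32\gebcd.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
"""

if __name__ == "__main__":
    for line, reason in triage(BEFORE):
        print(f"[{reason}] {line}")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"\nremoved by the fix run: {len(removed)}, new since then: {len(added)}")
    for e in added:
        print("  new:", e.kind, "-", e.body)
```

On these excerpts the first log yields nine flagged lines, and the diff shows five entries gone after the ComboFix run with exactly one new one: the gebcd.dll BHO, re-registered under a different CLSID ({E686E5F8-...} became {F1E82967-...}). That is what a DLL that re-creates its own load points looks like in two consecutive logs, and it is consistent with the poster's report that the file comes back after being quarantined.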
Some of it is gone already.

Remove via Control Panel (Add/Remove Programs):
ZipCodec
ToolBar888
TheSearchAccelerator

Get a fresh SmitfraudFix and delete the old one; the latest is 2.75. Extract it to your desktop.

After that:

Download http://www.atribune.org/ccount/click.php?id=4 VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Tick the box Run VundoFix as a task.
- You will get a message saying "Vundofix will close and re-open in a minute or less". Click OK.
- When VundoFix reopens, click the Scan for Vundo button.
- When the scan is complete, right-click inside the list box (the white box where the found files are listed) and select Add more files
- Copy and paste the following 2 lines into the two topmost boxes
- C:\WINDOWS\system32\gebcd.dll
- C:\WINDOWS\system32\dcbeg.*
- Click Add Files and then click Close Window.
- Click the Remove Vundo button.
- You will get a prompt asking whether you want to remove the selected files; click YES.
- Once you click yes, your desktop will go blank as the tool begins removing Vundo.
- When it is done, you will get a prompt asking you to reboot the computer; click OK.
- Restart your computer.

Print these instructions out.

Boot into Safe Mode and choose your normal user account.

Delete if found:
C:\ucmoreiex.exe
C:\WINDOWS\system32\winowl32.dll
C:\WINDOWS\system32\jt4007hme.dll
C:\WINDOWS\system32\j4n20e5oeh.dll
C:\WINDOWS\system32\w00ae435.dll
C:\WINDOWS\system32\atptif.dll
C:\WINDOWS\system32\rBsser.dll

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and pressing "Enter" to delete the infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" to remove the desktop background and clean the infected registry keys.
The tool will check whether wininet.dll is infected. You may be prompted to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter".
The tool may need to reboot the machine; if it does not, reboot into normal Windows yourself.
A text file will appear after the cleaning process; copy & paste the contents of that report into your reply. The report is on your local drive, usually C:\rapport.txt.

Run ComboFix again.

Check these:
C:\WINDOWS\system32\envece25.dll
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\envece25.sys
here -> http://www.virustotal.com/flash/index_en.html and post the results

Post:
- a new HjT log
- C:\rapport.txt
- C:\vundofix.txt
- the ComboFix log
- the VirusTotal results
All right, now I have the results from all of those. Sorry for the delay, a few other urgent things came up that had to be dealt with :/

------------------------------------------------------------------------------------------------------------------------------------------------
Start Time= ke 26.07.2006 14:05:34,39
Running from: C:\Documents and Settings\Johannes\Työpöytä

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-26 10:45:00 1064 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-26 10:45:00 1064 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-26 10:44:38 517168 ( A.... ) "C:\ucmoreiex.exe"
2006-07-26 00:22:40 1063 ( A.... ) "C:\WINDOWS\system32\envece25.sys"
2006-07-26 00:22:40 1063 ( A.... ) "C:\WINDOWS\system32\envece25.sys"
2006-07-25 23:22:48 61440 ( A.... ) "C:\WINDOWS\system32\envece25.dll"
2006-07-25 21:55:44 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-25 21:37:02 573492 ( ..... ) "C:\WINDOWS\system32\gebcd.dll"
2006-07-25 21:30:28 ( .D... ) "C:\Program Files\TClock"
2006-07-25 21:30:22 ( .D... ) "C:\Program Files\InetGet2"
2006-07-25 21:27:34 ( .D... ) "C:\Program Files\Common Files\{987FA270-087B-1035-0819-030501030166}"
2006-07-25 20:58:54 ( .D... ) "C:\Program Files\QuickTime Alternative"
2006-07-25 20:50:02 ( .D... ) "C:\Program Files\QuickTime"
2006-07-16 01:35:20 47104 ( A.... ) "C:\WINDOWS\system32\KMVIDC32.DLL"
2006-07-08 13:06:34 ( .D... ) "C:\Documents and Settings\Johannes\Application Data\Lavasoft"
2006-07-08 13:06:24 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-07 23:42:24 ( .D... ) "C:\Documents and Settings\Johannes\Application Data\Apple Computer"
2006-07-07 23:39:16 ( .D... ) "C:\Program Files\iPod"
2006-07-07 23:39:14 ( .D... ) "C:\Program Files\iTunes"
2006-07-07 23:20:42 ( .D... ) "C:\Program Files\Video Converter"
2006-06-24 15:50:54 ( .D... ) "C:\Program Files\Steam"
2006-06-23 16:44:46 ( .D... ) "C:\Documents and Settings\Johannes\Application Data\ubi.com"
2006-06-23 16:44:42 ( .D... ) "C:\Program Files\Common Files\PocketSoft"
2006-06-23 16:44:40 ( .D... ) "C:\Program Files\ubi.com"
2006-06-23 14:32:14 ( .D... ) "C:\Program Files\DAEMON Tools"
2006-06-20 16:57:04 ( .D... ) "C:\Program Files\Ubi Soft"
2006-05-19 16:24:54 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 16:24:54 110592 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 16:24:54 95744 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-04-27 17:49:30 288417 ( A.... ) "C:\WINDOWS\system32\SrchSTS.exe"
2006-02-06 19:46:40 1001 ( A.... ) "C:\Program Files\WS_FTP.LOG"
2005-10-21 20:19:40 629 ( A.... ) "C:\Program Files\F.E.A.R. MP Demo.lnk"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-26 10:44 517 168 C:\ucmoreiex.exe
2006-07-26 10:44 1 064 C:\WINDOWS\system32\aaa00000.sys
2006-07-25 23:22 61 440 C:\WINDOWS\system32\envece25.dll
2006-07-25 21:36 573 492 C:\WINDOWS\system32\gebcd.dll
2006-07-25 21:29 1 063 C:\WINDOWS\system32\envece25.sys
2006-07-15 21:46 47 104 C:\WINDOWS\system32\KMVIDC32.DLL
2006-07-08 18:10 53 248 C:\WINDOWS\system32\Process.exe
2006-07-08 18:10 42 496 C:\WINDOWS\system32\swreg.exe
2006-07-08 18:10 40 960 C:\WINDOWS\system32\swsc.exe
2006-07-08 18:10 288 417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-07 23:20 877 568 C:\WINDOWS\system32\NCTAudioFile2.dll
2006-07-07 23:20 780 288 C:\WINDOWS\system32\NCTVideoCompress.dll
2006-07-07 23:20 778 240 C:\WINDOWS\system32\NCTAudioCompress2.dll
2006-07-07 23:20 764 416 C:\WINDOWS\system32\NCTRMFile.dll
2006-07-07 23:20 495 104 C:\WINDOWS\system32\NCTVideoCoreM.dll
2006-07-07 23:20 382 464 C:\WINDOWS\system32\NCTAVIFile.dll
2006-07-07 23:20 261 632 C:\WINDOWS\system32\mcdvd_32.dll
2006-07-07 23:20 249 856 C:\WINDOWS\system32\NCTQuickTimeFile.dll
2006-07-07 23:20 215 552 C:\WINDOWS\system32\NCTWMVFile.dll
2006-07-07 23:20 2 846 720 C:\WINDOWS\system32\NCTAudioCompress3.dll
2006-07-07 23:20 188 416 C:\WINDOWS\system32\NCTVideoFile.dll
2006-07-07 23:20 126 464 C:\WINDOWS\system32\lame_enc.dll
2006-06-23 16:44 185 344 C:\WINDOWS\patchw32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"SideWinderTrayV4"="C:\\PROGRA~1\\MICROS~2\\GAMECO~1\\Common\\SWTrayV4.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"AVGCtrl"="\"C:\\Program Files\\AVPersonal\\AVGNT.EXE\" /min"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"MOD"="C:\\Program Files\\Microangelo\\muamgr.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"envece25"="RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{987FA270-087B-1035-0819-030501030166}"="\"C:\\Program Files\\Common Files\\{987FA270-087B-1035-0819-030501030166}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder

Completion time: ke 26.07.2006 14:05:51,00
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-07-26.121202.txt
ComboFix.2006-07-26.140534.txt
------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:04:38, on 26.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Johannes\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684925770
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
------------------------------------------------------------------------------------------------------------------------------------------------

VundoFix V5.1.5

Running as SYSTEM from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Scan started at 13:08:02 26.7.2006

Listing files found while scanning....

C:\windows\system32\gebcd.dll
C:\windows\system32\dcbeg.ini

Beginning removal...

The process smss.exe was successfully stopped
The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.
The process explorer.exe was successfully stopped
The process iexplore.exe was successfully stopped
The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\gebcd.dll
C:\windows\system32\gebcd.dll Could not be deleted.

Attempting to delete C:\windows\system32\dcbeg.ini
C:\windows\system32\dcbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.dll Could not be deleted.

Performing Repairs to the registry.
Done!
------------------------------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.75b

Scan done at 13:58:02,07, ke 26.07.2006
Run from C:\Documents and Settings\Johannes\Työpöytä\SmitfraudFix(2)\SmitfraudFix
OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\components\flx?.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
------------------------------------------------------------------------------------------------------------------------------------------------

Complete scanning result of "envece25.dll", received in VirusTotal at 07.26.2006, 12:37:34 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 07.26.2006 TR/Agent.RL.1
Authentium 4.93.8 07.26.2006 no virus found
Avast 4.7.844.0 07.26.2006 Win32:Trojan-gen. {Other}
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.26.2006 Trojan.Agent.RL
CAT-QuickHeal 8.00 07.25.2006 no virus found
ClamAV devel-20060426 07.26.2006 no virus found
DrWeb 4.33 07.26.2006 Adware.IEHelper
eTrust-InoculateIT 23.72.78 07.25.2006 Win32/SillyDl.AIM!Trojan
eTrust-Vet 12.6.2309 07.26.2006 no virus found
Ewido 4.0 07.26.2006 Adware.IEHelper
Fortinet 2.77.0.0 07.26.2006 W32/Agent.CCR!tr
F-Prot 3.16f 07.26.2006 no virus found
F-Prot4 4.2.1.29 07.26.2006 no virus found
Ikarus 0.2.65.0 07.26.2006 no virus found
Kaspersky 4.0.2.24 07.26.2006 no virus found
McAfee 4814 07.25.2006 Downloader-AXF
Microsoft 1.1508 07.26.2006 no virus found
NOD32v2 1.1679 07.26.2006 no virus found
Norman 5.90.23 07.26.2006 no virus found
Panda 9.0.0.4 07.25.2006 Adware/DollarRevenue
Sophos 4.07.0 07.26.2006 Troj/Agent-CCR
Symantec 8.0 07.26.2006 Downloader
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.26.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found

Aditional Information
File size: 61440 bytes
MD5: 314b9344b20094d308535e4ecba310bd
SHA1: a6efc861a8442b304772650d8f855ebb514227a8
packers: UPX
------------------------------------------------------------------------------------------------------------------------------------------------

Complete scanning result of "envece25.sys", received in VirusTotal at 07.26.2006, 12:40:34 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 07.26.2006 no virus found
Authentium 4.93.8 07.26.2006 no virus found
Avast 4.7.844.0 07.26.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.26.2006 no virus found
CAT-QuickHeal 8.00 07.25.2006 no virus found
ClamAV devel-20060426 07.26.2006 no virus found
DrWeb 4.33 07.26.2006 no virus found
eTrust-InoculateIT 23.72.78 07.25.2006 no virus found
eTrust-Vet 12.6.2309 07.26.2006 no virus found
Ewido 4.0 07.26.2006 no virus found
Fortinet 2.77.0.0 07.26.2006 no virus found
F-Prot 3.16f 07.26.2006 no virus found
F-Prot4 4.2.1.29 07.26.2006 no virus found
Ikarus 0.2.65.0 07.26.2006 no virus found
Kaspersky 4.0.2.24 07.26.2006 no virus found
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.26.2006 no virus found
NOD32v2 1.1679 07.26.2006 no virus found
Norman 5.90.23 07.26.2006 no virus found
Panda 9.0.0.4 07.25.2006 no virus found
Sophos 4.07.0 07.26.2006 no virus found
Symantec 8.0 07.26.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.26.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found

Aditional Information
File size: 1063 bytes
MD5: 952281d8260f00d414e1a2a96983c9f0
SHA1: 9d3516fabbb3123f6c2824d94f964eb4b9634c9e
------------------------------------------------------------------------------------------------------------------------------------------------

Complete scanning result of "aaa00000.sys", received in VirusTotal at 07.26.2006, 12:43:45 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 07.26.2006 no virus found
Authentium 4.93.8 07.26.2006 no virus found
Avast 4.7.844.0 07.26.2006 no virus found
AVG 386 07.25.2006 no virus found
BitDefender 7.2 07.26.2006 no virus found
CAT-QuickHeal 8.00 07.25.2006 no virus found
ClamAV devel-20060426 07.26.2006 no virus found
DrWeb 4.33 07.26.2006 no virus found
eTrust-InoculateIT 23.72.78 07.25.2006 no virus found
eTrust-Vet 12.6.2309 07.26.2006 no virus found
Ewido 4.0 07.26.2006 no virus found
Fortinet 2.77.0.0 07.26.2006 no virus found
F-Prot 3.16f 07.26.2006 no virus found
F-Prot4 4.2.1.29 07.26.2006 no virus found
Ikarus 0.2.65.0 07.26.2006 no virus found
Kaspersky 4.0.2.24 07.26.2006 no virus found
McAfee 4814 07.25.2006 no virus found
Microsoft 1.1508 07.26.2006 no virus found
NOD32v2 1.1679 07.26.2006 no virus found
Norman 5.90.23 07.26.2006 no virus found
Panda 9.0.0.4 07.25.2006 no virus found
Sophos 4.07.0 07.26.2006 no virus found
Symantec 8.0 07.26.2006 no virus found
TheHacker 5.9.8.181 07.25.2006 no virus found
UNA 1.83 07.25.2006 no virus found
VBA32 3.11.0 07.26.2006 no virus found
VirusBuster 4.3.7:9 07.25.2006 no virus found

Aditional Information
File size: 1064 bytes
MD5: 28eac01ca321c8c946de3e33864fc754
SHA1: 390a53b2154fb43d636670f11e2360056b85ac24

So that is quite a pile of stuff; hopefully I remembered everything.. At least no pop-ups have been popping up now and I have not seen anything unusual. Is the thing already fixed, or are there still bugs showing somewhere?
Fix this line:
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56

1. Download The Avenger (c) (http://swandog46.geekstogo.com/avenger.zip) to your desktop.
[*] Click the Avenger.zip file to open it.

2. Copy all the text in the black quote box below into an empty Notepad:

Note: the script above has been created specifically for this user. If you are not this person, DO NOT follow these instructions, because they could damage your computer's functions.

3. Now open The Avenger by double-clicking its icon on your desktop. Under "Script file to execute" select "Input Script Manually". Now click the magnifying glass icon, which opens a new window called "View/edit script". Paste the text you copied into Notepad into this window. Click Done. Now click the green light to start the script. Click "Yes" when the two warning boxes appear.

Avenger will automatically do the following:
[*] Restart your computer. (In cases where the script contains a "Drivers to Unload" command, Avenger will restart your computer twice.)
[*] During startup it will briefly open a black command window on your desktop; this is normal.
[*] After the restart it will create a log file, which should open, with the results of Avenger's actions. The path of this log is C:\avenger.txt
[*] Avenger has also made a backup of all the files etc. that you asked it to delete, and has packed and moved them into a zip file at C:\avenger\backup.zip.

5. Copy and paste the entire contents of avenger.txt into your reply along with a fresh HJT log.
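The two judgement calls made in this thread, picking the suspicious autostart entries out of a HijackThis log (the rundll32 line just above, the O20 gebcd.dll entry and the dead O18/O21 entries in the earlier logs) and reading a VirusTotal report where only some engines fire, are the part of the workflow a small script can repeat consistently. The following is an added example written for this thread; it is not code from the thread or from the HijackThis, VundoFix, Avenger or VirusTotal authors. The sample log and report lines are copied from the posts above, the triage flags are the points the helper checked by eye (missing-file markers, Winlogon Notify DLLs, a DLL handed to rundll32 without a directory), and the "Kind: name - fields - command" splitting of non-O4 lines is an assumption about HijackThis 1.99.1 output that holds for every line quoted in this thread.

```python
"""Triage helpers for a HijackThis 1.99.1 log and a 2006-style VirusTotal text report.
Added example for this thread; not code from the thread or from the HijackThis,
VundoFix, Avenger or VirusTotal authors. Sample lines are copied from the posts."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: autostart lines copied from the HijackThis logs in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [envece25] RUNDLL32.EXE w061ed56.dll,n 001ece240000000a061ed56
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

# Constructed sample: a subset of the VirusTotal report for envece25.dll posted in the thread.
SAMPLE_VT_REPORT = """\
AntiVir 6.35.1.0 07.26.2006 TR/Agent.RL.1
Authentium 4.93.8 07.26.2006 no virus found
Avast 4.7.844.0 07.26.2006 Win32:Trojan-gen. {Other}
BitDefender 7.2 07.26.2006 Trojan.Agent.RL
Kaspersky 4.0.2.24 07.26.2006 no virus found
McAfee 4814 07.25.2006 Downloader-AXF
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
MISSING_MARKERS = ("(file missing)", "(no file)")
LOADERS = ("rundll32.exe", "regsvr32.exe")  # host processes that load whatever DLL they are handed


@dataclass
class HjtEntry:
    section: str            # O4, O18, O20, O21, O23 ...
    name: str               # Run value name, protocol/notify name or service name
    command: str            # command or path text exactly as HijackThis printed it
    path: Optional[str]     # program/DLL path pulled out of `command`, if one is there
    flags: Tuple[str, ...]  # triage findings; empty when nothing stood out


def extract_path(command: str) -> Optional[str]:
    """Quoted path wins; an unquoted path runs up to the first ' /' or ' -' switch.
    A bare name such as 'w061ed56.dll' carries no directory, so None is returned."""
    quoted = QUOTED_RE.search(command)
    if quoted:
        return quoted.group(1)
    if DRIVE_RE.match(command):
        return re.split(r"\s+(?=[/-])", command, maxsplit=1)[0].strip()
    return None


def triage(section: str, command: str, path: Optional[str]) -> Tuple[str, ...]:
    """The checks the helper in the thread applied by eye, as flags."""
    flags = []
    low = command.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        flags.append("references a file that is not on disk: dead entry or removal left-over")
    if section == "O20":
        flags.append("Winlogon Notify DLL: loaded by winlogon.exe at logon, review the DLL itself")
    if low.startswith(LOADERS) and path is None:
        flags.append("rundll32/regsvr32 given a DLL name with no directory: resolved via the DLL search path")
    return tuple(flags)


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # process list, headers, blank lines
        section, rest = line.group("section"), line.group("rest")
        if section == "O4":
            o4 = O4_RE.match(rest)
            if not o4:
                continue
            name, command = o4.group("name"), o4.group("cmd")
        else:
            # Assumed layout "Kind: name - <middle fields> - command"; a ' - ' inside a path would mis-split
            _kind, _, detail = rest.partition(": ")
            fields = detail.split(" - ")
            name, command = fields[0], fields[-1]
        path = extract_path(command)
        entries.append(HjtEntry(section, name, command, path, triage(section, command, path)))
    return entries


def suspicious(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.flags]


def summarize_vt(report: str) -> Tuple[int, int, Dict[str, Optional[str]]]:
    """(detections, engines, {engine: verdict or None}) for 'Engine Version Update Result' lines."""
    verdicts: Dict[str, Optional[str]] = {}
    for raw in report.splitlines():
        fields = raw.split(None, 3)
        if len(fields) < 4:
            continue
        engine, _version, _update, result = fields
        verdicts[engine] = None if result.strip().lower() == "no virus found" else result.strip()
    detections = sum(1 for v in verdicts.values() if v)
    return detections, len(verdicts), verdicts


if __name__ == "__main__":
    for entry in suspicious(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{entry.section} [{entry.name}] {entry.path or entry.command}")
        for flag in entry.flags:
            print("    -", flag)
    hits, engines, _ = summarize_vt(SAMPLE_VT_REPORT)
    print(f"VirusTotal: {hits}/{engines} engines flagged the sample")
```

Run against the sample it prints the four entries the helper acted on (envece25, msnim, gebcd, cinnamomum) and leaves the AVGCtrl, TClock and AntiVir lines alone. The VirusTotal summary is there because the thread's envece25.dll report is split, with Kaspersky and others reporting "no virus found" while AntiVir, Avast, BitDefender and McAfee name a trojan; counting detections per engine rather than reading one engine's verdict is what makes that report useful.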
Here are the HjT and Avenger logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ulkvopxk

*******************

Script file located at: \??\C:\ewkeipru.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\envece25.dll deleted successfully.
File C:\WINDOWS\system32\gebcd.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 15:15:19, on 26.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\TClock\TClock.exe
C:\Documents and Settings\Johannes\Työpöytä\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684925770
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Are there still any problem spots?
The log is OK, but because of the number of viruses, run this as well:

Scan your computer with the Kaspersky Online Scanner at http://www.kaspersky.com/downloads/kws/kavwebscan.html
You will be asked whether you allow the installation of an ActiveX component from Kaspersky; click Yes.
[*] The program starts and begins downloading the latest signature files.
[*] Once the scanner is installed and the signatures have been downloaded, click Next.
[*] Now click the settings, Scan Settings
[*] Check in the settings that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (if available, otherwise choose Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
[*] Click OK
[*] Now, under the "select a target to scan" heading, choose My Computer
[*] The scan takes time, so be patient. When the scan is finished you will get a notification if your computer is infected.
[*] Now click the Save as Text button.
[*] Save the file to your desktop.
[*] Copy and paste the contents of the file into your next reply.
Harmful or not?

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, July 26, 2006 6:06:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/07/2006
Kaspersky Anti-Virus database records: 209996
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 117154
Number of viruses found: 35
Number of infected objects: 125
Number of suspicious objects: 0
Duration of the scan process: 02:25:55

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/gebcd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\lakefree.exe/setup.exe/SAVENOWINST.EXE/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ar skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\lakefree.exe/setup.exe/SAVENOWINST.EXE Infected: not-a-virus:AdWare.Win32.SaveNow.ar skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\lakefree.exe/setup.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ar skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\lakefree.exe ZIP: infected - 3 skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\water.exe/WISE0023.BIN/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aq skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\water.exe/WISE0023.BIN/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aj skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\water.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.aj skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\water.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\waterfalls.zip/waterfallsetup.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.Gator.1012 skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\waterfalls.zip/waterfallsetup.exe Infected: not-a-virus:AdWare.Win32.Gator.1012 skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\waterfalls.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\snowfree.exe/setup.exe/SAVENOWINST.EXE/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ar skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\snowfree.exe/setup.exe/SAVENOWINST.EXE Infected: not-a-virus:AdWare.Win32.SaveNow.ar skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\snowfree.exe/setup.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ar skipped
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\snowfree.exe ZIP: infected - 3 skipped
C:\Documents and Settings\Johannes\Työpöytä\backups\backup-20060708-173353-865.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.ai skipped
C:\Documents and Settings\Johannes\Työpöytä\backups\backup-20060708-173353-886.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\4.bin\M3PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\4.bin\MWSOESTB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3DTACTL.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3HISTSW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3HTMLMU.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3HTTPCT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3POPSWT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3PSSAVR.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3RESTUB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3SCHMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3SCRCTR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3SHLLVW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped
C:\Program Files\MyWebSearch\bar\5.bin\F3WPHOOK.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\M3HTML.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\Program Files\MyWebSearch\bar\5.bin\M3IDLE.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\Program Files\MyWebSearch\bar\5.bin\M3OUTLCN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\M3PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\5.bin\M3SKIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad skipped
C:\Program Files\MyWebSearch\bar\5.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\MWSOEPLG.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.q skipped
C:\Program Files\MyWebSearch\bar\5.bin\MWSOESTB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\5.bin\NPMYWEBS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP216\A0062222.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP221\A0065526.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP221\A0065527.dll Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP224\A0069991.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP224\A0069992.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP224\A0069995.dll Infected: not-a-virus:AdWare.Win32.SaveNow.ce skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP224\A0070019.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP224\A0070404.exe/data0011 Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP224\A0070404.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP225\A0071158.tlb Infected: Trojan-Downloader.Win32.Zlob.ya skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP225\A0071191.exe/ACM.dll Infected: not-a-virus:AdWare.Win32.SaveNow.ce skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP225\A0071191.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP225\A0071192.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP225\A0071193.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP225\A0071194.exe Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071207.dll Infected: not-virus:Hoax.Win32.Renos.dw skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071208.dll Infected: not-a-virus:AdWare.Win32.SaveNow.ce skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071550.tlb Infected: Trojan-Downloader.Win32.Zlob.ya skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071556.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ai skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071557.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071562.exe Infected: Trojan-Downloader.Win32.Zlob.xn skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071563.exe Infected: Trojan-Downloader.Win32.Zlob.ya skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071565.exe Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071566.tlb Infected: Trojan-Downloader.Win32.Zlob.ya skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071693.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071693.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071693.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071693.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071693.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071696.exe/run.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071696.exe/run.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071696.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\A0071696.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.dw skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP226\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.SaveNow.ce skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073420.dll Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073423.dll Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073425.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073425.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073425.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073425.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073425.exe WiseSFX Dropper: infected - 3 skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073426.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073428.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073429.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073443.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073444.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cu skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073466.exe Infected: Trojan-Downloader.Win32.Adload.de skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0073469.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075481.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075494.exe Infected: Trojan-Downloader.Win32.Adload.de skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075495.exe Infected: Trojan-Downloader.Win32.VB.aiv skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075496.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075497.exe Infected: Trojan-Downloader.Win32.VB.aiy skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075498.exe Infected: Trojan-Downloader.Win32.VB.air skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075519.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075520.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075521.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075522.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075569.dll Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075619.dll Infected: Packed.Win32.Klone.g skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075620.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075621.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075623.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075624.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075652.dll Infected: not-virus:Hoax.Win32.Renos.dw skipped
C:\System Volume Information\_restore{9BE909D5-9D2C-4136-A8EB-5B39B12CC3A4}\RP233\A0075678.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\ucmoreiex.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\ucmoreiex.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\ucmoreiex.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\ucmoreiex.exe ZIP: infected - 3 skipped
C:\ucmoreiex.exe WiseSFX Dropper: infected - 3 skipped
C:\VundoFix Backups\gebcd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\WINDOWS\Sm9oYW5uZXMgS2FhcmFrYWluZW4\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_ Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\Sm9oYW5uZXMgS2FhcmFrYWluZW4\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_ Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\WINDOWS\system32\__delete_on_reboot__m_j_e_x_c_l_4_0_._d_l_l_ Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\__delete_on_reboot__a_c_3___0_0_1_0_._e_x_e_ Infected: Trojan-Downloader.Win32.Small.cyh skipped

Scan process completed.
Some are, some aren't.

Remove via Control Panel (Add/Remove Programs): MyWebSearch or similar.

Delete:
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\lakefree.exe
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\water.exe
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\Old\waterfalls.zip
C:\Documents and Settings\Johannes\Omat tiedostot\Rombetta Janilta\ScreenSavers\snowfree.exe
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\Program Files\MSN Messenger\riched20.dll
C:\Program Files\MyWebSearch
C:\ucmoreiex.exe
C:\WINDOWS\Sm9oYW5uZXMgS2FhcmFrYWluZW4
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\__delete_on_reboot__m_j_e_x_c_l_4_0_._d_l_l_
C:\__delete_on_reboot__a_c_3___0_0_1_0_._e_x_e_

Empty:
C:\VundoFix Backups

Clear System Restore:
1. Select My Computer (right-click).
2. Select Properties.
3. Select the System Restore tab.
4. Select "Turn off System Restore".
5. Click Apply.
6. Click OK.
7. Restart the computer.
8. Repeat steps 1-3.
9. Uncheck "Turn off System Restore".
10. Repeat steps 5 and 6.

Scan again with Kaspersky and post its report.