Popups keep opening, internet connection keeps cutting out

Discussion in 'Viruses and malware - HijackThis logs' started by seitti, Dec 28, 2007.

  1. seitti

    The machine has been rather slow for some time now, and ad popups keep opening on their own even when nobody touches the computer. The apartment has a fixed internet connection. Also, when I open links the browser often sends me to some page like mxfutbol.com. I suspect there is a virus or some viruses or malware on the machine; could someone tell me what it is and how to get rid of it? Here is the log I scanned with HijackThis.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:17:49, on 28.12.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\FileCD\FileCD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aceradvantage.com/stdreg
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=5812
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4EED7723-60D0-4E54-9D27-E3B8AA0FF65A} - C:\WINDOWS\system32\netms.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsm3.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: AD Bot - {BCBCEE7B-2001-4971-B991-EB6E81C96CC5} - C:\WINDOWS\system32\adspipe.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\ascltynv.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '-Mariltn')
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?3908b298c40f4b34935250fcce58284d
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?3908b298c40f4b34935250fcce58284d
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10402 bytes
     
  2. kalminen

    1. Download combofix.exe to your desktop from either of these links:
    combofix.exe
    combofix.exe

    2. Double-click the combofix.exe file and follow the prompts.
    3. When the tool is finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.
    Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
    -----------------------------------------
    Open Notepad and copy/paste the contents of the quotebox into it:

    Save it as CFScript (ComboFix actually recognises it even if the extension is not
    .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Do not click.)

    Restart the computer if asked to, and post the contents of combofix.txt here.
    --------------------------
    Close your browser and other programs for the duration of the fix (not the antivirus).
    Start HijackThis: Scan, tick the following entries listed in red, and remove them (Fix checked).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {4EED7723-60D0-4E54-9D27-E3B8AA0FF65A} - C:\WINDOWS\system32\netms.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsm3.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AD Bot - {BCBCEE7B-2001-4971-B991-EB6E81C96CC5} - C:\WINDOWS\system32\adspipe.dll
    O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\ascltynv.dll
    O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
    O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe (User '-Mariltn')

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:

    * A fresh HijackThis log (taken last, just before posting)
    * (C:\ComboFix.txt), 2 of them
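As an added example (not part of this thread, of HijackThis or of ComboFix), the Python script below applies the same triage heuristics the helper used on the posted log to any HijackThis 2.0.x log: BHOs with no name or no file, BHO DLLs living under system32 instead of a vendor folder, Run keys that start an unknown system32 executable or load a DLL through Rundll32, and IE settings with an empty value. The sample log is a constructed subset of the entries posted above; the allowlist of known system32 autostart binaries (`KNOWN_SYSTEM32`) is an assumption, not something HijackThis ships.

```python
# Triage of a HijackThis 2.0.x log (added example; not part of HijackThis, ComboFix or this thread).
import re
from collections import namedtuple

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aceradvantage.com/stdreg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4EED7723-60D0-4E54-9D27-E3B8AA0FF65A} - C:\WINDOWS\system32\netms.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsm3.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AD Bot - {BCBCEE7B-2001-4971-B991-EB6E81C96CC5} - C:\WINDOWS\system32\adspipe.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\ascltynv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe (User '-Mariltn')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
"""

RE_IE = re.compile(r"^R[01] - (?P<setting>[^=]+?) =(?: (?P<value>.*))?$")
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
RE_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted path or a bare word
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
# Assumption: minimal allowlist of Windows binaries that legitimately autostart from system32.
KNOWN_SYSTEM32 = {"ctfmon.exe"}

# entry is the raw HijackThis line, ready to be ticked before "Fix checked".
Finding = namedtuple("Finding", "line_no entry reasons")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def tokenize(cmd: str) -> list:
    # Split a Run-key command line while keeping quoted paths (with spaces) whole.
    return [quoted or bare for quoted, bare in RE_TOKEN.findall(cmd)]

def ie_reasons(setting: str, value) -> list:
    # Nothing after '=' is what the helper ticked for the R0 Local Page entry.
    return ["IE setting has an empty value"] if not value else []

def bho_reasons(name: str, path: str) -> list:
    reasons = []
    if name == "(no name)":
        reasons.append("BHO registered without a name")
    if path == "(no file)":
        reasons.append("BHO CLSID points to a file that no longer exists")
    elif SYSTEM32.match(path):
        # Vendor BHOs live under Program Files; every adware DLL in this log sits under system32.
        reasons.append("BHO DLL lives under system32 rather than a vendor folder")
    return reasons

def run_reasons(key: str, cmd: str) -> list:
    tokens = tokenize(cmd)
    if not tokens:
        return []
    exe = tokens[0]
    if _basename(exe).lower() == "rundll32.exe":
        dlls = [t for t in tokens[1:] if t.lower().endswith(".dll")]
        return [f"Run key [{key}] loads a DLL through Rundll32: {', '.join(dlls) or '?'}"]
    if SYSTEM32.match(exe) and _basename(exe).lower() not in KNOWN_SYSTEM32:
        return [f"Run key [{key}] starts an unrecognised executable from system32"]
    return []

def triage(log_text: str) -> list:
    """One Finding per suspicious R0/R1, O2 or O4 line; other sections are skipped."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        reasons = []
        if m := RE_IE.match(line):
            reasons = ie_reasons(m["setting"], m["value"])
        elif m := RE_BHO.match(line):
            reasons = bho_reasons(m["name"], m["path"])
        elif m := RE_RUN.match(line):
            reasons = run_reasons(m["key"], m["cmd"])
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings

def fix_list(findings: list) -> list:
    """The raw entries to tick in HijackThis before pressing 'Fix checked'."""
    return [f.entry for f in findings]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.entry}\n    -> " + "\n    -> ".join(f.reasons))
```

Run against the sample it flags the same ten entries the helper listed for removal (netms.dll, nsm3.dll, the orphaned CLSID, adspipe.dll, ascltynv.dll, hid_start, Netverchk.exe and BastaYa.exe, plus the empty Local Page) and leaves the Adobe, Norton, Acer and ctfmon entries alone; a heuristic like this only shortlists entries for a human to review, it does not replace that review.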
     
  3. seitti

    Here is the first (C:\ComboFix.txt) log

    ComboFix 07-12-31.4 - -Mariltn 2007-12-31 9:07:48.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.110 [GMT 2:00]
    Running from: C:\Documents and Settings\-Mariltn\Local Settings\Temporary Internet Files\Content.IE5\RK7LZAS7\ComboFix[1].exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\_000006_.tmp.dll
    C:\WINDOWS\system32\_000007_.tmp.dll
    C:\WINDOWS\system32\_000008_.tmp.dll
    C:\WINDOWS\system32\_000011_.tmp.dll
    C:\WINDOWS\system32\_000012_.tmp.dll
    C:\WINDOWS\system32\drivers\krtqcbth.dat
    C:\WINDOWS\system32\netms.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_RMDOLIBC
    -------\rmdolibc


    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-31 08:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-31 08:34 . 2007-12-31 09:25 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-31 08:34 . 2007-12-31 09:25 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-31 08:29 . 2007-12-31 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-12-31 08:28 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-12-31 08:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-12-31 08:28 . 2007-12-31 08:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-12-31 08:26 . 2007-12-31 08:26 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-12-28 22:16 . 2007-12-28 22:16 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-28 21:26 . 2007-12-28 21:28 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-12-28 21:26 . 2007-12-28 21:28 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-11-30 23:55 . 2007-11-30 23:55 <DIR> d-------- C:\Program Files\Windows Live Favorites
    2007-11-29 10:49 . 2004-08-04 05:00 100,096 --a------ C:\WINDOWS\system32\netms.2
    2007-11-29 10:49 . 2004-08-04 05:00 83,456 --a------ C:\WINDOWS\system32\netms.1
    2007-11-28 18:06 . 2007-11-28 18:06 188,416 --a------ C:\WINDOWS\system32\adspipe.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-31 07:31 49 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb41.dat
    2007-12-31 07:25 3,932,160 ---ha-w C:\Documents and Settings\-Mariltn\NTUSER.DAT
    2007-12-31 07:03 381 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb1942.dat
    2007-12-31 07:03 20,480 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb4827.dat
    2007-12-31 06:12 523 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb1409.dat
    2007-12-28 19:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-28 19:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-11-29 08:49 40,723 ----a-w C:\WINDOWS\system32\adspipe-uninst.exe
    2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-11 06:13 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
    2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-11 06:13 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-11 06:13 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-11 06:13 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-11 06:13 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-10-11 06:13 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-11 06:13 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-10-11 06:13 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-10-11 06:13 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-10-11 06:13 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-11 06:13 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-11 06:13 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-10-11 06:13 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-11 06:13 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-10-11 06:13 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-10-11 06:13 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-10-10 11:16 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
    2007-10-01 12:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-10-01 12:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2007-09-10 16:35 379 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb1942.dat
    2007-09-06 14:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-01-01 10:41 20,480 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb3881.dat
    2007-01-01 10:40 151 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb7698.dat
    2007-01-01 10:40 13,046 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb8564.dat
    2007-01-01 10:40 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb8994.dat
    2007-01-01 10:39 6,144 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb4087.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb8457.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb7887.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb2478.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb1436.dat
    2006-11-16 20:39 0 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb5436.dat
    2006-11-09 20:59 9,216 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb8467.dat
    2006-11-09 20:59 0 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb6334.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ED7D3DE-6DBE-4516-8712-436325722327}]
    2006-11-09 22:59 413696 --a------ C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBCEE7B-2001-4971-B991-EB6E81C96CC5}]
    2007-11-28 18:06 188416 --a------ C:\WINDOWS\system32\adspipe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
    2007-06-04 17:56 421888 --a------ C:\WINDOWS\system32\ascltynv.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "Chckup"="C:\WINDOWS\system32\Netverchk.exe" [2006-11-09 22:59 118784]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 21:22 68856]
    "LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-06 14:20 118784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="" []
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-04-27 12:10 151552]
    "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
    "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 12:11 421888]
    "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-27 23:54 16248320 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-06-23 06:59 602112]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40 413696]
    "hid_start"="C:\WINDOWS\system32\adspipe.dll" [2007-11-28 18:06 188416]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 11:37:58]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

    R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 16:14]
    R2 DritekPortIO;Dritek General Port I/O;C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2005-12-23 01:13]
    R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2006-06-02 13:59]
    R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2006-06-02 13:59]
    R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-07 23:10]
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2006-05-24 19:19]
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2006-05-24 19:19]
    R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2006-05-24 19:19]
    S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
    S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-28 18:46:32 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - -Mariltn.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    "2007-12-31 07:21:36 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 09:29:02
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-31 9:35:21 - machine was rebooted
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 07:35:06
    .
    2007-12-21 21:25:55 --- E O F ---
     
  4. seitti

    and the second one

    ComboFix 07-12-31.4 - -Mariltn 2007-12-31 10:00:02.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT 2:00]
    Running from: C:\Documents and Settings\-Mariltn\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\-Mariltn\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\adspipe.dll
    C:\WINDOWS\system32\ascltynv.dll
    C:\WINDOWS\system32\BastaYa.exe
    C:\WINDOWS\system32\netms.dll
    C:\WINDOWS\system32\Netverchk.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\adspipe.dll
    C:\WINDOWS\system32\ascltynv.dll
    C:\WINDOWS\system32\BastaYa.exe
    C:\WINDOWS\system32\Netverchk.exe
    C:\WINDOWS\system32\SearchTool
    C:\WINDOWS\system32\SearchTool\nsm3.dll
    C:\WINDOWS\system32\SearchTool\SearchTool.dll
    C:\WINDOWS\system32\SearchTool\uninstallSE.exe
    C:\WINDOWS\system32\SmartShopper
    C:\WINDOWS\system32\SmartShopper\js.dll
    C:\WINDOWS\system32\SmartShopper\msvcr71d.dll
    C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll
    C:\WINDOWS\system32\SmartShopper\uninstallSE.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-31 08:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-31 08:34 . 2007-12-31 09:25 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-31 08:34 . 2007-12-31 09:25 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-31 08:29 . 2007-12-31 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-12-31 08:28 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-12-31 08:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-12-31 08:28 . 2007-12-31 08:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-12-31 08:26 . 2007-12-31 08:26 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-12-28 22:16 . 2007-12-28 22:16 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-28 21:26 . 2007-12-28 21:28 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-12-28 21:26 . 2007-12-28 21:28 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-11-30 23:55 . 2007-11-30 23:55 <DIR> d-------- C:\Program Files\Windows Live Favorites
    2007-11-29 10:49 . 2004-08-04 05:00 100,096 --a------ C:\WINDOWS\system32\netms.2
    2007-11-29 10:49 . 2004-08-04 05:00 83,456 --a------ C:\WINDOWS\system32\netms.1

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-31 08:07 49 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb41.dat
    2007-12-31 08:07 381 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb1942.dat
    2007-12-31 08:06 3,932,160 ---ha-w C:\Documents and Settings\-Mariltn\NTUSER.DAT
    2007-12-31 07:03 20,480 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb4827.dat
    2007-12-31 06:12 523 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb1409.dat
    2007-12-28 19:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-28 19:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-11-29 08:49 40,723 ----a-w C:\WINDOWS\system32\adspipe-uninst.exe
    2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-11 06:13 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
    2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-11 06:13 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-11 06:13 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-11 06:13 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-11 06:13 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-10-11 06:13 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-11 06:13 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-10-11 06:13 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-10-11 06:13 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-10-11 06:13 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-11 06:13 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-11 06:13 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-10-11 06:13 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-11 06:13 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-10-11 06:13 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-10-11 06:13 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-10-10 11:16 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
    2007-10-01 12:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-10-01 12:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2007-09-10 16:35 379 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb1942.dat
    2007-09-06 14:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-01-01 10:41 20,480 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb3881.dat
    2007-01-01 10:40 151 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb7698.dat
    2007-01-01 10:40 13,046 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb8564.dat
    2007-01-01 10:40 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb8994.dat
    2007-01-01 10:39 6,144 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb4087.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb8457.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb7887.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb2478.dat
    2007-01-01 10:06 0 ----a-w C:\Documents and Settings\Ruut-\Application Data\internaldb1436.dat
    2006-11-16 20:39 0 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb5436.dat
    2006-11-09 20:59 9,216 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb8467.dat
    2006-11-09 20:59 0 ----a-w C:\Documents and Settings\-Mariltn\Application Data\internaldb6334.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-31_ 9.33.29.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "Chckup"="C:\WINDOWS\system32\Netverchk.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 21:22 68856]
    "LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="" []
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-04-27 12:10 151552]
    "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
    "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 12:11 421888]
    "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-27 23:54 16248320 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-06-23 06:59 602112]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40 413696]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 11:37:58]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

    R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 16:14]
    R2 DritekPortIO;Dritek General Port I/O;C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2005-12-23 01:13]
    R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2006-06-02 13:59]
    R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2006-06-02 13:59]
    R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-07 23:10]
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2006-05-24 19:19]
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2006-05-24 19:19]
    R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2006-05-24 19:19]
    S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
    S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-28 18:46:32 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - -Mariltn.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    "2007-12-31 07:21:36 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 10:08:19
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-31 10:11:04
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 08:10:52
    C:\qoobox\ComboFix2.txt 2007-12-31 07:35:24
    .
    2007-12-21 21:25:55 --- E O F ---
     
  5. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    Would you post the HJT log.
     
  6. seitti

    seitti Member

    Joined:
    Dec 28, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Sorry, I left the job unfinished this morning. For some reason HijackThis could not find the following files on the machine at all:


    O2 - BHO: (no name) - {4EED7723-60D0-4E54-9D27-E3B8AA0FF65A} -C:\WINDOWS\system32\netms.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsm3.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AD Bot - {BCBCEE7B-2001-4971-B991-EB6E81C96CC5} - C:\WINDOWS\system32\adspipe.dll
    O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\ascltynv.dll
    O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify

    I did remove the entries that were found, though. Here is a fresh HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:06:46, on 31.12.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aceradvantage.com/stdreg
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=5812
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-21-4221637149-2004414757-2591421042-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '-Mariltn')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?3908b298c40f4b34935250fcce58284d
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?3908b298c40f4b34935250fcce58284d
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 9118 bytes
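Added example, not code from this thread or from HijackThis: a small Python triage script that parses the O2 (BHO) and O4 (Run key) lines quoted in these posts and applies the checks a log reader otherwise does by hand. The sample lines are copied from the logs above, the "present on disk" set is constructed from the clean log, and the four heuristics (orphaned or nameless BHOs, rundll32 loading a DLL from system32, a Run target missing on disk) are assumptions drawn from common practice, not anything the tool itself reports.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample, assembled from HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4EED7723-60D0-4E54-9D27-E3B8AA0FF65A} - C:\WINDOWS\system32\netms.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AD Bot - {BCBCEE7B-2001-4971-B991-EB6E81C96CC5} - C:\WINDOWS\system32\adspipe.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed stand-in for the disk: files the clean log in this thread shows as present.
PRESENT_ON_DISK = {
    r"C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    kind: str               # "O2" (BHO) or "O4" (Run key)
    name: str
    target: Optional[str]   # file the entry loads; None when HJT reported "(no file)"
    raw: str
    flags: List[str] = field(default_factory=list)


def _target_from_command(cmd: str) -> Optional[str]:
    """File an O4 command really loads: the DLL handed to rundll32, else the first token."""
    parts = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if not parts:
        return None
    if parts[0].lower().endswith("rundll32.exe") and len(parts) > 1:
        return parts[1].split(",")[0]   # strip an "dll,Export" suffix if present
    return parts[0]


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 and O4 Run lines of a HijackThis log; other line types are ignored."""
    entries: List[Entry] = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O2_RE.match(line):
            path = m.group("path")
            entries.append(Entry("O2", m.group("name"), None if path == "(no file)" else path, line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m.group("name"), _target_from_command(m.group("cmd")), line))
    return entries


def triage(entries: List[Entry], exists: Callable[[str], bool] = os.path.exists) -> List[Entry]:
    """Apply reader heuristics (assumptions, not HJT output) and return the flagged entries."""
    for e in entries:
        if e.kind == "O2" and e.target is None:
            e.flags.append("orphaned BHO: CLSID still registered, file gone")
        if e.kind == "O2" and e.name == "(no name)":
            e.flags.append("nameless BHO")
        if e.kind == "O4" and "rundll32" in e.raw.lower() and e.target and "\\system32\\" in e.target.lower():
            e.flags.append("rundll32 loading a DLL from system32")
        if e.target and ABS_PATH_RE.match(e.target) and not exists(e.target):
            e.flags.append("target missing on disk")
    return [e for e in entries if e.flags]
```

Run `triage(parse_hjt(SAMPLE_LOG), exists=PRESENT_ON_DISK.__contains__)` to reproduce the thread's situation offline; on a live machine drop the `exists` argument so real paths are checked.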
     
  7. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    The main thing is that the lines are gone.

    You have both Norton and ZoneAlarm; which one will you remove?
    If Zone is the Security Suite version, I recommend keeping it.

    Close your browser and other programs while running the fix (not the antivirus).
    Start HijackThis, click Scan, tick the entries listed below in red and remove them (Fix checked).
    The ones listed in black are completely unnecessary at startup; the programs will still start normally as before. Remove them the same way as the red ones (at your own discretion).

    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    -----------------------------------------
    Download Atribune's ATF Cleaner
    Instructions:
    Double-click ATF-Cleaner.exe to start the program.
    • Under Main, select: Select All
      Click the Empty Selected button.
    If you use Firefox as your browser
    • Click Firefox at the top and select: Select All
      Click the Empty Selected button.
      NOTE: If you want to keep your saved passwords, click No when it asks.
    If you use Opera as your browser
    • Click Opera at the top and select: Select All
      Click the Empty Selected button again.
      NOTE: If you want to keep your saved passwords, click No when it asks.
    Click Exit in the main menu to close the program.
    Technical support is available by double-clicking the e-mail address located below each menu in the tool. (Note that the support is in English.)

    --------------------------------------------------------
    Download RegSeeker.zip to your desktop:

    Extract the zip into the C:\RegSeeker\ folder. Start the RegSeeker.exe program from there.
    In the top right corner there is a Languages.... link, from which you select Finnish.
    In the bottom left corner tick Create backup, then the Clean the registry link.
    Tick all the other items except "Unusable.." then "OK" (wait a moment).
    A list of invalid registry entries appears; from the Select item in the bottom bar
    click Select all, and the selected items get a yellow background.
    From the Actions link in the bottom bar click Delete selected items.
    In the popup "All selected items will be deleted?" answer "OK".
    In the next popup "Backups" answer "OK".
    Click Exit RegSeeker on the left and restart your computer.
    ----------------------------------
    Let's double-check after a bad infection:
    Works only with Internet Explorer ==> allow ActiveX
    Scan your computer with Kaspersky Online Scanner

    You will be asked whether to allow installing the ActiveX component from Kaspersky; click Yes.
    * The program starts and begins downloading the latest definition files.
    * When the scanner is installed and the definitions downloaded, click Next.
    * Now click the settings, Scan Settings
    * Check in the settings that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (if available, otherwise select Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

    * Click OK
    * Now under the "select a target to scan" heading select My Computer
    * The scan takes time, so be patient. When the scan is complete you get a notification if your computer is infected.
    * Now click the Save as Text button.
    * Save the file to your desktop.
    * Copy and paste the file's contents into your next reply.

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:

    * A fresh HijackThis log (taken last, just before posting)
    * The Kaspersky report

    * Would you help me with my research by running ComboFix once more ???
    and post its log at the end.
    * I'd like to know whether RegSeeker is enough to remove the junk.
    * Thanks in advance.
     
