The AVG Anti-Rootkit scanner reports a "finding" with a .sys extension which turns up again after every removal; only the name has changed, e.g. like this: C:\WINDOWS\System32\Drivers\ajyjcffo.SYS, Hidden driver file. Lavasoft's and Panda's rootkit scanners, for example, find nothing. ComboFix and HJT logs below. Is there malware on the machine?

ComboFix 08-02-17.2 - Juho 2008-02-17 19:18:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.195 [GMT 2:00]
Running from: C:\Documents and Settings\Juho\Työpöytä\Siivous ja viritystyökalut\Troijalaisten poisto\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\eecbafddc2_r.dll
----- BITS: Possible infected sites -----
hxxp://au.download.windowsupdate.cõj
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-01-17 to 2008-02-17 )))))))))))))))))
.
2008-02-17 15:27 . 2008-02-17 15:27 7,680 --a------ C:\WINDOWS\system32\drivers\RKL1528.tmp.sys
2008-02-17 14:37 . 2008-02-17 14:37 0 --a------ C:\23990098.$$$
2008-02-17 12:28 . 2008-02-17 12:59 <KANSIO> d-------- C:\Downloads
2008-02-16 10:48 . 2008-02-16 10:48 7,680 --a------ C:\WINDOWS\system32\drivers\RKL54.tmp.sys
2008-02-15 11:55 . 2008-02-17 15:27 250 --a------ C:\WINDOWS\gmer.ini
2008-02-09 18:37 . 2008-02-09 18:37 23 --a------ C:\WINDOWS\system32\cde8_r.ocx
2008-02-07 12:59 . 2008-02-07 12:59 <KANSIO> d-------- C:\Documents and Settings\Juho\Application Data\Grisoft
2008-02-07 12:58 . 2008-02-07 12:58 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 12:58 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-06 17:07 . 2008-02-06 17:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-06 17:07 . 2008-02-06 17:07 3,451 --a------ C:\WINDOWS\unins000.dat
2008-02-04 14:20 . 2008-02-04 15:50 <KANSIO> d-------- C:\RegSeeker
2008-02-01 19:55 . 2008-02-01 19:55 <KANSIO> d-------- C:\WINDOWS\InCD
2008-02-01 19:55 . 2006-03-07 16:27 3,067,904 --------- C:\WINDOWS\NuNinst.exe
2008-02-01 19:55 . 2006-03-23 17:15 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-02-01 19:55 . 2006-03-24 11:12 59,278 --------- C:\WINDOWS\NuNinst.cfg
2008-02-01 19:55 . 2006-03-23 17:15 33,536 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-02-01 19:55 . 2006-03-23 17:15 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-02-01 19:55 . 2006-03-23 17:00 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-02-01 19:42 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-02-01 19:41 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-02-01 19:41 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-02-01 19:41 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-02-01 19:41 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-02-01 19:31 . 2008-02-01 19:31 <KANSIO> d-------- C:\Documents and Settings\Juho\Application Data\Ahead
2008-02-01 19:23 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-02-01 19:23 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-02-01 19:23 . 2004-01-14 18:57 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-02-01 19:23 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-26 15:12 . 2008-01-26 15:12 <KANSIO> d-------- C:\Documents and Settings\Juho\Application Data\Photodex
2008-01-25 22:21 . 2008-01-25 22:21 <KANSIO> d-------- C:\Program Files\MSBuild
2008-01-25 22:11 . 2008-01-25 23:00 <KANSIO> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-25 22:09 . 2008-01-25 22:09 <KANSIO> d-------- C:\Program Files\Reference Assemblies
2008-01-23 16:40 . 2008-01-23 16:49 442 --a------ C:\WINDOWS\CDPLAYER.UNI
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 16:53 5,685,760 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-17 16:53 141,824 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-17 07:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 16:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-16 12:23 63,488 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-16 12:23 5,673,984 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-15 20:49 98,816 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-15 09:27 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-15 09:27 5,664,256 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-13 13:28 5,654,528 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-13 13:28 173,056 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-11 14:40 90,624 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-11 14:40 5,631,488 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-09 17:03 5,629,952 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-09 17:03 131,072 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-09 14:19 --------- d-----w C:\Program Files\Creative
2008-02-01 17:23 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-28 10:37 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-15 12:45 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-01-11 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 14:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-07 18:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 18:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-07 16:48 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 12:31 --------- d-----w C:\Documents and Settings\Juho\Application Data\Nero
2008-01-03 11:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 11:47 185,824 ----a-w C:\WINDOWS\system32\05f16.sys
2007-12-29 10:17 --------- d-----w C:\Program Files\Ontrack
2007-12-18 14:58 --------- d-----w C:\Documents and Settings\Juho\Application Data\Notepad++
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 08:41 --------- d-----w C:\Documents and Settings\Juho\Application Data\Ashampoo
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-07-28 14:08 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\oodishi]
@={14A94384-BBED-47ed-86C0-6BF63FD892D0}
[HKEY_CLASSES_ROOT\CLSID\{14A94384-BBED-47ed-86C0-6BF63FD892D0}]
2007-08-15 14:49 111872 --a------ D:\Ohjelmatiedostot\OO Software\Diskimage\oodishi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="D:\Ohjelmatiedostot\Tclockex\tclockex\TCLOCKEX.EXE" [2000-03-09 01:15 89088]
"UIWatcher"="D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe" [2007-07-09 13:13 1741168]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="D:\OHJELM~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 14:42 176128]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"ZoneAlarm Client"="D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe" [2007-03-08 23:02 919280]
"DefragTaskBar"="D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 15:31 169312]
"InCD"="D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"!AVG Anti-Spyware"="D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 11:25 6731312 D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-03-02 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrvR"=2 (0x2)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 15:47]
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;C:\WINDOWS\system32\DRIVERS\oodisr.sys [2007-08-15 14:52]
R0 oodisrh;oodisrh;C:\WINDOWS\system32\DRIVERS\oodisrh.sys [2007-08-15 14:52]
R0 oodivd;O&O DiskImage Virtual Disk Driver;C:\WINDOWS\system32\DRIVERS\oodivd.sys [2007-08-15 14:52]
R0 oodivdh;oodivdh;C:\WINDOWS\system32\DRIVERS\oodivdh.sys [2007-08-15 14:52]
R0 OODrvled;OODrvled;C:\WINDOWS\system32\DRIVERS\OODrvled.sys [2004-09-22 13:57]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe [2007-06-16 08:30]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 07:22]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20:11]
R3 BENDER;Pinnacle DV/AV Capture;C:\WINDOWS\system32\drivers\bender.sys [2003-07-09 13:35]
R3 KMWDFilter;KMWDFilter;C:\WINDOWS\System32\Drivers\KMWDFilter.SYS [2007-06-13 10:09]
S3 05f16;05f16;C:\WINDOWS\system32\05f16.sys [2007-12-30 13:47]
S3 Amps2prt;Trust Ami PS/2 Port Mouse Driver (6);C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2001-10-19 14:57]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\41.tmp []
S3 SFC4;SFC4;C:\WINDOWS\system32\drivers\SFC4.sys [1998-09-16 09:07]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 19:22:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-17 19:23:13
ComboFix-quarantined-files.txt 2008-02-17 17:23:05
ComboFix2.txt 2008-01-21 12:25:39
.
2008-02-13 11:02:24 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
D:\Ohjelmatiedostot\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.exe
D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\oodag.exe
D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
D:\OHJELM~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe
D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
D:\Ohjelmatiedostot\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\HJT\Skanneri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.luukku.com/luukku
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Star Downloader Toolbar Helper - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\OHJELM~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O4 - HKLM\..\Run: [avast!] D:\OHJELM~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [InCD] D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TClockEx] D:\Ohjelmatiedostot\Tclockex\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [UIWatcher] D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - D:\Ohjelmatiedostot\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174492377000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172738028281
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
O23 - Service: AshampooDefragService - - D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7515 bytes
Download GMER http://www.gmer.net/gmer.zip and save it to your desktop:
• Unzip it to the desktop and double-click the file GMER.exe
• Click the Rootkit tab and then click Scan.
• Do not tick the "Show All" box during the scan!
• When the scan is finished, click Copy.
• This copies the log to the clipboard (you can save the log to a text file to be safe).
• Then paste the log into your thread.

===========

Download SDFix by AndyManchesta and save it to your desktop.

Start your computer in Safe Mode:
shut down, and during start-up keep tapping the F8 key
select Safe Mode with the arrow keys
press Enter, and Enter again
select your user account
press Yes
On some computers F5 is tapped instead of F8.

• Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
• Open the SDFix folder and double-click the file RunThis.bat to start the program.
• Press Y to start the script.
• The tool cleans the trojan's services and also makes some fixes to the registry. Finally it asks you to restart the computer, "Press any key to Reboot".
• Press any key and the computer restarts.
• Starting up takes longer than usual because SDFix is cleaning the computer.
• When the computer has started and the desktop has loaded, SDFix reports that the cleaning is complete, "Finished".
• Then press any key to close the script and load the desktop shortcuts.
• Finally open the SDFix folder (on the desktop) and copy & paste the contents of the file Report.txt into your thread together with a new HijackThis log.

============

Check your computer with F-Secure's online scanner. Note: the scanner only works in the Internet Explorer browser.
* Read the instructions on the page carefully
* Click Start scanning
* If you get an Internet Explorer security warning, click Install
* Click Accept
* Click Custom Scan
* Set the options as follows
  o Under "Virus Scan Option" choose Scan whole system
  o Under "Other Scan Option" choose Scan All Files
  o Select Scan whole system for rootkits
  o Select Scan whole system for spyware
  o Tick Scan inside archives
  o Make sure Use advanced heuristics is selected
* Click Start
* The scan starts once the necessary files/updates have been downloaded
* Wait patiently
* When the scan is complete, click Automatic cleaning
* Click Show Report
* The report opens in the browser; copy the whole text
* Paste the copied text into e.g. Notepad or Word and save it to the desktop
* You can close the scanner
* Post the report in your thread

Don't do anything else, as it may cause the computer to freeze.
Thanks Hujo. Sorry I only got round to replying now. I'll probably do the cleanups you mentioned tomorrow, and I'll come back afterwards with new logs, if that's OK.
Well, now these cleanups have been done too, but AVG Anti-Rootkit still "finds" some .sys file there (C:\WINDOWS\System32\Drivers\) that does not show up in Explorer. Here are the logs:

SDFix: Version 1.143
Run by Juho on 2008-02-19 at 11:25
Microsoft Windows XP [versio 5.1.2600]
Running From: C:\DOCUME~1\Juho\TYPYT~1\SDFix

Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Checking Files:
No Trojan Files Found

Removing Temp Files...

ADS Check:

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 11:35:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:50,1a,86,71,5c,48,ee,1c,16,c4,10,f6,d6,6d,14,93,03,67,34,7f,62,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:7d,7c,3f,16,5b,60,ec,69,d8,8e,c6,9b,2f,b3,57,65,04,9d,5a,a1,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:7d,7c,3f,16,5b,60,ec,69,d8,8e,c6,9b,2f,b3,57,65,04,9d,5a,a1,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:7d,7c,3f,16,5b,60,ec,69,d8,8e,c6,9b,2f,b3,57,65,04,9d,5a,a1,75,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:d9bb4918
"s2"=dword:39d00c63
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:76,cb,c9,7a,92,86,73,92,2b,7e,cc,3b,5d,6a,fd,ad,aa,2f,94,6b,99,..
"p0"="D:\Ohjelmatiedostot\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:76,cb,c9,7a,92,86,73,92,2b,7e,cc,3b,5d,6a,fd,ad,aa,2f,94,6b,99,..
"p0"="D:\Ohjelmatiedostot\Alcohol 120\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xfe\xbb\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]

scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 56

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:

Files with Hidden Attributes:

Sat 28 Jul 2007 12,208 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

Finished!
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-18 21:15:35
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT spab.sys ZwEnumerateKey [0xF84F5CA2]
SSDT spab.sys ZwEnumerateValueKey [0xF84F6030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82F6E1F8
AttachedDevice \FileSystem\Ntfs \Ntfs OODrvled.sys (O&O DriveLED Pro Filter Driver/O&O Software GmbH)
AttachedDevice \FileSystem\Ntfs \Ntfs oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \Fat 82CEB500
AttachedDevice \FileSystem\Fastfat \Fat OODrvled.sys (O&O DriveLED Pro Filter Driver/O&O Software GmbH)
AttachedDevice \FileSystem\Fastfat \Fat oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----

F-secure / Scanning Report
Tuesday, February 19, 2008 14:39:57 - 16:49:34
Computer name: KOTIKONE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\
Result: 4 malware found

Tracking Cookie (spyware)
System (Disinfected)
System

W32/Tibs.BHFK (virus)
D:\Ohjelmatiedostot\UltraISO\crk\UltraISO_Premium_Edition_8.6.5.2140.zip\run.exe
D:\Ohjelmatiedostot\UltraISO\crk\UltraISO_Premium_Edition_8.6.5.2140A.zip\run.exe

Statistics
Scanned:
Files: 161920
System: 3997
Not scanned: 64
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
x�

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2008-02-18
F-Secure AVP: 7.0.171, 2008-02-19
F-Secure Orion: 1.2.37, 2008-02-19
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2008-02-13
F-Secure Pegasus: 1.20.0, 2008-01-18
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
D:\Ohjelmatiedostot\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
C:\WINDOWS\system32\oodag.exe
D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
D:\OHJELM~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\Skanneri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.luukku.com/luukku
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Star Downloader Toolbar Helper - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\OHJELM~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O4 - HKLM\..\Run: [avast!] D:\OHJELM~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [InCD] D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TClockEx] D:\Ohjelmatiedostot\Tclockex\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [UIWatcher] D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - D:\Ohjelmatiedostot\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174492377000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172738028281
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
O23 - Service: AshampooDefragService - - D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7384 bytes

How do these look?
Thanks Hujo, let's carry on like this then, and I suppose that warning from AVG Anti-Rootkit will just have to be ignored. Regards, jssi