One day AntiVir just started complaining that trojans had been found in the file wowfx.dll. So I quickly scanned with Malwarebytes' Anti-Malware and removed everything that was infected. Then I rebooted and Windows no longer started the way it should. After the WELCOME text, that DATA EXECUTION PREVENTION error appears and then just the desktop background. I went in via Safe Mode and was about to turn DEP off. But when I went to Control Panel/System, I get 'Windows cannot find C:\Windows\system32\rundll32.exe'. So there is no way to get the machine working right now. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:29, on 23.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
O4 - HKLM\..\Run: [Language_Shortcut] C:\WINDOWS\TEMP\IEXPLORE.EXE
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [RUNDLL32] C:\WINDOWS\TEMP\rundll32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to Core Temp.lnk = C:\Program Files\CoreTemp\Core Temp.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)

--
End of file - 7135 bytes

Whoever knows how, please help. Thanks!
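Added here as an illustration for this thread, not code from the original post or from HijackThis: a small Python triage script that applies, mechanically, the checks a log reviewer applies by eye to the O4 and O23 lines above (autostarts living in a temp directory, files named like core Windows binaries but sitting outside their normal folder, and a service with an unknown owner whose file is missing). The sample lines are constructed from the kinds of entries in the log above, and the expected-directory table is an assumption for a default XP install.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input, modelled on the entries in the log above:
# ordinary autostarts mixed with the TEMP-directory ones that stand out.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
O4 - HKLM\..\Run: [Language_Shortcut] C:\WINDOWS\TEMP\IEXPLORE.EXE
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [RUNDLL32] C:\WINDOWS\TEMP\rundll32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
"""

# Directories a persistent autostart has no business pointing into.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp\\")

# Core Windows binaries and the directory suffix they normally live in on a
# default XP install (assumption; adjust for a non-standard system root).
EXPECTED_DIR = {
    "smss.exe": "\\windows\\system32",
    "csrss.exe": "\\windows\\system32",
    "winlogon.exe": "\\windows\\system32",
    "services.exe": "\\windows\\system32",
    "lsass.exe": "\\windows\\system32",
    "svchost.exe": "\\windows\\system32",
    "rundll32.exe": "\\windows\\system32",
    "explorer.exe": "\\windows",
    "iexplore.exe": "\\program files\\internet explorer",
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
MISSING = "(file missing)"


@dataclass
class Finding:
    line: str     # the HJT line that was flagged
    reasons: str  # semicolon-separated reasons


def extract_path(command: str) -> str:
    """Pull the executable path out of an O4 command string.
    A quoted path runs to the closing quote; otherwise take the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_path(path: str) -> List[str]:
    """Reasons a single executable path looks suspicious (empty if none)."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("autostart lives in a temp directory")
    name, directory = ntpath.basename(low), ntpath.dirname(low)
    expected = EXPECTED_DIR.get(name)
    # A bare name (no directory) is resolved via PATH, so only judge full paths.
    if expected and directory and not directory.endswith(expected):
        reasons.append(f"{name} outside its normal location ({expected})")
    return reasons


def analyse_line(line: str) -> List[str]:
    """Apply the checks to one O4 or O23 line; other line types are ignored."""
    m = O4_RE.match(line)
    if m:
        return check_path(extract_path(m.group("cmd")))
    m = O23_RE.match(line)
    if not m:
        return []
    # Service descriptions can themselves contain " - ", so split from the
    # right: the last field is the path, the one before it the owner.
    parts = m.group("rest").rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    _desc, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].strip()
    reasons = check_path(path)
    if missing and owner == "Unknown owner":
        reasons.append("service with unknown owner points at a missing file")
    return reasons


def analyse_log(text: str) -> List[Finding]:
    """Run every line of a HijackThis log through analyse_line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = analyse_line(line) if line else []
        if reasons:
            findings.append(Finding(line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_HJT):
        print(f"{f.reasons}\n    {f.line}")
```

Run against the full log rather than the sample, it flags the same five entries a reviewer would single out first; everything it does not flag still needs a human look.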
Even though it sounds bad, the quickest and least painful way is to reinstall everything. If there's nothing important on the C: drive, do a full format of C: first with the XP installation CD. Or even format c: from a boot diskette. If there is something important, then with a Live Linux CD delete the c:\windows folder and everything in the root of c:\, and move the contents of Documents and Settings and Program Files into a 'vanhat-talteen' (old files kept) folder. If space is tight, just move the files under those. Then, once XP is installed and the antivirus is in order, scan that 'vanhat-talteen' folder and clean out the remaining nasties. Or scan the whole machine. You can wait for someone who can tell you how to clean the infection properly.

'Windows cannot find *****': Recovery Console, booting from the XP CD, and (here e: is the drive letter of the CD/DVD drive; change it to match your own machine)

expand e:\i386\rundll32.ex_ c:\windows\system32\rundll32.exe

That copies the missing or damaged file to where it is missing from. The i386 folder on the CD holds all of Windows' files with the last character replaced by _, so it's easy to work out what the name of the compressed file on the CD is.
Whoa... that HJT is quite a mess, how do you even fit that much stuff in there. Try this:
RUN > MSCONFIG, choose SELECTIVE STARTUP, untick everything
SERVICES tab: everything off
STARTUP tab: everything off
REBOOT
If it boots, remove all unnecessary programs, get for example the Comodo Internet Security package + BOClean and clean the machine thoroughly. Next clean the registry. CCleaner is a competent program for this. Scan and remove the errors (remember to make a backup), scan again and remove the errors, and so on until everything is fixed. Check the SYSTEM folder for suspicious files. Next you can set the needed services and programs to start again from msconfig. Reboot and post an HJT log here.
I did that, but nothing seemed to help. I also took a fresh rundll32.exe from the CD. After that I ended up running ComboFix on the machine. After that the machine at least started normally. Here is the ComboFix log and the HJT log:

ComboFix 09-03-25.04 - Aaro 2009-03-26 20:51:32.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1759 [GMT 2:00]
Sijainti: c:\documents and settings\Aaro\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\1.bat
F:\Autorun.inf
Saastunut kopio tiedostosta c:\windows\explorer.exe löytyi ja poistettiin
Puhdas kopio palautettiin paikasta - c:\qoobox\Quarantine\C\WINDOWS\explorer.exe.vir
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-02-26 to 2009-03-26 )))))))))))))))))
.
2009-03-26 20:51 . 2009-03-26 20:51 180,224 --a------ c:\windows\system32\javaws.dll
2009-03-26 20:12 . 2004-08-04 00:56 33,280 --a------ c:\windows\system32\rundll32.exe
2009-03-26 19:56 . 2009-03-26 19:56 180,224 --a------ c:\windows\system32\nvudisp.dll
2009-03-26 19:56 . 2009-03-26 19:56 131,072 --a------ c:\windows\system32\test52.exe
2009-03-22 21:30 . 2009-03-22 21:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-22 16:37 . 2009-03-22 16:37 180,224 --a------ c:\windows\system32\ntbackup.dll
2009-03-21 16:48 . 2009-03-26 19:56 1,136,132 --a--c--- c:\windows\system32\dllcache\explorer.exe
2009-03-12 23:15 . 2009-03-12 23:15 <DIR> d-------- c:\windows\Sun
2009-03-11 18:51 . 2009-03-11 18:51 <DIR> d-------- c:\program files\Java
2009-03-11 18:51 . 2009-03-11 18:51 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-11 18:51 . 2009-03-11 18:51 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-11 15:39 . 2006-07-17 23:47 659,456 --a------ c:\windows\system32\snapapi32.dll
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 14:37 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2009-03-18 22:44 --------- d-----w c:\program files\BitComet
2009-03-17 06:53 138,584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-16 22:58 --------- d-----w c:\documents and settings\Aaro\Application Data\NoNameScript
2009-03-16 20:14 --------- d---a-w c:\program files\mIRC
2009-03-15 18:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-11 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-20 17:23 --------- d-----w c:\program files\CasinoEuro
2009-02-17 10:22 --------- d-----w c:\program files\OpenAL
2009-02-17 10:22 --------- d-----w c:\documents and settings\All Users\Application Data\Eidos
2009-02-17 08:07 --------- d-----w c:\program files\mp3DirectCut
2009-02-14 16:34 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-14 16:34 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-02-14 16:33 --------- d-----w c:\program files\MSBuild
2009-02-14 16:30 --------- d-----w c:\program files\Reference Assemblies
2009-02-14 16:12 22,328 ----a-w c:\documents and settings\Aaro\Application Data\PnkBstrK.sys
2009-02-14 15:40 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-11 18:01 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-11 18:01 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-11 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Nokia
2009-02-11 17:59 --------- d-----w c:\program files\Nokia
2009-02-11 17:58 --------- d-----w c:\program files\Common Files\Nokia
2009-02-11 17:58 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-02-11 17:57 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-11 17:57 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 19:46 --------- d-----w c:\program files\Steam
2009-02-09 16:20 --------- d-----w c:\documents and settings\Aaro\Application Data\AdobeUM
2009-02-09 06:34 --------- d-----w c:\program files\Microsoft Works
2009-02-08 18:01 --------- d-----w c:\documents and settings\Aaro\Application Data\Apple Computer
2009-02-08 17:57 --------- d-----w c:\program files\QuickTime
2009-02-08 17:57 --------- d-----w c:\program files\Apple Software Update
2009-02-08 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-08 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-04 18:01 --------- d-----w c:\documents and settings\Aaro\Application Data\uTorrent
2009-02-04 07:25 --------- d-----w c:\program files\MSXML 4.0
2009-02-03 11:58 --------- d-----w c:\documents and settings\Aaro\Application Data\Locktime
2009-02-03 11:57 --------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-02-03 11:50 --------- d-----w c:\program files\Logitech
2009-02-03 11:50 --------- d-----w c:\documents and settings\All Users\Application Data\MediaLife
2009-02-03 11:49 --------- d-----w c:\documents and settings\Aaro\Application Data\MediaLife
2009-02-03 11:34 --------- d-----w c:\documents and settings\Aaro\Application Data\Logitech
2009-02-03 11:31 --------- d-----w c:\program files\Common Files\Logitech
2009-02-03 11:08 --------- d-----w c:\program files\CyberLink DVD Solution
2009-02-02 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-02 21:51 --------- d-----w c:\documents and settings\Aaro\Application Data\CyberLink
2009-02-02 15:44 --------- d-----w c:\program files\Common Files\LightScribe
2009-02-02 15:43 --------- d-----w c:\program files\CyberLink
2009-02-02 15:43 --------- d-----w c:\program files\Common Files\Ahead
2009-02-02 15:43 --------- d-----w c:\program files\Ahead
2009-02-02 15:30 --------- d-----w c:\documents and settings\Aaro\Application Data\Ventrilo
2009-01-27 20:49 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-27 20:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-27 20:45 --------- d-----w c:\program files\Bonjour
2009-01-27 20:40 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-01-27 19:29 --------- d-----w c:\program files\VentriloMIX
2009-01-27 18:17 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2009-01-27 17:32 --------- d-----w c:\program files\Ipswitch
2009-01-27 17:32 --------- d-----w c:\documents and settings\Aaro\Application Data\Ipswitch
2009-01-27 17:12 --------- d-----w c:\program files\Last.fm
2009-01-27 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-01-27 12:43 --------- d-----w c:\program files\Windows Live
2009-01-27 12:43 --------- d-----w c:\program files\Microsoft
2009-01-27 12:42 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-27 12:39 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-26 20:10 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-01-23 18:15 60,416 ----a-w c:\windows\ALCFDRTM.EXE
2004-10-01 13:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
------- Sigcheck -------
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2009-02-03 13:00 361600 cd00787894008369f56153b91fc28847 c:\windows\system32\dllcache\TCPIP.SYS
2009-03-22 16:37 361600 ebe577dbd6eea7792471cb1cb9598ec1 c:\windows\system32\drivers\TCPIP.SYS
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 148888]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Aaro\Start Menu\Programs\Startup\
Shortcut to Core Temp.lnk - c:\program files\CoreTemp\Core Temp.exe [2009-01-23 198144]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-01-23 3581680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-02-03 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-01-23 20:50 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Media\\Games\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Media\\Games\\Half Life 2\\hl2-steam -console.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Media\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Media\\Games\\Burnout Paradise\\BurnoutLauncher.exe"=
"c:\\Media\\Games\\Burnout Paradise\\BurnoutConfigTool.exe"=
"c:\\Media\\Games\\Burnout Paradise\\BurnoutParadise.exe"=
"c:\\Media\\Games\\Call of Duty 5 - World at War\\CoDWaW.exe"=
"c:\\Media\\Games\\Call of Duty 5 - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Media\\Games\\Q2\\aq2.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23277:TCP"= 23277:TCP:BitComet 23277 TCP
"23277:UDP"= 23277:UDP:BitComet 23277 UDP
"4719:TCP"= 4719:TCP:4719
"22059:TCP"= 22059:TCP:BitComet 22059 TCP
"22059:UDP"= 22059:UDP:BitComet 22059 UDP

R3 ALSysIO;ALSysIO;\??\c:\docume~1\Aaro\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Aaro\LOCALS~1\Temp\ALSysIO.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-02-11 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-02-11 8320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59590acf-e974-11dd-9fe3-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dadf8d2c-00d2-11de-b5cb-00508d97e863}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - POISTETUT JÄMÄRIVIT - - - -
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
.
------- Täydentävä tarkistus -------
.
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Aaro\Application Data\Mozilla\Firefox\Profiles\nidsrchw.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.fi
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 20:59:32
Windows 5.1.2600 Service Pack 3 NTFS
tarkistaa piilotettuja prosesseja ...
tarkistaa piilotettuja käynnistysarvoja ...
tarkistaa piilotettuja tiedostoja ...
tarkistus on valmis
piilotetut tiedostot: 0
**************************************************************************
.
--------------------- Prosesseihin ladatut DLLt ---------------------
- - - - - - - > 'winlogon.exe'(684)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Muut prosessit ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Valmistumisajankohta: 2009-03-26 21:02:04 - kone käynnistettiin uudelleen [Aaro]
ComboFix-quarantined-files.txt 2009-03-26 19:02:01
Ennen ajoa: 222 755 491 840 bytes free
Ajon jälkeen: 223,167,680,512 bytes free
233 --- E O F --- 2009-03-14 21:33:55
---------------------------------------------------------

and the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:06:15, on 26.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CoreTemp\Core Temp.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to Core Temp.lnk = C:\Program Files\CoreTemp\Core Temp.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/oc...PID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7615 bytes

How does it look?
Back up everything important, now that the machine is at least somewhat working. (Even if the files might be infected.) Save games etc. put aside, so after the reinstall you can continue where you left off. Such an absurdly long post; since I'm not familiar with those, I have no interest in starting to google and figure out whether something is possibly malware or belongs to program X, which you may have. Wipe the machine and reinstall everything. The malware will definitely go. And at the same time Windows will be in a whole different condition. It gets crippled by itself over time. And if you've installed and uninstalled things, those leftovers go too. As do the remnants of old drivers, if you've updated them or swapped hardware. Someone may be able to tell you the answer, if you really insist on patching that back into working order.