
TaskManager.Hijack won't go away. HJT log

Discussion in 'Viruses and malware - HijackThis logs' (Virukset ja haittaohjelmat - HijackThis -logit) started by Jead, Dec 3, 2008.

  1. Jead

    Jead Member

    I haven't even plugged the stick in yet, but after ComboFix, SYSMON.EXE still shows up in the HJT log. And I always format this stick from this computer before moving it to the infected computer.

    ComboFix 08-12-05.06 - Jarezed 2008-12-07 11:04:41.14 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.445 [GMT 2:00]
    Running from: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
    Command switches used :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\system32\drivers\SYSMON.EXE
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
    .

    2008-12-06 17:26 . 2008-12-07 11:11 694,304 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-06 17:26 . 2008-12-07 10:45 9,392 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2008-12-06 17:16 . 2008-12-07 10:49 353,247 --a------ c:\windows\system32\vsconfig.xml
    2008-12-06 17:14 . 2008-12-07 10:50 <KANSIO> d-------- c:\windows\Internet Logs
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
    2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
    2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
    2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
    2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
    2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-03 01:13 . 2008-12-07 10:11 <KANSIO> d--h----- C:\$AVG8.VAULT$
    2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
    2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
    2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
    2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
    2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
    2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
    2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-07 07:30 42,496 ----a-w c:\windows\system32\ftp.exe
    2008-12-06 21:32 1,225,227 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
    2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
    2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
    2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
    2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
    2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-07 08:47:47 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-07 08:47:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_100.dat
    .
    ((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
    "EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
    "SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
    "ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [BU]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

    c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
    Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
    R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
    FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
    FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-07 11:10:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3044)
    c:\windows\System32\tabhook.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2008-12-07 11:13:40
    ComboFix-quarantined-files.txt 2008-12-07 09:13:29
    ComboFix2.txt 2008-12-07 08:44:51
    ComboFix3.txt 2008-12-06 21:29:14
    ComboFix4.txt 2008-12-06 21:03:49
    ComboFix5.txt 2008-12-07 09:03:24

    Pre-Run: 1,317,306,368 bytes free
    Post-Run: 1,294,393,344 bytes free

    188

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:55, on 7.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    E:\Program Files\adaware\aawservice.exe
    E:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\Logi_MwX.Exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    E:\Program Files\javaa\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    E:\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5972 bytes
     
  2. Hujo

    Hujo Guest

    Follow that path and check whether this is found there:

    C:\WINDOWS\system32\drivers\SYSMON.EXE

    Start > Run, type msconfig > OK
    Startup tab

    Remove the tick in front of the following:

    SYSMON

    Apply and OK
    Restart the computer, tick the little box and only then press OK
     
    Last edited by a moderator: Dec 7, 2008
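The following Python script is an added example, not code from the thread, from HijackThis or from ComboFix. It does, over a few constructed lines in the shape of the two logs above, the triage that Hujo's advice depends on: it reduces each Run value to its executable, then flags targets that do not exist on disk (the orphaned SYSMON.EXE value), executables autostarted from the drivers directory (which should hold .sys drivers, not .exe loaders), unqualified file names that Windows resolves through the search path at logon, and the Security Center overrides and disabled firewall that the first ComboFix log shows. The sample log lines and the set of files standing in for the disk are constructed for this example; on the real machine the same check is `os.path.exists`, which the script falls back to when no file set is given.

```python
"""Triage of HijackThis / ComboFix autostart entries (added example, not from the thread)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the HijackThis O4 section and the
# ComboFix REGEDIT4 section posted in the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed stand-in for the disk: lower-case paths that "exist". It is fixed
# here so the example runs offline; triage() uses os.path.exists when it is None.
FILES_ON_DISK = {
    r"e:\program files\zone labs\zonealarm\zlclient.exe",
    r"c:\windows\system32\ctfmon.exe",
}

_HJT_O4 = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_CF_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[(?P<info>[^\]]*)\])?$')
_CF_SETTING = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]+)|(?P<dec>\d+))')


@dataclass
class RunEntry:
    source: str   # "HJT" or "ComboFix"
    hive: str     # registry hive or full key the value lives under
    name: str     # value name, e.g. "SYSMON.EXE"
    path: str     # executable path, lower-cased, quotes and arguments stripped


def _target_of(cmd: str) -> str:
    """Reduce a Run value's command line to its executable path, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path; arguments follow the closing quote
        target = cmd[1:].split('"', 1)[0]
    else:                                        # unquoted: cut at the first .exe token
        m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
        target = m.group(1) if m else (cmd.split() or [""])[0]
    return target.lower()


def parse_hjt_o4(text: str) -> list[RunEntry]:
    """Collect the O4 Run entries from a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = _HJT_O4.match(line.strip())
        if m:
            out.append(RunEntry("HJT", m["hive"], m["name"], _target_of(m["cmd"])))
    return out


def parse_combofix(text: str) -> tuple[list[RunEntry], dict[str, int]]:
    """Return (Run entries, Security Center / firewall settings) from ComboFix's REGEDIT4 section."""
    entries, settings, key = [], {}, ""
    for line in text.splitlines():
        line = line.strip()
        k = _CF_KEY.match(line)
        if k:
            key = k["key"].lower()
            continue
        if key.endswith("\\run"):
            v = _CF_VALUE.match(line)
            if v:
                entries.append(RunEntry("ComboFix", key, v["name"], _target_of(v["cmd"])))
        elif "security center" in key or "firewallpolicy" in key:
            s = _CF_SETTING.match(line)
            if s:
                settings[s["name"]] = int(s["hex"], 16) if s["hex"] else int(s["dec"])
    return entries, settings


def triage(entries: list[RunEntry], settings: dict[str, int],
           files_on_disk: set[str] | None = None) -> list[tuple[str, str]]:
    """Return (entry name, reason) findings; the same finding from both logs is reported once."""
    findings: list[tuple[str, str]] = []

    def note(name: str, reason: str) -> None:
        if (name, reason) not in findings:
            findings.append((name, reason))

    def exists(path: str) -> bool:
        return path in files_on_disk if files_on_disk is not None else os.path.exists(path)

    for e in entries:
        if "\\" not in e.path:
            note(e.name, "unqualified file name, resolved through the search path at logon")
            continue
        if "\\drivers\\" in e.path and e.path.endswith(".exe"):
            note(e.name, "executable autostarted from the drivers directory")
        if not exists(e.path):
            note(e.name, "target does not exist on disk (orphaned autostart value)")

    for name in ("AntiVirusOverride", "FirewallOverride",
                 "AntiVirusDisableNotify", "UpdatesDisableNotify"):
        if settings.get(name) == 1:
            note(name, "Security Center warning suppressed")
    if settings.get("EnableFirewall") == 0:
        note("EnableFirewall", "Windows Firewall disabled in the standard profile")
    return findings


if __name__ == "__main__":
    hjt_entries = parse_hjt_o4(SAMPLE_HJT)
    cf_entries, cf_settings = parse_combofix(SAMPLE_COMBOFIX)
    for name, reason in triage(hjt_entries + cf_entries, cf_settings, FILES_ON_DISK):
        print(f"{name}: {reason}")
```

Two points on how this relates to the thread. ComboFix prints a date and size pair after every Run value whose file it could read (compare `[2004-09-14 15360]` on the CTFMON line); the SYSMON.EXE line has none, which matches Jead's report that the file is no longer in the folder, so what remains is a dead loader value, not a running program. And unticking an item in msconfig's Startup tab does not delete that value: Windows XP moves it to HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, where it can be re-enabled, so deleting the value from the Run key (or fixing the O4 line in HijackThis) is the cleaner end state. The `mountpoints2` entry in the first ComboFix log (`\Shell\AutoRun\command - H:\LaunchU3.exe -a`) records that a removable drive carrying an autorun launcher has been attached; U3 sticks ship such a launcher, but it is the same AutoRun mechanism a USB-borne infection rides on, which is why the stick Jead moves between machines deserves the same check.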
  3. Jead

    Jead Member

    SYSMON.EXE wasn't found in the folder when I looked manually, but I got it removed from msconfig. It no longer started. Can I now be sure it won't come back? AVG does find something pointing to trojans every now and then and alerts about them, but it still refuses to do anything about it.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:35:12, on 7.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    E:\Program Files\adaware\aawservice.exe
    E:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\Logi_MwX.Exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    E:\Program Files\javaa\bin\jusched.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    E:\Program Files\javaa\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    E:\hijack\HijackThis.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6184 bytes
     
  4. Hujo

    Hujo Guest

    Now scan a new ComboFix log.
     
  5. Jead

    Jead Member

    ComboFix 08-12-05.06 - Jarezed 2008-12-07 21:32:55.15 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.418 [GMT 2:00]
    Running from: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
    .

    2008-12-07 21:30 . 2008-12-07 21:31 <KANSIO> d-------- C:\32788R22FWJFW
    2008-12-06 17:26 . 2008-12-07 21:40 1,460,256 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-06 17:26 . 2008-12-07 19:31 18,152 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2008-12-06 17:16 . 2008-12-07 19:34 353,247 --a------ c:\windows\system32\vsconfig.xml
    2008-12-06 17:14 . 2008-12-07 19:35 <KANSIO> d-------- c:\windows\Internet Logs
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
    2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
    2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
    2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
    2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
    2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-03 01:13 . 2008-12-07 12:22 <KANSIO> d--h----- C:\$AVG8.VAULT$
    2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
    2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
    2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
    2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
    2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
    2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
    2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-07 17:32 1,825,679 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-07 07:30 42,496 ----a-w c:\windows\system32\ftp.exe
    2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
    2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
    2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
    2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
    2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
    2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-07 17:33:21 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-07 17:33:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_110.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
    "EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
    "SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
    "ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

    c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
    Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
    R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-SYSMON - c:\windows\system32\drivers\SYSMON.EXE


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
    FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
    FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-07 21:39:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2608)
    c:\windows\System32\tabhook.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2008-12-07 21:43:00
    ComboFix-quarantined-files.txt 2008-12-07 19:42:48
    ComboFix2.txt 2008-12-07 09:13:45
    ComboFix3.txt 2008-12-07 08:44:51
    ComboFix4.txt 2008-12-06 21:29:14
    ComboFix5.txt 2008-12-07 19:32:00

    Pre-Run: 1 344 831 488 tavua vapaana
    Post-Run: 1,318,252,544 tavua vapaana

    186
     
  6. Hujo

    Hujo Guest

    Is the machine running better now? It looks like it removed what we were hunting.
     
  7. Jead

    Jead Member

    Joined:
    Dec 3, 2008
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    11
    It works now, and at least so far it hasn't come back. A HUUUUGE greeting and thank you for helping me get this fixed!! You saved me from a hellish reformatting process. RLY thanks!