Trojan and spy-/adware problem

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by starkjo, Jun 29, 2008.

  1. starkjo

    starkjo Member

    Joined:
    Jun 29, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hi,

    For a few days now F-Secure has been complaining about, among other things, AdWare.Win32.Virtumonde and Trojan.Win32.Monder. Here are the log files. First HJT:

    HJT:
    -------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:32:31, on 28.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {9DAF430D-90AE-4250-AFC0-AD16C3AE4ABC} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: (no name) - {ACED1C9F-2718-4512-9F69-F4E28C1F484F} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: {41019521-648d-aebb-e814-c09e66b7ee7b} - {b7ee7b66-e90c-418e-bbea-d84612591014} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {0F2F3121-75E2-4C60-9977-C1ADC3D5F3DC} - http://web01.ifi.fi/Webupload/ActiveX/IfiUploader.cab
    O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - http://84.248.71.232:1024/img/NetCamPlayerWeb11g.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157287667460
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://odencam.surbrunn.net/activex/AxisCamControl.cab
    O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} - file://C:\Documents and Settings\Administrator\Local Settings\Temp\OnlineScanner\is2007ols\fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL rtwwgkim.dll
    O20 - Winlogon Notify: bYOfdCvv - bYOfdCvv.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: Google Desktop-hanteraren 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

    --
    End of file - 11115 bytes
    ---------------------------

    Then ComboFix:
    ------------------------
    ComboFix 08-06-20.4 - Administrator 2008-06-29 12:46:09.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1386 [GMT 3:00]
    Running from: C:\Documents and Settings\Administrator\My Documents\Downloads\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM12aaba2a.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\cxxcmthv.ini
    C:\WINDOWS\system32\idbmqcfn.ini
    C:\WINDOWS\system32\jjTBaKkj.ini
    C:\WINDOWS\system32\jjTBaKkj.ini2
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\sxraodhl.ini
    E:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
    .

    2008-06-28 17:32 . 2008-06-28 17:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-28 17:24 . 2008-06-28 17:24 <DIR> d-------- C:\Program Files\CCleaner
    2008-06-28 17:13 . 2008-06-28 17:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-06-28 17:12 . 2008-06-29 10:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-28 17:12 . 2008-06-28 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-28 17:12 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-28 17:12 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-25 16:35 . 2008-06-25 16:35 <DIR> d-------- C:\Program Files\Lavasoft
    2008-06-25 16:35 . 2008-06-25 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-23 22:06 . 2008-06-23 22:17 <DIR> d-------- C:\Program Files\SimCity 4 Deluxe
    2008-06-20 15:00 . 2008-06-21 19:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
    2008-06-20 15:00 . 2008-06-20 15:00 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-20 14:27 . 2008-06-22 20:44 <DIR> d-------- C:\Program Files\Sid Meier's Railroads
    2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Program Files\Skype
    2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
    2008-06-19 14:19 . 2008-06-19 14:19 <DIR> d-------- C:\Program Files\CM2008 Editor
    2008-06-18 07:35 . 2008-06-18 08:54 <DIR> d-------- C:\Program Files\GameShadow
    2008-06-11 21:31 . 2008-06-20 14:23 <DIR> d-------- C:\Program Files\Eidos
    2008-06-11 20:56 . 2008-06-11 20:56 <DIR> d-------- C:\Program Files\Uniblue
    2008-06-11 08:58 . 2008-06-13 16:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 08:58 . 2008-06-13 16:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-10 21:03 . 2008-06-11 20:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
    2008-06-03 22:21 . 2008-06-03 22:21 <DIR> d-------- C:\Program Files\Mininova
    2008-06-03 22:21 . 2008-06-03 22:21 <DIR> d-------- C:\Program Files\Conduit
    2008-05-31 17:14 . 2008-05-31 17:14 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-05-31 16:08 . 2008-05-31 16:08 <DIR> d-------- C:\Program Files\eRightSoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-25 13:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-24 13:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
    2008-06-23 18:39 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-06-21 16:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
    2008-06-18 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-14 14:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\wsInspector
    2008-06-14 14:00 --------- d-----w C:\Program Files\InterVideo
    2008-06-14 13:59 --------- d-----w C:\Program Files\Sonic
    2008-06-14 13:56 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-13 04:55 --------- d-----w C:\Program Files\Common Files\Roxio Shared
    2008-06-13 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
    2008-06-11 18:03 --------- d-----w C:\Program Files\Windows Media Connect
    2008-06-03 19:33 --------- d-----w C:\Program Files\Google
    2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-23 19:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2006-09-08 13:43 56 --sha-w C:\WINDOWS\SMINST\hpboot.sys
    2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
    2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebCamRT.exe"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 11:46 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 12:11 925696]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 00:43 45056]
    "PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 21:56 122880]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 09:11 49152]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 19:46 761948]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 20:49 454656]
    "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 23:38 131072]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 18:03 40960]
    "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 02:51 1187840]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-05 18:13 155648]
    "DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-15 00:31 61440]
    "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2006-12-09 12:48 172081]
    "F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2006-12-09 12:48 724992]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-03 22:33 29744]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-15 16:16:02 581693]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOfdCvv]
    bYOfdCvv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL rtwwgkim.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "MIDI1"= diomidi.dll
    "wave1"= Digi32.dll
    "vidc.yv12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\mqsvc.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "C:\\Documents and Settings\\Administrator\\My Documents\\utorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2006-12-09 12:48]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure\HIPS\fshs.sys [2006-12-09 12:49]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2006-12-09 12:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 13:46]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 16:26]
    S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 15:27]
    S3 GoogleDesktopManager-051608-133132;Google Desktop-hanteraren 5.7.805.16405;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-03 22:33]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2006-12-09 12:48]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2006-12-09 12:48]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{520a4b32-3b42-11dc-abc1-0016d43010ba}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-29 04:31:26 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-Secure\ANTI-V~1\report.txt
    "2008-06-21 18:13:11 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-06-10 18:03:46 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-29 12:54:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xc??????(?@???????@

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\scardsvr.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\PROGRA~1\F-Secure\ANTI-V~1\fsav32.exe
    C:\PROGRA~1\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-29 13:01:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-29 10:01:47

    Pre-Run: 4,321,619,968 bytes free
    Post-Run: 4,406,878,208 bytes free

    204 --- E O F --- 2008-06-20 06:32:03

    ------------------------

    Then Malwarebytes:
    -----------------------------
    Malwarebytes' Anti-Malware 1.19
    Database version: 901
    Windows 5.1.2600 Service Pack 2

    12:12:51 29.6.2008
    mbam-log-6-29-2008 (12-12-51).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 172450
    Time elapsed: 1 hour(s), 31 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (Adware.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Conduit\Community Alerts\Alert.dll (Adware.Agent) -> Quarantined and deleted successfully.
     
  2. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    You had already done good preparatory work!!!

    Search for and delete this if it is found => rtwwgkim.dll

    ------------------------------------------------

    Open Notepad and copy/paste the contents of the Quote: box into it:

    Save it as CFScript (ComboFix actually recognizes it even if the file extension is not
    .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Do not click it.)

    [image: CFScript being dragged and dropped onto ComboFix.exe]

    Note! Do not click in ComboFix's window while it is running. This may cause the program to hang.
    Restart the computer if asked to, and post the contents of the combofix.txt file here.

    ---------------------------------------------------------

    Close the browser and other programs for the duration of the fix (not the antivirus).
    Start HijackThis, run Scan, tick the following entries listed in red and remove them (Fix checked).

    R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    O2 - BHO: (no name) - {9DAF430D-90AE-4250-AFC0-AD16C3AE4ABC} - (no file)
    O2 - BHO: (no name) - {ACED1C9F-2718-4512-9F69-F4E28C1F484F} - (no file)
    O2 - BHO: {41019521-648d-aebb-e814-c09e66b7ee7b} - {b7ee7b66-e90c-418e-bbea-d84612591014} - (no file)
    O3 - Toolbar: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: bYOfdCvv - bYOfdCvv.dll (file missing)

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, just before posting)
    * The (C:\ComboFix.txt) report
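
The helper above picks out two kinds of HijackThis entries by eye: orphaned references whose target reads "(no file)" or "(file missing)" (safe to fix in HJT because nothing is loaded), and an AppInit_DLLs value that lists a bare DLL name such as rtwwgkim.dll, which Windows loads into every process that links user32.dll by searching the DLL search path. The script below is an added example of encoding those two checks, not code from the thread, from HijackThis or from ComboFix; the sample lines are taken from the first log in this thread, and the "random-looking 8-letter name" flag is a heuristic assumption (Vundo/Virtumonde-era droppers commonly used such names) and is reported only as a weak extra signal. The helper's other removals (Java updater, Synaptics, QuickTime startup entries) are startup trimming, not something a rule should flag.

```python
"""Triage helper for HijackThis (HJT) logs (added example, not from the thread).

Rule 1: an entry ending in "(no file)" or containing "(file missing)" is an
        orphaned registry reference; it loads nothing and is safe to fix in HJT.
Rule 2: an O20 AppInit_DLLs value that lists a DLL with no directory part is
        resolved through the DLL search path and injected into every process
        that links user32.dll; an unfamiliar bare name there deserves a look.
"""
import re
from dataclasses import dataclass

# Constructed sample: HJT lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9DAF430D-90AE-4250-AFC0-AD16C3AE4ABC} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL rtwwgkim.dll
O20 - Winlogon Notify: bYOfdCvv - bYOfdCvv.dll (file missing)
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
"""

# "R3 - ..." / "O20 - ..." : section code, then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Heuristic (assumption): exactly eight letters before ".dll", the shape of
# names used by Vundo/Virtumonde-era droppers. Weak on its own.
RANDOM_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, body, raw line) for every well-formed HJT entry."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def appinit_bare_dlls(body):
    """Return the DLL tokens of an AppInit_DLLs value that carry no directory."""
    _, _, value = body.partition("AppInit_DLLs:")
    tokens = re.split(r"[\s,]+", value.strip())
    return [t for t in tokens if t.lower().endswith(".dll") and "\\" not in t]


def triage(text):
    """Apply rules 1 and 2 to an HJT log and return the flagged entries in order."""
    findings = []
    for section, body, raw in parse_hjt(text):
        if body.endswith("(no file)") or "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry (target file absent)", raw))
            continue
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in appinit_bare_dlls(body):
                reason = f"AppInit_DLLs loads bare name {dll} via the DLL search path"
                if RANDOM_DLL.match(dll):
                    reason += " (random-looking name)"
                findings.append(Finding(section, reason, raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample above the script flags the R3 hook and the nameless O2 BHO as orphaned, the Winlogon Notify entry as missing its DLL, and rtwwgkim.dll in AppInit_DLLs as a bare, random-looking name; the Java BHO, the SoundMAX Run entry and the F-Secure service pass untouched. A bare AppInit_DLLs name that turns out not to exist on disk (as the poster later reports) still merits removing the registry value, since the loader will keep searching for it at every process start.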
     
  3. starkjo

    starkjo Member

    Joined:
    Jun 29, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for helping, I really appreciate it!

    About your previous reply: I did everything according to the instructions. That rtwwgkim.dll was not found. HijackThis also did not find about half of the items you mentioned (as far as I remember, the following were not found:
    O2 - BHO: (no name) - {9DAF430D-90AE-4250-AFC0-AD16C3AE4ABC} - (no file)
    O2 - BHO: (no name) - {ACED1C9F-2718-4512-9F69-F4E28C1F484F} - (no file)
    O2 - BHO: {41019521-648d-aebb-e814-c09e66b7ee7b} - {b7ee7b66-e90c-418e-bbea-d84612591014} - (no file)
    O20 - Winlogon Notify: bYOfdCvv - bYOfdCvv.dll (file missing)

    But here are the log files.

    First HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:34:04, on 29.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\F-Secure\Common\FSLAUNCHER1.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {0F2F3121-75E2-4C60-9977-C1ADC3D5F3DC} - http://web01.ifi.fi/Webupload/ActiveX/IfiUploader.cab
    O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - http://84.248.71.232:1024/img/NetCamPlayerWeb11g.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157287667460
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://odencam.surbrunn.net/activex/AxisCamControl.cab
    O16 - DPF: {9522589E-57B9-46C5-9A77-1F1C1CCBE550} - file://C:\Documents and Settings\Administrator\Local Settings\Temp\OnlineScanner\is2007ols\fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL rtwwgkim.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: Google Desktop-hanteraren 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

    --
    End of file - 9937 bytes



    Then ComboFix:

    ComboFix 08-06-20.4 - Administrator 2008-06-29 20:27:00.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1522 [GMT 3:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
    .

    2008-06-28 17:32 . 2008-06-28 17:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-28 17:24 . 2008-06-28 17:24 <DIR> d-------- C:\Program Files\CCleaner
    2008-06-28 17:13 . 2008-06-28 17:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-06-28 17:12 . 2008-06-29 10:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-28 17:12 . 2008-06-28 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-28 17:12 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-28 17:12 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-25 16:35 . 2008-06-25 16:35 <DIR> d-------- C:\Program Files\Lavasoft
    2008-06-25 16:35 . 2008-06-25 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-23 22:06 . 2008-06-23 22:17 <DIR> d-------- C:\Program Files\SimCity 4 Deluxe
    2008-06-20 15:00 . 2008-06-21 19:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
    2008-06-20 15:00 . 2008-06-20 15:00 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-20 14:27 . 2008-06-22 20:44 <DIR> d-------- C:\Program Files\Sid Meier's Railroads
    2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Program Files\Skype
    2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-06-20 09:29 . 2008-06-20 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
    2008-06-19 14:19 . 2008-06-19 14:19 <DIR> d-------- C:\Program Files\CM2008 Editor
    2008-06-18 07:35 . 2008-06-18 08:54 <DIR> d-------- C:\Program Files\GameShadow
    2008-06-11 21:31 . 2008-06-20 14:23 <DIR> d-------- C:\Program Files\Eidos
    2008-06-11 20:56 . 2008-06-11 20:56 <DIR> d-------- C:\Program Files\Uniblue
    2008-06-11 08:58 . 2008-06-13 16:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 08:58 . 2008-06-13 16:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-10 21:03 . 2008-06-11 20:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
    2008-06-03 22:21 . 2008-06-03 22:21 <DIR> d-------- C:\Program Files\Mininova
    2008-06-03 22:21 . 2008-06-03 22:21 <DIR> d-------- C:\Program Files\Conduit
    2008-05-31 17:14 . 2008-05-31 17:14 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-05-31 16:08 . 2008-05-31 16:08 <DIR> d-------- C:\Program Files\eRightSoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-25 13:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-24 13:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
    2008-06-23 18:39 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-06-21 16:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
    2008-06-18 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-14 14:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\wsInspector
    2008-06-14 14:00 --------- d-----w C:\Program Files\InterVideo
    2008-06-14 13:59 --------- d-----w C:\Program Files\Sonic
    2008-06-14 13:56 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-13 04:55 --------- d-----w C:\Program Files\Common Files\Roxio Shared
    2008-06-13 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
    2008-06-11 18:03 --------- d-----w C:\Program Files\Windows Media Connect
    2008-06-03 19:33 --------- d-----w C:\Program Files\Google
    2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-23 19:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2006-09-08 13:43 56 --sha-w C:\WINDOWS\SMINST\hpboot.sys
    2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
    2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-29_13.01.32.29 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-29 09:53:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-29 16:44:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebCamRT.exe"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 11:46 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 12:11 925696]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 00:43 45056]
    "PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 21:56 122880]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 09:11 49152]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 19:46 761948]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 20:49 454656]
    "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 23:38 131072]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 18:03 40960]
    "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 02:51 1187840]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-05 18:13 155648]
    "DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-15 00:31 61440]
    "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2006-12-09 12:48 172081]
    "F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2006-12-09 12:48 724992]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-03 22:33 29744]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-15 16:16:02 581693]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL rtwwgkim.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "MIDI1"= diomidi.dll
    "wave1"= Digi32.dll
    "vidc.yv12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\mqsvc.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "C:\\Documents and Settings\\Administrator\\My Documents\\utorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2006-12-09 12:48]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure\HIPS\fshs.sys [2006-12-09 12:49]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2006-12-09 12:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 13:46]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 16:26]
    S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 15:27]
    S3 GoogleDesktopManager-051608-133132;Google Desktop-hanteraren 5.7.805.16405;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-03 22:33]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2006-12-09 12:48]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2006-12-09 12:48]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \Shell\AutoRun\command - J:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{520a4b32-3b42-11dc-abc1-0016d43010ba}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-29 04:31:26 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-Secure\ANTI-V~1\report.txt
    "2008-06-21 18:13:11 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-06-10 18:03:46 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-29 20:27:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???Xd??????(?@???????@

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-29 20:29:12
    ComboFix-quarantined-files.txt 2008-06-29 17:28:21
    ComboFix2.txt 2008-06-29 17:00:53
    ComboFix3.txt 2008-06-29 10:01:55

    Pre-Run: 4,361,977,856 bytes free
    Post-Run: 4,347,760,640 bytes free

    167 --- E O F --- 2008-06-20 06:32:03
     
  4. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    Other programs have already cleaned up some of the lines.

    Remove the Google Toolbar leftovers with HJT:
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    Otherwise the logs are OK.
    Just clean out the junk:

    ******************************************
    Type ComboFix.exe /u into the Run box of the Windows Start menu and press OK
    *************************************************************
    ******************************************
    Start Malwarebytes, open the Quarantine tab and empty the junk.
    **********************************************************
    :D
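An added example, not code from the thread or from HijackThis itself, showing how the orphan check in the reply above can be done mechanically: a small Python parser that reads the HJT entry lines, groups them by section code, flags entries HJT reports as "(no file)" and splits the O20 AppInit_DLLs value into its individual DLL names so each can be looked up separately. The sample lines are a subset of the log posted in this thread; the function names parse_hjt, orphaned_entries, appinit_dlls and count_by_code are my own.

```python
"""Triage helper for HijackThis 2.0 logs (added example; not HJT's own code).

It reads the "R0/O2/O3/..." entry lines, groups them by section code,
flags orphaned entries (a registered BHO or toolbar CLSID whose DLL is
gone: HJT prints "(no file)") and splits the O20 AppInit_DLLs value into
its individual DLL names so each one can be looked up on its own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a representative subset of the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL rtwwgkim.dll
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
"""

# HJT entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # section code, e.g. "O2"
    body: str             # everything after "O2 - "
    clsid: Optional[str]  # first CLSID on the line, if any
    orphan: bool          # True when HJT reports the file as "(no file)"


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per HJT entry line; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            orphan=body.endswith("(no file)"),
        ))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose backing file is missing: registry leftovers HJT can remove."""
    return [e for e in entries if e.orphan]


def appinit_dlls(entries: List[Entry]) -> List[str]:
    """DLL names loaded via AppInit_DLLs (O20).

    The registry value is a space- or comma-separated list; the 8.3 short
    paths HJT prints contain no spaces, so whitespace splitting is safe here.
    """
    dlls = []
    for e in entries:
        if e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1]          # keep the drive colon intact
            dlls.extend(value.replace(",", " ").split())
    return dlls


def count_by_code(entries: List[Entry]) -> Counter:
    """How many entries each HJT section contributed, for a quick overview."""
    return Counter(e.code for e in entries)


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("sections:", dict(count_by_code(entries)))
    for e in orphaned_entries(entries):
        print(f"orphan {e.code} {e.clsid}: {e.body}")
    print("AppInit_DLLs:", appinit_dlls(entries))
```

Run against the sample, the orphan list is exactly the two O2/O3 lines the reply tells the poster to fix with HJT. The AppInit_DLLs names are only listed individually so each can be checked against the vendor's own file list; the script makes no judgement about them.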
     
  5. starkjo

    starkjo Member

    Joined:
    Jun 29, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    All done. Thank you for your help, your patience and your time! A deep bow from here. I owe you one.
     
