So, according to Avira AntiVirus there are over 200 worms/trojans and so on on the machine. I don't really trust the program's effectiveness, so here is the HijackThis log, in case some expert could check it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40:35, on 4.1.2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSI\SecureDoc\Logon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\SoftwareDistribution\Download\29ae998a5fafcba9b7f8be6fa56c3bff\update\update.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://haku.soneraplaza.fi/haku/queryie5.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows Spool Services (WinSpoolSvc) - Unknown owner - C:\WINDOWS\system32\csrsc.exe (file missing)

--
End of file - 6148 bytes
***********************
To be on the safe side, turn on the Windows Firewall from Control Panel => Security Center.
****************************************
1. Download combofix.exe to your desktop from any of the links below:
Link 1
Link 3
2. Double-click the combofix.exe file and follow the instructions.
3. When the tool has finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.

Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.

Post the HJT log and (C:\ComboFix.txt).
ComboFix log:
ComboFix 09-01-02.01 - Heikki Hynynen 2009-01-04 15:32:01.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.1023.767 [GMT 2:00] Running from: c:\temp\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\.exe c:\windows\system32\_000003_.tmp.dll c:\windows\system32\_000005_.tmp.dll c:\windows\system32\_000006_.tmp.dll c:\windows\system32\_000010_.tmp.dll c:\windows\system32\_000014_.tmp.dll c:\windows\system32\_000015_.tmp.dll c:\windows\system32\_000016_.tmp.dll c:\windows\system32\_000017_.tmp.dll c:\windows\system32\i c:\windows\system32\ntos.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MSWINDOWS -------\Legacy_WINSPOOLSVC -------\Service_MSWindows -------\Service_WinSpoolSvc ((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 ))))))))))))))))))))))))))))))) . 2009-01-04 15:32 . 2009-01-04 15:32 <KANSIO> d-------- c:\windows\LastGood 2009-01-04 15:31 . 2009-01-04 15:31 <KANSIO> d-------- c:\documents and settings\LocalService.NT-HALLINTA\K„ynnist„-valikko 2009-01-04 15:24 . 2009-01-04 15:24 2,888,012 -ra------ c:\temp\ComboFix.exe 2009-01-04 15:15 . 2004-09-15 01:12 221,184 --a------ c:\windows\system32\wmpns.dll 2009-01-04 14:45 . 2009-01-04 14:45 <KANSIO> d-------- c:\documents and settings\J„rjestelm„nvalvoja 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Verkkoymp„rist” 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Ty”p”yt„ 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Tulostinymp„rist” 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Suosikit 2009-01-04 14:45 . 
<KANSIO> c:\documents and settings\Järjestelmänvalvoja\Omat tiedostot 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Mallit 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\K„ynnist„-valikko 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Application Data\Sun 2009-01-04 14:45 . <KANSIO> c:\documents and settings\Järjestelmänvalvoja\Application Data\Microsoft 2009-01-03 22:00 . 2009-01-03 22:00 <KANSIO> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-03 22:00 . 2009-01-03 22:00 <KANSIO> d-------- c:\documents and settings\Heikki Hynynen\Application Data\Malwarebytes 2009-01-03 22:00 . 2009-01-03 22:00 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes 2009-01-03 22:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-03 22:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-03 20:43 . 2009-01-04 15:25 <KANSIO> d-------- c:\program files\WinClamAVShield 2009-01-03 20:42 . 2009-01-04 15:25 <KANSIO> d-------- c:\documents and settings\Heikki Hynynen\Application Data\Spyware Terminator 2009-01-03 20:42 . 2009-01-03 20:51 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator 2009-01-03 20:42 . 2009-01-03 20:42 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys 2009-01-03 20:40 . 2009-01-03 20:40 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic 2009-01-03 20:35 . 2009-01-03 20:35 <KANSIO> d-------- c:\program files\Avira 2009-01-03 20:35 . 2009-01-03 20:35 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira 2009-01-03 20:18 . 2009-01-03 22:03 <KANSIO> d-------- c:\program files\AvastAntivirus4 2009-01-03 17:18 . 2009-01-03 17:18 187,904 --a------ c:\windows\system32\kr-p.x 2009-01-03 17:18 . 
2009-01-03 17:18 187,904 -r-hs---- c:\windows\system\wuauclt.exe 2009-01-03 17:13 . 2005-03-02 20:08 2,181,632 --a------ c:\windows\system32\ntoskrnl.exe 2009-01-03 17:13 . 2005-03-02 20:08 2,059,136 --a------ c:\windows\system32\ntkrnlpa.exe 2009-01-03 17:13 . 2004-10-28 03:28 722,432 --a------ c:\windows\system32\lsasrv.dll 2009-01-03 17:13 . 2004-10-28 03:14 448,128 --a------ c:\windows\system32\drivers\mrxsmb.sys 2009-01-03 17:13 . 2004-10-28 03:13 174,592 --a------ c:\windows\system32\drivers\rdbss.sys 2009-01-03 17:07 . 2009-01-03 17:07 359 --a------ c:\windows\system32\MRT.INI 2009-01-03 16:59 . 2004-12-07 21:34 96,768 --a------ c:\windows\system32\srvsvc.dll 2009-01-03 16:49 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img 2009-01-03 16:49 . 2004-09-14 16:12 11,776 --------- c:\windows\system32\spnpinst.exe 2009-01-03 16:49 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig 2009-01-03 16:49 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat 2009-01-03 16:08 . 2004-09-15 01:11 1,082,368 --a------ c:\windows\system32\esent.dll 2009-01-03 16:08 . 2005-10-21 00:34 991,232 --a------ c:\windows\system32\SET227.tmp 2009-01-03 15:59 . 2005-06-28 09:21 22,752 --a------ c:\windows\system32\spupdsvc.exe 2009-01-03 15:58 . 2004-09-15 01:12 351,232 --a------ c:\windows\system32\winhttp.dll 2009-01-03 15:58 . 2004-09-15 01:11 18,944 --a------ c:\windows\system32\qmgrprxy.dll 2009-01-03 15:58 . 2004-09-15 01:11 8,192 --------- c:\windows\system32\bitsprx2.dll 2009-01-03 15:58 . 2004-09-15 01:11 7,168 --------- c:\windows\system32\bitsprx3.dll 2009-01-03 15:56 . 2009-01-03 15:56 <KANSIO> d---s---- c:\documents and settings\Heikki Hynynen\UserData 2009-01-03 14:32 . 2009-01-03 14:32 <KANSIO> d-------- c:\program files\uTorrent 2009-01-03 14:32 . 2009-01-04 00:34 <KANSIO> d-------- c:\documents and settings\Heikki Hynynen\Application Data\uTorrent 2009-01-03 14:08 . 
2009-01-03 14:09 <KANSIO> d-------- c:\documents and settings\Heikki Hynynen\Application Data\Winamp 2009-01-03 12:33 . 2009-01-03 12:33 <KANSIO> d-------- c:\documents and settings\Saara Hynynen\Application Data\MSN6 2009-01-03 12:17 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll 2009-01-03 12:17 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll 2009-01-03 12:17 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl 2009-01-03 12:17 . 2008-10-16 14:13 202,776 --a------ c:\windows\system32\wuweb.dll 2009-01-03 12:17 . 2004-08-03 14:03 186,648 --a------ c:\windows\system32\wuaueng1.dll 2009-01-03 12:17 . 2004-08-03 14:02 168,728 --a------ c:\windows\system32\wuauclt1.exe 2009-01-03 12:17 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll 2009-01-03 11:56 . 2007-09-15 04:19 356,352 --a------ c:\windows\system32\nvunrm.exe 2009-01-03 11:56 . 2007-10-12 10:14 194,048 -ra------ c:\windows\system32\fdco1ins.dll 2009-01-03 11:56 . 2007-10-12 10:14 194,048 -ra------ c:\windows\system32\fdco1.dll 2009-01-03 11:56 . 2007-10-12 10:15 54,144 -ra------ c:\windows\system32\drivers\NVENETFD.sys 2009-01-03 11:56 . 2007-09-06 12:10 4,805 --a------ c:\windows\system32\nvnrm.nvu 2009-01-03 11:56 . 2007-05-27 15:57 1,732 -ra------ c:\windows\system32\drivers\nvphy.bin 2009-01-03 11:55 . 2007-09-20 13:07 888,064 -ra------ c:\windows\system32\drivers\nvnrm.sys 2009-01-03 11:55 . 2007-09-15 04:19 37,376 -ra------ c:\windows\system32\nvconrm.dll 2009-01-03 11:55 . 2007-09-20 13:07 22,016 -ra------ c:\windows\system32\drivers\nvnetbus.sys 2009-01-03 11:55 . 2007-09-20 13:06 9,216 -ra------ c:\windows\system32\bdco1ins.dll 2009-01-03 11:55 . 2007-09-20 13:06 9,216 -ra------ c:\windows\system32\bdco1.dll 2009-01-03 11:52 . 2006-06-09 23:41 18,796,544 -ra------ c:\windows\system32\ALSNDMGR.CPL 2009-01-03 11:52 . 2006-06-09 23:56 10,527,744 -ra------ c:\windows\system32\RTLCPL.EXE 2009-01-03 11:52 . 
2006-06-16 05:24 3,972,672 -ra------ c:\windows\system32\drivers\ALCXWDM.SYS 2009-01-03 11:52 . 2006-05-31 01:24 577,536 -ra------ c:\windows\SOUNDMAN.EXE 2009-01-03 11:52 . 2005-11-18 05:20 217,088 -ra------ c:\windows\Alcrmv.exe 2009-01-03 11:52 . 2006-06-08 02:00 143,360 -ra------ c:\windows\system32\RTLCPAPI.dll 2009-01-03 11:52 . 2002-02-05 07:54 141,016 -ra------ c:\windows\system32\ALSNDMGR.WAV 2009-01-03 11:52 . 2004-08-04 08:07 60,288 --a------ c:\windows\system32\drivers\drmk.sys 2009-01-03 11:22 . 2009-01-04 00:07 69 --a------ c:\windows\NeroDigital.ini 2009-01-03 11:20 . 2009-01-03 11:20 <KANSIO> d-------- c:\program files\DIFX 2009-01-03 11:20 . 2006-07-01 23:37 39,424 --a------ c:\windows\system32\drivers\AmdK8.sys 2009-01-02 20:28 . 2001-10-05 15:59 12,160 --a------ c:\windows\system32\drivers\mouhid.sys 2009-01-02 20:28 . 2001-10-05 15:59 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys 2009-01-02 20:28 . 2001-08-17 22:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys 2009-01-02 20:28 . 2001-08-17 22:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys 2009-01-02 18:32 . 2009-01-02 18:32 <KANSIO> d-------- c:\documents and settings\Saara Hynynen\Zebra 2009-01-02 18:32 . 2006-11-26 10:41 144,411,427 --a------ c:\documents and settings\Saara Hynynen\LFS_S2_ALPHA_U.zip 2009-01-02 18:30 . 2009-01-02 18:30 <KANSIO> d-------- c:\documents and settings\Saara Hynynen\Application Data\HP 2009-01-02 18:29 . 2009-01-02 14:33 <KANSIO> d--h----- c:\documents and settings\Saara Hynynen\Verkkoymp„rist” 2009-01-02 18:29 . 2009-01-02 14:45 <KANSIO> d-------- c:\documents and settings\Saara Hynynen\Ty”p”yt„ 2009-01-02 18:29 . 2009-01-02 14:33 <KANSIO> d--h----- c:\documents and settings\Saara Hynynen\Tulostinymp„rist” 2009-01-02 18:29 . 2009-01-02 18:30 <KANSIO> dr------- c:\documents and settings\Saara Hynynen\Suosikit 2009-01-02 18:29 . 
2009-01-02 18:30 <KANSIO> dr------- c:\documents and settings\Saara Hynynen\Omat tiedostot 2009-01-02 18:29 . 2009-01-02 14:39 <KANSIO> d--h----- c:\documents and settings\Saara Hynynen\Mallit 2009-01-02 18:29 . 2009-01-02 14:33 <KANSIO> dr------- c:\documents and settings\Saara Hynynen\K„ynnist„-valikko 2009-01-02 18:29 . 2009-01-03 23:22 <KANSIO> d-------- c:\documents and settings\Saara Hynynen 2009-01-02 17:20 . 2009-01-02 17:20 98,304 --a------ c:\windows\system32\CmdLineExt.dll 2009-01-02 17:10 . 2009-01-02 17:10 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles 2009-01-02 16:59 . 2009-01-03 21:05 <KANSIO> d-------- c:\documents and settings\Heikki Hynynen\Application Data\Ahead 2009-01-02 16:59 . 2009-01-02 16:59 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\LightScribe 2009-01-02 16:56 . 2009-01-02 16:56 <KANSIO> d-------- c:\program files\Common Files\LightScribe 2009-01-02 16:54 . 2009-01-02 16:54 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Ahead 2009-01-02 16:52 . 2009-01-02 16:52 <KANSIO> d-------- c:\program files\Nero 2009-01-02 16:52 . 2009-01-02 16:52 <KANSIO> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Nero 2009-01-02 16:48 . 2009-01-02 16:48 <KANSIO> d--h-c--- c:\windows\$MSI30UninstallMSI30-KB884016$ 2009-01-02 16:46 . 2009-01-04 15:37 <KANSIO> d-------- c:\program files\lg_fwupdate 2009-01-02 16:46 . 1998-06-24 00:00 115,016 --a------ c:\windows\system32\MSINET.OCX 2009-01-02 16:46 . 1998-07-22 00:00 102,912 --a------ c:\windows\system32\Vb6stkit.dll 2009-01-02 16:46 . 1998-07-22 00:00 102,160 --a------ c:\windows\system32\VB6KO.DLL 2009-01-02 16:46 . 2001-08-29 21:00 59,904 --a------ c:\windows\system32\wbemdisp.tlb 2009-01-02 16:46 . 2006-02-17 14:19 16,384 --a------ c:\windows\system32\lgfwunis.exe 2009-01-02 16:46 . 2009-01-04 15:37 265 --a------ c:\windows\lgfwup.ini 2009-01-02 16:42 . 
2004-09-15 01:11 384,512 --a------ c:\windows\system32\mp4sdmod.dll 2009-01-02 16:42 . 2009-01-04 15:31 316,640 --a------ c:\windows\WMSysPr9.prx 2009-01-02 16:42 . 2004-09-15 01:11 310,272 --a------ c:\windows\system32\mp43dmod.dll 2009-01-02 16:42 . 2004-09-15 01:11 240,640 --a------ c:\windows\system32\mpg4dmod.dll 2009-01-02 16:41 . 2007-01-08 22:17 27,168 --------- c:\windows\system32\msxml3a.dll 2009-01-02 16:40 . 2009-01-02 16:43 <KANSIO> d-------- c:\program files\CyberLink 2009-01-02 16:34 . 2007-12-05 01:41 356,352 --a------ c:\windows\system32\nvuninst.exe 2009-01-02 16:34 . 2007-12-05 01:41 356,352 --a------ c:\windows\system32\nvudisp.exe 2009-01-02 16:34 . 2009-01-02 17:11 163,353 --a------ c:\windows\system32\nvapps.xml 2009-01-02 16:34 . 2007-12-05 01:41 17,737 --a------ c:\windows\system32\nvdisp.nvu 2009-01-02 16:31 . 2009-01-02 14:47 237 --a------ c:\windows\system32\$winnt$.inf 2009-01-02 16:23 . 2009-01-02 16:23 <KANSIO> d-------- c:\windows\Sivuhistoria 2009-01-02 16:23 . 2009-01-02 16:24 7,581 --a------ c:\windows\Active Setup Log.BAK . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-01-04 13:25 --------- d-----w c:\program files\Spyware Terminator 2009-01-03 20:18 --------- d-----w c:\program files\Steam 2009-01-03 09:30 --------- d-----w c:\program files\MSI 2009-01-02 14:54 --------- d-----w c:\program files\Common Files\Ahead 2009-01-02 14:46 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-02 12:43 --------- d-----w c:\program files\Java 2008-12-22 22:17 --------- d-----w c:\documents and settings\Heikki\Application Data\Azureus 2008-12-22 22:16 --------- d-----w c:\program files\RevConnect 2008-12-22 21:20 --------- d-----w c:\documents and settings\Heikki\Application Data\Lavasoft 2008-12-22 21:12 --------- d-----w c:\program files\mIRC 2008-12-22 06:48 --------- d-----w c:\documents and settings\Saara\Application Data\Spyware Terminator 2008-12-21 17:12 --------- d-----w c:\documents and settings\Heikki\Application Data\Spyware Terminator 2008-12-20 16:48 --------- d-----w c:\program files\QuickTime 2008-12-19 15:45 --------- d-----w c:\program files\Ahead 2008-12-19 15:44 --------- d-----w c:\program files\Qtracker 2008-12-19 14:36 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-12-15 14:02 --------- d-----w c:\documents and settings\Heikki\Application Data\Winamp 2008-12-15 13:40 --------- d-----w c:\program files\DivX 2008-12-15 10:59 --------- d-----w c:\documents and settings\Saara\Application Data\Azureus 2008-12-09 16:11 --------- d-----w c:\program files\Common Files\Adobe 2008-11-28 15:28 --------- d-----w c:\program files\DAEMON Tools Lite 2008-11-28 15:18 --------- d-----w c:\documents and settings\Heikki\Application Data\DAEMON Tools 2008-11-27 16:08 22,328 ----a-w c:\documents and settings\Heikki\Application Data\PnkBstrK.sys 2008-11-27 16:03 --------- d-----w c:\program files\Ubisoft 2008-11-14 15:33 --------- d-----w c:\documents and settings\Heikki\Application Data\AdobeUM 2008-11-13 18:41 --------- d-----w c:\program files\DeepBurner 2008-11-13 18:37 --------- 
d-----w c:\documents and settings\Heikki\Application Data\DeepBurner 2008-11-13 18:08 --------- d-----w c:\program files\MSXML 6.0 2008-06-16 12:58 94,208 ----a-w c:\documents and settings\Heikki\Application Data\ezplay.sys 2008-06-16 12:58 47,360 ----a-w c:\documents and settings\Heikki\Application Data\pcouffin.sys 2008-04-13 12:57 94,208 ----a-w c:\documents and settings\Saara\Application Data\ezplay.sys 2008-04-13 12:57 47,360 ----a-w c:\documents and settings\Saara\Application Data\pcouffin.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-15 15360] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 2295072] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2009-01-02 32881] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-12-05 8523776] "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-12-05 81920] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256] "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2007-02-26 249856] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480] "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064] "SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-05-09 1817600] "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe] 
"SoundMan"="SOUNDMAN.EXE" [2006-05-31 c:\windows\SOUNDMAN.EXE] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-15 15360] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-01-03 141312] R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-01-02 31872] S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "c:\program files\Common Files\LightScribe\LSRunOnce.exe" . Contents of the 'Scheduled Tasks' folder 2009-01-02 c:\windows\Tasks\WebReg Deskjet F300 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-06-07 16:45] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.soneraplaza.fi/ uInternet Settings,ProxyServer = proxy.dial.inet.fi:800 uInternet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;<local> . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-04 15:37:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ëcÓw*NULL*] "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT" . ------------------------ Other Running Processes ------------------------ . c:\program files\Nero\Nero 7\InCD\InCDsrv.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\program files\CyberLink\Shared Files\RichVideo.exe c:\program files\Spyware Terminator\sp_rsser.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\rundll32.exe c:\program files\HP\Digital Imaging\bin\hpqtra08.exe c:\program files\MSI\SecureDoc\Logon.exe c:\windows\system32\wscntfy.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\windows\system32\wpabaln.exe . ************************************************************************** . Completion time: 2009-01-04 15:45:31 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-04 13:40:02 Pre-Run: 30,876,262,400 tavua vapaana Post-Run: 33,150,976,000 tavua vapaana 271 --- E O F --- 2009-01-04 13:26:46

and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:49:03, on 4.1.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Spyware Terminator\sp_rsser.exe C:\WINDOWS\System32\svchost.exe C:\Program 
Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe C:\Program Files\Nero\Nero 7\InCD\InCD.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\MSI\SecureDoc\Logon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wpabaln.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;<local> R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: 
[RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - 
Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe -- End of file - 5483 bytes
Great that you updated Windows. Continue on to SP3.
-----------------------------------------------------
Go to the Windows Control Panel and open Add/Remove Programs (in Vista: Programs and Features).
Find and remove the program whose name contains: SpywareTerminator
------------------------------------------------------------------
Install ONE firewall program on your computer from one of these excellent security vendors NOW:
1) ZoneAlarm (During installation, untick "Include a ZoneAlarm Spy Blocker", because this toolbar is not recommended.)
2) Agnitum
3) Sunbelt/Kerio
4) Comodo (During installation, untick "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage". These are not recommended. Also untick "Install Comodo Antivirus" during installation if you use other antivirus software.)
If you use the built-in Windows firewall, that is not recommended, because it does not block outgoing connections from the computer. This means that any malware on your computer is free to do whatever it wants with your internet connection. Simply put, Windows XP includes a below-average firewall. This firewall is NOT a substitute for a dedicated firewall solution. Remember to use only one firewall at a time.
----------------------------------------------------------------
You have no antivirus on your computer. Your computer is open to viruses and other infections if there is no active protection.
Install ONE antivirus program on your computer NOW:
1) Antivir PersonalEdition Classic - Free antivirus for Windows. Free support.
2) avast! 4 Home Edition - Free antivirus for Windows home users.
3) AVG Anti-Virus Free Edition - Free antivirus for Windows home users.
It is strongly recommended that you use only one antivirus at a time. Keeping more than one antivirus program active in memory uses too many of the computer's resources and can lead to false alarms and conflicts between the programs. If you absolutely want to install more than one antivirus program on your computer, only one of them should be active in protecting it.
-------------------------------------------------------
Download JavaRa and extract it to your desktop.
***Close all open Internet Explorer windows before continuing!***
* Double-click JavaRa.exe to start the program.
* Choose English from the drop-down menu to select English as the language and click Select.
* Click Remove Older Versions to remove old Java versions from your computer.
* Click Yes when prompted. When JavaRa is finished, it reports that a log file has been created. Click OK.
* The log file opens. Post its contents in your next message.
After this, download and install Java SE Runtime Environment (JRE) 6 Update 10. jre-6u11-windows-i586-p.exe => 15.?? MB
---------------------------------------------------------------
Did you run Malwarebytes' Anti-Malware on Saturday? Did it find anything ???
------------------------------------------------------------------
Close the browser and other programs for the duration of the fix (not the antivirus).
Start HijackThis, run Scan, tick the following files listed in red and remove them (Fix checked).
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
Empty the Recycle Bin and restart your computer.
Post the following logs here:
* A fresh HijackThis log (taken last, just before posting)
I removed Spyware Terminator, and downloaded and installed ZoneAlarm and AVG Antivirus. I removed Avira Antivirus to make way for it, since it was not running all the time and did not start with Windows. I downloaded and installed JavaRa and Java SE Runtime Environment (JRE) 6 Update 11. As far as I remember, Malwarebytes' Anti-Malware found something, which I removed.
----------------------------------------------------------------------
I ran a HiJackThis scan and removed these entries:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
-------------------------------------------------------------------
Here is the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53:30, on 5.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSI\SecureDoc\Logon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- End of file - 6530 bytes
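One way to check a follow-up log like this against the earlier one, as an added example that is not part of the thread: the sketch below splits a HijackThis log into entries (also when it has been pasted as a single flattened line), confirms that the fixed entries are gone, and lists entries that are new or point at a missing file. The function names are illustrative, and the two sample logs are short excerpts constructed from entries quoted in this thread.

```python
import re

# Every HijackThis entry starts with a section code: R0-R3, F0-F3, N1-N4 or O1-O24.
ENTRY_START = re.compile(r"(?<!\S)(?=(?:[RFN]\d|O\d{1,2}) - )")

def parse_entries(log_text):
    """Split a log into entries, even when it was pasted as one flattened line."""
    body = log_text.split("-- End of file")[0]
    chunks = ENTRY_START.split(body)[1:]   # chunk 0 is the header and process list
    return [" ".join(c.split()) for c in chunks if c.strip()]

def compare_logs(before, after, fixed):
    """Report fixed entries that survived, entries that are new, and orphans."""
    key = lambda e: " ".join(e.split()).lower()   # Windows paths ignore case
    old = {key(e) for e in parse_entries(before)}
    new = parse_entries(after)
    new_keys = {key(e) for e in new}
    return {
        "still_present": [f for f in fixed if key(f) in new_keys],
        "added": [e for e in new if key(e) not in old],
        "orphaned": [e for e in new if e.endswith("(no file)")],
    }

# Constructed excerpts of the two logs in this thread (most entries omitted).
BEFORE = (
    r"Logfile of Trend Micro HijackThis v2.0.2 Running processes: C:\WINDOWS\Explorer.EXE "
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/ "
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install "
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit "
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE -- End of file - 5483 bytes"
)
AFTER = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
-- End of file - 6530 bytes"""
FIXED = [
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe",
]

if __name__ == "__main__":
    for name, entries in compare_logs(BEFORE, AFTER, FIXED).items():
        print(name, entries)
```

An entry in the "added" list is not suspicious by itself; here it also contains the ZoneAlarm autostart that was installed on purpose between the two scans.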
This looks good !!!
* The old HOSTS file gets removed. Boot the computer into Safe Mode => INSTRUCTIONS. Delete this file: C:\WINDOWS\system32\drivers\etc\HOSTS
* Boot your computer into normal mode.
* Download HOSTS: here, to your desktop.
* Extract hosts.zip into the C:\WINDOWS\system32\drivers\etc folder.
Finally, you can verify that the folder contains a file named HOSTS with no file extension. Size approx. 700 kB or approx. 1700 kB. The protection activates at the next startup (it does not use memory).
Updates to HOSTS: here
What HOSTS does: guide here
PS. After this, it is worth locking the HOSTS file in ZoneAlarm's settings.
-----------------------------------------------------
Install SpywareBlaster! SpywareBlaster prevents malware from installing itself on the computer.
Download: HERE
Guide: HERE
Any problems left ???
Thanks kalminen! I removed and downloaded new hosts files and installed SpywareBlaster. No more critters or problems have shown up on the machine. Thank you for the help!