
Pointless pop-ups

Discussion in 'Viruses and malware - HijackThis logs' started by Ileh, Feb 4, 2008.

  1. Hujo

    Hujo Guest

    Run that NoLop.

    What are the pop-ups that keep popping up there?
    Last edited by a moderator: Feb 8, 2008
  2. Ileh

    Ileh Member

    Feb 3, 2008
    NoLop didn't find anything... what kind of bug do I actually have on this machine... =D
  3. Hujo

    Hujo Guest

    Download Silent Runners: http://www.silentrunners.org/Silent Runners.vbs

    • Save the program to your desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • A text file will appear on your desktop - the scan is not finished yet, let the program do its work
    (it looks as if the program is doing nothing!)
    • When you get the message "All Done!", double-click the new text file on your desktop, then copy and paste the whole log here.
    *NOTE* If you are warned about running scripts, allow it to run.


    I'll ask once more:
    What are the pop-ups that keep popping up there?
    Last edited by a moderator: Feb 8, 2008
  4. Ileh

    Ileh Member

    Feb 3, 2008
    I've already answered that question at least once in this thread...

    Pop-ups only appear when I'm surfing with IE or FF. The pop-up always opens in IE, and about 50% of them are some kind of ads; the other half are url.adtrgt.com/(random stuff follows here, but my IP address and the page I'm surfing at that moment can be picked out of it, so some kind of spyware thing?)

    "Silent Runners.vbs", revision 55, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "msnmsgr" = ""C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "HP Software Update" = "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
    "hpWirelessAssistant" = "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
    "SynTPStart" = "C:\Program Files\Synaptics\SynTP\SynTPStart.exe" ["Synaptics, Inc."]
    "QlbCtrl" = "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start"
    "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "High Definition Audio Property Page Shortcut" = "CHDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"]
    "WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]
    "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
    "NotebookHardwareControl" = ""C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet" [null data]
    "ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
    >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
    >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Liven kirjautumisapuohjelma"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL -laajennus"
    -> {HKLM...CLSID} = "Display Panning CPL -laajennus"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-kuvakkeen tunniste"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "Omat jaettavat kansiot"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
    -> {HKLM...CLSID} = "ZLAVShExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
    -> {HKLM...CLSID} = "ZLAVShExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
    -> {HKLM...CLSID} = "ZLAVShExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

    Group Policies {GPedit.msc branch and setting}:

    Note: detected settings may not have any effect.


    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}


    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    Active Desktop and Wallpaper:

    Active Desktop may be disabled at this entry:

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Maisema.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Maisema.bmp"

    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

    Running Services (Display Name, Service Name, Path {Service DLL}):

    .NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
    Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
    avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
    avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
    avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
    hpqwmiex, hpqwmiex, ""C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe"" ["Hewlett-Packard Development Company, L.P."]
    Messengerin jaettavien kansioiden USN Journal -lokin lukupalvelu, usnjsvc, ""C:\Program Files\Windows Live\Messenger\usnsvc.exe"" [MS]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

    ---------- (launch time: 2008-02-09 10:56:45)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 58 seconds, including 7 seconds for message boxes)
    Last edited: Feb 9, 2008
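Added example, not part of the thread and not code from Silent Runners: a small Python triage pass over Silent Runners output of the kind posted above. It walks the launch-point sections, keeps track of the registry key each entry sits under, and reports entries Silent Runners marked `<<!>>`, entries whose file is missing or has no version data, entries with no bracketed file tag at all, and anything launched from a user-writable directory. The embedded excerpt copies lines from the log above plus one invented `Updater` entry (marked as constructed in the code) to exercise the location rule; the marker meanings are taken from the log's own legend, and the `USER_WRITABLE` list is this example's own choice.

```python
"""Triage of Silent Runners output: flag launch points that need a manual look.

Added example for this thread, not part of Silent Runners. Marker meanings
come from the log's own legend: <<!>> = suspicious data at a launch point,
[file not found] = referenced file missing, [null data] = no version info.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in Silent Runners' format. All lines but the "Updater"
# Run entry are copied from the log posted above; "Updater" is invented here
# to show an entry launched from a user-writable temp directory.
SAMPLE_LOG = r'''
Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"msnmsgr" = ""C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpWirelessAssistant" = "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"Updater" = "C:\Documents and Settings\Ileh\Local Settings\Temp\upd.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL -laajennus"
-> {HKLM...CLSID} = "Display Panning CPL -laajennus"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
'''

KEY_RE = re.compile(r'^(HK(?:LM|CU|CR|U)\\.*?)\s*(?:\{\+\+\})?\s*$')
VALUE_RE = re.compile(r'^(?P<bang><<!>>\s+)?"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
INPROC_RE = re.compile(r'^\\InProcServer32\\\(Default\)\s*=\s*(?P<rest>.*)$')
TAG_RE = re.compile(r'\s*\[([^\]]*)\]\s*$')
# Directories an unprivileged user can write to on XP/Vista (example's own
# list); a launch point pointing there deserves a look whatever the file says.
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\', '\\users\\', '\\application data\\')


@dataclass
class Finding:
    key: str     # registry key the entry lives under
    name: str    # value name, or the CLSID title for InProcServer32 lines
    value: str   # command line / file path as logged
    reason: str


def classify(bang, tag, value):
    """Return the reasons (possibly none) an entry needs manual review."""
    reasons = []
    if bang:
        reasons.append('flagged <<!>> by Silent Runners')
    if tag == 'file not found':
        reasons.append('launch point references a missing file')
    elif tag == 'null data':
        reasons.append('file has no version/company info; verify the publisher by hand')
    elif tag is None:
        reasons.append('no file tag; Silent Runners reported no publisher for it')
    if any(marker in value.lower() for marker in USER_WRITABLE):
        reasons.append('runs from a user-writable location')
    return reasons


def triage(log_text):
    """Walk a Silent Runners log and return one Finding per (entry, reason)."""
    findings, key, clsid_title = [], '', ''
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # section header: remember the key
            key = m.group(1)
            continue
        m = INPROC_RE.match(line)
        if m:                       # DLL of the CLSID titled on the lines above
            name, rest, bang = clsid_title or '(CLSID)', m.group('rest'), False
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, rest, bang = m.group('name'), m.group('rest'), bool(m.group('bang'))
            if name.startswith('{'):   # "{CLSID}" = "title": not a file, keep the title
                clsid_title = rest.strip().strip('"') or name
                continue
        tag_m = TAG_RE.search(rest)
        tag = tag_m.group(1) if tag_m else None
        value = (rest[:tag_m.start()] if tag_m else rest).strip().strip('"')
        for reason in classify(bang, tag, value):
            findings.append(Finding(key, name, value, reason))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.key}\n  "{f.name}" -> {f.value}\n  {f.reason}')
```

Run against the full log above, this surfaces the untagged HP entries, the `[null data]` entries, the missing `deskpan.dll` and the `lsdelete` BootExecute line that Silent Runners itself marked; it narrows the list to what needs a manual look and deliberately does not judge any of it.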
  5. Sakuuu

    Sakuuu Member

    May 26, 2007
    I had the same core.cache.dsk.
    I reinstalled Windows over the old one so that the programs stayed, and that got rid of it; I did first try to find all sorts of instructions on Google, but they didn't work...

    I tried this at least, but I didn't have a CORE folder:

    How to Remove Core.sys

    Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.

    1) Boot into Safe Mode
    2) Click on Start, Search, and choose All Files and Folders
    3) In the all or part of file name box, type the following


    4) In the Look In box, choose local hard drives and click Search
    5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
    6) Repeat steps 2-5 for the file core.cache.dsk
    7) Close the Search box
    8) Click on Start, Run and type REGEDIT and press Enter
    9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
    10) Click the plus next to SYSTEM
    11) Click the plus next to CurrentControlSet
    12) Click the plus next to Services
    13) Find the folder called CORE and right-click on it and choose Delete

    *** WARNING *** If the folder CORE does not exist, don't do anything

    14) Close the Registry Editor by clicking on the X in the right-hand corner of the window

    15) Reboot your computer in Normal mode
    16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.


    17) Scan your computer and delete any other files flagged as problems.

    Your computer should now be free of these vicious popups.
    Last edited: Feb 9, 2008
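The procedure above, as an added read-only check written for this page (not the poster's code and not from any removal tool): it looks for the two indicator files in the drivers directory and for the CORE service key, then turns what it finds into the corresponding steps without deleting anything itself, so the post's warning about a missing CORE key becomes a decision rather than a risk. The registry probe is injectable (`open_key`) so the logic can be exercised off a Windows box; with nothing injected it uses `winreg` on Windows and reports the registry as unprobed elsewhere. The `assess` / `open_key` names and the default drivers path are this example's own assumptions.

```python
"""Read-only check for the core.sys / core.cache.dsk indicators from the post above.

Added example for this page, not the poster's or any tool's code. It only
reports: the post's own warning (leave the registry alone if there is no
CORE key) is encoded as a decision, never as a delete.
"""
import os
import sys

FILE_INDICATORS = ('core.sys', 'core.cache.dsk')
SERVICE_INDICATOR = 'CORE'
SERVICES_KEY = 'SYSTEM\\CurrentControlSet\\Services\\'
# Assumed default; the post names c:\windows\system32\drivers on XP.
DEFAULT_DRIVERS_DIR = os.path.join(os.environ.get('SystemRoot', r'C:\Windows'), 'system32', 'drivers')


def find_indicator_files(drivers_dir):
    """Indicator files present in drivers_dir, matched case-insensitively
    (NTFS is, and a CORE.SYS must not slip past a lowercase comparison)."""
    try:
        present = {n.lower(): n for n in os.listdir(drivers_dir)}
    except OSError:          # directory missing or unreadable: nothing to report
        return []
    return [os.path.join(drivers_dir, present[n]) for n in FILE_INDICATORS if n in present]


def winreg_open_key(path):
    """Default registry probe: True if HKLM\\<path> exists. Windows only."""
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
        return True
    except OSError:
        return False


def service_key_exists(name, open_key=None):
    """True/False if the service key could be probed, None if it could not.
    open_key(path) -> bool is injectable so the logic runs off-Windows too."""
    if open_key is None:
        if sys.platform != 'win32':
            return None
        open_key = winreg_open_key
    return open_key(SERVICES_KEY + name)


def assess(drivers_dir=DEFAULT_DRIVERS_DIR, open_key=None):
    """Map what is present on disk and in the registry to the post's steps."""
    files = find_indicator_files(drivers_dir)
    svc = service_key_exists(SERVICE_INDICATOR, open_key)
    steps = [f'boot to Safe Mode and delete {f}' for f in files]
    if svc is True:
        steps.append(f'in regedit delete HKLM\\{SERVICES_KEY}{SERVICE_INDICATOR}')
    elif svc is None:
        steps.append('registry not probed (not on Windows)')
    else:
        steps.append('no CORE service key: leave the registry alone')
    if not files and svc is not True:
        steps.append('no indicators found: run a full scanner before concluding anything')
    return {'files': files, 'service_key': svc, 'steps': steps}


if __name__ == '__main__':
    for step in assess()['steps']:
        print(step)
```

Run it from an administrator prompt on the affected machine; it prints the steps to take by hand, which keeps the deletion itself where the post put it: in Safe Mode, after you have looked at what was found.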
  6. JayKay76

    JayKay76 Member

    Feb 12, 2008
    I also got the same core.cache.dsk on my week-old machine, and it caused the same pop-ups. On a tech support forum I found instructions for the problem similar to the ones in this thread (SDFix and ComboFix). SDFix wouldn't start at all, and the core.cache.dsk file couldn't be found by searching manually in Safe Mode. ComboFix also refused to start until I ran it in Safe Mode. Then that core.cache.dsk went away in no time. However, ComboFix also removed some other files and I got worried about that. My machine works completely normally, but could someone who knows say whether ComboFix should be run in Safe Mode at all. I'm posting my own ComboFix report here and would be grateful if someone can tell what those other files it removed are. One of the files was some part of the Norton Antivirus program's registry, but that was easy to fix. As for the rest I'm worried and fear unpleasant surprises:

    ComboFix 08-02.05.3 - Jukka 2008-02-05 16:35:27.1 - NTFSx86 MINIMAL
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1035.18.2474 [GMT 2:00]
    Running from: C:\Users\Jukka\Desktop\ComboFix.exe

    Failed to obtain system privileges

    (((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    ----- BITS: Possible infected sites -----

    hxxp://www.download.wõj+|�C�ü¤Ì›v÷+È@™JŸ:®½‰NêGD_©½ºD˜QÄ{¶ÀzΉZ˜®ÞÛO…ŸmOÌ¢Ÿºª Qç˜5ÙGšó]ëõñ�WU Client Download S-1-5-18 @x€`lð@\???? 6ÚVwoQZC¬¬D¢HÿóMsC:\Windows\SoftwareDistribution\Download\d45065281eb60e3ce99b1626269da350\bd585ca264188b2a7d90675d2a79365ff30afb30†
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    ((((( Files created between: 2008-01-05 and 2008-02-05 )))))))))))))))))

    2008-02-04 01:44 . 2008-02-04 01:44 <KANSIO> d-------- C:\Users\All Users\PC Tools
    2008-02-04 01:44 . 2008-02-04 01:44 <KANSIO> d-------- C:\Program Files\Common Files\PC Tools
    2008-02-04 01:44 . 2008-02-04 01:44 <KANSIO> d-------- C:\PROGRA~2\PC Tools
    2008-02-04 01:44 . 2008-02-04 01:44 218,504 --a------ C:\Windows\System32\drivers\pctfw2.sys
    2008-02-04 01:12 . 2008-02-04 01:12 <KANSIO> d-------- C:\Users\Jukka\AppData\Roaming\PC Tools
    2008-02-04 01:12 . 2008-02-05 16:42 <KANSIO> d-a------ C:\Users\All Users\TEMP
    2008-02-04 01:12 . 2008-02-05 16:41 <KANSIO> d-------- C:\Program Files\Spyware Doctor
    2008-02-04 01:12 . 2008-02-05 16:42 <KANSIO> d-a------ C:\PROGRA~2\TEMP
    2008-02-04 01:12 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
    2008-02-04 01:12 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
    2008-02-04 01:12 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
    2008-02-04 01:12 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
    2008-02-03 23:52 . 2008-02-03 23:52 <KANSIO> d-------- C:\Users\Jukka\AppData\Roaming\PeerNetworking
    2008-02-03 20:58 . 2008-02-04 02:15 <KANSIO> d-------- C:\Users\All Users\Lavasoft
    2008-02-03 20:58 . 2008-02-04 02:15 <KANSIO> d-------- C:\PROGRA~2\Lavasoft
    2008-02-03 00:20 . 2008-02-03 00:20 <KANSIO> d-------- C:\Users\Jukka\AppData\Roaming\Yahoo!
    2008-02-03 00:20 . 2008-02-03 12:27 <KANSIO> d-------- C:\Users\All Users\Yahoo! Companion
    2008-02-03 00:20 . 2008-02-03 00:20 <KANSIO> d-------- C:\Program Files\Yahoo!
    2008-02-03 00:20 . 2008-02-03 12:27 <KANSIO> d-------- C:\PROGRA~2\Yahoo! Companion
    2008-02-03 00:19 . 2008-02-03 00:19 <KANSIO> d-------- C:\Windows\cache
    2008-02-02 22:59 . 2008-02-02 22:59 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
    2008-02-02 22:59 . 2008-02-02 22:59 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
    2008-02-02 22:59 . 2008-02-02 22:59 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
    2008-02-02 22:59 . 2008-02-02 22:59 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
    2008-02-02 22:59 . 2008-02-02 22:59 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
    2008-02-02 22:59 . 2008-02-02 22:59 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
    2008-02-02 22:59 . 2008-02-02 22:59 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
    2008-02-02 03:19 . 2008-02-02 03:19 <KANSIO> d-------- C:\Users\All Users\ConeXware
    2008-02-02 03:19 . 2008-02-02 03:19 <KANSIO> d-------- C:\PROGRA~2\ConeXware
    2008-02-02 00:22 . 2008-02-03 13:05 <KANSIO> d-------- C:\Users\Jukka\AppData\Roaming\BSplayer PRO
    2008-02-01 23:57 . 2008-02-01 23:57 <KANSIO> d-------- C:\Program Files\Windows Live
    2008-02-01 23:57 . 2008-02-02 00:04 <KANSIO> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-02-01 23:56 . 2008-02-01 23:56 <KANSIO> d-------- C:\Users\All Users\WLInstaller
    2008-02-01 23:56 . 2008-02-01 23:56 <KANSIO> d-------- C:\PROGRA~2\WLInstaller
    2008-02-01 22:01 . 2008-02-01 22:01 <KANSIO> d-------- C:\Users\Jukka\AppData\Roaming\HP
    2008-02-01 21:50 . 2008-02-01 21:50 <KANSIO> d-------- C:\Users\All Users\HP Product Assistant
    2008-02-01 21:50 . 2008-02-01 21:50 <KANSIO> d-------- C:\PROGRA~2\HP Product Assistant
    2008-02-01 21:46 . 2008-02-01 21:46 1,584,128 --a------ C:\Windows\System32\setupapi.dll
    2008-02-01 21:43 . 2008-02-01 21:57 147,375 --a------ C:\Windows\hpiins06.dat
    2008-02-01 21:43 . 2007-04-23 13:31 0 --------- C:\Windows\hpimdl06.dat
    2008-02-01 21:23 . 2008-02-02 00:12 <KANSIO> d-------- C:\Program Files\Webteh
    2008-02-01 20:18 . 2008-02-01 20:19 <KANSIO> d-------- C:\Program Files\Microsoft Expression
    2008-02-01 20:14 . 2008-02-02 22:54 39 --a------ C:\Windows\vbaddin.ini
    2008-02-01 20:13 . 2008-02-03 00:50 162 --a------ C:\Windows\ODBC.INI
    2008-02-01 20:11 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
    2008-02-01 20:08 . 2008-02-01 20:08 <KANSIO> d-------- C:\Windows\PCHEALTH
    2008-02-01 20:08 . 2008-02-01 20:08 <KANSIO> d-------- C:\Program Files\Microsoft.NET
    2008-02-01 20:06 . 2008-02-01 20:06 <KANSIO> d-------- C:\Program Files\Microsoft Visual Studio 8
    2008-02-01 20:05 . 2008-02-03 00:51 <KANSIO> d-------- C:\Users\All Users\Microsoft Help
    2008-02-01 20:05 . 2008-02-03 00:51 <KANSIO> d-------- C:\PROGRA~2\Microsoft Help
    2008-02-01 20:04 . 2008-02-01 20:04 <KANSIO> dr-h----- C:\MSOCache
    2008-02-01 18:58 . 2008-02-01 18:58 <KANSIO> d-------- C:\Program Files\PowerArchiver
    2008-02-01 18:11 . 2008-02-01 18:11 <KANSIO> d-------- C:\Program Files\uTorrent
    2008-02-01 18:10 . 2008-02-04 16:01 <KANSIO> d-------- C:\Users\Jukka\AppData\Roaming\uTorrent
    2008-02-01 15:14 . 2006-11-02 12:23 <KANSIO> dr------- C:\Users\Mcx1\Videos
    2008-02-01 15:14 . 2006-11-02 12:23 <KANSIO> d-------- C:\Users\Mcx1\Saved Games
    2008-02-01 15:14 . 2006-11-02 12:23 <KANSIO> dr------- C:\Users\Mcx1\Pictures
    2008-02-01 15:14 . 2006-11-02 12:23 <KANSIO> dr------- C:\Users\Mcx1\Music
    2008-02-01 15:14 . 2006-11-02 12:23 <KANSIO> dr------- C:\Users\Mcx1\Links
    2008-02-01 15:14 . 2006-11-02 12:23 <KANSIO> dr------- C:\Users\Mcx1\Downloads
    2008-02-01 15:14 . 2008-02-01 15:14 <KANSIO> dr------- C:\Users\Mcx1\Documents
    2008-02-01 15:14 . 2008-02-01 15:15 <KANSIO> d--h----- C:\Users\Mcx1\AppData
    2008-02-01 15:01 . 2008-01-12 18:32 23,904 --a------ C:\Windows\System32\drivers\COH_Mon.sys
    2008-02-01 15:01 . 2008-01-15 09:54 10,537 --a------ C:\Windows\System32\drivers\COH_Mon.cat
    2008-02-01 15:01 . 2008-01-15 05:28 706 --a------ C:\Windows\System32\drivers\COH_Mon.inf
    2008-02-01 14:57 . 2008-02-01 14:57 2,923,520 --a------ C:\Windows\explorer.exe
    2008-02-01 14:56 . 2008-02-01 14:56 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
    2008-02-01 14:56 . 2008-02-01 14:56 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-02-01 14:56 . 2008-02-01 14:56 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
    2008-02-01 14:56 . 2008-02-01 14:56 216,760 --a------ C:\Windows\System32\drivers\netio.sys
    2008-02-01 14:56 . 2008-02-01 14:56 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
    2008-02-01 14:56 . 2008-02-01 14:56 24,064 --a------ C:\Windows\System32\netcfg.exe
    2008-02-01 14:56 . 2008-02-01 14:56 22,016 --a------ C:\Windows\System32\netiougc.exe
    2008-02-01 14:56 . 2008-02-01 14:56 7,680 --a------ C:\Windows\System32\spwmp.dll
    2008-02-01 14:56 . 2008-02-01 14:56 4,096 --a------ C:\Windows\System32\msdxm.ocx
    2008-02-01 14:56 . 2008-02-01 14:56 4,096 --a------ C:\Windows\System32\dxmasf.dll
    2008-02-01 14:55 . 2008-02-01 14:55 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-02-01 14:55 . 2008-02-01 14:55 1,686,016 --a------ C:\Windows\System32\gameux.dll
    2008-02-01 14:53 . 2008-02-01 14:53 1,327,104 --a------ C:\Windows\System32\quartz.dll
    2008-02-01 14:53 . 2008-02-01 14:53 1,244,672 --a------ C:\Windows\System32\mcmde.dll
    2008-02-01 14:53 . 2008-02-01 14:53 223,232 --a------ C:\Windows\System32\WMASF.DLL
    2008-02-01 14:53 . 2008-02-01 14:53 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
    2008-02-01 14:53 . 2008-02-01 14:53 2,048 --a------ C:\Windows\System32\asferror.dll
    2008-02-01 14:52 . 2008-02-01 14:52 1,984,512 --a------ C:\Windows\System32\authui.dll
    2008-02-01 14:52 . 2008-02-01 14:52 712,192 --a------ C:\Windows\System32\WindowsCodecs.dll
    2008-02-01 14:52 . 2008-02-01 14:52 269,824 --a------ C:\Windows\System32\schannel.dll
    2008-02-01 14:52 . 2008-02-01 14:52 220,160 --a------ C:\Windows\System32\ntprint.dll
    2008-02-01 14:52 . 2008-02-01 14:52 120,320 --a------ C:\Windows\System32\dhcpcsvc6.dll
    2008-02-01 14:52 . 2008-02-01 14:52 61,440 --a------ C:\Windows\System32\ntprint.exe
    2008-02-01 14:52 . 2008-02-01 14:52 10,240 --a------ C:\Windows\System32\dhcpcmonitor.dll
    2008-02-01 14:49 . 2008-02-01 14:49 3,505,848 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-02-01 14:49 . 2008-02-01 14:49 3,472,056 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-02-01 14:49 . 2008-02-01 14:49 788,992 --a------ C:\Windows\System32\rpcrt4.dll
    2008-02-01 14:49 . 2008-02-01 14:49 750,080 --a------ C:\Windows\System32\qmgr.dll
    2008-02-01 14:49 . 2008-02-01 14:49 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
    2008-02-01 14:49 . 2008-02-01 14:49 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
    2008-02-01 14:49 . 2008-02-01 14:49 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
    2008-02-01 14:49 . 2008-02-01 14:49 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
    2008-02-01 14:49 . 2008-02-01 14:49 2,048 --a------ C:\Windows\System32\tzres.dll
    2008-01-27 17:30 . 2008-01-27 17:30 <KANSIO> dr------- C:\Users\Onni\Videos

    (((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    2008-02-03 23:26 --------- d-----w C:\PROGRA~2\Symantec
    2008-02-01 19:51 --------- d-----w C:\Program Files\Common Files\HP
    2008-02-01 19:50 --------- d-----w C:\PROGRA~2\HP
    2008-02-01 19:45 --------- d-----w C:\Program Files\HP
    2008-02-01 18:09 --------- d-----w C:\Program Files\MSBuild
    2008-02-01 18:09 --------- d-----w C:\Program Files\Microsoft Works
    2008-02-01 13:45 174 --sha-w C:\Program Files\desktop.ini
    2008-02-01 13:41 --------- d-----w C:\Program Files\Windows Sidebar
    2008-02-01 13:41 --------- d-----w C:\Program Files\Windows Mail
    2008-02-01 13:41 --------- d-----w C:\Program Files\Windows Calendar
    2008-02-01 12:58 8,192 ----a-w C:\Windows\System32\riched32.dll
    2008-02-01 12:58 77,824 ----a-w C:\Windows\System32\rascfg.dll
    2008-02-01 12:58 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
    2008-02-01 12:58 694,784 ----a-w C:\Windows\System32\localspl.dll
    2008-02-01 12:58 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
    2008-02-01 12:58 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
    2008-02-01 12:58 52,736 ----a-w C:\Windows\System32\rasdiag.dll
    2008-02-01 12:58 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
    2008-02-01 12:58 384,000 ----a-w C:\Windows\System32\netcfgx.dll
    2008-02-01 12:58 36,864 ----a-w C:\Windows\System32\cdd.dll
    2008-02-01 12:58 33,280 ----a-w C:\Windows\System32\traffic.dll
    2008-02-01 12:58 32,768 ----a-w C:\Windows\System32\rasmxs.dll
    2008-02-01 12:58 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
    2008-02-01 12:58 22,016 ----a-w C:\Windows\System32\rasser.dll
    2008-02-01 12:58 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
    2008-02-01 12:58 15,360 ----a-w C:\Windows\System32\pacerprf.dll
    2008-02-01 12:58 134,656 ----a-w C:\Windows\System32\dps.dll
    2008-02-01 12:58 13,824 ----a-w C:\Windows\System32\wshqos.dll
    2008-02-01 12:58 13,824 ----a-w C:\Windows\System32\icsunattend.exe
    2008-02-01 12:57 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
    2008-02-01 12:57 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
    2008-02-01 12:57 542,720 ----a-w C:\Windows\System32\sysmain.dll
    2008-02-01 12:57 502,784 ----a-w C:\Windows\System32\wlansvc.dll
    2008-02-01 12:57 47,104 ----a-w C:\Windows\System32\wlanapi.dll
    2008-02-01 12:57 297,984 ----a-w C:\Windows\System32\wlansec.dll
    2008-02-01 12:57 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
    2008-02-01 12:57 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
    2008-02-01 12:57 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
    2008-02-01 12:57 2,028,544 ----a-w C:\Windows\System32\win32k.sys
    2008-02-01 12:55 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-02-01 12:55 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-02-01 12:55 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-02-01 12:55 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-02-01 12:51 88,576 ----a-w C:\Windows\System32\avifil32.dll
    2008-02-01 12:51 84,480 ----a-w C:\Windows\System32\INETRES.dll
    2008-02-01 12:51 82,944 ----a-w C:\Windows\System32\mciavi32.dll
    2008-02-01 12:51 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
    2008-02-01 12:51 737,792 ----a-w C:\Windows\System32\inetcomm.dll
    2008-02-01 12:51 69,632 ----a-w C:\Windows\System32\sendmail.dll
    2008-02-01 12:51 65,024 ----a-w C:\Windows\System32\avicap32.dll
    2008-02-01 12:51 31,232 ----a-w C:\Windows\System32\msvidc32.dll
    2008-02-01 12:51 123,904 ----a-w C:\Windows\System32\msvfw32.dll
    2008-02-01 12:51 12,800 ----a-w C:\Windows\System32\msrle32.dll
    2008-02-01 12:51 11,776 ----a-w C:\Windows\System32\sbunattend.exe
    2008-02-01 12:50 824,832 ----a-w C:\Windows\System32\wininet.dll
    2008-02-01 12:50 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2008-02-01 12:50 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-02-01 12:50 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2008-01-27 10:38 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
    2008-01-27 10:38 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
    2008-01-27 10:38 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
    2008-01-27 10:38 --------- d-----w C:\Program Files\Symantec
    2008-01-27 10:38 --------- d-----w C:\Program Files\Norton Internet Security
    2008-01-27 10:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-27 10:27 --------- d-----w C:\Program Files\Google
    2008-01-26 18:35 1,836 --sha-r C:\Windows\system32\drivers\103C_HP_CPC_GU638AA-UUW m9062.sc_YC_0Pavi_QCZH742_E74FIv3PrA2_49_INARRA2_SASUSTek Computer INC._V2.00_B5.11_T070716_WUH0_L40B_M3071_J320_7AMD_8Athlon 64 X2 Dual Core_92.6_#080126_N10DE03EF_Z_G10DE0402.MRK
    2008-01-26 18:31 --------- d-sh--w C:\PROGRA~2\Työpöytä
    2008-01-26 18:31 --------- d-sh--w C:\PROGRA~2\Tiedostot
    2008-01-26 18:31 --------- d-sh--w C:\PROGRA~2\Suosikit
    2008-01-26 18:31 --------- d-sh--w C:\PROGRA~2\Mallit
    2008-01-26 18:31 --------- d-sh--w C:\PROGRA~2\Käynnistä-valikko

    (((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
    *Note* Empty entries and legitimate default entries are not shown

    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-01 14:51 1232896]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
    "PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2008-01-24 19:37 141352]

    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-03 02:54 1006264]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 17:01 65536]
    "KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 18:16 65536]
    "OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 13:59 118784]
    "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 15:15 86016]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 15:15 8466432]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 15:15 81920]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 13:06 4669440 C:\Windows\RtHDVCpl.exe]
    "HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 12:13 71176]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 01:56 54936]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:59 115816]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22 517768]
    "WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 14:35 176128]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

    "Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

    "LogonHoursAction"= 2 (0x2)
    "DontDisplayLogonHoursWarnings"= 1 (0x1)

    R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080122.002\IDSvix86.sys [2007-12-04 17:51]
    R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-02-04 01:44]
    R2 Automaattinen LiveUpdate-ajastustoiminto;Automaattinen LiveUpdate-ajastustoiminto;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-09-26 12:53]
    R2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 17:19]
    R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-06-11 11:49]
    R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]
    S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2007-04-20 19:21]
    S3 UMPass;Microsoft UMPass-ohjain;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 10:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    *Newly Created Service* - COMHOST

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-05 16:41:51
    Windows 6.0.6000 NTFS

    detected NTDLL code modification:

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ------------------------ Other Running Processes ------------------------
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    Completion time: 2008-02-05 16:44:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-05 14:44:29
    2008-02-02 20:59:28 --- E O F ---
  7. Hujo

    Hujo Guest

    Start your own thread
    if there is a need for one.
    Last edited by a moderator: Feb 13, 2008
  8. KurkoFi

    KurkoFi Member

    Feb 8, 2007
    I also had core.cache.dsk and managed to remove it.

    So, in the folder c:\windows\system32\drivers\ there is the file core.cache.dsk,
    but there is also another file there with exactly the same modification date as core.cache.dsk (the name of this file is random; on my machine it was mpioo.sys).

    I deleted both files with the Recovery Console on the Windows disc...

    cd system32
    cd drivers
    del core.cache.dsk
    del mpioo.sys

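The post above identifies the second dropped driver by looking for a sibling file in the drivers folder with exactly the same modification time as core.cache.dsk. The script below is an added triage example, not code from this thread or from any of the tools in the log: it constructs a throwaway directory that imitates the situation described (a constructed core.cache.dsk and mpioo.sys sharing one timestamp, plus two driver names taken from the log with different timestamps) and returns the files whose mtime matches a reference file. The optional tolerance widens the match to files written within a few seconds or minutes of each other, which is the more general form of the same check. Treat a hit as a lead for further inspection (hash, signature, Autoruns entry) rather than proof, since modification timestamps can be changed by the same software that dropped the files.

```python
import os
import tempfile
from pathlib import Path


def files_sharing_mtime(directory, reference_name, tolerance_seconds=0):
    """Return the names of regular files in `directory` whose modification
    time is within `tolerance_seconds` of the file `reference_name`.
    The reference file itself is excluded; results are sorted by name."""
    directory = Path(directory)
    ref_mtime = (directory / reference_name).stat().st_mtime
    matches = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file() or entry.name == reference_name:
            continue
        if abs(entry.stat().st_mtime - ref_mtime) <= tolerance_seconds:
            matches.append(entry.name)
    return matches


def build_demo_drivers_dir():
    """Build a constructed sample directory that mimics the post:
    core.cache.dsk and a randomly named .sys share one timestamp,
    while two legitimate-looking driver names (taken from the log
    in this thread) carry older, unrelated timestamps.
    The timestamp values are constructed, not taken from a real system."""
    root = Path(tempfile.mkdtemp(prefix="drivers_demo_"))
    planted = 1201999200  # constructed epoch seconds for the dropped pair
    sample = [
        ("core.cache.dsk", planted),
        ("mpioo.sys", planted),               # same mtime as the reference
        ("netr73.sys", planted - 3600),       # one hour earlier
        ("umpass.sys", planted - 86400 * 30), # a month earlier
    ]
    for name, mtime in sample:
        path = root / name
        path.write_bytes(b"\x00" * 16)  # placeholder content, not a real driver
        os.utime(path, (mtime, mtime))  # set both atime and mtime
    return root


def demo_exact():
    """Exact-match check, as the poster did by eye: only mpioo.sys matches."""
    return files_sharing_mtime(build_demo_drivers_dir(), "core.cache.dsk")


def demo_with_tolerance():
    """Widening the window to one hour also pulls in netr73.sys."""
    return files_sharing_mtime(build_demo_drivers_dir(), "core.cache.dsk", 3600)


if __name__ == "__main__":
    print("exact match:", demo_exact())
    print("within 1 h: ", demo_with_tolerance())
```

On a live machine the same function would be pointed at the real drivers folder (for example `files_sharing_mtime(r"C:\Windows\System32\drivers", "core.cache.dsk")`), ideally from a clean boot medium so the files are not hidden from the directory listing by an active rootkit component.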