Hi! A couple of passwords have gone missing from the computer again. Here is an HJT log, in case the problem can be found from it.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:55:20, on 1.10.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Ngs\Bin\Nnf.exe
C:\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Npm\Bin\scheduler.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Norman\npf\bin\npfuser.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: Lisää tämä blogiin - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Lisää tämä blogiin tuotteessa Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Norman Network Filtering service (NNFSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nnf.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Norman\Npm\Bin\scheduler.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 11302 bytes

This has come up here with us before.

Download SystemLook by jpshortstuff from HERE and save it to your desktop.
Double-click SystemLook.exe to run it.
Copy (CTRL+C) all the text from the box below into the text area.

Code:
:regfind
svchost.exe
:filefind
data.dat
svchost.exe
:dir
C:\WINDOWS\system32\drivers\etc /s

Click the Look button to start the scan.
When the scan is finished, Notepad opens with the log.
Right-click the log and choose "Select All".
Copy and paste it into your next post.
(The log can also be found on your desktop as SystemLook.txt)

Scan done, here is the log.

SystemLook 04.09.10 by jpshortstuff
Log created at 18:34 on 02/10/2010 by Omistaja
Administrator - Elevation successful

========== regfind ==========

Searching for "svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1E75357-881A-419E-83E2-BB16DB197C68}\LocalServer32]
@="C:\WINDOWS\system32\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1F4E726-8CF1-11D1-BF92-0060081ED811}\LocalServer32]
@="C:\WINDOWS\system32\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]
@="C:\WINDOWS\system32\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\c:|WINDOWS|Microsoft.NET|Framework|v3.0|Windows Communication Foundation|SMSvcHost.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\c:/WINDOWS/Microsoft.NET/Framework/v3.0/Windows Communication Foundation/SMSvcHost.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AEE78A24C9FCFD40973A8BF5EC68951]
"0DC1503A46F231838AD88BCDDC8E8F7C"="c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58DDB613B09F145B340BA37BA5D320]
"0DC1503A46F231838AD88BCDDC8E8F7C"="c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Alerter]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudioSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Browser]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthServ]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k bthsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CryptSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dmserver]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k NetworkService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dot3svc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k dot3svc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EapHost]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k eapsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventSystem]
"ImagePath"="C:\WINDOWS\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HidServ]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkmsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTPFilter]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k HTTPFilter"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LmHosts]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netman]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"=""c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nla]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtmsSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasAuto]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasMan]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seclogon]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShellHWDetection]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSDPSRV]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stisvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k imgsvc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TapiSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Themes]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\upnphost]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WebClient]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt]
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSN]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WudfSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k WudfServiceGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xmlprov]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Alerter]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AudioSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BITS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Browser]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BthServ]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k bthsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\CryptSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dhcp]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dmserver]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dnscache]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k NetworkService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dot3svc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k dot3svc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\EapHost]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k eapsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ERSvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\EventSystem]
"ImagePath"="C:\WINDOWS\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FastUserSwitchingCompatibility]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\helpsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HidServ]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hkmsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTPFilter]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k HTTPFilter"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanserver]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanworkstation]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LmHosts]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Messenger]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\napagent]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Netman]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetTcpPortSharing]
"ImagePath"=""c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Nla]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NtmsSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RasAuto]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RasMan]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RemoteAccess]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Schedule]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seclogon]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SENS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ShellHWDetection]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srservice]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SSDPSRV]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\stisvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k imgsvc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TapiSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Themes]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TrkWks]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\upnphost]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\W32Time]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WebClient]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winmgmt]
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WmdmPmSN]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wscsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wuauserv]
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WudfSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k WudfServiceGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WZCSVC]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xmlprov]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthServ]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k bthsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k NetworkService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot3svc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k dot3svc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k eapsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"ImagePath"="C:\WINDOWS\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkmsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k HTTPFilter"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing]
"ImagePath"=""c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k imgsvc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k WudfServiceGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"

========== filefind ==========

Searching for "data.dat"
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data\data.dat --a---- 3066 bytes [06:59 18/10/2006] [07:06 18/10/2006] D9B13B122170670F5F772553C301A034

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [13:34 27/08/2008] [12:00 15/09/2004] 34C8D42B876703B3ABF0562307428561
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [16:12 14/04/2008] [16:12 14/04/2008] 6138D30346CF435D2BF32CBC1437F625
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [12:00 15/09/2004] [16:12 14/04/2008] 6138D30346CF435D2BF32CBC1437F625

========== dir ==========

C:\WINDOWS\system32\drivers\etc - Parameters: "/s "

---Files---
hosts --a---- 665 bytes [12:00 15/09/2004] [12:00 15/09/2004]
hosts.msn --a---- 665 bytes [18:00 18/01/2007] [12:00 15/09/2004]
lmhosts.sam --a---- 3705 bytes [12:00 15/09/2004] [12:00 15/09/2004]
networks --a---- 416 bytes [12:00 15/09/2004] [12:00 15/09/2004]
protocol --a---- 829 bytes [12:00 15/09/2004] [12:00 15/09/2004]
services --a---- 7151 bytes [12:00 15/09/2004] [12:00 15/09/2004]

No folders found.

-= EOF =-
There doesn't seem to be a KeyLocker there, but HOSTS is 6 years old.

* Download HOSTS: Here, to your Desktop.
* The old HOSTS file is deleted. Boot the computer into Safe Mode => GUIDE. Delete this file: C:\WINDOWS\system32\drivers\etc\HOSTS
* Extract hosts.zip into the C:\WINDOWS\system32\drivers\etc folder.
* Restart your computer in normal mode.

Finally, you can verify that there is a file named HOSTS there, with no file extension. Size approx. 700 kB.
The protection activates at the next startup (it does not use memory).
Updates to HOSTS: Here
What HOSTS does: Guide Here

-----------------------------------------------------

Please download ComboFix from one of the links below: Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Close/disable all antivirus and anti-malware programs so that they do not interfere with running ComboFix. (not the firewall)
* Double-click Combofix.exe and follow the prompts.
* As part of the scan, ComboFix checks whether the Recovery Console is installed. Because of today's malware, it is strongly recommended to have the Recovery Console installed before removing malware. The Windows Recovery Console lets you boot into a special recovery mode. Through the Recovery Console we can help you more easily if problems arise during malware removal.
* Follow the prompts and allow ComboFix to download and install the Microsoft Recovery Console, and when asked, accept the program's terms to install the Recovery Console.

**Note: If the Recovery Console is already installed, ComboFix will continue.

Once the Microsoft Recovery Console is installed, you should see the following message: Click Yes to continue the scan.

When ComboFix is finished, it creates a report. Please copy/paste the following reports into your reply:
C:\ComboFix.txt
A new HijackThis log

Warning: Do NOT run ComboFix unsupervised. It is not a toy and should not be used routinely every day.
If you need help, see the more detailed guide: http://www.bleepingcomputer.com/combofix/fi/combofixin-kayttoohje
OK, I got the ComboFix scan done. First the HJT log.
Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 15:33:44, on 6.10.2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.17080) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Norman\Npm\bin\ELOGSVC.EXE C:\Norman\Ngs\Bin\Nnf.exe C:\Norman\Ngs\Bin\Nprosec.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Norman\Npm\Bin\Zanda.exe C:\Norman\npm\bin\nvoy.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Norman\npf\bin\npfsvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Norman\Npm\Bin\ZLH.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\alg.exe C:\Norman\Npm\Bin\scheduler.exe C:\Norman\Npm\Bin\Njeeves.exe C:\Norman\nse\bin\NSESVC.EXE C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Norman\Nvc\bin\nvcoas.exe 
C:\Norman\npf\bin\npfuser.exe C:\Norman\Nvc\Bin\Nip.exe C:\Norman\Nvc\Bin\cclaw.exe C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Windows Live Toolbar - 
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Omistaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O9 - Extra button: Lisää tämä blogiin - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Lisää tämä blogiin tuotteessa Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O9 - Extra 
button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe O23 - Service: Norman Network Filtering service (NNFSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nnf.exe O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Norman\npf\bin\npfsvc32.exe O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing) O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe O23 - Service: Älykortti (SCardSvr) - 
Unknown owner - C:\WINDOWS\System32\SCardSvr.exe O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Norman\Npm\Bin\scheduler.exe O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing) O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe -- End of file - 10546 bytes
Then ComboFix.txt.
ComboFix 10-10-05.04 - Omistaja 06.10.2010 15:15:04.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.358.1035.18.1023.490 [GMT 3:00] Sijainti: c:\documents and settings\Omistaja\Työpöytä\ComboFix.exe AV: Norman Security Suite *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1} FW: Norman Security Suite *disabled* {83B29CE9-9DE2-2CB5-9AB3-780D70FF12B0} * Uusi palautuspiste luotu . (((((((((((((((((((((((((((((((((((((( Muut poistot )))))))))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Omistaja\WoW-2.0.12.6546-to-0.1.0.6577-enGB-patch.exe c:\documents and settings\Omistaja\WoW-2.1.3.6898-to-0.2.0.6932-enGB-patch.exe c:\documents and settings\Omistaja\WoW-2.3.0.7561-to-0.3.2.7627-enGB-patch.exe . ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2010-09-06 to 2010-10-06 ))))))))))))))))) . 2010-09-30 13:19 . 2010-09-30 13:19 -------- d-----w- c:\program files\iPod 2010-09-30 13:19 . 2010-09-30 13:19 -------- d-----w- c:\program files\iTunes 2010-09-30 13:05 . 2010-09-30 13:05 -------- d-----w- c:\program files\Bonjour 2010-09-30 13:01 . 
2010-09-30 13:01 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe 2010-09-30 12:58 . 2010-09-30 12:58 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe 2010-09-25 12:14 . 2010-09-25 12:14 -------- d-----w- c:\program files\Common Files\Skype 2010-09-16 14:18 . 2010-08-19 07:12 68176 ----a-w- c:\windows\system32\drivers\ale_nf64.sys 2010-09-16 14:18 . 2010-08-19 07:12 61472 ----a-w- c:\windows\system32\drivers\ale_nf.sys 2010-09-13 12:38 . 2010-09-13 12:38 -------- d-----w- c:\documents and settings\Omistaja\Application Data\Malwarebytes 2010-09-13 12:37 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-09-13 12:37 . 2010-09-13 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-09-13 12:37 . 2010-09-13 12:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-13 12:37 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-09-12 11:35 . 2010-09-12 11:35 388096 ----a-r- c:\documents and settings\Omistaja\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-09-12 11:35 . 2010-09-12 11:35 -------- d-----w- c:\program files\Trend Micro 2010-09-12 11:30 . 2010-09-24 10:36 -------- d-----w- c:\documents and settings\Omistaja\Local Settings\Application Data\Temp 2010-09-12 11:30 . 2010-09-12 11:30 -------- d-----w- c:\documents and settings\Omistaja\Local Settings\Application Data\Deployment 2010-09-12 07:28 . 2010-09-12 07:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire 2010-09-07 12:45 . 2010-09-07 12:45 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe . 
(((((((((((((((((((((((((((((((((((( Find3M-raportti )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-06 11:50 . 2010-04-03 19:34 -------- d-----w- c:\documents and settings\Omistaja\Application Data\Skype 2010-10-06 11:50 . 2010-04-19 18:49 -------- d-----w- c:\documents and settings\Omistaja\Application Data\Xfire 2010-10-06 11:48 . 2006-10-21 13:58 -------- d-----w- c:\program files\Steam 2010-10-06 08:43 . 2008-03-06 11:29 -------- d-----w- c:\documents and settings\Omistaja\Application Data\skypePM 2010-10-03 19:52 . 2007-03-03 13:07 -------- d-----w- c:\program files\RevConnect 2010-10-01 15:20 . 2007-08-25 08:09 233960 ----a-w- c:\windows\system32\PnkBstrB.exe 2010-10-01 15:01 . 2007-08-25 08:09 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2010-10-01 10:19 . 2010-04-19 18:49 -------- d-----w- c:\program files\Xfire 2010-09-30 13:19 . 2007-12-24 21:36 -------- d-----w- c:\program files\Common Files\Apple 2010-09-30 13:13 . 2009-09-30 17:52 -------- d-----w- c:\program files\QuickTime 2010-09-30 12:59 . 2009-06-20 09:19 -------- d-----w- c:\program files\Safari 2010-09-30 12:49 . 2009-10-03 16:56 -------- d-----w- c:\program files\Microsoft Silverlight 2010-09-25 12:15 . 2010-04-03 19:33 -------- d-----r- c:\program files\Skype 2010-09-25 12:14 . 2007-07-14 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype 2010-09-24 10:28 . 2006-12-08 19:00 -------- d-----w- c:\program files\World of Warcraft 2010-09-21 18:54 . 2008-02-08 13:23 -------- d-----w- c:\documents and settings\Omistaja\Application Data\uTorrent 2010-09-21 12:32 . 2006-10-19 07:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment 2010-09-08 13:42 . 2008-02-08 13:23 -------- d-----w- c:\program files\uTorrent 2010-08-27 12:35 . 2010-08-27 12:35 -------- d-----w- c:\program files\Common Files\Java 2010-08-27 12:34 . 2006-10-17 12:19 -------- d-----w- c:\program files\Java 2010-08-17 13:17 . 
2005-06-10 23:53 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-12 15:00 . 2004-09-15 12:00 85728 ----a-w- c:\windows\system32\perfc00B.dat 2010-08-12 15:00 . 2004-09-15 12:00 416580 ----a-w- c:\windows\system32\perfh00B.dat 2010-08-05 13:56 . 2010-08-05 13:56 61440 ----a-w- c:\documents and settings\Omistaja\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7e3126a6-n\decora-sse.dll 2010-08-05 13:56 . 2010-08-05 13:56 503808 ----a-w- c:\documents and settings\Omistaja\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7008ed07-n\msvcp71.dll 2010-08-05 13:56 . 2010-08-05 13:56 499712 ----a-w- c:\documents and settings\Omistaja\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7008ed07-n\jmc.dll 2010-08-05 13:56 . 2010-08-05 13:56 348160 ----a-w- c:\documents and settings\Omistaja\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7008ed07-n\msvcr71.dll 2010-08-05 13:56 . 2010-08-05 13:56 12800 ----a-w- c:\documents and settings\Omistaja\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7e3126a6-n\decora-d3d.dll 2010-08-05 13:55 . 2010-07-01 14:06 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-07-27 15:44 . 2010-07-27 15:44 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-07-27 15:44 . 2010-07-27 15:44 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-07-22 15:46 . 2004-09-15 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 06:19 . 2008-05-05 04:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-07-17 02:00 . 2010-05-02 06:57 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll . (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet ))))))))))))))))))))))))))))))))))))))))))))) . . 
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856] "Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448] "Google Update"="c:\documents and settings\Omistaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-12 136176] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2010-01-29 189824] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064] "SoundMan"="SOUNDMAN.EXE" [2006-10-12 577536] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Omistaja\K„ynnist„-valikko\Ohjelmat\K„ynnistys\ Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe"= "c:\\Program Files\\Steam\\steamapps\\ruynv\\counter-strike\\hl.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= "c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\World of 
Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe"= "c:\\Program Files\\RevConnect\\DCPlusPlus.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Documents and Settings\\Omistaja\\Omat tiedostot\\Lataukset\\WoW-3.0.1.8874-PTR-EU-Installer-downloader(4).exe"= "c:\\Program Files\\World of Warcraft Public 
Test\\WoW-0.3.0.10522-enGB-ptr-downloader.exe"= "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Steam\\steamapps\\ruynv\\counter-strike source\\hl2.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "6881:TCP"= 6881:TCP:Blizzard Downloader: 6881 P2 NPFSvc32;Norman Personal Firewall Service;c:\norman\npf\bin\npfsvc32.exe [16.9.2010 17:18 288936] R1 NGS;Norman General Security Driver;c:\norman\Ngs\Bin\ngs.sys [25.6.2010 23:58 26744] R1 NPROSEC;Norman Security driver;c:\norman\Ngs\Bin\nprosec.sys [25.6.2010 23:58 72392] R1 tdi_nf;Norman Network Filter TDIL driver;c:\windows\system32\drivers\tdi_nf.sys [25.6.2010 23:58 376136] R2 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [16.10.2009 10:47 22880] R2 NNFSVC;Norman Network Filtering service;c:\norman\Ngs\Bin\nnf.exe [25.6.2010 23:58 219904] R2 NPROSECSVC;Norman Security service;c:\norman\Ngs\Bin\nprosec.exe [25.6.2010 23:58 103016] R2 nregsec;Norman Registry Security driver;c:\norman\Ngs\Bin\nregsec.sys [25.6.2010 23:58 40384] R2 NVOY;Norman Resource Provider;c:\norman\npm\bin\nvoy.exe [16.5.2009 21:32 98776] R3 nnetsec;Norman Network Security service;c:\windows\system32\drivers\nnetsec.sys [25.6.2010 23:58 48272] R3 NNetSecC;Norman Network Filter NDIS common driver;c:\norman\Ngs\Bin\nnetsecc.sys [25.6.2010 23:58 29968] R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [17.6.2010 22:03 282624] R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [10.5.2007 17:36 21832] R3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [16.8.2010 18:00 210248] R3 PCnetHL;AMD PCnet-Home Adapter Driver;c:\windows\system32\drivers\pcntn5hl.sys [17.10.2006 18:09 30282] R3 Scheduler;Norman Scheduler 
Service;c:\norman\npm\bin\scheduler.exe [16.5.2009 21:32 133272] S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [18.10.2006 10:14 9032] S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [18.10.2006 10:14 32584] S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [18.10.2006 10:14 132168] S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [18.10.2006 10:14 25544] S3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\Nvc\BIN\NVCSCHED.EXE --> c:\norman\Nvc\BIN\NVCSCHED.EXE [?] --- Muut muistissa olevat ajurit/palvelut --- *Deregistered* - mchInjDrv . 'Ajoitetut tehtävät'-kansion sisältö 2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34] 2010-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-527237240-839522115-1003Core.job - c:\documents and settings\Omistaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-12 11:30] 2010-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-527237240-839522115-1003UA.job - c:\documents and settings\Omistaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-12 11:30] . . ------- Täydentävä tarkistus ------- . uInternet Settings,ProxyOverride = *.local LSP: c:\norman\ngs\bin\nlf.dll . - - - - POISTETUT JÄMÄRIVIT - - - - HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe . 
--------------------- LUKITUT REKISTERIAVAIMET --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\�•€|ÿÿÿÿ"•€|ù•Ów*] "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT" . --------------------- Prosesseihin ladatut DLLt --------------------- - - - - - - - > 'winlogon.exe'(1196) c:\windows\system32\Ati2evxx.dll . 
Valmistumisajankohta: 2010-10-06 15:25:37 ComboFix-quarantined-files.txt 2010-10-06 12:25 Ennen ajoa: 196 348 497 920 tavua vapaana Ajon jälkeen: 196 885 413 888 tavua vapaana WindowsXP-KB310994-SP2-Home-BootDisk-FIN.EXE [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect - - End Of File - - 0A514C5BD4F572163D621F5D6A49B316
How does it look?
Be careful with those "patches" => World of Warcraft

-------------------------------------------------------

There was a bit of junk.
In the Run box of the Windows Start menu, type Combofix /uninstall and press OK

********************************************************

Let's also do a "deep clean" !!!

* Download OTM by OldTimer.
* Save it to your Desktop.
* Double-click OTM.exe to start it.
* Copy (CTRL+C) all the text from the box below.

Code:
:Processes
explorer.exe

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
* Press the red MoveIt! button.
* Copy (CTRL+C) the text that appears in the Results window (under the green bar) and paste (CTRL+V) it into your next post.
* Close OTM.

If a file/folder could not be moved right away, the program will suggest restarting the computer. Answer Yes to the suggestion, and OTMoveIt will restart your computer.
Post => the OTMoveIt log.
Nothing appeared in the Results window, because OTM restarted the computer. But when the computer restarted, an OTM log opened, which probably serves the same purpose, so here is the OTM log.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 78639121 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
->Flash cache emptied: 348 bytes
User: Omistaja
->Temp folder emptied: 18657 bytes
->Temporary Internet Files folder emptied: 2624652 bytes
->Java cache emptied: 86609876 bytes
->Google Chrome cache emptied: 338751118 bytes
->Flash cache emptied: 106148 bytes
%systemdrive% .tmp files removed: 1231 bytes
%systemroot% .tmp files removed: 2504491 bytes
%systemroot%\System32 .tmp files removed: 5050326 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 491,00 mb
OTM by OldTimer - Version 3.1.16.1 log created on 10062010_215401
Files moved on Reboot...
File C:\Documents and Settings\LocalService\Local Settings\Temp\nvcbin.def.466e1048.tmp not found!
C:\Documents and Settings\Omistaja\Local Settings\Temporary Internet Files\Content.IE5\CN6QVPZL\messengerscripttracking[1].htm moved successfully.
File C:\Documents and Settings\Omistaja\Local Settings\Temporary Internet Files\Content.IE5\79NI89KO\ADSAdClient31[1].htm not found!
Registry entries deleted on Reboot...
It should be clean now !!!

Finally, we remove all the tools we used, along with their leftovers.

* Double-click OTM.exe.
* Click CleanUp!.
* Choose Yes when asked "Begin cleanup Process?".
* If you are asked whether the computer may be restarted, choose Yes.
* OTMoveIt removes itself when it is finished; if it does not, delete it yourself.