1. mheikki5

    mheikki5 Member

    Joined:
    Sep 13, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Well, the Christmas hams have been eaten now and I got back to working on this computer. The earlier thread apparently got closed already. Here's the link to it:
    http://keskustelu.afterdawn.com/thread_view.cfm/438764#2654724
    I did everything the instructions asked for. Here's the eScan AntiVirus log:

    File C:\WINDOWS\system32\jtxdmvyc.exe tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
    File C:\WINDOWS\system32\yafjowmt.exe tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
    File C:\Documents and Settings\ED\Local Settings\Temp\mst87.tmp infected by "Packed.Win32.Klone.v" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP35\A0041730.exe tagged as not-a-virus:AdTool.Win32.MyWebSearch.ak. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP36\A0041975.DLL tagged as not-a-virus:AdTool.Win32.MyWebSearch.l. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP36\A0041976.DLL tagged as not-a-virus:AdTool.Win32.MyWebSearch.i. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP37\A0042030.DLL tagged as not-a-virus:AdTool.Win32.MyWebSearch.ak. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP37\A0042034.dll tagged as not-a-virus:AdTool.Win32.MyWebSearch.ak. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP53\A0045887.0LL infected by "Trojan.Win32.BHO.g" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP53\A0045893.dll tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP55\A0048125.dll tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP60\A0048466.0LL infected by "Trojan-Spy.Win32.VBStat.j" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP60\A0048467.0LL infected by "Trojan-Spy.Win32.VBStat.j" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP60\A0048468.0LL infected by "Trojan-Spy.Win32.VBStat.j" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP60\A0048469.0LL infected by "Trojan-Spy.Win32.VBStat.j" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{8FA4D74A-B6E4-4BD5-814D-D31EA5DF011D}\RP60\A0048470.0LL infected by "Trojan-Spy.Win32.VBStat.j" Virus. Action Taken: File Deleted.
    File C:\WINDOWS\system32\jtxdmvyc.exe tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
    File C:\WINDOWS\system32\yafjowmt.exe tagged as not-a-virus:AdWare.Win32.Agent.at. No Action Taken.
     
  2. mheikki5

    Logfile of HijackThis v1.99.1
    Scan saved at 19:02:03, on 2.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\ViewMate Wireless Mouse MW407\MOUSE32A.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\kaspersky\mwavscan.com
    c:\kaspersky\kavss.exe
    C:\Program Files\utorrent-1.6.1-beta-build-483.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\ED\Työpöytä\hijackthis_self\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

     
  3. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
  4. mheikki5

    Logfile of HijackThis v1.99.1
    Scan saved at 18:27:40, on 7.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\ViewMate Wireless Mouse MW407\MOUSE32A.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ED\Työpöytä\hijackthis_self\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

     
  5. tapiiri

    Looks clean :D
     
  6. mheikki5

    I did everything that was asked, although deleting those two files didn't work in Safe Mode because it refused to work. It does start up, but then the icons and the Start menu just flash on the screen and don't come back. I deleted the files in normal mode.
    F-Secure is scanning for viruses right now and has already found eight. In addition, when opening Windows Firewall the machine complains: "Tunnistamattoman ongelman vuoksi Windows ei voi näyttää Windows palomuurin asetuksia." (in English: "Due to an unidentified problem, Windows cannot display the Windows Firewall settings.") And every now and then some casino popup window pops up on the screen.
     
  7. tapiiri

    Aha, then do this once F-Secure has finished scanning.
    Save the F-Secure log.

    Reboot the computer.

    1. Download the combofix.exe file to your desktop.
    2. Double-click the combofix.exe file and follow the instructions.
    3. When the tool finishes, it produces a log. Post this log in your thread.
    Note! Don't click around in the ComboFix window while it is running. This may cause the program to hang.

    Post:
    The F-Secure log
    The ComboFix log
    A new HijackThis log
     
  8. mheikki5

    F-Secure log:
    Scanning Report
    07 January 2007 19:14:54 - 19:14:56
    Computer name: YOUR-DB8C97692D
    Scanning type: Scan target for viruses
    Target: C:\


    --------------------------------------------------------------------------------

    Result: 8 malware found
    Packed.Win32.Klone.v (virus)
    C:\WINDOWS\system32\winjnr32.dll
    Packed.Win32.Klone.g (virus)
    C:\WINDOWS\Temp\win1614.tmp.exe
    C:\WINDOWS\Temp\win13FF.tmp.exe
    C:\WINDOWS\Temp\win12EB.tmp.exe
    C:\WINDOWS\Temp\win1292.tmp.exe
    C:\WINDOWS\Temp\win127C.tmp.exe
    C:\WINDOWS\Temp\win1278.tmp.exe
    C:\WINDOWS\Temp\win1111.tmp.exe


    --------------------------------------------------------------------------------

    Statistics
    Files:
    Scanned: 33236
    System: 0
    Not scanned: 3
    Result:
    Viruses: 8
    Spyware: 0
    Suspected: 0
    Actions:
    Disinfected: 0
    Renamed: 0
    Deleted: 0
    Quarantined: 0
    Failed: 8
    Boot Sectors:
    Scanned: 1
    Infected: 0
    Suspected: 0
    Disinfected: 0
    Files not scanned:
    Cannot open file C:\hiberfil.sys
    Cannot open file C:\pagefile.sys
    Cannot open file C:\WINDOWS\system32\config\default


    --------------------------------------------------------------------------------

    Options
    Definitions version:
    Viruses: 2007-01-07_01
    Spyware: 2007-01-02_03
    Scanning Engines:
    F-Secure AVP: 6.00.169, 2007-01-07
    F-Secure Libra: 2.03.08, 2007-01-03
    F-Secure Orion: 1.02.37, 2007-01-07
    F-Secure Draco: 1.00.35, 2006-12-27
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML AVB BAT CEO CMD LSP MAP MHT MIF PHP POT WMF NWS TAR TGZ ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    Scan inside archives
    Actions:
    Viruses: Ask after scan
    Spyware: Ask after scan

    --------------------------------------------------------------------------------


    ComboFix log:
    ED - 07-01-07 19:17:27,44 Service Pack 2
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\ED\Työpöytä"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{2851715D-0574-1035-0929-0529050166}
    C:\Program Files\Common Files\{3851715D-0574-1035-0929-0529050166}


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


    2007-01-02 16:46 <KANSIO> d-------- C:\Downloads
    2007-01-02 16:46 <KANSIO> d-------- C:\Bases
    2007-01-02 16:38 <KANSIO> d-------- C:\Kaspersky
    2006-12-28 15:42 2,505,472 --a------ C:\Program Files\bsplayer100.812.exe
    2006-12-27 21:29 44,060 --a------ C:\WINDOWS\system32\pfcceabd.dll
    2006-12-27 20:12 44,060 --a------ C:\WINDOWS\system32\wujvdwfh.dll
    2006-12-27 19:52 44,060 --a------ C:\WINDOWS\system32\buwxstjj.dll
    2006-12-25 21:58 <KANSIO> d-------- C:\Documents and Settings\ED\Application Data\Sun
    2006-12-22 19:09 <KANSIO> d-------- C:\Documents and Settings\ED\Application Data\F-Secure
    2006-12-22 19:02 70,896 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2006-12-22 19:02 33,584 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2006-12-22 19:02 118,842 -r------- C:\WINDOWS\bwUnin-6.3.2.116-7681197L.exe
    2006-12-22 19:01 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2006-12-22 18:46 <KANSIO> d-------- C:\Program Files\F-Secure
    2006-12-22 18:44 39,012,201 --a------ C:\Program Files\fsavcs_ltystandalone601.exe
    2006-12-21 12:53 <KANSIO> d-------- C:\WINDOWS\Sun
    2006-12-16 14:08 177,251 --a------ C:\Program Files\utorrent-1.6.1-beta-build-483.exe
    2006-12-16 14:00 118,804 --a------ C:\WINDOWS\system32\u4utogtnp.dll
    2006-12-16 08:51 44,052 --a------ C:\WINDOWS\system32\kvsrqoyi.dll
    2006-12-16 08:51 118,804 --a------ C:\WINDOWS\system32\msoutehd.dll
    2006-12-10 14:00 715,201 ---hs---- C:\WINDOWS\system32\xxycf.bak2
    2006-12-10 08:47 581,068 ---hs---- C:\WINDOWS\system32\xxycf.ini2
    2006-12-09 20:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2006-12-09 19:42 <KANSIO> d-------- C:\WINDOWS\Internet Logs
    2006-12-09 16:23 4,677,544 --a------ C:\Program Files\Windows-KB890830-V1.22.exe
    2006-12-09 14:00 276,532 ---hs---- C:\WINDOWS\system32\fcyxx.dll
    2006-12-09 14:00 1,288,319 ---hs---- C:\WINDOWS\system32\xxycf.bak1
    2006-12-09 14:00 <KANSIO> d-------- C:\Program Files\VSAdd-in
    2006-12-09 14:00 <KANSIO> d-------- C:\Documents and Settings\ED\Application Data\SearchToolbarCorp
    2006-12-09 13:45 19,456 --a------ C:\WINDOWS\system32\winjnr32.dll
    2006-12-09 12:07 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2006-12-09 10:36 <KANSIO> d-------- C:\Program Files\ffdshow
    2006-12-09 10:35 <KANSIO> d-------- C:\Program Files\MyGlobalSearch
    2006-12-08 23:08 <KANSIO> d-------- C:\Documents and Settings\ED\Application Data\BSplayer
    2006-12-08 23:07 <KANSIO> d-------- C:\Program Files\Webteh


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-07 19:19 -------- d-------- C:\Program Files\Common Files
    2007-01-07 17:53 -------- d-------- C:\Documents and Settings\ED\Application Data\uTorrent
    2007-01-07 16:02 -------- d-------- C:\Program Files\Winamp
    2007-01-01 16:30 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-12-22 18:52 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-12-22 18:32 -------- d-------- C:\Program Files\Internet Explorer
    2006-12-17 21:26 -------- d-------- C:\Program Files\directx
    2006-12-15 22:16 -------- d-------- C:\Program Files\Outlook Express
    2006-12-15 22:16 -------- d-------- C:\Program Files\Common Files\System
    2006-12-13 20:18 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-12-13 20:18 -------- d-------- C:\Documents and Settings\ED\Application Data\AdobeUM
    2006-12-10 15:30 -------- d---s---- C:\Documents and Settings\ED\Application Data\Microsoft
    2006-12-10 15:29 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-12-07 07:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-12-06 12:06 -------- d-------- C:\Program Files\Java
    2006-12-06 12:01 -------- d-------- C:\Program Files\Common Files\Java
    2006-12-05 22:31 -------- d-------- C:\Program Files\Windows Media Player
    2006-12-02 16:06 -------- d-------- C:\Documents and Settings\ED\Application Data\Help
    2006-12-02 13:54 -------- d-------- C:\Program Files\WinRAR
    2006-12-02 13:21 -------- d-------- C:\Program Files\Smart Projects
    2006-11-29 18:52 -------- d-------- C:\Documents and Settings\ED\Application Data\Macromedia
    2006-11-11 15:25 -------- d-------- C:\Program Files\Common Files\EasyInfo
    2006-11-08 07:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-20 03:39 713728 --a------ C:\WINDOWS\system32\sxs.dll
    2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-13 14:37 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "VTTrayp"="VTtrayp.exe"
    "VTTimer"="VTTimer.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "AGRSMMSG"="AGRSMMSG.exe"
    "Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
    "ProgramPath"="C:\\Program Files\\Power Manager\\PM.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "FLMOFFICE4DMOUSE"="C:\\Program Files\\ViewMate Wireless Mouse MW407\\MOffice.exe"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "F-Secure Manager"="\"C:\\Program Files\\F-Secure\\Common\\FSM32.EXE\" /splash"
    "F-Secure TNB"="\"C:\\Program Files\\F-Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Nykyinen kotisivu"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyxx
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjnr32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 07-01-07 19:21:31.56
    C:\ComboFix.txt ... 07-01-07 19:21

    HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 19:28:08, on 7.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\ViewMate Wireless Mouse MW407\MOUSE32A.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Games\NES\nester.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\ED\Työpöytä\hijackthis_self\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

    Then this is the address shown in the popup window:
    http://a.as-eu.falkag.net/dat/dlv/aslframe.html?dat=659712&kid=321583&xl=0&yl=0&mod=111

    I emptied the temp folder and tried to delete
    C:\WINDOWS\system32\winjnr32.dll
    but clicking on it brings more viruses and "access denied"
  9. tapiiri (Regular member, joined Jun 11, 2005)

    That file won't go away by ordinary means:

    Download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • When the scan is complete, click the Remove Vundo button.
    • You will be asked whether you want to remove the files; click YES.
    • After you click yes, your desktop will go blank as it starts removing Vundo.
    • When it is done, the fix will tell you to restart your computer; click OK.
    • Post the contents of the C:\vundofix.txt log and a fresh HijackThis log.

    Note: It is possible that VundoFix found a file it could not remove.
    In that case VundoFix will run itself at reboot; just follow the instructions above starting from "Click the Scan for Vundo button" when VundoFix appears after the restart.

    Rename hijackthis.exe to e.g. sanneri.exe and post a new log
    also post the VundoFix log :D
    Last edited: Jan 7, 2007
  10. tapiiri (Regular member, joined Jun 11, 2005)

    OK, having looked through the Combo log, do the following:

    Download Killbox from Option^Explicit.

    Note: If you already have Killbox, this is a new version that you need to install. Remove the earlier one.

    • Save it to your desktop.
    • Double-click Killbox.exe to run the program.
    • Select:
      • Delete on Reboot
      • then click the All Files option.
    • Copy and paste the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click with the mouse and choose copy):

      C:\WINDOWS\system32\pfcceabd.dll
      C:\WINDOWS\system32\wujvdwfh.dll
      C:\WINDOWS\system32\buwxstjj.dll
      C:\WINDOWS\bwUnin-6.3.2.116-7681197L.exe
      C:\Program Files\fsavcs_ltystandalone601.exe
      C:\WINDOWS\system32\winjnr32.dll

    • Go back to Killbox, open the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the "Delete on Reboot" prompt. Click OK at any PendingFileRenameOperations prompt (and let the fixer know if one of those appears!).
    Restart your computer yourself if it does not do so automatically.

    If you get this message: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when you try to run KillBox, click this to download and run Missingfilessetup.exe. Then try KillBox again.

    Post the logs I asked for in my previous message :D
  11. mheikki5 (Member, joined Sep 13, 2006)

    Logfile of HijackThis v1.99.1
    Scan saved at 18:06:00, on 8.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\ViewMate Wireless Mouse MW407\MOUSE32A.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ED\Työpöytä\hijakki\skanneri.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {506DA788-8A5E-4027-AAC8-65B3107AD4B6} - C:\WINDOWS\system32\fcyxx.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pfcceabd.dll (file missing)
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O20 - Winlogon Notify: winjnr32 - winjnr32.dll (file missing)
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE


    VundoFix V6.2.13

    Checking Java version...

    Java version is 1.5.0.9

    Scan started at 17:28:55 8.1.2007

    Listing files found while scanning....

    C:\WINDOWS\system32\fcyxx.dll
    C:\WINDOWS\system32\xxycf.ini
    C:\WINDOWS\system32\xxycf.bak1
    C:\WINDOWS\system32\xxycf.bak2
    C:\WINDOWS\system32\xxycf.ini2
    C:\WINDOWS\system32\xxycf.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\fcyxx.dll
    C:\WINDOWS\system32\fcyxx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xxycf.ini
    C:\WINDOWS\system32\xxycf.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xxycf.bak1
    C:\WINDOWS\system32\xxycf.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xxycf.bak2
    C:\WINDOWS\system32\xxycf.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xxycf.ini2
    C:\WINDOWS\system32\xxycf.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xxycf.tmp
    C:\WINDOWS\system32\xxycf.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!
    Last edited: Jan 8, 2007
  12. tapiiri (Regular member, joined Jun 11, 2005)

    Starting to look better :D

    Download AVG Anti-Spyware 7.5 and save the program to your desktop.
    • Once you have downloaded the program, double-click the installer's shortcut on your desktop; the installation begins.
    • After installation the program has to be started and its definitions updated.
    • Start AVG Anti-Spyware.
    • Click the "Update" icon in the main menu. Then click the "Update now" button.
      • Then click the "Start Update" icon, and the update begins.
    • When the updates have been downloaded, click the "Scanner" icon at the top of the window. Then select the "Settings" tab.
    • When the "Settings" menu has opened, click "Recommended actions" and then choose "Quarantine".
    • Then under the "Reports" menu:
      • Tick "Automatically generate report after every scan"
      • Untick "Only if threats were found"
    • Then click the "Shield" icon at the top of the window
    • "Resident shield is": change the state from active to inactive
    • Close the program; do NOT scan yet.

      Scan with HJT and tick:

      O2 - BHO: (no name) - {506DA788-8A5E-4027-AAC8-65B3107AD4B6} - C:\WINDOWS\system32\fcyxx.dll (file missing)
      O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pfcceabd.dll
      O20 - Winlogon Notify: winjnr32 - winjnr32.dll (file missing)

      Close the other programs and press Fix checked.
    Restart your computer in Safe Mode. Instructions!

    Delete: C:\WINDOWS\system32\ >>pfcceabd.dll <<

    NOTE! Do not use other programs during the AVG scan; that may interfere with the scan.
    • Once in Safe Mode, start AVG Anti-Spyware.
    • Click the "Scanner" icon at the top of the window and select the "Scan" tab. Then click "Complete System Scan".
    • AVG will now start scanning the computer; be patient, as the scan takes time.

      When the scan is complete:
      IMPORTANT: Do not click "Save Scan Report" before you click "Apply all Actions"
    • Make sure that Set all elements to: shows Quarantine (1); if not, click the link and choose Quarantine from the popup menu.
    • You will be asked what to do if infections were found; choose "Apply all actions"
    • Then click the "Reports" icon at the top of the program.
    • Click the "Save report as" button at the bottom left of the window and save the report to the desktop.
    • Close the program, restart the computer normally and post the AVG report in your reply.


    Post a new HJT log and the AVG log
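As an added example (written for this page, not code from the thread or from HijackThis/VundoFix), here is the check the helper is doing by eye in the post above, turned into code: pick out the O2 BHO and O20 Winlogon Notify lines that match the Vundo pattern (a BHO whose DLL is gone or has no name; a Notify package Windows XP does not ship), and, given a directory listing, find the reversed-name companion files VundoFix reported in the previous post (fcyxx.dll next to xxycf.ini, xxycf.bak1 and so on). The sample lines are copied from the logs in this thread; the list of XP SP2 default Notify packages is an assumption from memory, and `flag_hjt_lines` and `reversed_name_companions` are names chosen here.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {506DA788-8A5E-4027-AAC8-65B3107AD4B6} - C:\WINDOWS\system32\fcyxx.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll",
    r"O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pfcceabd.dll (file missing)",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O20 - Winlogon Notify: winjnr32 - winjnr32.dll (file missing)",
    r"O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE",
]

# Constructed sample: the file list VundoFix printed, plus one decoy DLL with no twin.
SAMPLE_FILE_LIST = [
    r"C:\WINDOWS\system32\fcyxx.dll",
    r"C:\WINDOWS\system32\xxycf.ini",
    r"C:\WINDOWS\system32\xxycf.bak1",
    r"C:\WINDOWS\system32\xxycf.bak2",
    r"C:\WINDOWS\system32\xxycf.ini2",
    r"C:\WINDOWS\system32\xxycf.tmp",
    r"C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll",
]

# Assumption: Winlogon Notify packages of a clean XP SP2 install (from memory).
# Vendor packages such as WgaLogon or igfxcui are legitimate additions, so a
# hit here means "look it up", not "delete".
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


def flag_hjt_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for each O2/O20 entry matching the Vundo pattern seen
    in this thread: orphaned or nameless BHOs and non-default Notify packages."""
    flagged: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        bho = BHO_RE.match(line)
        if bho:
            if bho.group("missing"):
                flagged.append((line, "BHO CLSID still registered but DLL gone (orphaned after removal)"))
            elif bho.group("name") == "(no name)":
                flagged.append((line, "BHO with no name; inspect the DLL before trusting it"))
            continue
        notify = NOTIFY_RE.match(line)
        if notify and notify.group("name").lower() not in XP_DEFAULT_NOTIFY:
            flagged.append((line, "Winlogon Notify package not shipped with XP: loads into winlogon.exe at logon"))
    return flagged


def reversed_name_companions(paths: List[str]) -> Dict[str, List[str]]:
    """Map each DLL to the files whose base name is the DLL's base name reversed.
    VundoFix's output above shows the pattern: fcyxx.dll next to xxycf.ini/.bak1/.bak2/.ini2/.tmp."""
    by_stem: Dict[str, List[str]] = {}
    for path in paths:
        by_stem.setdefault(PureWindowsPath(path).stem.lower(), []).append(path)
    companions: Dict[str, List[str]] = {}
    for path in paths:
        stem = PureWindowsPath(path).stem.lower()
        twin = stem[::-1]
        if path.lower().endswith(".dll") and twin != stem and twin in by_stem:
            companions[path] = sorted(by_stem[twin])
    return companions


if __name__ == "__main__":
    for line, reason in flag_hjt_lines(SAMPLE_HJT_LINES):
        print(f"FIX  {line}\n     {reason}")
    for dll, files in reversed_name_companions(SAMPLE_FILE_LIST).items():
        print(f"TWIN {dll} -> {', '.join(files)}")
```

On the sample it flags exactly the three lines the helper asked to have ticked and pairs fcyxx.dll with its five xxycf.* companions; point `reversed_name_companions` at a real `dir /b` listing of system32 to catch a fresh Vundo DLL whose name you do not yet know.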
  13. mheikki5 (Member, joined Sep 13, 2006)

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 19:25:29 9.1.2007

    + Scan result:



    C:\Documents and Settings\Inna&Kari\Local Settings\Temporary Internet Files\Content.IE5\C9GTYZC1\installdrivecleanerstart[1].exe -> Adware.DriveCleaner : Cleaned with backup (quarantined).
    C:\Documents and Settings\Catarina\Cookies\catarina@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@stats1.reliablestats[3].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@stats1.reliablestats[4].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Catarina\Cookies\catarina@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Inna&Kari\Cookies\inna&kari@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Program Files\Power Manager\WinIo.dll -> Trojan.Agent.f : Cleaned with backup (quarantined).
    C:\Addon\proginst.exe -> Trojan.Small.gv : Cleaned with backup (quarantined).


    ::Report end

  14. mheikki5 (Member, joined Sep 13, 2006)

    Logfile of HijackThis v1.99.1
    Scan saved at 19:42:38, on 9.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ViewMate Wireless Mouse MW407\MOUSE32A.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Virusaseita\hijakki\skanneri.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\ViewMate Wireless Mouse MW407\MOffice.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FA2A762-2445-42AB-B483-CE6BBE970B72}: NameServer = 212.50.211.242 212.50.192.226
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE


  15. mheikki5 (Member, joined Sep 13, 2006)

    This message appeared at Windows startup this time: PM.exe. The application could not be started because WINIO.dll was not found. Reinstalling the application may fix the problem. In addition, the Windows firewall problem still exists.
  16. tapiiri (Regular member, joined Jun 11, 2005)

    Those errors point to a possible Apropos rootkit :(


    Download and save Blacklight to your desktop;

    Double-click blbeta.exe, accept the agreement, click > Scan, then > Next

    You will see a list of everything it found. A log named fsbl.xxxxxxx.log (the xxxxxxx will most likely be numbers) also appears on your desktop.

    Copy and paste this log into your next reply. Do not choose the "Rename" option yet! We want to see the log first, because good files may be included, such as "wbemtest.exe".
  17. tapiiri (Regular member, joined Jun 11, 2005)

    Download a new winio.dll from here:

    http://www.internals.com./

    Or restore the original from the AVG quarantine. It's a so-called false positive from AVG :D

    It should be here:

    C:\Program Files\Power Manager\WinIo.dll -> Trojan.Agent.f : Cleaned with backup (quarantined).