My brother ingeniously managed to suck a load of viruses onto the computer. There were Trojans, ad trackers and so on. Norman 5.82 cleaned some of them and Ad-Aware also found all sorts of things; the rest I removed manually. The viruses came back, however, as soon as the internet connection was established. Eventually I found something in the startup files that wasn't supposed to be there. RegCleaner got rid of it. The whole time I have not been able to turn on Windows' own firewall, and I still can't. When I try to activate it I get the text "Due to an unknown error, the firewall settings cannot be displayed". There were also virus-related files in the root of the C: drive and in the temp folders. When shutting down the computer, a message appeared: "msasvc.exe DLL initialization error". I tried to delete the file C:\windows\system32\msasvc.exe, but it doesn't work. Norman also reports the file C:\windows\system32\msasvc.exe (W32/Tiny.KA) but fails to remove it. At the moment the computer otherwise seems to be clean, apart from the file mentioned above. Hopefully you could make sense of my rambling. Help me get Windows' wonderful firewall working again and Tiny.KA removed! Thanks.
Here is the log; there seems to be something related to it, something that posts a link to itself to the people who are online in Messenger. I did manage to delete that msasvc.exe. I also thought I had got the computer clean otherwise, until it sent messages about itself in Messenger after about half an hour's session. I also found viruses in the System Volume Information folder, which I managed to remove. I still can't turn on Windows' own firewall. How do I proceed from here?

Logfile of HijackThis v1.99.1
Scan saved at 0:28:36, on 9.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Norman\bin\ZLH.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Koti\Omat tiedostot\Sami FAmi\suljua\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19DB789F-BA25-4C21-A4D9-906297ACC3F1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [PhilipsRemote] "C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fi/filesharingctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
Oh, I did find this: http://keskustelu.afterdawn.com/thread_view.cfm/417547! And I think I posted this in the wrong section. Sorry.
@famittaja: Hi, OK, here are the instructions:

Clean up System Restore:
1. Right-click the My Computer icon in the Start menu
2. Select Properties
3. Select the System Restore tab
4. Select "Turn off System Restore" on all drives
5. Click Apply
6. Click OK
7. Restart the computer
8. Restore the settings

Update Java: (the latest Java is Java Runtime Environment (JRE) 5.0 Update 9)
- Click Start -> Control Panel and double-click Add or Remove Programs in the Control Panel.
- Find all your old Java versions in the list (J2SE Runtime Environment.... ). They should have the following image next to them:
- Select all your old Java versions and choose Remove.
- Install the latest Java update from the following link.
- Restart the computer after the installation: http://java.sun.com/javase/downloads/index.jsp
- After the restart, go back to the Control Panel and open your Java settings (Other Control Panel Options -> the Java coffee cup).
- Under the Temporary Internet Files section, click the Delete Files button.
- Make sure all three options are checked: Downloaded Applets, Downloaded Applications, Other Files
- Click OK in your "Delete Temporary Internet Files" window. Note: this deletes all downloaded applications and applets FROM THE CACHE.
- Click OK to leave your Java settings window.

Download SDFix by AndyManchesta and save it to your desktop.
Start your computer in Safe Mode and choose your normal user account:
Start the computer.
When you hear the computer beep, press F8, before the Windows logo appears.
A menu should appear next.
Select Safe Mode from the menu.
Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop. Open the SDFix folder and double-click the file RunThis.bat to start the program.
Press Y to start the script. The tool cleans the Trojan's services and also makes some repairs to the registry. Finally it asks you to restart the computer, "Press any key to Reboot". Press any key and the computer restarts. Startup takes longer than usual because SDFix is cleaning the computer. When the computer has started and the desktop has loaded, SDFix reports that the cleaning is complete, "Finished". Then press any key to close the script and load the desktop icons. Finally open the SDFix folder (on the desktop) and copy & paste the contents of the file Report.txt into your thread along with a new HijackThis log.

Fix with HjT (Do a system scan only, check the entries and press Fix Checked):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {19DB789F-BA25-4C21-A4D9-906297ACC3F1} - (no file)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

1. Download the combofix.exe file to your desktop.
2. Double-click the combofix.exe file and follow the prompts.
3. When the tool is finished, it produces a log. Post this log in your thread.
Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.

Get AVG Anti-Spyware -> http://aaxxeell.googlepages.com/ewido4
Update, scan, remove what it finds and save the report.
Post a new HjT log, Report.txt, C:\Combofix.txt and the AVG report.
Thanks for these instructions. Unfortunately I can't get to the computer that has the problems right now, but I'll report the results here as soon as I get to work on it!
Hello! I apparently have the same virus. I followed the instructions, and here are the logs etc.

Logfile of HijackThis v1.99.1
Scan saved at 1:27:02, on 14.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sibelius Software\Sibelius 4\Sibelius.exe
C:\Documents and Settings\Esko Grundström\Omat tiedostot\Softaa\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20D58B96-91E8-4A21-B19D-8A8AA81D48F4} - C:\Program Files\Outlook Express\horec.dll (file missing)
O2 - BHO: (no name) - {3887D970-6B24-435D-ADE0-2E830163C395} - C:\Program Files\Outlook Express\horec.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e56.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: icmufecl.dll e1.dll
O20 - Winlogon Notify: trafkbdy - C:\WINDOWS\system32\trafkbdy.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

Esko Grundström - 06-11-14 0:34:29,46 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Esko Grundström\Työpöytä"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\dfndrff_e56.exe
C:\drsmartload.exe
C:\deskbar_e55.exe
C:\kybrdff_e56.exe
C:\nwnmff_e56.exe
C:\ac3_0010.exe
C:\RDFX4.exe
C:\Program Files\Common Files\{BC1FE797-07C5-1035-1118-050509020166}

((((((((((((((((((((((((((((((( Files Created from 2006-10-14 to 2006-11-14 ))))))))))))))))))))))))))))))))))

2006-11-14 00:06      19,456  --a------  C:\DXC9.exe
2006-11-13 21:45       3,968  --a------  C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-13 21:10       3,584  --a------  C:\1539156.exe
2006-11-13 21:09       5,146  --a------  C:\swpu.exe
2006-11-13 21:08     438,272  --a------  C:\windows_e56.exe
2006-11-13 21:08      32,768  --a------  C:\mc44a56.exe
2006-11-13 21:07      74,240  --a------  C:\keyxk.exe
2006-11-13 21:07      32,768  --a------  C:\Documents and Settings\Esko Grundström\vv1135.exe
2006-11-13 21:07     113,252  --a------  C:\Documents and Settings\Esko Grundström\mc.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-14 00:35  --------  d--------  C:\Program Files\Common Files
2006-11-14 00:20  --------  d--------  C:\Program Files\Mozilla Firefox
2006-11-14 00:16  --------  d--------  C:\Program Files\Java
2006-11-14 00:12  --------  d--------  C:\Program Files\Common Files\Java
2006-11-13 22:08  --------  d--------  C:\Program Files\MSN Messenger
2006-11-13 21:45  --------  d--------  C:\Program Files\Grisoft
2006-11-13 21:42  --------  d--------  C:\Program Files\Outlook Express
2006-11-09 14:24  --------  d--------  C:\Program Files\DCPlusPlus
2006-11-08 00:24  --------  d--------  C:\Documents and Settings\Esko Grundström\Application Data\uTorrent
2006-11-04 01:06        73  --a------  C:\WINDOWS\system32\ssprs.dll
2006-11-04 01:06       205  --a------  C:\WINDOWS\system32\lsprst7.dll
2006-10-08 14:42  --------  d--------  C:\Program Files\Image-Line
2006-10-02 19:33  --------  d--------  C:\Program Files\Syncrosoft
2006-10-02 19:29  --------  d--------  C:\Documents and Settings\Esko Grundström\Application Data\Steinberg
2006-10-02 19:24  --------  d--------  C:\Program Files\Steinberg
2006-09-14 19:54  --------  d--------  C:\Program Files\NoteWorthy Composer
2006-09-13 07:03   1084416  --a------  C:\WINDOWS\system32\msxml3.dll
2006-09-11 16:56       604  --ah-----  C:\Program Files\STLL Notifier
2006-08-25 17:49    617472  --a------  C:\WINDOWS\system32\comctl32.dll
2006-08-21 14:26     16896  --a------  C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14     23040  --a------  C:\WINDOWS\system32\fltmc.exe
2006-08-16 13:58    100352  --a------  C:\WINDOWS\system32\6to4svc.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"High Definition Audio -ominaisuussivun pikakuvake"="HDAShCut.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"UMonit"="C:\\WINDOWS\\system32\\UMonit.exe"
"SMSERIAL"="sm56hlpr.exe"
"PowerManager"="C:\\Program Files\\Power Manager\\PM.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"Norman ZANDA"="C:\\Norman\\bin\\ZLH.EXE /LOAD /SPLASH"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"windows"="C:\\\\windows_e56.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,55,00,00,00,00,00,00,00,ab,04,00,00,02,03,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,55,00,00,00,00,00,00,00,ab,04,00,00,02,03,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\trafkbdy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-14 0:36:00.81
C:\ComboFix.txt ... 06-11-14 00:36

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:24:05 14.11.2006

+ Scan result:

C:\Program Files\NavExcel\NavHelper\v2.0.2\v2.0.2.cab/NHUninstaller.exe -> Adware.NavExcel : Cleaned.
C:\Program Files\NavExcel\NavHelper\v2.0.2\v2.0.2.cab/NHUpdater.exe -> Adware.NavExcel : Cleaned.
C:\Program Files\NavExcel\NavHelper\v2.0.2\v2.0.2.cab/NHelper.dll -> Adware.NavExcel : Cleaned.
C:\DXC9.exe -> Adware.SurfSide : Cleaned.
C:\Documents and Settings\Esko Grundström\Local Settings\Temporary Internet Files\Content.IE5\8RUNYGKA\DXC9[1].exe -> Adware.SurfSide : Cleaned.
:mozilla.22:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.101:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.78:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.79:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.18:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.19:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.21:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.20:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.89:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.90:C:\Documents and Settings\Esko Grundström\Application Data\Mozilla\Firefox\Profiles\wuyotue4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.

::Report end

I would be really grateful if you can help!
@Sarmanto: Instructions for you:

Download RustBFix by ejvindh and save it to your desktop. Double-click the file rustbfix.exe. If a Rustock.b infection is found, you will shortly be asked to restart the computer. The restart may take a while and you may have to restart the computer a second time. All of this happens automatically. After the restart two log files open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Copy and paste these two log files into your next reply along with a new HijackThis log.

Download Atribune's ATF Cleaner
Instructions:
Double-click ATF-Cleaner.exe to start the program. Under Main, choose: Select All. Click the Empty Selected button.
If you use Firefox as your browser: click Firefox at the top and choose: Select All. Click the Empty Selected button. NOTE: if you want to keep your saved passwords, click No when it asks.
If you use Opera as your browser: click Opera at the top and choose: Select All. Click the Empty Selected button again. NOTE: if you want to keep your saved passwords, click No when it asks.
Click Exit in the main menu to close the program.
Technical support is available by double-clicking the e-mail address located below each menu in the tool. (Note that the support is in English.)

Fix with HjT (Do a system scan only, check the entries and press Fix Checked):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [windows] C:\\windows_e56.exe
O20 - AppInit_DLLs: icmufecl.dll e1.dll
O20 - Winlogon Notify: trafkbdy - C:\WINDOWS\system32\trafkbdy.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Show hidden files -> Guide!
Start the computer in Safe Mode -> Guide!
Delete:
C:\windows_e56.exe
C:\WINDOWS\system32\trafkbdy.dll
C:\WINDOWS\system32\msasvc.exe

Download CCleaner -> http://www.download.fi/tyopoytaohjelmat/haittaohjelmien_poisto/ccleaner.cfm
Run CCleaner according to these instructions. (Remove unnecessary files and fix the registry errors.)
Get eScan -> http://koti.mbnet.fi/pattaya1/escanmwav.htm
Follow the instructions on the site and run it. If eScan finds something (the lower box), post its results here. (Instructions on that page: the bottom image and the text above it.)
Post a new HjT log, (%root%\avenger.txt & %root%\rustbfix\pelog.txt) and the eScan log.
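As an added example (an editor's addition, not code from this thread, from HijackThis or from any other tool mentioned here), the following Python script applies mechanically the same triage that the helper does by eye on the HijackThis logs in this thread: it flags entries that point at a file that no longer exists ("(file missing)" or "(no file)"), Run keys that launch an executable sitting directly in a drive root such as C:\windows_e56.exe, a populated AppInit_DLLs value, and start/search-page keys that point at a host the owner does not recognise. The sample lines are constructed from the ones pasted above and are not a complete log; the function names triage and summarize and the trusted_hosts parameter are this example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of HijackThis v1.99.1 lines modelled on the
# ones pasted in this thread (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {19DB789F-BA25-4C21-A4D9-906297ACC3F1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [windows] C:\\windows_e56.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - AppInit_DLLs: icmufecl.dll e1.dll
O20 - Winlogon Notify: trafkbdy - C:\WINDOWS\system32\trafkbdy.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"=\s*(https?://\S+)")
# An executable directly under a drive root, e.g. C:\foo.exe or "C:\\foo.exe"
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+[^\\\s"]+\.exe\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry deserves a second look
    line: str    # the original log line


def triage(log_text, trusted_hosts=frozenset()):
    """Return the entries of a HijackThis log that match the heuristics below.

    These are the checks a helper applies by eye in this thread: dangling
    references, executables dropped in a drive root, a non-empty AppInit_DLLs
    value, and start/search pages pointing at hosts the owner does not
    recognise (hosts they do recognise are passed in trusted_hosts).
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        # 1. Entry points at a file that no longer exists: a leftover of a
        #    partial cleanup, or a component that re-creates itself on boot.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(kind, "references a missing file", line))
            continue

        # 2. Start/search-page keys pointing at an unrecognised host.
        if kind in ("R0", "R1"):
            u = URL_RE.search(body)
            if u:
                host = urlparse(u.group(1)).hostname or ""
                if host.lower() not in trusted_hosts:
                    findings.append(Finding(kind, f"browser page set to untrusted host {host}", line))
            continue

        # 3. Run key whose command is an executable in a drive root
        #    (C:\something.exe), an unusual location for legitimate software.
        if kind == "O4":
            cmd = re.match(r".*?\]\s+(.*)$", body)
            if cmd and ROOT_EXE_RE.match(cmd.group(1)):
                findings.append(Finding(kind, "autorun executable in drive root", line))
            continue

        # 4. AppInit_DLLs loads the listed DLLs into every process that uses
        #    user32.dll; on a home PC the value is normally empty.
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append(Finding(kind, "AppInit_DLLs is populated", line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, for a quick overview."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_hosts={"www.soneraplaza.fi"}):
        print(f"{f.kind:<4} {f.reason:<50} {f.line}")
```

The trusted_hosts set is the one judgement call left to the person reading the log: with www.soneraplaza.fi (the ISP portal seen in the log above) trusted, the searchbar.findthewebsiteyouneed.com entry stays flagged while the Default_Page_URL entry does not. A flag is a prompt to look, not a verdict: vendor entries such as NeroCheck.exe and nvsvc32.exe pass untouched, and a "(file missing)" entry can just as well be the residue of an uninstall as of an infection.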
Greetings! Once again I followed the instructions as best I could, and below are the logs you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 2:05:20, on 15.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Esko Grundström\Omat tiedostot\Softaa\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20D58B96-91E8-4A21-B19D-8A8AA81D48F4} - (no file)
O2 - BHO: (no name) - {3887D970-6B24-435D-ADE0-2E830163C395} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE

eScan findings:
File C:\WINDOWS\system32\lzx32.sys infected by "Trojan-Clicker.Win32.Costrat.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll infected by "Trojan-PSW.Win32.Sinowal.bl" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP3\A0000125.exe infected by "Trojan-Downloader.Win32.Adload.di" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP3\A0000126.exe tagged as not-a-virus:AdWare.Win32.Softomate.r. No Action Taken.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP3\A0000148.exe tagged as not-a-virus:AdWare.Win32.SurfSide.ax. No Action Taken.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP3\A0000152.exe infected by "Trojan-Downloader.Win32.VB.aqc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP3\A0000153.exe tagged as not-a-virus:RiskTool.Win32.PsKill.q. No Action Taken.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP3\A0000154.exe infected by "Trojan-Downloader.Win32.VB.aqc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP4\A0000471.sys infected by "Trojan-Clicker.Win32.Costrat.q" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0DC1ECEB-D8C0-46F4-93EC-C49B097E3565}\RP4\A0000476.dll infected by "Trojan-PSW.Win32.Sinowal.bl" Virus. Action Taken: File Deleted.

and RustBfix's:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lktlldmc

*******************

Script file located at: \??\C:\Documents and Settings\ndihjfko.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

and also:

*************************
Rustock.b-fix -- By ejvindh
*************************
ti 14.11.2006 18:08:42,54

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 68412
Total size: 68412 bytes.
Attempting to remove ADS...
system32: deleted 68412 bytes in 1 streams.

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.

******************************* End of Logfile ********************************

Regards, Esko G.
PS. It's great that someone is willing to go to this much trouble. Without help I'd be completely lost...
@Sarmanto: Sorry it took a while. Instructions... Fix these:
O2 - BHO: (no name) - {20D58B96-91E8-4A21-B19D-8A8AA81D48F4} - (no file)
O2 - BHO: (no name) - {3887D970-6B24-435D-ADE0-2E830163C395} - (no file)

Clear System Restore:
1. Right-click the My Computer icon in the Start menu
2. Choose Properties
3. Choose the System Restore tab
4. Tick "Turn off System Restore on all drives"
5. Press Apply
6. Press OK
7. Restart the computer
8. Put the settings back

Post a new HjT log.
Hi! And here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:34, on 17.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Esko Grundström\Omat tiedostot\Softaa\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
@Sarmanto: More instructions.

Download Killbox from Option^Explicit. Save it to your desktop.
- Unzip killbox.zip and then double-click Killbox.exe to run the program.
- Select: Delete on Reboot, then click the All Files option.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click with the mouse and choose Copy). Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the "Delete on Reboot" prompt. Click OK at any PendingFileRenameOperations prompt (and let the helper know if one of these appears!). Restart your computer yourself if it does not do so automatically.

If you get the message "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when you try to run KillBox, click here to download and run Missingfilessetup.exe. Then try KillBox again.

Your computer had a virus that steals passwords, so change all your online passwords (bank, web shops) and, if possible, do it from another computer that is clean.

Download SDFix by AndyManchesta and save it to your desktop.

Boot your computer into Safe Mode and choose your normal user account:
Start the computer.
When you hear the computer beep, press F8, before the Windows logo appears.
A menu should appear next.
Choose Safe Mode from the menu.

Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
Open the SDFix folder and double-click RunThis.bat to start the program. Press Y to start the script.
The tool cleans up the trojan's services and also makes some repairs to the registry. Finally it asks you to restart the computer, "Press any key to Reboot". Press any key and the computer restarts.
Startup takes longer than usual because SDFix is cleaning the computer. When the computer has started and the desktop has loaded, SDFix reports that the cleanup is complete, "Finished". Then press any key to close the script and load the desktop shortcuts.
Finally, open the SDFix folder (on the desktop) and copy & paste the contents of Report.txt into your thread along with a new HijackThis log.

Post a new HjT log and Report.txt.
Hi! First of all, with Killbox I did not manage to copy all the file paths at once, and when I tried to do it one at a time, the following message appeared for each one on deletion: PendingFileRenameOperations Registry Data has been Removed by External Process! I ran SDFix and here is its report:

SDFix: Version 1.40
-------------------
Scan run on: su 19.11.2006
Time: 21:40
Microsoft Windows XP [versio 5.1.2600]
Running from: C:\DOCUME~1\ESKOGR~1\TYPYT~1\SDFix

Stage One...

Checking Services...

Name:
-----
MsaSvc

Path:
----
C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Repairing Registry...
Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

Backing Up and Removing any Files Found...

Final Check:

Services:
---------

Files:
------

Backups folder is located here - C:\DOCUME~1\ESKOGR~1\TYPYT~1\SDFix\backups\backups.zip

FINISHED

and the HjT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:50:54, on 19.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Esko Grundström\Omat tiedostot\Softaa\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
@Sarmanto: Let's do it this way, then:

1. Download The Avenger (c) to your desktop. Click the Avenger.zip file to open it. Extract Avenger.exe to your desktop.

2. Copy all the text in the black quote box below into a blank Notepad:

Note: the script above has been created specifically for this user. If you are not this person, DO NOT follow these instructions, because they could damage your computer.

3. Now open The Avenger by double-clicking its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click the magnifying-glass icon, which opens a new window named "View/edit script". Paste the text you copied into Notepad into this window. Click Done. Now click the green light to start the script. Click "Yes" when the two warning boxes appear.

Avenger automatically does the following:
It restarts your computer. (In cases where the script contains a "Drivers to Unload" command, Avenger restarts your computer twice.)
On restart, it briefly opens a black command window on your desktop; this is normal.
After the restart, it creates a log file, which should open, of the results of Avenger's actions. The path of this log is C:\avenger.txt
Avenger has also made a backup of all the files etc. that you asked it to delete, and has packed and moved them into a zip file at C:\avenger\backup.zip.

5. Copy and paste the whole contents of avenger.txt into your reply along with a fresh HJT log.

Post a new HjT log and C:\avenger.txt.
Hi! Here are the logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qfmfpscr

*******************

Script file located at: \??\C:\WINDOWS\system32\anqyqtwq.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\DXC9.exe not found!
Deletion of file C:\DXC9.exe failed!
Could not process line:
C:\DXC9.exe
Status: 0xc0000034

File C:\1539156.exe not found!
Deletion of file C:\1539156.exe failed!
Could not process line:
C:\1539156.exe
Status: 0xc0000034

File C:\swpu.exe not found!
Deletion of file C:\swpu.exe failed!
Could not process line:
C:\swpu.exe
Status: 0xc0000034

File C:\windows_e56.exe not found!
Deletion of file C:\windows_e56.exe failed!
Could not process line:
C:\windows_e56.exe
Status: 0xc0000034

File C:\mc44a56.exe not found!
Deletion of file C:\mc44a56.exe failed!
Could not process line:
C:\mc44a56.exe
Status: 0xc0000034

File C:\keyxk.exe not found!
Deletion of file C:\keyxk.exe failed!
Could not process line:
C:\keyxk.exe
Status: 0xc0000034

Could not open file C:\Documents and Settings\Esko Grundström\vv1135.exe for deletion
Deletion of file C:\Documents and Settings\Esko Grundström\vv1135.exe failed!
Could not process line:
C:\Documents and Settings\Esko Grundström\vv1135.exe
Status: 0xc000003a

Could not open file C:\Documents and Settings\Esko Grundström\mc.exe for deletion
Deletion of file C:\Documents and Settings\Esko Grundström\mc.exe failed!
Could not process line:
C:\Documents and Settings\Esko Grundström\mc.exe
Status: 0xc000003a

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 16:19:49, on 21.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\UMonit.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\notepad.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Documents and Settings\Esko Grundström\Omat tiedostot\Softaa\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Sonera Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
Great work, a thousand thanks for the help! However, I still cannot get the Windows firewall turned on. When I try to enable it, the message "Due to an unidentified problem, Windows cannot display the Windows Firewall settings" appears.
Good to hear that Sarmanto's machine is sorted out. I'll get to work on the problem computer myself very soon. Marku2, I hope it's no trouble for you that this is progressing a bit slowly. Here is an instruction I found on another forum for getting the firewall working again:

"(NOTE! This technique resets the firewall settings, so you will have to press those "Unblock" buttons again... if you accept this, move on to the next step ->) Download this: http://windowsxp.mvps.org/reg/sharedaccess.reg (right-click that link and save the target to disk). Then run it, and when a window asks whether you want to add it to the registry, press Yes. After that, Start -> Run, enter rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf and press OK. After that, open Run again and enter NETSH FIREWALL RESET."

I'd think there would be no harm in trying that. Sarmanto, did you reinstall Messenger?
Yep, that fixed the firewall! Thanks! I reinstalled Messenger (a newer version while I was at it), and it has worked without problems.
All right. Finally some progress. At least Backdoor.Pakes was found with AVG, and I ran the other ones too. So eScan next, then?

Logfile of HijackThis v1.99.1
Scan saved at 0:18:32, on 26.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\program files\powerstrip\pstrip.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Documents and Settings\Koti\Omat tiedostot\Sami FAmi\suljua\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [PhilipsRemote] "C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5BDBD95C-1E7F-4FB1-8497-20AF879F8B68} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fi/filesharingctrl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

and

SDFix: Version 1.43
-------------------
Scan run on: Date:la 25.11.2006 Time:23:17:45,39
Microsoft Windows XP [versio 5.1.2600]
Running from C:\SDFix

Stage One - Safe Mode

Checking Services...

Name:
-----
MsaSvc

Path:
----
C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Repairing Registry...
Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------
C:\uniq

Backing Up and Removing any Files Found...
Final Check:

Services:
---------

Files:
------

Backups folder: - C:\SDFix\backups\backups.zip

AuthorizedApplication Key Export:

Checking For Hidden Files:

FINISHED

and

Koti - 06-11-25 23:27:08,29 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Koti\Työpöytä"

((((((((((((((((((((((((((((((( Files Created from 2006-10-25 to 2006-11-25 ))))))))))))))))))))))))))))))))))

2006-11-25 23:15 <KANSIO> d-------- C:\SDFix
2006-11-25 22:55 <KANSIO> d-------- C:\Program Files\Java
2006-11-25 22:55 <KANSIO> d-------- C:\Program Files\Common Files\Java
2006-11-19 18:45 <KANSIO> d-------- C:\Program Files\MSXML 4.0
2006-11-19 18:45 <KANSIO> d-------- C:\fa7b8a7b7eea1805be7e8f
2006-11-09 22:00 <KANSIO> d-------- C:\WINDOWS\BDOSCAN8
2006-11-09 21:51 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-09 21:41 <KANSIO> d-------- C:\Documents and Settings\Koti\.housecall6.6
2006-11-09 16:03 69,070 --a------ C:\WINDOWS\system32\lzx32.sys
2006-11-08 21:36 <KANSIO> d-------- C:\Program Files\Unlocker
2006-11-08 21:32 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-08 21:08 <KANSIO> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-08 21:08 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-25 22:55 -------- d-------- C:\Program Files\Common Files
2006-11-25 21:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-25 21:53 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-19 18:45 -------- d-------- C:\Program Files\Internet Explorer
2006-11-10 22:37 -------- d-------- C:\Program Files\ICQLite
2006-11-09 21:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-04 21:09 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-13 14:37 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-29 18:06 -------- d-------- C:\Program Files\Empire Interactive
2006-09-13 07:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 17:49 617472 --a------ C:\WINDOWS\system32\comctl32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Norman ZANDA"="C:\\Norman\\bin\\ZLH.EXE /LOAD /SPLASH"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"mmtask"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"PhilipsRemote"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\PhilipsRemote.exe\""
"PowerStrip"="c:\\program files\\powerstrip\\pstrip.exe"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7200#CN3792B2NTE0.job
C:\WINDOWS\tasks\HP Usg Daily.job

Completion time: 06-11-25 23:27:49.60
C:\ComboFix.txt ... 06-11-25 23:27

as well as

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 0:23:47 26.11.2006

+ Scan result:

C:\WINDOWS\system32\lzx32.sys -> Backdoor.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Koti\Omat tiedostot\Sami FAmi\Sami Fami\audiolabel\stcd311.zip/Crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
C:\Documents and Settings\Koti\Omat tiedostot\Sami FAmi\Sami Fami\stcd311.zip/Crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
:mozilla.18:C:\Documents and Settings\Koti\Application Data\Mozilla\Firefox\Profiles\kzfz6eaz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Koti\Application Data\Mozilla\Firefox\Profiles\kzfz6eaz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\Koti\Application Data\Mozilla\Firefox\Profiles\kzfz6eaz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\Koti\Application Data\Mozilla\Firefox\Profiles\kzfz6eaz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
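The HijackThis logs in this thread are read by hand: each O4/O9/O23 entry is checked and the new log is compared with the earlier one. The Python below is an added example, not code from the thread or from HijackThis, that does the same triage mechanically: it parses the entry lines, flags targets marked "(file missing)", O23 services without publisher information, file names on an analyst watchlist (here msasvc.exe and lzx32.sys, the files SDFix and AVG Anti-Spyware reported), and binaries in unusual locations, and it diffs two logs case-insensitively. The two sample logs are constructed after the entries posted above.

```python
"""Triage helpers for HijackThis 1.99 logs (added example, not from the thread).

The two sample logs are constructed after the patterns in the thread's logs;
the watchlist names are the files the thread's scanners reported
(msasvc.exe from SDFix, lzx32.sys from AVG Anti-Spyware).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HijackThis entry starts with its section code, e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# HijackThis appends "(file missing)" when the referenced target no longer exists.
MISSING_RE = re.compile(r"\(file missing\)\s*$", re.IGNORECASE)
# Drive-letter or %VAR%-rooted path ending in a binary/archive extension.
PATH_RE = re.compile(r'((?:[A-Za-z]:\\|%\w+%\\)[^"\r\n]*?\.(?:exe|dll|sys|cab))', re.IGNORECASE)

# Constructed from the file names the thread's scanners flagged.
WATCHLIST = {"msasvc.exe", "lzx32.sys"}

# Constructed "before" log: two entries that will later disappear.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [updater] C:\loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: MsaSvc - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed "after" log: cleaned, one new service, one path differing only in case.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\bin\NJEEVES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "O23"
    body: str     # text after "Oxx - "
    path: str     # first file path found, lower-cased; "" if none


def parse_hjt(text: str) -> list[Entry]:
    """Extract the O/R/F entries from a log, skipping header and process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        pm = PATH_RE.search(body)
        entries.append(Entry(section, body, pm.group(1).lower() if pm else ""))
    return entries


def triage(entries: list[Entry], watchlist: set[str]) -> list[tuple[str, Entry]]:
    """Return (reason, entry) pairs for entries an analyst should look at.

    These are review prompts, not verdicts: in the thread's logs the Norman
    services also show "Unknown owner" and are legitimate.
    """
    hits = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1] if e.path else ""
        if MISSING_RE.search(e.body):
            hits.append(("target file missing", e))
        if e.section == "O23" and "Unknown owner" in e.body:
            hits.append(("service without publisher information", e))
        if name in watchlist:
            hits.append((f"on analyst watchlist: {name}", e))
        # Binaries directly in a drive root or under a Temp folder are unusual
        # for legitimate autostarts and services (the thread found both).
        if re.fullmatch(r"[a-z]:\\[^\\]+", e.path) or "\\temp\\" in e.path:
            hits.append(("unusual location", e))
    return hits


def diff_logs(old: list[Entry], new: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries gone since the previous log and entries that appeared.

    Windows paths are case-insensitive, so the two spellings of the Norman
    folder in the sample logs compare equal and are not reported.
    """
    key = lambda e: (e.section, e.body.lower())
    old_keys, new_keys = {key(e) for e in old}, {key(e) for e in new}
    return ([e for e in old if key(e) not in new_keys],
            [e for e in new if key(e) not in old_keys])


if __name__ == "__main__":
    old, new = parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)
    for reason, e in triage(old, WATCHLIST):
        print(f"[{reason}] {e.section} - {e.body}")
    removed, added = diff_logs(old, new)
    print("removed since previous log:", [e.path for e in removed])
    print("new since previous log:", [e.path for e in added])
```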