Is that process a virus? Thought I'd ask, because a process like that has suddenly appeared in the last few days...
I formatted the machine and installed the Sunbelt firewall and Avast's background protection, but when I started downloading the Windows automatic updates and began installing them, Sunbelt started warning about this "WinSys2" file and blocked access, until a little later I looked at the processes and there was WinSys2.exe running!?! So is there some way to get it off the machine completely? And don't give me any English-language URLs, just give some advice in Finnish.
Download HijackThis FROM HERE, launch it and click Do a System Scan only. Find that process in the list, tick its box and press Fix Checked, and now it should be gone.
I have 2 copies of the Winsys2.exe file on my machine. One is in the c:\windows\system32 folder and the other in c:\windows\system32\ReinstallBackups\0015\DriverFiles. HJT doesn't find them, but that's probably because I once disabled that winsys2.exe with msconfig. So the question is: is it worth deleting, and will it go away with just a plain delete?
log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:13:40, on 3.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\program files\steam\steam.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5766 bytes
At least Jotti doesn't detect it as a virus =/ screenshot, but I don't even remember the great wisdom behind why I once removed it from startup =) The machine at least hums along fairly stably, so it's probably not terribly nasty.
1. Download combofix.exe to your desktop from any of the links below: Link 1 Link 2 Link 3
2. Double-click the combofix.exe file and follow the instructions.
3. When the tool is finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.
Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
ComboFix 08-02.03.1 - infs 2008-02-03 13:49:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1244 [GMT 2:00]
Running from: C:\Documents and Settings\infs\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\install.exe
C:\WINDOWS\system32\winsys.exe

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.
2008-02-02 23:53 . 2008-02-02 23:53 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-02 23:22 . 2008-02-02 23:22 <DIR> d-------- C:\Program Files\Uniblue
2008-02-02 23:22 . 2008-02-02 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-02-01 23:30 . 2008-02-01 23:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 21:20 . 2008-02-01 21:20 <DIR> d-------- C:\Documents and Settings\infs\Application Data\Grisoft
2008-02-01 21:18 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-30 19:45 . 2008-01-30 19:45 <DIR> d-------- C:\Documents and Settings\infs\Application Data\Command & Conquer 3 Tiberium Wars
2008-01-12 20:09 . 1996-03-21 09:54 1,078 --a------ C:\WINDOWS\PLMTUNST.ICO
2008-01-12 20:09 . 1996-03-21 09:49 1,078 --a------ C:\WINDOWS\PLAYMATE.ICO
2008-01-12 19:53 . 2008-01-12 19:56 117 --a------ C:\WINDOWS\PLAYMATE.INI
2008-01-12 02:25 . 2008-01-18 20:39 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-01-07 18:30 . 2008-01-07 18:30 <DIR> d---s---- C:\Documents and Settings\infs\UserData
2008-01-07 04:15 . 1996-12-11 12:22 69,632 --a------ C:\WINDOWS\UNINSTCC.EXE
2008-01-07 04:14 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-01-07 04:00 . 2008-01-07 04:00 278,728 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-07 04:00 . 2008-01-07 04:00 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-06 00:20 . 2008-01-06 00:21 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-01-06 00:20 . 2008-01-06 10:38 <DIR> d-------- C:\Documents and Settings\infs\Application Data\DAEMON Tools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 11:51 --------- d-----w C:\Program Files\mIRC
2008-02-03 11:49 --------- d-----w C:\Documents and Settings\infs\Application Data\uTorrent
2008-02-03 07:12 --------- d-----w C:\Documents and Settings\infs\Application Data\AVG7
2008-02-02 21:41 --------- d-----w C:\Program Files\Steam
2008-02-02 21:41 --------- d-----w C:\Documents and Settings\infs\Application Data\OpenOffice.org2
2008-02-02 21:22 --------- d-----w C:\Documents and Settings\infs\Application Data\Uniblue
2008-02-01 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-30 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 20:03 --------- d-----w C:\Program Files\Winamp
2008-01-20 20:50 --------- d-----w C:\Program Files\DivX
2008-01-05 22:16 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-20 15:58 --------- d-----w C:\Documents and Settings\infs\Application Data\Skype
2007-12-17 20:51 --------- d-----w C:\Program Files\WinSCP
2007-12-15 17:30 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-15 17:08 --------- d-----w C:\Program Files\Microsoft Games
2007-12-12 11:41 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-12 11:41 --------- d--h--r C:\Documents and Settings\infs\Application Data\SecuROM
2007-12-12 11:36 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-12-12 11:36 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-12 11:36 --------- d-----w C:\Program Files\OpenAL
2007-12-08 18:02 4,000 ----a-w C:\ao.dat
2007-12-08 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-05 03:34 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-11-05 03:34 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-05 03:34 118,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-12-06 13:16 1266936]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-03 15:54 486856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 08:00 16050176 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-10-28 16:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 09:58 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-15 09:58 69632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-30 23:52 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-28 16:52 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-11-05 05:32 61440]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 14:00 158208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-28 16:52 8531968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 09:00 219136]

C:\Documents and Settings\infs\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 14:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-28 16:52 8531968 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 11:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 14:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 14:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-04-02 04:20 12288 C:\Program Files\Winamp\Winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
--a------ 2006-04-29 10:36 208896 C:\WINDOWS\system32\winsys2.exe

S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2006-04-18 14:53]

*Newly Created Service* - AVGASCLN
.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 12:44:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-16 21:20:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 13:51:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
.
Completion time: 2008-02-03 13:51:43
ComboFix-quarantined-files.txt 2008-02-03 11:51:41
.
2008-01-20 00:59:48 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:47, on 3.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\program files\steam\steam.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5726 bytes
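The two logs posted above show the difference noted earlier in the thread: HijackThis lists only the active O4 Run entries, so the WinSys2 item that was disabled with msconfig shows up only in ComboFix's "Reg Loading Points" section under msconfig\startupreg. As an added example (not code from the thread, from HijackThis or from ComboFix), here is a Python script that parses excerpts of both logs and reports the startupreg items that no active O4 entry launches, so a disabled but still-present file like winsys2.exe is not missed. The sample input is copied from the logs above and labelled as such; the log line formats and the startupreg location are assumed from those same logs.

```python
r"""Cross-check autostart entries between a HijackThis log and a ComboFix log.

HijackThis 2.0.2 reports only the *active* Run entries (its O4 lines).
When an item is disabled with msconfig on Windows XP, the value is moved
under HKLM\software\microsoft\shared tools\msconfig\startupreg\<Name>,
which HijackThis does not list but ComboFix prints in its
"Reg Loading Points" section. This script parses both and reports the
startupreg items that no active O4 entry launches.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: excerpts of the HijackThis and ComboFix logs
# posted in this thread, shortened to the relevant lines.
HJT_LOG = r"""
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-28 16:52 8531968 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
--a------ 2006-04-29 10:36 208896 C:\WINDOWS\system32\winsys2.exe
"""


class Autostart(NamedTuple):
    name: str    # registry value name, e.g. WinSys2
    path: str    # file the entry launches, as written in the log
    source: str  # "hjt-O4" (active) or "combofix-startupreg" (disabled)


# "O4 - <hive>\..\Run: [<name>] <command>" with an optional " (User '...')" suffix
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
STARTUPREG_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
# ComboFix prints "<attrs> <date> <time> <size> <path>" or just "<path>".
STARTUPREG_VAL_RE = re.compile(
    r"^(?:[-\w]{9} \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ )?(?P<path>.+)$"
)
# First token ending in an executable extension, followed by a space, a comma or the end
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|cpl|scr|com))(?:[ ,]|$)", re.IGNORECASE)


def launched_path(cmd: str) -> str:
    """Return the file a Run command launches: strips quotes and trailing
    switches; for RUNDLL32 entries returns the DLL argument instead."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32.EXE "):
        cmd = cmd[len("RUNDLL32.EXE "):].strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXT_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def parse_hjt_o4(text: str) -> List[Autostart]:
    """Active autostart entries taken from HijackThis O4 lines."""
    items = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            items.append(Autostart(m.group("name"), launched_path(m.group("cmd")), "hjt-O4"))
    return items


def parse_combofix_startupreg(text: str) -> List[Autostart]:
    """msconfig-disabled entries from ComboFix's Reg Loading Points section:
    each startupreg key line is followed by one line naming the file."""
    items, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        key = STARTUPREG_KEY_RE.match(line)
        if key:
            pending = key.group("name")
        elif pending and line:
            path = STARTUPREG_VAL_RE.match(line).group("path")
            items.append(Autostart(pending, path, "combofix-startupreg"))
            pending = None
    return items


def disabled_but_present(hjt_text: str, combofix_text: str) -> Dict[str, str]:
    """startupreg items whose file is not launched by any active O4 entry,
    keyed by value name. The file is still on disk and runs again if re-enabled."""
    active = {a.path.lower() for a in parse_hjt_o4(hjt_text)}
    return {a.name: a.path for a in parse_combofix_startupreg(combofix_text)
            if a.path.lower() not in active}


def in_windows_dir(path: str) -> bool:
    """True when the file lives under C:\\WINDOWS; an unrecognised third-party
    autostart there is worth a file scan at Jotti or VirusTotal, as advised here."""
    return path.lower().startswith("c:\\windows\\")


if __name__ == "__main__":
    for name, path in disabled_but_present(HJT_LOG, COMBOFIX_LOG).items():
        note = "   <- under Windows dir, verify the file" if in_windows_dir(path) else ""
        print(f"{name:22} {path}{note}")
```

Run as-is, it lists Alcmtr, Uniblue SpeedUpMyPC and WinSys2; NvCplDaemon is dropped because the same NvCpl.dll is also launched by an active O4 entry. The comparison is on the launched file rather than the value name, so an item that was re-registered under a different name still matches.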
Hi. First make sure hidden files are visible: Show hidden files. Go --> here. When the page has loaded, click the Browse button, find the following file and press Submit: C:\WINDOWS\PLAYMATE.INI Post the scan results in your next message. If Jotti is busy, try the same at VirusTotal: http://www.virustotal.com/flash/index_en.html Open Notepad and copy/paste the contents of the quote box there: Save it as CFScript (in fact ComboFix recognises it even if the file extension isn't .txt). Then drag CFScript onto ComboFix.exe as shown below. Restart the machine if asked to, and post the contents of the combofix.txt file here + the VirusTotal result and a new HJT log.
ComboFix 08-02.03.1 - infs 2008-02-03 21:14:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1110 [GMT 2:00]
Running from: C:\Documents and Settings\infs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\infs\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.
2008-02-02 23:53 . 2008-02-02 23:53 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-02 23:22 . 2008-02-02 23:22 <DIR> d-------- C:\Program Files\Uniblue
2008-02-02 23:22 . 2008-02-02 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-02-01 23:30 . 2008-02-01 23:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 21:20 . 2008-02-01 21:20 <DIR> d-------- C:\Documents and Settings\infs\Application Data\Grisoft
2008-02-01 21:18 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-30 19:45 . 2008-01-30 19:45 <DIR> d-------- C:\Documents and Settings\infs\Application Data\Command & Conquer 3 Tiberium Wars
2008-01-12 20:09 . 1996-03-21 09:54 1,078 --a------ C:\WINDOWS\PLMTUNST.ICO
2008-01-12 20:09 . 1996-03-21 09:49 1,078 --a------ C:\WINDOWS\PLAYMATE.ICO
2008-01-12 19:53 . 2008-01-12 19:56 117 --a------ C:\WINDOWS\PLAYMATE.INI
2008-01-12 02:25 . 2008-01-18 20:39 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-01-07 18:30 . 2008-01-07 18:30 <DIR> d---s---- C:\Documents and Settings\infs\UserData
2008-01-07 04:15 . 1996-12-11 12:22 69,632 --a------ C:\WINDOWS\UNINSTCC.EXE
2008-01-07 04:14 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-01-07 04:00 . 2008-01-07 04:00 278,728 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-07 04:00 . 2008-01-07 04:00 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-06 00:20 . 2008-01-06 00:21 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-01-06 00:20 . 2008-01-06 10:38 <DIR> d-------- C:\Documents and Settings\infs\Application Data\DAEMON Tools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 19:14 --------- d-----w C:\Documents and Settings\infs\Application Data\uTorrent
2008-02-03 11:51 --------- d-----w C:\Program Files\mIRC
2008-02-03 07:12 --------- d-----w C:\Documents and Settings\infs\Application Data\AVG7
2008-02-02 21:41 --------- d-----w C:\Program Files\Steam
2008-02-02 21:41 --------- d-----w C:\Documents and Settings\infs\Application Data\OpenOffice.org2
2008-02-02 21:22 --------- d-----w C:\Documents and Settings\infs\Application Data\Uniblue
2008-02-01 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-30 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 20:03 --------- d-----w C:\Program Files\Winamp
2008-01-20 20:50 --------- d-----w C:\Program Files\DivX
2008-01-05 22:16 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-20 15:58 --------- d-----w C:\Documents and Settings\infs\Application Data\Skype
2007-12-17 20:51 --------- d-----w C:\Program Files\WinSCP
2007-12-15 17:30 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-15 17:08 --------- d-----w C:\Program Files\Microsoft Games
2007-12-12 11:41 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-12 11:41 --------- d--h--r C:\Documents and Settings\infs\Application Data\SecuROM
2007-12-12 11:36 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-12-12 11:36 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-12 11:36 --------- d-----w C:\Program Files\OpenAL
2007-12-08 18:02 4,000 ----a-w C:\ao.dat
2007-12-08 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-05 03:34 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-11-05 03:34 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-05 03:34 118,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-12-06 13:16 1266936]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-03 15:54 486856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 08:00 16050176 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-10-28 16:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 09:58 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-15 09:58 69632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-30 23:52 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-28 16:52 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-11-05 05:32 61440]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 14:00 158208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-28 16:52 8531968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 09:00 219136]

C:\Documents and Settings\infs\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 14:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-28 16:52 8531968 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 11:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 14:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 14:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-04-02 04:20 12288 C:\Program Files\Winamp\Winampa.exe

S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2006-04-18 14:53]

*Newly Created Service* - AVGASCLN
.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 12:44:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-16 21:20:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 21:16:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
.
Completion time: 2008-02-03 21:16:43
ComboFix-quarantined-files.txt 2008-02-03 19:16:41
ComboFix2.txt 2008-02-03 11:51:44
.
2008-01-20 00:59:48 --- E O F ---
Scan taken on 03 Feb 2008 19:07:33 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Edit. That playmate.ini evidently came with a program installed from one of those Jenny McCarthy DVDs. I removed it right away, but clearly at least playmate.exe and the ini were left behind =)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:56, on 3.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\program files\steam\steam.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5696 bytes
Hi, looks good, let's still make sure...

Scan your computer with Kaspersky Online Scanner.
Use Internet Explorer.
You will be asked whether you allow the installation of an ActiveX component from Kaspersky; click Yes.
The program starts and begins downloading the latest signature files.
When the scanner has been installed and the signatures downloaded, click Next.
Now click the settings, Scan Settings.
Check in the settings that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (if available, otherwise choose Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK.
Now, under the heading "select a target to scan", choose My Computer.
The scan takes time, so be patient.
When the scan is complete you will get a notification if your computer is infected.
Now click the Save as Text button. Save the file to your desktop.
Copy and paste the contents of the file into your next reply.
Yeah, I'll go watch the Super Bowl at a friend's while that thing scans =P

Edit. Awesome Super Bowl behind me, but Kaspersky wasn't very positive:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 04, 2008 6:36:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/02/2008
Kaspersky Anti-Virus database records: 546420
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\

Scan Statistics:
Total number of scanned objects: 151690
Number of viruses found: 10
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 03:40:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\infs\Application Data\OpenOffice.org2\user\uno_packages\cache\log.txt Object is locked skipped
C:\Documents and Settings\infs\Application Data\OpenOffice.org2\user\uno_packages\cache\registry\com.sun.star.comp.deployment.component.PackageRegistryBackend\common.rdb Object is locked skipped
C:\Documents and Settings\infs\Application Data\OpenOffice.org2\user\uno_packages\cache\registry\com.sun.star.comp.deployment.component.PackageRegistryBackend\Windows_x86.rdb Object is locked skipped
C:\Documents and Settings\infs\Application Data\OpenOffice.org2\user\uno_packages\cache\registry\com.sun.star.comp.deployment.configuration.PackageRegistryBackend\registered_packages.db Object is locked skipped
C:\Documents and Settings\infs\Application Data\OpenOffice.org2\user\uno_packages\cache\uno_packages.db Object is locked skipped
C:\Documents and Settings\infs\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\infs\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\infs\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\infs\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\infs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\infs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\infs\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\infs\Local Settings\History\History.IE5\MSHist012008020320080204\index.dat Object is locked skipped
C:\Documents and Settings\infs\Local Settings\Temp\jar_cache9334.tmp Object is locked skipped
C:\Documents and Settings\infs\Local Settings\Temp\Perflib_Perfdata_dc.dat Object is locked skipped
C:\Documents and Settings\infs\Local Settings\Temp\~DF4F07.tmp Object is locked skipped
C:\Documents and Settings\infs\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\infs\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\infs\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Program Files\Steam\Steam.log Object is locked skipped
C:\Program Files\Steam\SteamApps\winui.gcf Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP164\A0020408.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9E7AC6AA-1D98-4FCB-A32E-95E919777522}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_250.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_1_ep_25_-_conspiracy.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_1_ep_26_-_the_neutral_zone.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_2_ep_03_-_elementary_dear_data.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_2_ep_07_-_unnatural_selection.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_2_ep_12_-_the_royale.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_2_ep_17_-_samaritan_snare.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_2_ep_18_-_up_the_long_ladder.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_2_ep_21_-_peak_performance.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_3_ep_13_-_deja_q.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_4_ep_06_-_legacy.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_6_ep_07_rascals.avi Object is locked skipped
E:\star_trek_-_the_next_generation\star_trek_tng_-_season_7_ep_05_gambit_part_ii.avi Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
J:\Asennetut\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
J:\Asennetut\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
J:\Asennetut\mirc621.exe NSIS: infected - 2 skipped
J:\Rojut\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker\Nero-7.8.5.0_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
J:\Rojut\Nero 7.8.5.0 Ultra Edition Enhanced + Keymaker\Nero-7.8.5.0_eng.exe RAR: infected - 1 skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP45\A0003656.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP45\A0003656.exe/data.rar/patch.exe Infected: Trojan.Win32.Agent.qt skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP45\A0003656.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.br skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP45\A0003656.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP45\A0003656.exe/data.rar Infected: Trojan-Downloader.Win32.Agent.brf skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP45\A0003656.exe RarSFX: infected - 5 skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP81\A0011290.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.vd skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP81\A0011290.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP81\A0011290.exe/data.rar/crack.exe Infected: Trojan-Dropper.Win32.Small.ayg skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP81\A0011290.exe/data.rar Infected: Trojan-Dropper.Win32.Small.ayg skipped
J:\System Volume Information\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\RP81\A0011290.exe RarSFX: infected - 4 skipped
J:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\RP195\change.log Object is locked skipped

Scan process completed.

In summary:
Number of viruses found: 10
Number of infected objects: 18
A small bump so that tomsku notices this =)

Edit. I deleted those couple of installer exes that Kaspersky said contained viruses, since they were useless anyway. I also turned System Restore off and rebooted the machine so that I got rid of the bugs left in the restore points. A new Kaspersky scan is running; halfway through it already looks much better. I'll post the logs when it finishes. I also updated Java.
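As an added example, not part of the thread: a small Python parser for the Kaspersky Online Scanner report format posted above. It reduces the long "Object is locked" list to the infected objects, separates real detections from the "not-a-virus:" entries (mIRC itself, for instance), and splits the infected files into ones on disk versus copies held in System Restore points, which is what turning System Restore off in the post above deals with. It assumes the scanner's three columns (object, verdict, last action) are tab-separated; the sample lines are a constructed subset copied from the posted report.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the object lines from the report posted above.
SAMPLE_REPORT = (
    "Infected Object Name / Virus Name / Last Action\n"
    "C:\\Program Files\\mIRC\\mirc.exe\tInfected: not-a-virus:Client-IRC.Win32.mIRC.621\tskipped\n"
    "C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped\n"
    "C:\\System Volume Information\\_restore{FAFA7E73-0D79-4890-A32C-2B431FB8F559}\\RP164\\A0020408.exe"
    "\tInfected: not-a-virus:AdTool.Win32.WhenU.a\tskipped\n"
    "J:\\Asennetut\\mirc621.exe/stream\tInfected: not-a-virus:Client-IRC.Win32.mIRC.621\tskipped\n"
    "J:\\Asennetut\\mirc621.exe\tNSIS: infected - 2\tskipped\n"
    "J:\\System Volume Information\\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\\RP45\\A0003656.exe"
    "/data.rar/patch.exe\tInfected: Trojan.Win32.Agent.qt\tskipped\n"
    "J:\\System Volume Information\\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\\RP45\\A0003656.exe"
    "/data.rar/crack.exe\tInfected: Trojan.Win32.Inject.br\tskipped\n"
    "J:\\System Volume Information\\_restore{388EA4B0-05F3-490F-B538-1EC5D2D6E1EB}\\RP45\\A0003656.exe"
    "\tRarSFX: infected - 5\tskipped\n"
)

# Three columns: object path, verdict, last action (tab-separated in the scanner's
# own output; any whitespace is accepted so a pasted copy parses as well).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|\S+: infected - \d+)\s+"
    r"(?P<action>\S+)$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class Entry:
    path: str
    verdict: str
    action: str

    @property
    def infected(self) -> bool:
        # Per-object detections and archive summaries ("RarSFX: infected - 5").
        return self.verdict.startswith("Infected: ") or ": infected - " in self.verdict

    @property
    def detection(self) -> str:
        return self.verdict[10:] if self.verdict.startswith("Infected: ") else ""

    @property
    def container(self) -> str:
        # "x.exe/data.rar/patch.exe" lives inside the on-disk file "x.exe".
        return self.path.split("/", 1)[0]

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_RE.search(self.path) is not None


def parse_report(text: str) -> list:
    """One Entry per object line; header, statistics and footer lines are ignored."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(*m.group("path", "verdict", "action")) for m in matches if m]


def summarize(entries: list) -> dict:
    infected = [e for e in entries if e.infected]
    names = {e.detection for e in infected if e.detection}
    return {
        "infected_objects": len(infected),   # the scanner's own "infected objects" count
        "viruses_found": len(names),         # distinct detection names
        "pua_only": sorted(n for n in names if n.startswith("not-a-virus:")),
        # Files deletable directly, versus copies held in restore points that only
        # go away when System Restore is flushed.
        "live_files": sorted({e.container for e in infected if not e.in_restore_point}),
        "restore_point_files": sorted({e.container for e in infected if e.in_restore_point}),
    }
```

Run over the full posted report, the same summary reproduces the scanner's own figures of 10 viruses and 18 infected objects.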