rootkit
jssi
Newbie
17 February 2008 @ 20:01
The AVG Anti-Rootkit scanner reports a "finding" with a .sys extension which turns up again after every removal,
only the name has changed, e.g. like this:
C:\WINDOWS\System32\Drivers\ajyjcffo.SYS, Hidden driver file
Lavasoft's and Panda's rootkit scanners, for example, find nothing.
ComboFix and HJT logs attached. Are there bugs on the machine?
ComboFix 08-02-17.2 - Juho 2008-02-17 19:18:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.195 [GMT 2:00]
Running from: C:\Documents and Settings\Juho\Työpöytä\Siivous ja viritystyökalut\Troijalaisten poisto\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\eecbafddc2_r.dll
----- BITS: Possible infected sites -----
hxxp://au.download.windowsupdate.cõj
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-01-17 to 2008-02-17 )))))))))))))))))
.
2008-02-17 15:27 . 2008-02-17 15:27 7,680 --a------ C:\WINDOWS\system32\drivers\RKL1528.tmp.sys
2008-02-17 14:37 . 2008-02-17 14:37 0 --a------ C:\23990098.$$$
2008-02-17 12:28 . 2008-02-17 12:59 <KANSIO> d-------- C:\Downloads
2008-02-16 10:48 . 2008-02-16 10:48 7,680 --a------ C:\WINDOWS\system32\drivers\RKL54.tmp.sys
2008-02-15 11:55 . 2008-02-17 15:27 250 --a------ C:\WINDOWS\gmer.ini
2008-02-09 18:37 . 2008-02-09 18:37 23 --a------ C:\WINDOWS\system32\cde8_r.ocx
2008-02-07 12:59 . 2008-02-07 12:59 <KANSIO> d-------- C:\Documents and Settings\Juho\Application Data\Grisoft
2008-02-07 12:58 . 2008-02-07 12:58 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 12:58 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-06 17:07 . 2008-02-06 17:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-06 17:07 . 2008-02-06 17:07 3,451 --a------ C:\WINDOWS\unins000.dat
2008-02-04 14:20 . 2008-02-04 15:50 <KANSIO> d-------- C:\RegSeeker
2008-02-01 19:55 . 2008-02-01 19:55 <KANSIO> d-------- C:\WINDOWS\InCD
2008-02-01 19:55 . 2006-03-07 16:27 3,067,904 --------- C:\WINDOWS\NuNinst.exe
2008-02-01 19:55 . 2006-03-23 17:15 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-02-01 19:55 . 2006-03-24 11:12 59,278 --------- C:\WINDOWS\NuNinst.cfg
2008-02-01 19:55 . 2006-03-23 17:15 33,536 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-02-01 19:55 . 2006-03-23 17:15 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-02-01 19:55 . 2006-03-23 17:00 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-02-01 19:42 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-02-01 19:41 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-02-01 19:41 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-02-01 19:41 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-02-01 19:41 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-02-01 19:31 . 2008-02-01 19:31 <KANSIO> d-------- C:\Documents and Settings\Juho\Application Data\Ahead
2008-02-01 19:23 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-02-01 19:23 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-02-01 19:23 . 2004-01-14 18:57 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-02-01 19:23 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-26 15:12 . 2008-01-26 15:12 <KANSIO> d-------- C:\Documents and Settings\Juho\Application Data\Photodex
2008-01-25 22:21 . 2008-01-25 22:21 <KANSIO> d-------- C:\Program Files\MSBuild
2008-01-25 22:11 . 2008-01-25 23:00 <KANSIO> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-25 22:09 . 2008-01-25 22:09 <KANSIO> d-------- C:\Program Files\Reference Assemblies
2008-01-23 16:40 . 2008-01-23 16:49 442 --a------ C:\WINDOWS\CDPLAYER.UNI
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 16:53 5,685,760 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-17 16:53 141,824 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-17 07:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 16:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-16 12:23 63,488 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-16 12:23 5,673,984 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-15 20:49 98,816 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-15 09:27 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-15 09:27 5,664,256 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-13 13:28 5,654,528 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-13 13:28 173,056 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-11 14:40 90,624 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-11 14:40 5,631,488 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-09 17:03 5,629,952 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-09 17:03 131,072 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-09 14:19 --------- d-----w C:\Program Files\Creative
2008-02-01 17:23 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-28 10:37 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-15 12:45 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-01-11 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 14:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-07 18:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 18:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-07 16:48 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 12:31 --------- d-----w C:\Documents and Settings\Juho\Application Data\Nero
2008-01-03 11:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 11:47 185,824 ----a-w C:\WINDOWS\system32\05f16.sys
2007-12-29 10:17 --------- d-----w C:\Program Files\Ontrack
2007-12-18 14:58 --------- d-----w C:\Documents and Settings\Juho\Application Data\Notepad++
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 08:41 --------- d-----w C:\Documents and Settings\Juho\Application Data\Ashampoo
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-07-28 14:08 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\oodishi]
@={14A94384-BBED-47ed-86C0-6BF63FD892D0}
[HKEY_CLASSES_ROOT\CLSID\{14A94384-BBED-47ed-86C0-6BF63FD892D0}]
2007-08-15 14:49 111872 --a------ D:\Ohjelmatiedostot\OO Software\Diskimage\oodishi.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="D:\Ohjelmatiedostot\Tclockex\tclockex\TCLOCKEX.EXE" [2000-03-09 01:15 89088]
"UIWatcher"="D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe" [2007-07-09 13:13 1741168]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="D:\OHJELM~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 14:42 176128]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"ZoneAlarm Client"="D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe" [2007-03-08 23:02 919280]
"DefragTaskBar"="D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 15:31 169312]
"InCD"="D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"!AVG Anti-Spyware"="D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 11:25 6731312 D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-03-02 14:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrvR"=2 (0x2)
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 15:47]
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;C:\WINDOWS\system32\DRIVERS\oodisr.sys [2007-08-15 14:52]
R0 oodisrh;oodisrh;C:\WINDOWS\system32\DRIVERS\oodisrh.sys [2007-08-15 14:52]
R0 oodivd;O&O DiskImage Virtual Disk Driver;C:\WINDOWS\system32\DRIVERS\oodivd.sys [2007-08-15 14:52]
R0 oodivdh;oodivdh;C:\WINDOWS\system32\DRIVERS\oodivdh.sys [2007-08-15 14:52]
R0 OODrvled;OODrvled;C:\WINDOWS\system32\DRIVERS\OODrvled.sys [2004-09-22 13:57]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe [2007-06-16 08:30]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 07:22]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20:11]
R3 BENDER;Pinnacle DV/AV Capture;C:\WINDOWS\system32\drivers\bender.sys [2003-07-09 13:35]
R3 KMWDFilter;KMWDFilter;C:\WINDOWS\System32\Drivers\KMWDFilter.SYS [2007-06-13 10:09]
S3 05f16;05f16;C:\WINDOWS\system32\05f16.sys [2007-12-30 13:47]
S3 Amps2prt;Trust Ami PS/2 Port Mouse Driver (6);C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2001-10-19 14:57]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\41.tmp []
S3 SFC4;SFC4;C:\WINDOWS\system32\drivers\SFC4.sys [1998-09-16 09:07]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 19:22:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-17 19:23:13
ComboFix-quarantined-files.txt 2008-02-17 17:23:05
ComboFix2.txt 2008-01-21 12:25:39
.
2008-02-13 11:02:24 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
D:\Ohjelmatiedostot\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.exe
D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\oodag.exe
D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
D:\OHJELM~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe
D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
D:\Ohjelmatiedostot\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\HJT\Skanneri.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.luukku.com/luukku
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Star Downloader Toolbar Helper - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\OHJELM~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O4 - HKLM\..\Run: [avast!] D:\OHJELM~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [InCD] D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TClockEx] D:\Ohjelmatiedostot\Tclockex\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [UIWatcher] D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - D:\Ohjelmatiedostot\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...lscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1174492377000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.microsoft.com/microsoftupd...b?1172738028281
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
O23 - Service: AshampooDefragService - - D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7515 bytes
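As an added triage aid (not part of the thread and not ComboFix's or AVG's own logic), the Python below parses ComboFix service lines like those in the log above, flags driver entries that deserve a second look, and checks whether a scanner-reported hidden driver name is even registered as a visible service. The heuristics and their weighting are my own; a flag is a reason to verify the file against its vendor, not a verdict.

```python
"""Triage helper for ComboFix driver/service lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: service lines copied from the ComboFix log posted in this thread.
# Format: <start> <service name>;<display name>;<image path> [<file timestamp>]
# R = running, S = stopped; the digit is the start type (0 boot ... 3 manual).
# An empty [] means ComboFix could not read a timestamp for the image file.
SAMPLE_LINES = r"""
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 15:47]
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;C:\WINDOWS\system32\DRIVERS\oodisr.sys [2007-08-15 14:52]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 07:22]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20:11]
S3 05f16;05f16;C:\WINDOWS\system32\05f16.sys [2007-12-30 13:47]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\41.tmp []
S3 SFC4;SFC4;C:\WINDOWS\system32\drivers\SFC4.sys [1998-09-16 09:07]
"""

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)
# Kernel drivers normally live under system32\drivers (case-insensitive on Windows).
STANDARD_DRIVER_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    stamp: str


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract every well-formed ComboFix service line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def triage(entry: ServiceEntry) -> List[str]:
    """Return human-readable reasons why this driver entry merits manual verification."""
    reasons = []
    base = entry.path.rsplit("\\", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    if not entry.stamp:
        reasons.append("no file timestamp: image missing or unreadable at scan time")
    if ext.lower() != "sys":
        reasons.append(f"driver image with .{ext or '<none>'} extension")
    if not STANDARD_DRIVER_DIR.search(entry.path):
        reasons.append("image outside system32\\drivers")
    # Names made only of hex digits (with at least one digit) are typical of generated names.
    if re.fullmatch(r"[0-9a-f]+", stem.lower()) and any(ch.isdigit() for ch in stem):
        reasons.append("hex-like image name")
    if entry.display == entry.name and entry.start.startswith("S"):
        reasons.append("no display name and not running (weak signal)")
    return reasons


def rank(text: str) -> List[Tuple[str, List[str]]]:
    """Flagged services as (name, reasons), most reasons first; clean entries are omitted."""
    flagged = [(e.name, triage(e)) for e in parse_services(text)]
    flagged = [(name, reasons) for name, reasons in flagged if reasons]
    return sorted(flagged, key=lambda item: -len(item[1]))


def cross_check(hidden_names: List[str], entries: List[ServiceEntry]) -> Dict[str, Optional[str]]:
    """Map each scanner-reported hidden driver file name to the visible service that loads it,
    or None when no listed service references it (the driver is hidden or already removed)."""
    by_base = {e.path.rsplit("\\", 1)[-1].lower(): e.name for e in entries}
    return {name: by_base.get(name.lower()) for name in hidden_names}


if __name__ == "__main__":
    for name, reasons in rank(SAMPLE_LINES):
        print(f"{name}: {'; '.join(reasons)}")
    # "ajyjcffo.SYS" is the hidden driver name AVG Anti-Rootkit reported in this thread.
    print(cross_check(["ajyjcffo.SYS"], parse_services(SAMPLE_LINES)))
```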
Hujo
Suspended permanently
18 February 2008 @ 12:19
Download GMER http://www.gmer.net/gmer.zip and save it to your desktop:
* Extract it to the desktop and double-click the file GMER.exe
* Click the Rootkit tab and then click Scan.
* Do not tick the "Show All" box during the scan!
* When the scan is finished, click Copy.
* This copies the log to the clipboard (you can save the log to a text file to be safe).
* Then paste the log into your thread.
===========
Download SDFix by AndyManchesta and save it to your desktop.
Boot your machine into Safe Mode:
shut down and start up
while booting, tap the F8 key
choose Safe Mode with the arrow keys
press Enter and Enter
choose your user account
press Yes
On some machines F5 is tapped instead of F8
* Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
* Open the SDFix folder and double-click the file RunThis.bat to start the program.
* Press Y to start the script.
* The tool cleans up the trojan's services and also makes some repairs to the registry. Finally it asks to restart the machine, "Press any key to Reboot".
* Press any key and the machine restarts.
* Booting takes longer than normal because SDFix is cleaning the machine.
* When the machine has booted and the desktop has loaded, SDFix reports that the clean-up is complete, "Finished".
* Then press any key to close the script and load the desktop icons.
* Finally open the SDFix folder (on the desktop) and copy & paste the contents of the file Report.txt into your thread along with a new HijackThis log.
============
Check your machine with F-Secure's online scanner
Note: the scanner only works in the Internet Explorer browser
* Read the instructions on the page carefully
* Click Start scanning
* If you get an Internet Explorer security warning, click Install
* Click Accept
* Click Custom Scan
* Adjust the settings as follows
  o Under "Virus Scan Option" select Scan whole system
  o Under "Other Scan Option" select Scan All Files
  o Select Scan whole system for rootkits
  o Select Scan whole system for spyware
  o Tick Scan inside archives
  o Make sure Use advanced heuristics is selected
* Click Start
* The scan starts once the necessary files/updates have been downloaded
* Wait patiently
* When the scan has finished, click Automatic cleaning
* Click Show Report
* The report opens in the browser; copy the whole text
* Paste the copied text into e.g. Notepad or Word and save it to the desktop
* You can close the scanner
* Post the report in your thread
Don't do anything else, as it can cause the machine to freeze
Can a computer ever work?
This post was edited after posting. Last edited 18 February 2008 @ 12:21
jssi
Newbie
18 February 2008 @ 18:43
Thanks Hujo,
Sorry I only got around to replying now. I'll probably do the clean-ups you mentioned tomorrow, and I'll come back afterwards with new logs, if that's fine.
Hujo
Suspended permanently
18 February 2008 @ 18:53
Yep, there's time for that.
Can a computer ever work?
jssi
Newbie
19 February 2008 @ 17:18
Well, now these clean-ups have been done as well, but AVG Anti-Rootkit still "finds" some .sys file there (C:\WINDOWS\System32\Drivers\) that isn't visible in Explorer.
Here are the logs:
SDFix: Version 1.143
Run by Juho on 2008-02-19 at 11:25
Microsoft Windows XP [versio 5.1.2600]
Running From: C:\DOCUME~1\Juho\TYPYT~1\SDFix
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 11:35:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:50,1a,86,71,5c,48,ee,1c,16,c4,10,f6,d6,6d,14,93,03,67,34,7f,62,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:7d,7c,3f,16,5b,60,ec,69,d8,8e,c6,9b,2f,b3,57,65,04,9d,5a,a1,75,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:7d,7c,3f,16,5b,60,ec,69,d8,8e,c6,9b,2f,b3,57,65,04,9d,5a,a1,75,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="D:\Ohjelmatiedostot\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:7d,7c,3f,16,5b,60,ec,69,d8,8e,c6,9b,2f,b3,57,65,04,9d,5a,a1,75,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:d9bb4918
"s2"=dword:39d00c63
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:76,cb,c9,7a,92,86,73,92,2b,7e,cc,3b,5d,6a,fd,ad,aa,2f,94,6b,99,..
"p0"="D:\Ohjelmatiedostot\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:76,cb,c9,7a,92,86,73,92,2b,7e,cc,3b,5d,6a,fd,ad,aa,2f,94,6b,99,..
"p0"="D:\Ohjelmatiedostot\Alcohol 120\"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xfe\xbb\xd3w\2]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\Program Files\Common Files\Microsoft Shared\Web Folders\PUBPLACE.HTT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
scanning hidden files ...
C:\Documents and Settings\Juho\My Private Folder\prvflder.dat 512 bytes
C:\Documents and Settings\Juho\My Private Folder\Puhelin TeleFinland.txt 215 bytes
C:\Documents and Settings\Juho\My Private Folder\Puhelin TeleFinland.txt.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\salasanat.xls 20992 bytes
C:\Documents and Settings\Juho\My Private Folder\salasanat.xls.$e_ 512 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\A-L Saaren perunkirjaliite.rtf 5917 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\A-L Saaren perunkirjaliite.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\As lainan maksusitoumus.tif 3951590 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\As lainan maksusitoumus.tif.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\ilmoitus.txt 153 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\ilmoitus.txt.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Kauppakirja.doc 20992 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Kauppakirja.doc.$e_ 512 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Kauppakirja.rtf 5114 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Kauppakirja.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\KESKINÄINEN TESTAMENTTI.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Kuitti.rtf 3752 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Kuitti.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA1.rtf 4921 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA1.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA2.rtf 4890 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA2.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA3.rtf 4955 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA3.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA4.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA5.rtf 5010 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA5.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA6.rtf 4976 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA6.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA7.rtf 5044 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA7.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA8.rtf 5109 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA8.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LULUN MÖKILLE AJO.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\ohjelmistoa.rtf 6635 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\ohjelmistoa.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Piia&Mika.rtf 7025 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Piia&Mika.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Reijalle.rtf 1019 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Reijalle.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Siljan tiliote051028034011.pdf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\testamentin tiedoksisaanti malli.rtf 2427 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\testamentin tiedoksisaanti malli.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\tilioteSILJA.pdf 11632 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\tilioteSILJA.pdf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\tiliote_lukuohje_hopea_fi.pdf 252548 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\tiliote_lukuohje_hopea_fi.pdf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\VELKAKIRJA.rtf 6397 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\VELKAKIRJA.rtf.$e_ 1024 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\vhamylly.doc 247808 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\vhamylly.doc.$e_ 512 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\KESKINÄINEN TESTAMENTTI.rtf 5708 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LAHJAKIRJA4.rtf 4987 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\LULUN MÖKILLE AJO.rtf 15158 bytes
C:\Documents and Settings\Juho\My Private Folder\Testamentti ym\Siljan tiliote051028034011.pdf 11632 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 56
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
Files with Hidden Attributes:
Sat 28 Jul 2007 12,208 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Finished!
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-18 21:15:35
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT spab.sys ZwEnumerateKey [0xF84F5CA2]
SSDT spab.sys ZwEnumerateValueKey [0xF84F6030]
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 82F6E1F8
AttachedDevice \FileSystem\Ntfs \Ntfs OODrvled.sys (O&O DriveLED Pro Filter Driver/O&O Software GmbH)
AttachedDevice \FileSystem\Ntfs \Ntfs oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \Fat 82CEB500
AttachedDevice \FileSystem\Fastfat \Fat OODrvled.sys (O&O DriveLED Pro Filter Driver/O&O Software GmbH)
AttachedDevice \FileSystem\Fastfat \Fat oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.14 ----
F-secure / Scanning Report
Tuesday, February 19, 2008 14:39:57 - 16:49:34
Computer name: KOTIKONE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\
Result: 4 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
W32/Tibs.BHFK (virus)
D:\Ohjelmatiedostot\UltraISO\crk\UltraISO_Premium_Edition_8.6.5.2140.zip\run.exe
D:\Ohjelmatiedostot\UltraISO\crk\UltraISO_Premium_Edition_8.6.5.2140A.zip\run.exe
Statistics
Scanned:
Files: 161920
System: 3997
Not scanned: 64
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
x�
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2008-02-18
F-Secure AVP: 7.0.171, 2008-02-19
F-Secure Orion: 1.2.37, 2008-02-19
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2008-02-13
F-Secure Pegasus: 1.20.0, 2008-01-18
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
D:\Ohjelmatiedostot\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
C:\WINDOWS\system32\oodag.exe
D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
D:\OHJELM~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe
D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\Skanneri.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.luukku.com/luukku
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Star Downloader Toolbar Helper - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\OHJELM~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O4 - HKLM\..\Run: [avast!] D:\OHJELM~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Ohjelmatiedostot\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [InCD] D:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TClockEx] D:\Ohjelmatiedostot\Tclockex\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [UIWatcher] D:\Ohjelmatiedostot\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - D:\Ohjelmatiedostot\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Ohjelmatiedostot\SpyBot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...lscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1174492377000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.microsoft.com/microsoftupd...b?1172738028281
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ohjelmatiedostot\AD-Aware 2007\aawservice.exe
O23 - Service: AshampooDefragService - - D:\Ohjelmatiedostot\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Ohjelmatiedostot\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Ohjelmatiedostot\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Ohjelmatiedostot\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Ohjelmatiedostot\Ahead\InCD\InCDsrv.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - D:\Ohjelmatiedostot\Silvercrest MTS2118 driver\KMWDSrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Ohjelmatiedostot\MyPrivate Folder\PrfldSvc.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Ohjelmatiedostot\ProShowGold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7384 bytes
What do these look like?
Hujo
Suspended permanently
20 February 2008 @ 06:06
At least the one mentioned doesn't show up.
Can a computer ever work?
jssi
Newbie
20 February 2008 @ 08:16
Thanks Hujo,
Let's carry on like this then, and I'll probably just have to ignore that warning from AVG Anti-Rootkit.
Regards, jssi