|
|
|
Keskustelualueet
Keskustelualueet
|
|
|
Ehtiskö joku "guru" kattomaan tän Hjt-login?
|
|
Newbie
|
2. kesäkuuta 2008 @ 12:17 |
Linkki tähän viestiin
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:31, on 2.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\service.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\mlJAspQk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1192744158773
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/j...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O20 - Winlogon Notify: mlJAspQk - C:\WINDOWS\SYSTEM32\mlJAspQk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/06/clip_image002.jpg
--
End of file - 8067 bytes
|
Newbie
|
2. kesäkuuta 2008 @ 13:41 |
Linkki tähän viestiin
|
|
Eli miten tästä nyt edetään, voisiko joku jelppiä?
|
Senior Member
4 tuotearviota
|
2. kesäkuuta 2008 @ 14:09 |
Linkki tähän viestiin
|
Lataa Malwarebytes' Anti-Malware työpöydällesi.
* Tuplaklikkaa mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman.
* Lopuksi varmistu, että seuraavat on valittu: Update Malwarebytes' Anti-Malware ja Launch Malwarebytes' Anti-Malware ja sen jälkeen klikkaa Finish.
* Jos päivitys löytyy. ohjelma lataa ja asentaa uusimman version.
* Kun ohjelma on latautunut, valitse Perform full scan ja klikkaa Scan.
* Kun skanni on valmis, klikkaa OK ja sitten Show Results nähdäksesi tulokset.
* Varmistu, että kaikki on merkitty ja klikkaa Remove Selected.
* Tämän jälkeen loki avautuu muistioon. Tallenna se paikkaan, josta löydät sen helposti. Loki löytyy myös
täältä: C:\Documents and Settings\Käyttäjänimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
* Lähetä lokin sisältö seuraavassa viestissäsi + uusi hjt-loki.
|
Newbie
|
2. kesäkuuta 2008 @ 20:01 |
Linkki tähän viestiin
|
|
Malwarebytes' Anti-Malware 1.14
Tietokantaversio: 814
19:38:41 2.6.2008
mbam-log-6-2-2008 (19-38-41).txt
Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|)
Tarkistetut kohteet: 99227
Kulunut aika: 1 hour(s), 47 minute(s), 3 second(s)
Saastuneita muistiprosesseja: 1
Saastuneita muistimoduuleja: 1
Saastuneita rekisteriavaimia: 4
Saastuneita rekisteriarvoja: 2
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 9
Saastuneita muistiprosesseja:
C:\WINDOWS\service.exe (Backdoor.Bot) -> Unloaded process successfully.
Saastuneita muistimoduuleja:
C:\WINDOWS\system32\mlJAspQk.dll (Trojan.Vundo) -> Unloaded module successfully.
Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaspqk (Trojan.Vundo) -> Quarantined and deleted successfully.
Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.Vundo) -> Quarantined and deleted successfully.
Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)
Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)
Saastuneita tiedostoja:
C:\dci.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\setup.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\setup1.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1C9B5433-8E72-468F-9A63-712FEFB52B73}\RP178\A0040992.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1C9B5433-8E72-468F-9A63-712FEFB52B73}\RP179\A0041042.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1C9B5433-8E72-468F-9A63-712FEFB52B73}\RP179\A0041043.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\bot.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJAspQk.dll (Trojan.Vundo) -> Delete on reboot.
jk
|
Senior Member
4 tuotearviota
|
2. kesäkuuta 2008 @ 20:04 |
Linkki tähän viestiin
|
|
uuden hijacthis login kun viellä saisi niin olisi mukavaa :D
|
Newbie
|
2. kesäkuuta 2008 @ 20:14 |
Linkki tähän viestiin
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:00:24, on 2.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1192744158773
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/06/clip_image002.jpg
--
End of file - 7403 bytes
|
Newbie
|
2. kesäkuuta 2008 @ 20:35 |
Linkki tähän viestiin
|
|
menikö oikein?:D en oo mikään hirvee virtuoosi näissä hommissa!
jk
|
Senior Member
4 tuotearviota
|
2. kesäkuuta 2008 @ 20:48 |
Linkki tähän viestiin
|
1. Lataa Combofix.exe työpöydällesi jommastakummasta linkistä:
Combofix.exe
Combofix.exe
seuraa näyttön tulevia ohjeita
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.
Käynnistä kone uudelleen, jos niin pyydetään ja lähetä combofix.txt-tiedoston sisältö tänne.
Tyhjennä roskakori ja käynnistä koneesi uudelleen.
Postita tänne seuraavat lokit:
* Tuore HijackThis loki (Otetaan viimeisenä ennen postitusta)
* (C:\ComboFix.txt) raportti
*
|
Newbie
|
2. kesäkuuta 2008 @ 21:11 |
Linkki tähän viestiin
|
|
Siis en ymmärrä. Eihän tossa combofix.exe oo mitään sisältöä, 0 kt?? Miten siis voin lähettää sen sisällön tänne?:D
|
|
Hujo
Suspended permanently
|
2. kesäkuuta 2008 @ 22:19 |
Linkki tähän viestiin
|
scannaa hjt:llä merkkaa paina Fix checked
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/06/clip_image002.jpg
===============
1.Lataa combofix.exe työpöydällesi yhdestä linkistä:
combofix1
combofix2
2. Tuplaklikkaa combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.
Voiko tietsikka koskaan toimia?
|
Newbie
|
4. kesäkuuta 2008 @ 11:15 |
Linkki tähän viestiin
|
ComboFix 08-06-03.1 - Kärki 2008-06-04 11:01:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.180 [GMT 3:00]
Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\setup.exe
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
.
2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
2008-06-02 19:47 . 2008-06-02 19:47 57,344 --------- C:\WINDOWS\system32\ddcCRKef.dll
2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
2008-05-05 20:26 . 2008-05-05 20:26 <KANSIO> d-------- C:\WINDOWS\Sun
2008-05-05 20:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 20:25 . 2008-06-02 13:01 <KANSIO> d-------- C:\Program Files\Java
2008-05-05 20:24 . 2008-05-05 20:24 <KANSIO> d-------- C:\Program Files\Common Files\Java
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
2008-06-02 19:47 57344 --------- C:\WINDOWS\system32\ddcCRKef.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\ddcCRKef.dll [2008-06-02 19:47 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
ddcCRKef.dll 2008-06-02 19:47 57344 C:\WINDOWS\system32\ddcCRKef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"E:\\Shareaza\\Shareaza.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe
*Newly Created Service* - CATCHME
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-04 07:07:43 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 11:06:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcCRKef.dll
.
Completion time: 2008-06-04 11:08:14
ComboFix-quarantined-files.txt 2008-06-04 08:08:05
Pre-Run: 16,029,470,720 tavua vapaana
Post-Run: 22,099,120,128 tavua vapaana
115
|
Newbie
|
4. kesäkuuta 2008 @ 11:35 |
Linkki tähän viestiin
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:53, on 4.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1192744158773
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe
--
End of file - 7163 bytes
|
Newbie
|
4. kesäkuuta 2008 @ 11:41 |
Linkki tähän viestiin
|
|
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) - tätä ei löytyny.
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll - Tämmönen kyllä löyty, olisko se pitäny poistaa? en siis poistanut tätä vielä.
|
|
Hujo
Suspended permanently
|
4. kesäkuuta 2008 @ 19:33 |
Linkki tähän viestiin
|
Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:
Lainaus:
File::
C:\WINDOWS\mservice.exe
C:\bot1.exe
C:\sexy.com
C:\is154890.0xe
C:\WINDOWS\SYSTEM32\ddcCRKef.dll
Tallenna se nimellä CFScript.txt
Sitten raahaa CFScript ComboFix.exeen kuten alla.
Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.
Voiko tietsikka koskaan toimia?
|
Newbie
|
5. kesäkuuta 2008 @ 20:05 |
Linkki tähän viestiin
|
ComboFix 08-06-03.1 - Kärki 2008-06-05 19:49:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.105 [GMT 3:00]
Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-05 to 2008-06-05 )))))))))))))))))
.
2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2008-06-04 23:29 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
2008-06-02 19:47 . 2008-06-02 19:47 57,344 --------- C:\WINDOWS\system32\ddcCRKef.dll
2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
2008-05-05 20:26 . 2008-05-05 20:26 <KANSIO> d-------- C:\WINDOWS\Sun
2008-05-05 20:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 20:25 . 2008-06-02 13:01 <KANSIO> d-------- C:\Program Files\Java
2008-05-05 20:24 . 2008-05-05 20:24 <KANSIO> d-------- C:\Program Files\Common Files\Java
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_11.07.22,03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 07:06:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 16:36:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2003-10-22 12:43:32 229,376 ----a-r C:\WINDOWS\IP4000,3000\uninstall.exe
+ 2004-06-15 05:10:00 68,096 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP61.DLL
+ 2004-06-15 05:00:00 153,600 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD561.DLL
+ 2004-06-15 05:00:00 397,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR61.DLL
+ 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU61.DLL
+ 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP61.DLL
+ 2004-06-15 05:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP061.DAT
+ 2004-06-15 05:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP161.DAT
+ 2004-06-15 05:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP261.DAT
+ 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI61.DLL
+ 2004-06-15 05:00:00 80,896 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV61.EXE
+ 2004-06-15 05:00:00 837,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB61.DLL
+ 2004-06-15 05:00:00 8,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD61.EXE
+ 2004-06-15 05:00:00 130,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM61.EXE
+ 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ61.EXE
+ 2004-06-15 05:00:00 111,104 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR61.DLL
+ 2004-06-15 05:00:00 322,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB61.DLL
+ 2004-06-15 05:00:00 1,571,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI61.DLL
+ 2004-06-15 05:00:00 219,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR61.DLL
+ 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMW361.DLL
+ 2004-06-15 05:10:00 68,096 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMCP61.DLL
+ 2004-06-15 05:00:00 153,600 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMD561.DLL
+ 2004-06-15 05:00:00 397,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMDR61.DLL
+ 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMFU61.DLL
+ 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMOP61.DLL
+ 2004-06-15 05:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMP061.DAT
+ 2004-06-15 05:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMP161.DAT
+ 2004-06-15 05:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMP261.DAT
+ 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMPI61.DLL
+ 2004-06-15 05:00:00 80,896 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMPV61.EXE
+ 2004-06-15 05:00:00 837,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSB61.DLL
+ 2004-06-15 05:00:00 8,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSD61.EXE
+ 2004-06-15 05:00:00 130,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSM61.EXE
+ 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSQ61.EXE
+ 2004-06-15 05:00:00 111,104 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSR61.DLL
+ 2004-06-15 05:00:00 322,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMUB61.DLL
+ 2004-06-15 05:00:00 1,571,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMUI61.DLL
+ 2004-06-15 05:00:00 219,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMUR61.DLL
+ 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMW361.DLL
+ 2004-06-15 05:00:00 17,920 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD61.DLL
+ 2004-06-15 05:00:00 54,272 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP61.DLL
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
2008-06-02 19:47 57344 --------- C:\WINDOWS\system32\ddcCRKef.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\ddcCRKef.dll [2008-06-02 19:47 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
ddcCRKef.dll 2008-06-02 19:47 57344 C:\WINDOWS\system32\ddcCRKef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"E:\\Shareaza\\Shareaza.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-05 16:10:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 19:52:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcCRKef.dll
.
Completion time: 2008-06-05 19:54:15
ComboFix-quarantined-files.txt 2008-06-05 16:53:58
ComboFix2.txt 2008-06-04 08:08:16
Pre-Run: 22,113,275,904 tavua vapaana
Post-Run: 22,153,404,416 tavua vapaana
172
|
|
Hujo
Suspended permanently
|
5. kesäkuuta 2008 @ 20:22 |
Linkki tähän viestiin
|
Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:
Lainaus:
File::
C:\WINDOWS\mservice.exe
C:\bot1.exe
C:\sexy.com
C:\is154890.0xe
C:\WINDOWS\SYSTEM32\ddcCRKef.dll
Tallenna se nimellä CFScript.txt
Sitten raahaa CFScript ComboFix.exeen kuten alla.
Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.
Voiko tietsikka koskaan toimia?
|
Newbie
|
5. kesäkuuta 2008 @ 22:04 |
Linkki tähän viestiin
|
ComboFix 08-06-03.1 - Kärki 2008-06-05 21:56:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.103 [GMT 3:00]
Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-05 to 2008-06-05 )))))))))))))))))
.
2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2008-06-04 23:29 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
2008-06-02 19:47 . 2008-06-02 19:47 57,344 --------- C:\WINDOWS\system32\ddcCRKef.dll
2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
2008-05-05 20:26 . 2008-05-05 20:26 <KANSIO> d-------- C:\WINDOWS\Sun
2008-05-05 20:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 20:25 . 2008-06-02 13:01 <KANSIO> d-------- C:\Program Files\Java
2008-05-05 20:24 . 2008-05-05 20:24 <KANSIO> d-------- C:\Program Files\Common Files\Java
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
2008-06-02 19:47 57344 --------- C:\WINDOWS\system32\ddcCRKef.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\ddcCRKef.dll [2008-06-02 19:47 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
ddcCRKef.dll 2008-06-02 19:47 57344 C:\WINDOWS\system32\ddcCRKef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"E:\\Shareaza\\Shareaza.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-05 16:10:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 21:58:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcCRKef.dll
.
Completion time: 2008-06-05 22:00:40
ComboFix-quarantined-files.txt 2008-06-05 19:00:30
ComboFix2.txt 2008-06-05 16:54:17
ComboFix3.txt 2008-06-04 08:08:16
Pre-Run: 22,122,463,232 tavua vapaana
Post-Run: 22,126,665,728 tavua vapaana
125
|
|
Hujo
Suspended permanently
|
5. kesäkuuta 2008 @ 22:18 |
Linkki tähän viestiin
|
1. Klikkaa käynnistä > Oma tietokone oikean puoleisella hiiren napilla
2. Valitse ominaisuudet
3. Valitse järjestelmän palauttaminen välilehti
4. Ruksi eteen ¤ poista järjestelmän palauttaminen kaikissa asemissa
5. Paina Käytä
6. Paina ok
7. Sammuta ja käynnistä
8. Ota ruksi pois ¤ poista järjestelmän palauttaminen kaikissa asemissa
9. Käytä ja OK
=============
Lataa: RegSeeker.zip työpöydälle:
Pura zip C:\RegSeeker\ kansioon. Sieltä käynnistät RegSeeker.exe ohjelman.
Oikeasa yläkulmassa on Languages.... linkki, josta valitset Suomenkielen.
Vasemmasta alakulmasta ruksit Luo vrmuuskopio ja sitten linkki Puhdista rekisteri
Ruksit kaikkiin muihin kohtiin paitsi "Käyttökelvottomat.." sitten "OK" (odotat hetken).
Ruutuun ilmestyy lista epäkelvoista rekisterimerkinnöistä, jotka alapalkista Valitse kohdasta
klikkaat Valitse kaikki jolloin valitut saavat keltaisen pohjavärin.
Alapalkin Toiminnot linkistä klikkaat Poista valitut kohteet
Ponnahdusikkunaan "Kaikki valitut kohteet poistetaan ? vastaat "OK".
Seuraavaan Ponnahdusikkunaan "Varmuuskopiot" vastaat "OK".
Klikaa vasemmalta Lopeta RegSeeker ja käynnistä koneesi uudelleen.
Voiko tietsikka koskaan toimia?
|
Newbie
|
6. kesäkuuta 2008 @ 10:02 |
Linkki tähän viestiin
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:06, on 6.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1192744158773
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe
--
End of file - 7857 bytes
|
|
Hujo
Suspended permanently
|
6. kesäkuuta 2008 @ 17:36 |
Linkki tähän viestiin
|
scannaa hjt:llä merkkaa paina Fix checked
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:
Lainaus:
File::
C:\WINDOWS\SYSTEM32\ddcCRKef.dll
C:\WINDOWS\system32\ddcCRKef.dll
Tallenna se nimellä CFScript.txt
Sitten raahaa CFScript ComboFix.exeen kuten alla.
Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.
================
Lataa TÄSTÄ VundoFix.exe työpöydällesi.
Tupla-klikkaa VundoFix.exe ajaaksesi sen.
Klikkaa Scan for Vundo valintaa.
Kun skannaus on valmis, klikkaa Fix Vundo valintaa.
Sinulta kysytään haluatko poistaa filut - klikkaa YES.
Kun olet klikannut yes, työpöytäsi tyhjenee kun se alkaa poistamaan Vundoa.
Kun se on valmis, fiksi ilmoittaa käynnistäväsi koneesi uudelleen, klikkaa OK.
Postita C:\vundofix.txt lokin sekä tuoreen HijackThis lokin sisältö.
Huomaa: Se on mahdollista että VundoFix löysi tiedoston jota se ei pystynyt poistamaan.
Tässä tilanteessa, VundoFix ajaa itsensä rebootissa, seuraa vain yläpuolelle olevia ohjeita alkaen kohdasta "Klikkaa Scan for Vundo valintaa." kun VundoFix ilmaantuu uudelleenkäynnistyksen yhteydessä.
Voiko tietsikka koskaan toimia?
|
Newbie
|
6. kesäkuuta 2008 @ 19:15 |
Linkki tähän viestiin
|
ComboFix 08-06-03.1 - Kärki 2008-06-06 19:02:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.89 [GMT 3:00]
Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\SYSTEM32\ddcCRKef.dll
C:\WINDOWS\system32\ddcCRKef.dll
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ddcCRKef.dll
.
((((( Tiedostot, jotka on luotu seuraavalla aikav?lill?: 2008-05-06 to 2008-06-06 )))))))))))))))))
.
2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 10:01 --------- d-----w C:\Program Files\Java
2008-05-05 17:24 --------- d-----w C:\Program Files\Common Files\Java
.
(((((((((((((((((((((((((((((( Rekisterin k?ynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhji? arvoja ja laillisia oletusarvoja ei n?ytet?
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
ddcCRKef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"E:\\Shareaza\\Shareaza.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe
.
'Ajoitetut teht?v?t'-kansion sis?lt?
"2008-06-06 06:54:13 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 19:08:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\F-SECU~1\FSGUI\fsguidll.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2008-06-06 19:11:07 - machine was rebooted [K?rki]
ComboFix-quarantined-files.txt 2008-06-06 16:10:56
ComboFix2.txt 2008-06-05 19:00:44
ComboFix3.txt 2008-06-05 16:54:17
ComboFix4.txt 2008-06-04 08:08:16
Pre-Run: 23,253,381,120 tavua vapaana
Post-Run: 23,332,323,328 tavua vapaana
146
|
|
Hujo
Suspended permanently
|
6. kesäkuuta 2008 @ 19:27 |
Linkki tähän viestiin
|
Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:
Lainaus:
File::
C:\setz.exe
C:\WINDOWS\mservice.exe
C:\bot1.exe
C:\sexy.com
C:\is154890.0xe
Tallenna se nimellä CFScript.txt
Sitten raahaa CFScript ComboFix.exeen kuten alla.
Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.
================
aja tuo Malwarebytes' Anti-Malware uudelleen
===============
scannaa viimisenä uusi hjt:n loki
Voiko tietsikka koskaan toimia?
|
Newbie
|
6. kesäkuuta 2008 @ 20:10 |
Linkki tähän viestiin
|
|
Toi fundofix ei löytäny mitään. Tässä combofix txt tiedosto.
|
Newbie
|
6. kesäkuuta 2008 @ 20:15 |
Linkki tähän viestiin
|
siis tässä :D
ComboFix 08-06-03.1 - Kärki 2008-06-06 19:57:17.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.117 [GMT 3:00]
Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\bot1.exe
C:\is154890.0xe
C:\setz.exe
C:\sexy.com
C:\WINDOWS\mservice.exe
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bot1.exe
C:\is154890.0xe
C:\setz.exe
C:\sexy.com
C:\WINDOWS\mservice.exe
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-06 to 2008-06-06 )))))))))))))))))
.
2008-06-06 19:18 . 2008-06-06 19:18 <KANSIO> d-------- C:\VundoFix Backups
2008-06-06 19:11 . 2008-06-06 19:11 <KANSIO> d-------- C:\Documents and Settings\Kõrki
2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 10:01 --------- d-----w C:\Program Files\Java
2008-05-05 17:24 --------- d-----w C:\Program Files\Common Files\Java
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
ddcCRKef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"E:\\Shareaza\\Shareaza.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-06-06 06:54:13 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 19:59:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-06-06 20:00:51
ComboFix-quarantined-files.txt 2008-06-06 17:00:46
ComboFix2.txt 2008-06-06 16:11:10
ComboFix3.txt 2008-06-05 19:00:44
ComboFix4.txt 2008-06-05 16:54:17
ComboFix5.txt 2008-06-04 08:08:16
Pre-Run: 23,303,348,224 tavua vapaana
Post-Run: 23,307,509,760 tavua vapaana
126
|
|
Mainos
|
|
|
|
Hujo
Suspended permanently
|
6. kesäkuuta 2008 @ 21:06 |
Linkki tähän viestiin
|
Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:
Lainaus:
File::
C:\WINDOWS\is154890.exe
C:\mgoilhuqomfmnhs.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
Tallenna se nimellä CFScript.txt
Sitten raahaa CFScript ComboFix.exeen kuten alla.
Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.
Voiko tietsikka koskaan toimia?
|
|
