MSN Messenger virus, HJT log!
Toppu
3 June 2008 @ 17:20
Here's the log! What needs fixing?! =)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:17:02, on 3.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Palomuuri\Sygate\SPF\smc.exe
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
D:\Alwil Software\Avast4\ashMaiSv.exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\Mika\My Documents\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Windows\mservice.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] D:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [MSN] C:\Windows\mservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\pelit\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Palomuuri\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7365 bytes
Senior Member
3 June 2008 @ 17:40
1. Download Combofix.exe to your desktop from either of these links:
Combofix.exe
Combofix.exe
Open Notepad and copy/paste the contents of the Quote: box into it:
Quote:
File::
C:\WINDOWS\service.exe
C:\WINDOWS\winudspm.exe
C:\Windows\mservice.exe
Save it under the name CFScript (ComboFix actually recognizes it even if the extension is not .txt).
Then drag and drop CFScript onto ComboFix.exe. (Don't click.)
Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
Restart the computer if asked to, and post the contents of the combofix.txt file here.
Close your browser and other programs for the duration of the fix. (Not the antivirus.)
Start HijackThis, click Scan, tick the following entries listed in red and remove them (Fix checked).
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [MSN] C:\Windows\mservice.exe
Empty the Recycle Bin and restart your computer.
Post the following logs here:
* A fresh HijackThis log (taken last, just before posting)
* The (C:\ComboFix.txt) report
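The helper picked three O4 entries out of roughly a hundred lines by eye. The Python script below is an added example by the editor (not part of the thread, not HijackThis code) that applies the same reading as explicit rules to lines copied from the first log: a Run value that is a bare filename with no directory (the loader finds it through the search path at logon, which is why ComboFix later reports the files in C:\WINDOWS), an image in a drive root, the Windows root or a user profile instead of system32 or Program Files, a display name that borrows Windows vocabulary for an image outside system32, and orphaned `(no file)` / `(file missing)` registrations. The rule names and the choice of what counts as suspicious are the editor's assumptions; the script ranks lines for a human and decides nothing. Note that it also flags `InCD.exe` in My Documents, which the helper did not ask to remove: an odd location is a reason to look, not a verdict.

```python
"""Triage heuristics for HijackThis O2/O3/O4/O23 lines.

Added example by the editor; it is not part of the thread and not HijackThis
code. The rules below are assumptions about what a volunteer looks for when
reading a log, and they rank lines for a human rather than deciding anything.
"""
import re

# Lines copied from the HijackThis logs in the thread above: the three Run
# values the helper asked to fix, the two orphaned CLSIDs, the orphaned
# service from the second log, and known-good neighbours to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [MSN] C:\Windows\mservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
"""

# "O4 - HKLM\..\Run: [display name] command line"
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token that ends in an executable extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|pif|bat|cmd))"?', re.I)
# Words malware likes to borrow for the display name of a Run value (assumption).
LOOKALIKE_WORDS = ("windows", "svchost", "microsoft")


def image_path(cmd):
    """Extract the executable from an O4 command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage_o4(name, cmd):
    """Reasons a Run value deserves a second look; empty list if none."""
    reasons = []
    path = image_path(cmd)
    low = path.lower()
    if "\\" not in path:
        # No directory at all: the loader searches the path at logon, so the
        # file can sit anywhere on it (ComboFix found these two in C:\WINDOWS).
        reasons.append("bare filename, resolved through the search path at logon")
    elif re.match(r"^[a-z]:\\[^\\]+$", low) or re.match(r"^[a-z]:\\windows\\[^\\]+$", low):
        reasons.append("image in a drive root or the Windows root, not system32 or Program Files")
    elif "\\documents and settings\\" in low:
        reasons.append("image in a user profile, a user-writable location")
    if any(w in name.lower() for w in LOOKALIKE_WORDS) and "\\system32\\" not in low:
        reasons.append("display name borrows Windows vocabulary but image is not in system32")
    return reasons


def triage_line(line):
    """Apply the heuristics to one HijackThis line."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        return triage_o4(m.group("name"), m.group("cmd"))
    if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
        return ["orphaned BHO/toolbar registration: CLSID present, DLL gone"]
    if line.startswith("O23 - ") and line.endswith("(file missing)"):
        return ["orphaned service: registration present, binary gone"]
    return []


def triage_log(text):
    """Map each flagged line to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.rstrip()] = reasons
    return findings


if __name__ == "__main__":
    for flagged, reasons in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for r in reasons:
            print("   ->", r)
```

Run stand-alone it prints the seven flagged lines with their reasons; the QuickTime, Java and ctfmon lines pass clean. The `(no file)` and `(file missing)` entries are cleanup, not infection: a left-behind CLSID or service registration does nothing without its binary, which is why the helper has them ticked in HijackThis rather than scripted into ComboFix.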
Toppu
4 June 2008 @ 13:03
Fresh logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01, on 2008-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Palomuuri\Sygate\SPF\smc.exe
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\Mika\My Documents\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
D:\Alwil Software\Avast4\ashMaiSv.exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] D:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSN] C:\Windows\mservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\pelit\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Palomuuri\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7091 bytes
Combofix
ComboFix 08-06-03.1 - Mika 2008-06-04 12:23:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.40 [GMT 3:00]
Running from: C:\Documents and Settings\Mika\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mika\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Windows\mservice.exe
C:\WINDOWS\service.exe
C:\WINDOWS\winudspm.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bot.exe
C:\d.exe
C:\Documents and Settings\Mika\new.txt
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\Program Files\Seekmo Programs
C:\Program Files\seekmo
C:\setup.exe
C:\Windows\mservice.exe
C:\WINDOWS\service.exe
C:\WINDOWS\system32\ssqNHXRL.dll
C:\WINDOWS\system32\t.txt
C:\WINDOWS\system32\yaywuuro.dll
C:\WINDOWS\winudspm.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
2008-06-03 23:39 . 2008-06-03 23:40 202,210 --a------ C:\sxy.exe
2008-06-03 21:13 . 2008-06-03 21:13 4,217 --a------ C:\WINDOWS\is154890.exe
2008-06-03 18:36 . 2008-06-03 23:24 86,548 --a------ C:\Documents and Settings\Mika\setupa.exe
2008-06-03 18:32 . 2008-06-03 18:32 86,548 --a------ C:\setz.exe
2008-06-03 18:09 . 2008-06-03 23:05 86,548 --a------ C:\ssetup.exe
2008-06-03 17:16 . 2008-06-03 17:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 01:01 . 2008-06-03 01:01 104,078 --a------ C:\WINDOWS\sb.exe
2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
2008-06-02 21:28 . 2008-06-02 21:28 96,950 --a------ C:\stupx.exe
2008-06-02 21:23 . 2008-06-02 21:23 96,950 --a------ C:\stup.exe
2008-06-02 18:58 . 2008-06-02 20:01 29,696 --a------ C:\hldtlwe.exe
2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
2008-06-02 17:35 . 2008-06-03 18:18 60,114 --a------ C:\bot1.exe
2008-06-01 19:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
2008-06-01 16:46 . 2008-06-01 16:46 86,512 --a------ C:\irc.com
2008-05-31 18:51 . 2008-05-31 20:38 86,512 --a------ C:\Documents and Settings\Mika\setup1.exe
2008-05-31 14:10 . 2008-05-31 15:11 86,512 --a------ C:\setup1.exe
2008-05-30 19:21 . 2008-05-30 22:10 60,132 --a------ C:\dcsi.exe
2008-05-30 16:53 . 2008-06-03 18:18 96,950 --a------ C:\Documents and Settings\Mika\setup.exe
2008-05-30 05:30 . 2008-05-30 05:32 86,498 --a------ C:\com.com
2008-05-29 23:06 . 2008-05-29 23:06 86,340 --a------ C:\profile.com
2008-05-29 20:16 . 2008-05-29 20:16 86,340 --a------ C:\img.com
2008-05-29 19:36 . 2008-05-29 19:36 40,960 --a------ C:\dsdc.exe
2008-05-29 15:33 . 2008-05-30 02:00 60,132 --a------ C:\ddc.exe
2008-05-29 15:12 . 2008-05-29 18:10 56,832 --a------ C:\fa.com
2008-05-28 23:44 . 2008-05-28 23:44 369 --a------ C:\vundoFIX.exe
2008-05-28 21:55 . 2008-05-30 22:45 60,132 --a------ C:\dci.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-30 21:52 --------- d-----w C:\Program Files\mIRC
2008-05-28 20:44 369 ----a-w C:\vundoFIX.exe
2008-04-12 12:38 --------- d-----w C:\Documents and Settings\Mika\Application Data\Apple Computer
2008-04-11 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-11 10:31 --------- d-----w C:\Program Files\QuickTime
2008-04-11 10:31 --------- d-----w C:\Program Files\Bonjour
2008-04-11 10:29 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-11 10:29 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-11 09:57 --------- d-----w C:\Program Files\Java
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2005-08-25 23:00 17679400]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"Steam"="d:\pelit\steam.exe" [2008-03-31 18:58 1271032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07 617984]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 21:41 33792]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"InCD"="C:\Documents and Settings\Mika\My Documents\InCD.exe" [2002-09-12 20:13 1101824]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 05:33 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SmcService"="D:\PALOMU~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"avast!"="D:\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 16:00 79224]
"Windows UDP Control"="winudspm.exe" []
"Windows svchost"="service.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\Mika\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll
"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll
"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"VIDC.VP40"= vp4vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Pelit\\counter-stike 1.6\\hl.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"D:\\Pelit\\SteamApps\\mixuli\\team fortress classic\\hl.exe"=
"D:\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 02:07]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 15:35]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 05:17]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 15:59:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-04 09:10:04 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 12:26:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-06-04 12:28:25
ComboFix-quarantined-files.txt 2008-06-04 09:28:13
Pre-Run: 791,388,160 bytes free
Post-Run: 908,550,144 bytes free
159 --- E O F --- 2008-05-17 00:03:41
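Besides the deletions, the ComboFix report above records the machine's own defences in its "Reg Loading Points" section: `AntiVirusOverride=1` under Security Center, `EnableFirewall=0` for the Windows Firewall standard profile, and the list of programs allowed through that firewall. The Python script below is an added example by the editor (not ComboFix code, not part of the thread) that parses that REGEDIT4-style dump and reports the values that weaken the machine. The registry value names are the real Windows XP SP2 ones as ComboFix printed them; the scoring is the editor's assumption. Two caveats a practitioner would attach: `EnableFirewall=0` is expected here, because Sygate Personal Firewall is installed and running, so it is a question for the user rather than a finding; and `AntiVirusOverride=1` tells Security Center not to warn about the antivirus state, which a user can set by hand, so it is worth asking about rather than assuming the malware did it.

```python
"""Read the security-posture values out of a ComboFix 'Reg Loading Points' dump.

Added example by the editor; not ComboFix code and not part of the thread.
The registry value names are the real Windows XP SP2 ones that ComboFix
printed above; how they are read and scored here is the editor's assumption.
"""
import re

# Copied from the ComboFix report above (REGEDIT4 style, with ComboFix's own
# key abbreviations and its '0 (0x0)' rendering kept exactly as printed).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"D:\\DC++\\DCPlusPlus.exe"=
"""

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
FW_EXCEPTIONS = FW_PROFILE + r"\authorizedapplications\list"


def parse_reg_dump(text):
    """Return {key path (lower-cased): {value name: raw value text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            # '"Name"=data' -> name without quotes, data as printed (may be empty)
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = raw.strip()
    return keys


def dword_value(raw):
    """Parse 'dword:00000001' or ComboFix's '0 (0x0)' rendering into an int."""
    m = re.match(r"dword:([0-9a-f]+)", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def posture_findings(text):
    """List the settings that weaken the machine's own defences."""
    keys = parse_reg_dump(text)
    findings = []
    sc = keys.get(SECURITY_CENTER, {})
    if dword_value(sc.get("AntiVirusOverride", "dword:0")) == 1:
        findings.append("AntiVirusOverride=1: Security Center told not to warn about antivirus state")
    fw = keys.get(FW_PROFILE, {})
    if dword_value(fw.get("EnableFirewall", "dword:1")) == 0:
        findings.append("EnableFirewall=0: Windows Firewall standard profile is off")
    for app in keys.get(FW_EXCEPTIONS, {}):
        # REGEDIT4 doubles backslashes; undo that before looking at the path.
        path = app.replace("\\\\", "\\").lower()
        if "%windir%" not in path and "\\windows\\" not in path:
            findings.append("firewall exception for non-Windows program: " + app)
    return findings


if __name__ == "__main__":
    for finding in posture_findings(SAMPLE_REG):
        print(finding)
```

Run stand-alone it prints five lines: the two posture values and the three non-Windows firewall exceptions (mIRC, BitLord, DC++). The exception list is context rather than a finding: it shows what the user has deliberately let through, which is useful to know when the files ComboFix deleted from C:\ carry names like `irc.com`, `dci.exe` and `dcsi.exe`.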
Senior Member
4 June 2008 @ 13:25
1. Download Combofix.exe to your desktop from either of these links:
Combofix.exe
Combofix.exe
Open Notepad and copy/paste the contents of the Quote: box into it:
Quote:
File::
C:\Windows\mservice.exe
C:\sxy.exe
C:\WINDOWS\is154890.exe
C:\WINDOWS\DC5177176.zip
C:\setz.exe
C:\ssetup.exe
C:\stupx.exe
C:\stup.exe
C:\hldtlwe.exe
C:\mgoilhuqomfmnhs.exe
C:\bot1.exe
C:\sexy.com
C:\irc.com
C:\Documents and Settings\Mika\setup1.exe
C:\setup1.exe
C:\dcsi.exe
C:\Documents and Settings\Mika\setup.exe
C:\com.com
C:\profile.com
C:\img.com
C:\dsdc.exe
C:\ddc.exe
C:\fa.com
C:\dci.exe
Save it under the name CFScript (ComboFix actually recognizes it even if the extension is not .txt).
Then drag and drop CFScript onto ComboFix.exe. (Don't click.)
Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
Restart the computer if asked to, and post the contents of the combofix.txt file here.
Close your browser and other programs for the duration of the fix. (Not the antivirus.)
Start HijackThis, click Scan, tick the following entries listed in red and remove them (Fix checked).
O4 - HKLM\..\Run: [MSN] C:\Windows\mservice.exe
Empty the Recycle Bin and restart your computer.
Post the following logs here:
* A fresh HijackThis log (taken last, just before posting)
* The (C:\ComboFix.txt) report
Toppu
6 June 2008 @ 13:43
Fresh log!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41, on 2008-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Palomuuri\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\Mika\My Documents\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] D:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\pelit\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Palomuuri\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7088 bytes
Combofix
ComboFix 08-06-03.1 - Mika 2008-06-06 13:22:12.2 - NTFSx86
Running from: C:\Documents and Settings\Mika\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mika\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\bot1.exe
C:\com.com
C:\dci.exe
C:\dcsi.exe
C:\ddc.exe
C:\Documents and Settings\Mika\setup.exe
C:\Documents and Settings\Mika\setup1.exe
C:\dsdc.exe
C:\fa.com
C:\hldtlwe.exe
C:\img.com
C:\irc.com
C:\mgoilhuqomfmnhs.exe
C:\profile.com
C:\setup1.exe
C:\setz.exe
C:\sexy.com
C:\ssetup.exe
C:\stup.exe
C:\stupx.exe
C:\sxy.exe
C:\WINDOWS\DC5177176.zip
C:\WINDOWS\is154890.exe
C:\Windows\mservice.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bot1.exe
C:\com.com
C:\dci.exe
C:\dcsi.exe
C:\ddc.exe
C:\Documents and Settings\Mika\setup.exe
C:\Documents and Settings\Mika\setup1.exe
C:\dsdc.exe
C:\fa.com
C:\hldtlwe.exe
C:\img.com
C:\irc.com
C:\mgoilhuqomfmnhs.exe
C:\profile.com
C:\setup1.exe
C:\setz.exe
C:\sexy.com
C:\ssetup.exe
C:\stup.exe
C:\stupx.exe
C:\sxy.exe
C:\WINDOWS\DC5177176.zip
C:\WINDOWS\is154890.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.
2008-06-03 18:36 . 2008-06-03 23:24 86,548 --a------ C:\Documents and Settings\Mika\setupa.exe
2008-06-03 17:16 . 2008-06-03 17:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 01:01 . 2008-06-03 01:01 104,078 --a------ C:\WINDOWS\sb.exe
2008-05-28 23:44 . 2008-05-28 23:44 369 --a------ C:\vundoFIX.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-30 21:52 --------- d-----w C:\Program Files\mIRC
2008-05-28 20:44 369 ----a-w C:\vundoFIX.exe
2008-04-12 12:38 --------- d-----w C:\Documents and Settings\Mika\Application Data\Apple Computer
2008-04-11 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-11 10:31 --------- d-----w C:\Program Files\QuickTime
2008-04-11 10:31 --------- d-----w C:\Program Files\Bonjour
2008-04-11 10:29 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-11 10:29 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-11 09:57 --------- d-----w C:\Program Files\Java
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2005-08-25 23:00 17679400]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"Steam"="d:\pelit\steam.exe" [2008-03-31 18:58 1271032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07 617984]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 21:41 33792]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"InCD"="C:\Documents and Settings\Mika\My Documents\InCD.exe" [2002-09-12 20:13 1101824]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 05:33 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SmcService"="D:\PALOMU~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"avast!"="D:\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 02:19 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\Mika\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll
"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll
"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"VIDC.VP40"= vp4vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Pelit\\counter-stike 1.6\\hl.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"D:\\Pelit\\SteamApps\\mixuli\\team fortress classic\\hl.exe"=
"D:\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 02:07]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 15:35]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 05:17]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 15:59:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 10:10:05 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 13:24:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-06-06 13:26:22
ComboFix-quarantined-files.txt 2008-06-06 10:26:12
Pre-Run: 1,002,762,240 bytes free
Post-Run: 1,022,558,208 bytes free
165 --- E O F --- 2008-06-04 09:46:37
Hujo
Suspended permanently
7 June 2008 @ 06:25
Download Malwarebytes' Anti-Malware to your desktop.
1. Double-click mbam-setup.exe and follow the prompts to install the program.
2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, the program will download and install the latest version.
4. Once the program has loaded, select Perform full scan and click Scan.
5. When the scan is complete, click OK and then Show Results to view the results.
6. Make sure everything is checked and click Remove Selected.
7. After that, the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found here: C:\Documents and Settings\Käyttäjänimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
8. Post the contents of the log in your next reply.
Can a computer ever work?
Toppu
Suspended due to non-functional email address
7 June 2008 @ 21:09
Here's the Malwarebytes log!
Malwarebytes' Anti-Malware 1.15
Tietokantaversio: 838
21:08:05 2008-06-07
mbam-log-6-7-2008 (21-08-05).txt
Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|I:\|)
Tarkistetut kohteet: 91981
Kulunut aika: 1 hour(s), 12 minute(s), 0 second(s)
Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 5
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 53
Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)
Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmotoolbar.seekmotoolband.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)
Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)
Saastuneita tiedostoja:
C:\QooBox\Quarantine\C\bot1.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\com.com.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\d.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\dci.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\dcsi.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\ddc.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\dsdc.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\fa.com.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\hldtlwe.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\img.com.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\irc.com.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\profile.com.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\setup.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\setup1.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\stup.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\stupx.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Mika\setup.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Mika\setup1.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\mservice.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\winudspm.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1029\A0102366.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1030\A0102375.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1030\A0102392.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1031\A0102410.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1031\A0102411.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1033\A0102475.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1034\A0103410.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1034\A0103411.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1035\A0103419.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1035\A0103420.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1035\A0103421.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1035\A0103427.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1036\A0103473.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1036\A0103477.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1036\A0103478.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1036\A0103479.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1036\A0103490.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104571.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104572.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104573.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104574.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104575.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104576.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104577.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104578.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104579.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104580.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104581.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104582.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104584.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104585.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104589.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP1039\A0104590.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
Hujo
Suspended permanently
7 June 2008 @ 21:25
1. Click Start > right-click My Computer
2. Select Properties
3. Select the System Restore tab
4. Check the box ¤ Turn off System Restore on all drives
5. Click Apply
6. Click OK
7. Shut down and restart
8. Uncheck the box ¤ Turn off System Restore on all drives
9. Apply and OK
Can a computer ever work?
Toppu
Suspended due to non-functional email address
8 June 2008 @ 13:58
Done this too =) What next? ;)
Hujo
Suspended permanently
8 June 2008 @ 14:33
Run and post a fresh ComboFix log.
Can a computer ever work?
Toppu
Suspended due to non-functional email address
9 June 2008 @ 20:44
Isn't it already shown up there earlier...?
Hujo
Suspended permanently
9 June 2008 @ 20:48
A new one, after the shutdown and restart.
Can a computer ever work?
Toppu
Suspended due to non-functional email address
10 June 2008 @ 22:19
Here it is
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:15:48, on 10.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Palomuuri\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\Mika\My Documents\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\winudmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\BitLord\BitLord.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svho.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] D:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Controls Center] winudmr.exe
O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
O4 - HKLM\..\RunServices: [System Service Manager Device] svho.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Palomuuri\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7403 bytes
ComboFix 08-06-03.1 - Mika 2008-06-10 21:51:22.3 - NTFSx86
Running from: C:\Documents and Settings\Mika\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.
2008-06-09 15:11 . 2008-06-09 15:11 268 --ah----- C:\sqmdata03.sqm
2008-06-09 15:11 . 2008-06-09 15:11 244 --ah----- C:\sqmnoopt03.sqm
2008-06-09 15:09 . 2008-06-09 15:09 29,342 -r-hs---- C:\WINDOWS\winudmr.exe
2008-06-09 15:09 . 2008-06-09 15:09 29,342 --a------ C:\ps.exe
2008-06-08 12:47 . 2008-06-08 16:13 2,231 --a------ C:\is154890.exe
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Documents and Settings\Mika\Application Data\Malwarebytes
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 19:52 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 19:52 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 18:36 . 2008-06-03 23:24 86,548 --a------ C:\Documents and Settings\Mika\setupa.exe
2008-06-03 17:16 . 2008-06-03 17:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 01:01 . 2008-06-03 01:01 104,078 --a------ C:\WINDOWS\sb.exe
2008-05-28 23:44 . 2008-05-28 23:44 369 --a------ C:\vundoFIX.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 11:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-06 21:27 --------- d-----w C:\Program Files\mIRC
2008-05-28 20:44 369 ----a-w C:\vundoFIX.exe
2008-04-12 12:38 --------- d-----w C:\Documents and Settings\Mika\Application Data\Apple Computer
2008-04-11 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-11 10:31 --------- d-----w C:\Program Files\QuickTime
2008-04-11 10:31 --------- d-----w C:\Program Files\Bonjour
2008-04-11 10:29 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-11 10:29 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-11 09:57 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07 617984]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 21:41 33792]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"InCD"="C:\Documents and Settings\Mika\My Documents\InCD.exe" [2002-09-12 20:13 1101824]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 05:33 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SmcService"="D:\PALOMU~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"avast!"="D:\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 02:19 79224]
"Windows Controls Center"="winudmr.exe" [2008-06-09 15:09 29342 C:\WINDOWS\winudmr.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\Mika\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll
"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll
"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"VIDC.VP40"= vp4vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Pelit\\counter-stike 1.6\\hl.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"D:\\Pelit\\SteamApps\\mixuli\\team fortress classic\\hl.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 02:07]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 15:35]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 05:17]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 15:59:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-10 18:10:04 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 21:55:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\mika.w@hotmail.com\SharingMetadata\Working\database_480C_DF84_CDF_6C06\$db_clean$ 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-06-10 21:59:43
ComboFix-quarantined-files.txt 2008-06-10 18:59:32
Pre-Run: 1,590,497,280 bytes free
Post-Run: 1,582,419,968 bytes free
126 --- E O F --- 2008-06-08 10:55:57
Toppu
Suspended due to non-functional email address
12 June 2008 @ 11:28

hey pleeease take a look! the computer is totally messed up! =/
Senior Member
4 product reviews
12 June 2008 @ 11:35

1. Download Combofix.exe to your desktop from either of these links:
Combofix.exe
Combofix.exe
Open Notepad and copy/paste the contents of the Quote: box into it:
Quote: File::
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\winudmr.exe
C:\ps.exe
C:\is154890.exe
C:\Documents and Settings\Mika\setupa.exe
C:\WINDOWS\sb.exe
C:\WINDOWS\system32\svho.exe
Save it as CFScript (ComboFix actually recognises it even if the file extension isn't .txt).
Then drag and drop CFScript onto ComboFix.exe as shown below. (Don't click.)

Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
Restart the computer if asked to, and post the contents of the combofix.txt file here.
Close your browser and other programs for the duration of the fix (but not the antivirus).
Start HijackThis, click Scan, tick the following entries listed in red and remove them (Fix checked).
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Controls Center] winudmr.exe
O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
O4 - HKLM\..\RunServices: [System Service Manager Device] svho.exe
Empty the Recycle Bin and restart your computer.
Post the following logs here:
* A fresh HijackThis log (take it last, just before posting)
* The (C:\ComboFix.txt) report
Toppu
Suspended due to non-functional email address
12 June 2008 @ 13:42

New logs!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39, on 2008-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Palomuuri\Sygate\SPF\smc.exe
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
D:\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Documents and Settings\Mika\My Documents\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [0cdf6ca9] rundll32.exe "C:\WINDOWS\system32\hqgverye.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Palomuuri\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6911 bytes
Combofix
ComboFix 08-06-03.1 - Mika 2008-06-12 13:19:59.4 - NTFSx86
Running from: C:\Documents and Settings\Mika\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mika\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\Mika\setupa.exe
C:\is154890.exe
C:\ps.exe
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\sb.exe
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\winudmr.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mika\setupa.exe
C:\is154890.exe
C:\ps.exe
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\sb.exe
C:\WINDOWS\system32\cbXRIaXq.dll
C:\WINDOWS\system32\eyrevgqh.ini
C:\WINDOWS\system32\hgGxxvUm.dll
C:\WINDOWS\system32\qXaIRXbc.ini
C:\WINDOWS\system32\qXaIRXbc.ini2
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\system32\tuvSjkkh.dll
C:\WINDOWS\system32\urqRLBSl.dll
C:\WINDOWS\system32\xxyyxvWp.dll
C:\WINDOWS\winudmr.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.
2008-06-12 12:29 . 2008-06-12 12:29 81,408 --a------ C:\WINDOWS\system32\hqgverye.dll
2008-06-12 02:03 . 2008-06-12 09:31 2,232 --a------ C:\is15932.exe
2008-06-11 23:35 . 2008-06-11 23:35 30,164 --a------ C:\Program Files\ffdsvsetts.reg
2008-06-11 23:35 . 2008-06-11 23:35 18,156 --a------ C:\Program Files\mpc6.reg
2008-06-11 23:35 . 2008-06-11 23:35 16,146 --a------ C:\Program Files\mpc5.reg
2008-06-11 23:35 . 2008-06-11 23:35 3,476 --a------ C:\Program Files\mpc7.reg
2008-06-11 23:35 . 2008-06-11 23:35 3,026 --a------ C:\Program Files\mpc3.reg
2008-06-11 23:35 . 2008-06-11 23:35 2,740 --a------ C:\Program Files\mpc4.reg
2008-06-11 23:35 . 2008-06-11 23:35 1,176 --a------ C:\Program Files\ffdssetts.reg
2008-06-11 23:35 . 2008-06-11 23:35 1,172 --a------ C:\Program Files\ffdsasetts.reg
2008-06-11 23:35 . 2008-06-11 23:35 680 --a------ C:\Program Files\mpc2.reg
2008-06-11 23:35 . 2008-06-11 23:35 596 --a------ C:\Program Files\mpc1.reg
2008-06-11 21:43 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 21:43 . 2008-04-14 14:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 12:41 . 2008-06-11 15:58 2,232 --a------ C:\is155815.exe
2008-06-10 22:09 . 2008-06-10 22:09 115,215 --a------ C:\sexy.exe
2008-06-07 19:52 . 2008-06-11 14:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Documents and Settings\Mika\Application Data\Malwarebytes
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 19:52 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 19:52 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 17:16 . 2008-06-03 17:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 23:44 . 2008-05-28 23:44 369 --a------ C:\vundoFIX.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 20:35 4,482 ----a-w C:\Program Files\satsukidecodersettings.ini
2008-06-08 11:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-06 21:27 --------- d-----w C:\Program Files\mIRC
2008-05-28 20:44 369 ----a-w C:\vundoFIX.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-12 12:38 --------- d-----w C:\Documents and Settings\Mika\Application Data\Apple Computer
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-10_21.59.01.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-21 06:56:54 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\browseui.dll
+ 2008-04-21 06:56:54 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\cdfview.dll
+ 2008-04-21 06:56:55 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\danim.dll
+ 2008-04-21 06:56:55 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\dxtmsft.dll
+ 2008-04-21 06:56:55 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\dxtrans.dll
+ 2008-04-21 06:56:55 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\extmgr.dll
+ 2008-04-17 10:46:59 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\iedw.exe
+ 2008-04-21 06:56:56 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\iepeers.dll
+ 2008-04-21 06:56:56 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\inseng.dll
+ 2008-04-21 06:56:56 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\jsproxy.dll
+ 2008-04-21 06:56:57 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mshtml.dll
+ 2008-04-21 06:56:57 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mshtmled.dll
+ 2008-04-21 06:56:57 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\msrating.dll
+ 2008-04-21 06:56:58 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mstime.dll
+ 2008-04-21 06:56:58 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\pngfilt.dll
+ 2008-04-21 06:56:58 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\shdocvw.dll
+ 2008-04-21 06:56:58 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\shlwapi.dll
+ 2008-04-21 06:56:58 618,496 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\urlmon.dll
+ 2008-04-21 06:56:59 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\wininet.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\xpsp3res.dll
+ 2008-04-21 06:44:29 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\mshtml.dll
+ 2008-04-21 06:44:29 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\wininet.dll
+ 2008-04-21 06:24:01 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\mshtml.dll
+ 2008-04-21 06:24:02 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\wininet.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB950759\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB950759\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\updspapi.dll
+ 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
- 2008-06-09 12:08:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 10:26:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2008-02-16 08:59:34 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-02-16 08:59:35 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-04-21 07:03:56 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-02-16 08:59:35 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-04-21 07:03:57 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-02-16 08:59:35 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-02-16 08:59:35 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-21 07:03:57 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-02-15 09:23:37 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-04-17 10:52:54 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-02-16 08:59:35 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-04-21 07:03:58 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-02-16 08:59:35 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-04-21 07:03:58 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-02-16 08:59:35 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-02-16 22:29:38 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-02-16 08:59:37 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-02-16 08:59:37 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-21 07:03:59 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-02-16 08:59:37 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-21 07:03:59 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-02-16 08:59:37 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-02-16 08:59:38 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-02-16 08:59:38 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2008-02-16 08:59:38 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-21 07:04:00 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-02-16 08:59:39 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-21 07:04:00 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
- 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-06-12 10:27:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_680.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07 617984]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 21:41 33792]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"InCD"="C:\Documents and Settings\Mika\My Documents\InCD.exe" [2002-09-12 20:13 1101824]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 05:33 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SmcService"="D:\PALOMU~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"Windows Controls Center"="winudmr.exe" []
"0cdf6ca9"="C:\WINDOWS\system32\hqgverye.dll" [2008-06-12 12:29 81408]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\Mika\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{34DF45D1-6319-4A7F-84CA-7498BD0DAEFC}"= C:\WINDOWS\system32\xxyyxvWp.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll
"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll
"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"VIDC.VP40"= vp4vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Pelit\\counter-stike 1.6\\hl.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"D:\\Pelit\\SteamApps\\mixuli\\team fortress classic\\hl.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 02:07]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 15:35]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 05:17]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 15:59:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-12 10:10:02 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
Senior Member
4 product reviews
12 June 2008 @ 13:46

1. Download Combofix.exe to your desktop from either of these links:
Combofix.exe
Combofix.exe
Open Notepad and copy/paste the contents of the Quote: box into it:
Quote: File::
C:\is15932.exe
C:\is155815.exe
C:\sexy.exe
C:\WINDOWS\system32\hqgverye.dll
Save it as CFScript (ComboFix actually recognises it even if the file extension isn't .txt).
Then drag and drop CFScript onto ComboFix.exe as shown below. (Don't click.)

Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
Restart the computer if asked to, and post the contents of the combofix.txt file here.
Close your browser and other programs for the duration of the fix (but not the antivirus).
Start HijackThis, click Scan, tick the following entries listed in red and remove them (Fix checked).
O4 - HKLM\..\Run: [0cdf6ca9] rundll32.exe "C:\WINDOWS\system32\hqgverye.dll",b
Empty the Recycle Bin and restart your computer.
Post the following logs here:
* A fresh HijackThis log (take it last, just before posting)
* The (C:\ComboFix.txt) report
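In both fix posts above the helper picks the rogue O4 autostart entries out of the HijackThis log by eye. As an added example (not from this thread, HijackThis or ComboFix), the script below parses the registry-form O4 lines and flags the same patterns that were removed here: a Run value that is a bare file name (winudmr.exe, svho.exe), rundll32 loading a system32 DLL through a one-letter export under an eight-hex-digit value name (0cdf6ca9), and any use of the legacy RunServices key. The sample lines are copied from the logs in the thread; the heuristics and their thresholds are my own and will need a baseline of known-good entries on a real machine.

```python
"""Triage the registry-form O4 (autostart) lines of a HijackThis log.

Added example for this thread, not HijackThis or ComboFix code.  The heuristics
mirror what the helper removed here: a Run value that is a bare file name
(winudmr.exe, svho.exe), rundll32 loading a system32 DLL through a one-letter
export under an eight-hex-digit value name (0cdf6ca9), and the RunServices key.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "O4 - HKLM\..\Run: [Name] command (User 'X')"; Startup-folder O4 lines do not match.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
SYSTEM32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    exe: str                 # executable as written, surrounding quotes removed
    args: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)   # empty == nothing tripped


def split_command(cmd: str) -> Tuple[str, str]:
    """Split 'exe args'; exe may be "quoted" or an unquoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted "C:\Program Files\..." paths contain spaces, so cut after the
    # first ".exe" token instead of at the first space.
    m = re.search(r"\.exe\b", cmd, re.I)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one registry-form O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m["cmd"])
    return O4Entry(m["hive"], m["key"], m["name"], exe, args, m["user"])


def rundll32_target(args: str) -> Tuple[str, str]:
    """From rundll32 arguments '"C:\\x\\y.dll",entry' return (dll, entry)."""
    m = re.match(r'^"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', args.strip())
    return (m["dll"], m["entry"]) if m else ("", "")


def assess(entry: O4Entry) -> O4Entry:
    """Append one reason per heuristic the entry trips; return the entry."""
    exe_name = entry.exe.rsplit("\\", 1)[-1].lower()
    if entry.key.lower() == "runservices":
        entry.reasons.append("uses the legacy RunServices key")
    if HEX_NAME_RE.match(entry.name):
        entry.reasons.append(f"value name {entry.name!r} is eight hex digits")
    if exe_name == "rundll32.exe":
        dll, export = rundll32_target(entry.args)
        if SYSTEM32_DLL_RE.match(dll) and len(export) == 1:
            entry.reasons.append(f"rundll32 loads {dll} via one-letter export {export!r}")
    elif "\\" not in entry.exe:
        entry.reasons.append(f"bare file name {entry.exe!r}: resolved via the search path")
    return entry


def triage(lines) -> List[O4Entry]:
    """Return the parsed O4 entries that tripped at least one heuristic."""
    return [e for e in (parse_o4(l) for l in lines) if e and assess(e).reasons]


# Sample input copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Windows Controls Center] winudmr.exe
O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
O4 - HKLM\..\RunServices: [System Service Manager Device] svho.exe
O4 - HKLM\..\Run: [0cdf6ca9] rundll32.exe "C:\WINDOWS\system32\hqgverye.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_O4):
        print(f"{f.hive}\\..\\{f.key} [{f.name}] {f.exe} {f.args}".rstrip())
        for reason in f.reasons:
            print("   -", reason)
```

Entries with a full path, including the four legitimate ones in the sample, come back clean; the Startup-folder O4 line is skipped because it has no registry key to assess.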
Toppu
Suspended due to non-functional email address
12 June 2008 @ 16:56

NEW!!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53, on 2008-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Palomuuri\Sygate\SPF\smc.exe
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
D:\Alwil Software\Avast4\ashMaiSv.exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Documents and Settings\Mika\My Documents\InCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [InCD] C:\Documents and Settings\Mika\My Documents\InCD.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?398c8d7dcf04424f9a12696c00b38fa1
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Palomuuri\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6876 bytes
Combofix
ComboFix 08-06-03.1 - Mika 2008-06-12 16:40:39.5 - NTFSx86
Running from: C:\Documents and Settings\Mika\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mika\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\is155815.exe
C:\is15932.exe
C:\sexy.exe
C:\WINDOWS\system32\hqgverye.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\is155815.exe
C:\is15932.exe
C:\sexy.exe
C:\WINDOWS\system32\hqgverye.dll
C:\WINDOWS\system32\mcrh.tmp
.
---- Previous Run -------
.
C:\Documents and Settings\Mika\setupa.exe
C:\is154890.exe
C:\ps.exe
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\sb.exe
C:\WINDOWS\system32\cbXRIaXq.dll
C:\WINDOWS\system32\eyrevgqh.ini
C:\WINDOWS\system32\hgGxxvUm.dll
C:\WINDOWS\system32\qXaIRXbc.ini
C:\WINDOWS\system32\qXaIRXbc.ini2
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\system32\tuvSjkkh.dll
C:\WINDOWS\system32\urqRLBSl.dll
C:\WINDOWS\system32\xxyyxvWp.dll
C:\WINDOWS\winudmr.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.
2008-06-12 14:41 . 2008-06-12 14:41 <DIR> d---s---- C:\Documents and Settings\Mika\UserData
2008-06-12 13:30 . 2008-06-12 14:57 354 ---hs---- C:\WINDOWS\system32\eyrevgqh.ini
2008-06-11 23:35 . 2008-06-11 23:35 30,164 --a------ C:\Program Files\ffdsvsetts.reg
2008-06-11 23:35 . 2008-06-11 23:35 18,156 --a------ C:\Program Files\mpc6.reg
2008-06-11 23:35 . 2008-06-11 23:35 16,146 --a------ C:\Program Files\mpc5.reg
2008-06-11 23:35 . 2008-06-11 23:35 3,476 --a------ C:\Program Files\mpc7.reg
2008-06-11 23:35 . 2008-06-11 23:35 3,026 --a------ C:\Program Files\mpc3.reg
2008-06-11 23:35 . 2008-06-11 23:35 2,740 --a------ C:\Program Files\mpc4.reg
2008-06-11 23:35 . 2008-06-11 23:35 1,176 --a------ C:\Program Files\ffdssetts.reg
2008-06-11 23:35 . 2008-06-11 23:35 1,172 --a------ C:\Program Files\ffdsasetts.reg
2008-06-11 23:35 . 2008-06-11 23:35 680 --a------ C:\Program Files\mpc2.reg
2008-06-11 23:35 . 2008-06-11 23:35 596 --a------ C:\Program Files\mpc1.reg
2008-06-11 21:43 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 21:43 . 2008-04-14 14:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 19:52 . 2008-06-11 14:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Documents and Settings\Mika\Application Data\Malwarebytes
2008-06-07 19:52 . 2008-06-07 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 19:52 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 19:52 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 17:16 . 2008-06-03 17:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 23:44 . 2008-05-28 23:44 369 --a------ C:\vundoFIX.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 20:35 4,482 ----a-w C:\Program Files\satsukidecodersettings.ini
2008-06-08 11:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-06 21:27 --------- d-----w C:\Program Files\mIRC
2008-05-28 20:44 369 ----a-w C:\vundoFIX.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-12 12:38 --------- d-----w C:\Documents and Settings\Mika\Application Data\Apple Computer
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.
((((((((((((((((((((((((((((( snapshot_2008-06-12_13.34.09.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-12 10:26:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 13:44:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 13:44:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_67c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07 617984]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 21:41 33792]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"InCD"="C:\Documents and Settings\Mika\My Documents\InCD.exe" [2002-09-12 20:13 1101824]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 05:33 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SmcService"="D:\PALOMU~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"0cdf6ca9"="C:\WINDOWS\system32\hqgverye.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\Mika\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{34DF45D1-6319-4A7F-84CA-7498BD0DAEFC}"= C:\WINDOWS\system32\xxyyxvWp.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll
"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll
"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"VIDC.VP40"= vp4vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Pelit\\counter-stike 1.6\\hl.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"D:\\Pelit\\SteamApps\\mixuli\\team fortress classic\\hl.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 02:07]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 15:35]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 05:17]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 15:59:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-12 13:10:04 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
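The O4 entry the helper asked to fix above (rundll32 loading a randomly named DLL from system32 under a hex-looking Run value name) is the classic Vundo autostart pattern; the Malwarebytes log later in this thread does name Trojan.Vundo. The following Python script is an added example for this thread, not code from HijackThis, ComboFix or the forum: it parses HijackThis O4 lines and flags that combination. The sample lines are copied from the logs in this thread, while the regular expressions and the "two independent signals" rule are my own assumptions, tuned to the entry the helper flagged, so its output is a triage hint for a human reader rather than a verdict.

```python
"""Triage HijackThis O4 (autostart) lines for the Vundo-style pattern seen in
this thread: rundll32 loading a DLL with a random-looking name from system32,
registered under a hex-looking Run value name.

Added example for this thread; not code from HijackThis, ComboFix or the forum.
The regexes and the two-signal rule are assumptions tuned to the entry the
helper flagged, so the output is a triage hint for a human, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Registry autostart line:  O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r'^O4 - (?P<hive>[^:]+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Startup-folder line:      O4 - Startup: Foo.lnk = C:\path\foo.exe
STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Stem of the first *.dll path component in the command line
DLL_RE = re.compile(r'([^\\"\s]+)\.dll', re.IGNORECASE)
# Heuristics (assumptions for this example)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,12}$')           # value name like "0cdf6ca9"
RANDOM_STEM_RE = re.compile(r'^[a-z]{7,9}$')             # DLL stem like "hqgverye"
CONSONANT_RUN_RE = re.compile(r'[b-df-hj-np-tv-z]{3}')   # three consonants in a row


@dataclass
class O4Entry:
    hive: str
    name: str
    cmd: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two independent signals: rundll32 on its own is common in benign entries.
        return len(self.reasons) >= 2


def parse_o4_line(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for a HijackThis O4 line, or None for any other line."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    return O4Entry(m.group('hive'), m.group('name'), m.group('cmd'))


def score_entry(entry: O4Entry) -> O4Entry:
    """Attach the heuristic reasons that apply to one entry."""
    cmd = entry.cmd.strip().lstrip('"').lower()
    if cmd.startswith('rundll32'):
        entry.reasons.append('rundll32 used to load a DLL')
    if HEX_NAME_RE.match(entry.name):
        entry.reasons.append('hex-looking Run value name')
    dll = DLL_RE.search(entry.cmd)
    if dll:
        stem = dll.group(1).lower()
        if RANDOM_STEM_RE.match(stem) and CONSONANT_RUN_RE.search(stem):
            entry.reasons.append(f'random-looking DLL name {stem}.dll')
    return entry


def triage(lines: Iterable[str]) -> List[O4Entry]:
    """Parse every O4 line and score it; non-O4 lines are ignored."""
    return [score_entry(e) for e in map(parse_o4_line, lines) if e is not None]


def suspicious_names(lines: Iterable[str]) -> List[str]:
    """Run value names that a human should look at first."""
    return [e.name for e in triage(lines) if e.suspicious]


# Constructed sample: O4 lines copied from this thread (the first one is the
# entry the helper asked to fix; the rest are the benign ones in the log).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [0cdf6ca9] rundll32.exe "C:\WINDOWS\system32\hqgverye.dll",b',
    r'O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe',
    r'O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033',
    r'O4 - HKLM\..\Run: [SmcService] D:\PALOMU~1\Sygate\SPF\smc.exe -startgui',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r'O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe',
]

if __name__ == '__main__':
    for e in triage(SAMPLE_LINES):
        mark = 'SUSPICIOUS' if e.suspicious else 'ok'
        why = f'  <- {"; ".join(e.reasons)}' if e.reasons else ''
        print(f'{mark:10} {e.hive} [{e.name}] {e.cmd}{why}')
```

Run it on a saved HijackThis log (`triage(open('hijackthis.log').read().splitlines())`) and only the `[0cdf6ca9]` entry comes out marked; the other O4 lines in this thread score zero or one signal. A random-looking name is only a hint, so a flagged entry still needs the file checked (publisher, timestamp, whether it exists at all). Notice that in the ComboFix "Reg Loading Points" section above the same value name appears with an empty `[ ]` where most entries carry a file timestamp and size, which is worth a second look in its own right.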
Senior Member
12 June 2008 @ 17:06
All right, this is starting to look good.
Download Atribune's ATF Cleaner
Instructions:
Double-click ATF-Cleaner.exe to start the program.
Under Main, choose: Select All
Click the Empty Selected button.
If you use Firefox as your browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you want to keep your saved passwords, click No when it asks.
If you use Opera as your browser
Click Opera at the top and choose: Select All
Click the Empty Selected button again.
NOTE: If you want to keep your saved passwords, click No when it asks.
Click Exit in the main menu to close the program.
Once you have cleaned the machine with that program, scan once more with Malwarebytes and post its log here if it found anything.
Toppu
12 June 2008 @ 18:52
Here's the Malwarebytes log.
Yeah, it found a couple.
Malwarebytes' Anti-Malware 1.17
Tietokantaversio: 846
18:49:50 2008-06-12
mbam-log-6-12-2008 (18-49-50).txt
Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|)
Tarkistetut kohteet: 94070
Kulunut aika: 24 minute(s), 58 second(s)
Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 3
Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)
Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)
Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)
Saastuneita tiedostoja:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9480216E-AB83-4529-A16C-A64634807B01}\RP4\A0001274.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
And now, after all that, all the text in the browser is insanely large? What's causing that???
Senior Member
12 June 2008 @ 18:54
What browser are you using?
Toppu
12 June 2008 @ 19:31
Toppu
14 June 2008 @ 13:34
What next? =D
Senior Member
14 June 2008 @ 13:41
So let's do this.
Disabling System Restore
You can disable System Restore as follows:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when prompted to confirm turning off System Restore.
After that, restart the computer and scan once more with Malwarebytes; remember to update Malwarebytes before scanning, too.
Toppu
14 June 2008 @ 14:27
Malwarebytes' Anti-Malware 1.17
Tietokantaversio: 846
14:25:15 2008-06-14
mbam-log-6-14-2008 (14-25-15).txt
Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|)
Tarkistetut kohteet: 93966
Kulunut aika: 23 minute(s), 50 second(s)
Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 0
Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)
Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)
Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)
Saastuneita tiedostoja:
(Haitallisia kohteita ei löydetty)