|
Jonkinlaista Virusta HJT-logi
|
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 15:31 |
Linkki tähän viestiin
|
Mulle aukeilee jotain ihmeellisiä ikkunoita vaikka en tekisi mitään koneella...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28:02, on 16.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Siemens\Gigaset USB Stick 54\Gcc.exe
C:\Program Files\Siemens\Gigaset USB Stick 54\OdHost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [f0f3f234] rundll32.exe "C:\WINDOWS\system32\smffeobn.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Janne\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Program Files\Siemens\Gigaset USB Stick 54\Gcc.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O20 - AppInit_DLLs: rwgrec.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\UGVra2EgVGlpbW8\command.exe (file missing)
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
--
End of file - 4486 bytes
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
|
|
Hujo
Suspended permanently
|
16. joulukuuta 2008 @ 15:37 |
Linkki tähän viestiin
|
Lataa Malwarebytes' Anti-Malware työpöydällesi.
1. Tuplaklikkaa mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman.
2. Lopuksi varmistu, että seuraavat on valittu: Update Malwarebytes', Anti-Malwareja
Launch Malwarebytes' Anti-Malware ja sen jälkeen klikkaaFinish.
3. Jos päivitys löytyy. ohjelma lataa ja asentaa uusimman version.
4. Kun ohjelma on latautunut, valitse Perform full scan ja klikkaa Scan.
5. Kun skanni on valmis, klikkaa OK ja sitten Show Results nähdäksesi tulokset.
6. Varmistu, että kaikki on merkitty ja klikkaa Remove Selected.
7. Tämän jälkeen loki avautuu muistioon. Tallenna se paikkaan, josta löydät sen helposti. Loki
löytyy myös täältä: C:\Documents and Settings\Käyttäjänimi\Application
Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
8. Lähetä lokin sisältö seuraavassa viestissäsi
=============
1.Lataa Combofix.exe työpöydällesi yhdestä linkistä:
Combofix1
Combofix2
2. Tuplaklikkaa Combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.
===============
Lataa SDFix by AndyManchesta ja tallenna se työpöydällesi.
Käynnistä koneesi vikasietotilaan:
sammuta ja käynnistä
käynnistyksen yhteydessä hakkaa F8 nappia
valitse nuolinäppäimellä vikasietotila
paina enter ja enter
valitse käyttäjätilisi
paina kyllä
Jossakin koneissa hakataan F8:sin sijasta F5:tä
" Kun vikasietotilassa, pura tiedoston SDFix.zip sisältö (SDFix kansio) työpöydällesi. Työpöydälle pitäisi ilmestyä kansio nimeltä SDFix.
" Avaa SDFix-kansio ja tuplaklikkaa tiedostoa RunThis.bat käynnistääksesi ohjelman.
" Paina Y käynnistääksesi skriptin.
" Työkalu puhdistaa troijalaisen palvelut ja tekee myös joitakin korjauksia rekisteriin. Lopuksi se pyytää käynnistämään koneen uudelleen, "Press any key to Reboot".
" Paina mitä tahansa näppäintä ja kone käynnistyy uudelleen.
" Käynnistyminen kestää normaalia kauemmin sillä SDFix puhdistaa konetta.
" Kun kone on käynnistynyt ja työpöytä latautunut, SDFix kertoo että puhdistus on suoritettu, "Finished".
" Paina sitten mitä tahansa näppäintä sulkeaksesi skriptin ja ladataksesi pikakuvakkeet työpöydälle.
" Lopuksi avaa SDFix kansio (työpöydällä) ja kopioi & liitä tiedoston Report.txt sisältö viestiketjuusi uuden HijackThis:n lokin kera.
=================
Lataa Atribunen ATF Cleaner
Ohjeet;
Tupla-klikkaa ATF-Cleaner.exe käynnistääksesi ohjelman.Main:n alla valitse: Select All
Klikkaa Empty Selected valintaa.
Jos käytät FireFoxia selaimenasi Klikkaa Firefox yläpuolelta ja valitse: Select All
Klikkaa Empty Selected valintaa.
HUOMIO: Jos haluaisit pitää tallennetut salasanasi, klikkaa No kun se sitä kysyy.
Jos käytät Operaa selaimenasiKlikkaa Opera yläpuolelta ja valitse: Select All
Klikkaa Empty Selected valintaa taas.
HUOMIO: Jos haluaisit pitää tallennetut salasanasi, klikkaa No kun se sitä kysyy.
Klikkaa Exit päävalikosta sulkeaksesi ohjelman.
Teknistä tukea tulee jos tupla-klikkaat sähköpostiosoitetta joka sijaitsee jokaisen menun alapuolella kyseisessä työkalussa. (Huomatkaa että se tuki on sitten englanniksi)
Voiko tietsikka koskaan toimia?
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 16:58 |
Linkki tähän viestiin
|
|
Malwarebytes' Anti-Malware 1.31
Tietokantaversio: 1506
Windows 5.1.2600 Service Pack 3
16.12.2008 16:52:10
mbam-log-2008-12-16 (16-52-10).txt
Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistetut kohteet: 78319
Kulunut aika: 25 minute(s), 40 second(s)
Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 3
Saastuneita rekisteriavaimia: 30
Saastuneita rekisteriarvoja: 4
Saastuneita rekisterikohteita: 2
Saastuneita hakemistoja: 4
Saastuneita tiedostoja: 38
Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)
Saastuneita muistimoduuleja:
C:\WINDOWS\system32\ddcCvwvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\smffeobn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rwgrec.dll (Trojan.Vundo) -> Delete on reboot.
Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnooijb (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7cb154a-9a6b-462b-9980-bc5f0f72108c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7cb154a-9a6b-462b-9980-bc5f0f72108c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec06803a-c8c9-4f46-8bdb-8ce174db9188} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec06803a-c8c9-4f46-8bdb-8ce174db9188} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\orb.ta (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\orb.ta.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ada8c222-95d2-47b5-950b-aebc0a508839} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ec06803a-c8c9-4f46-8bdb-8ce174db9188} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7cb154a-9a6b-462b-9980-bc5f0f72108c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1b7f9329-aaf9-4e34-8ecf-c363fd3c60cf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21eeb010-57f3-11dd-b116-dad055d89593} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0f3f234 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.
Saastuneita rekisterikohteita:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccvwvs -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddccvwvs -> Delete on reboot.
Saastuneita hakemistoja:
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\' (Trojan.Agent) -> Files: 2600 -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
Saastuneita tiedostoja:
C:\WINDOWS\system32\nnnoOiJb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwgrec.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcCvwvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\svwvCcdd.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\svwvCcdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smffeobn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nboeffms.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Janne\Local Settings\Temp\7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\TDSS6aa7.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\TDSSfd27.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\Temporary Internet Files\Content.IE5\1ZUPK48H\aasuper2[1].htm (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\Temporary Internet Files\Content.IE5\1ZUPK48H\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\Temporary Internet Files\Content.IE5\GVODY4PF\aasuper0[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\Temporary Internet Files\Content.IE5\OYB34KLJ\fymmwnb[1].txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\Temporary Internet Files\Content.IE5\OYB34KLJ\CAVU6HBB (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\Temporary Internet Files\Content.IE5\QWARO7F5\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temporary Internet Files\Content.IE5\6VQ3A5I7\aasuper2[1].htm (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temporary Internet Files\Content.IE5\K9YHI1WF\aasuper0[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temporary Internet Files\Content.IE5\K9YHI1WF\jsphhaxcauoojdi[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6D036AA4-DFD3-49B1-BFA7-5979F89AD586}\RP39\A0009977.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\xbtxcvfx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\30969f35.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\4e33666b.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\a96ea2d.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\TDSSc445.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spria.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS46a9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janne\Local Settings\Temp\TDSS6bc0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Pistän tähän muut logit kuhan kerkiää.
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
|
|
Hujo
Suspended permanently
|
16. joulukuuta 2008 @ 17:12 |
Linkki tähän viestiin
|
|
juu .. jatkoo vain :) pikkasen pari ripoausta mömmöö koneella :)
Voiko tietsikka koskaan toimia?
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 17:14 |
Linkki tähän viestiin
|
Joo no tässä tää combofix logi :D
ComboFix 08-12-15.05 - Janne 2008-12-16 17:02:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1035.18.1023.638 [GMT 2:00]
Sijainti: c:\documents and settings\Janne\Työpöytä\ComboFix.exe
* Uusi palautuspiste luotu
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Janne\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\Fonts\a.zip
c:\windows\system32\AutoRun.inf
c:\windows\system32\TDSSosvd.dat
c:\windows\Tasks\omefsmja.job
----- BITS: Mahdollisesti saastuneet sivut -----
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Ajurit/Palvelut )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_icf
-------\Legacy_tdssserv.sys
-------\Service_tdssserv.sys
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-16 to 2008-12-16 )))))))))))))))))
.
2008-12-16 16:23 . 2008-12-16 16:23 <KANSIO> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 16:23 . 2008-12-16 16:23 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\Malwarebytes
2008-12-16 16:23 . 2008-12-16 16:23 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 16:23 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 16:23 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 15:27 . 2008-12-16 15:27 <KANSIO> d-------- c:\program files\Trend Micro
2008-12-15 22:02 . 2008-12-15 22:02 <KANSIO> d-------- c:\program files\Alwil Software
2008-12-15 21:43 . 2008-12-15 21:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-15 21:43 . 2008-12-15 21:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-15 21:42 . 2008-12-15 21:42 147,456 --a------ c:\windows\system32\vbzip10.dll
2008-12-15 21:38 . 2008-12-15 22:24 <KANSIO> d--hs---- c:\windows\UGVra2EgVGlpbW8
2008-12-15 21:38 . 2008-12-15 21:38 <KANSIO> d-------- c:\windows\system32\whSLD02
2008-12-15 21:38 . 2008-12-15 22:24 <KANSIO> d-------- c:\windows\system32\sln
2008-12-15 21:38 . 2008-12-15 21:39 <KANSIO> d-------- c:\windows\system32\IW2
2008-12-15 21:38 . 2008-12-15 21:38 <KANSIO> d-------- c:\temp\REX81
2008-12-15 21:38 . 2008-12-16 17:03 <KANSIO> d-------- C:\Temp
2008-12-15 21:38 . 2008-12-15 21:38 70,144 --a------ c:\windows\system32\ddcBRklm.dll
2008-12-15 19:08 . 2008-12-15 19:08 0 -rahs---- C:\ctf
2008-12-14 20:33 . 2008-12-14 20:33 <KANSIO> d-------- c:\program files\TeamViewer
2008-12-14 20:33 . 2008-12-14 20:33 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\TeamViewer
2008-12-14 20:32 . 2008-12-14 20:32 <KANSIO> d-------- c:\documents and settings\Janne\temp
2008-12-13 20:05 . 2008-12-13 20:05 98,304 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-13 18:08 . 2001-10-05 15:59 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-13 18:08 . 2001-10-05 15:59 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-13 18:08 . 2008-04-13 20:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-13 18:08 . 2008-04-13 20:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-13 12:44 . 2003-07-19 08:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-12-13 12:44 . 2005-01-02 23:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-12-13 12:43 . 2008-12-13 12:43 <KANSIO> d-------- c:\program files\Common Files\INCA Shared
2008-12-12 23:18 . 2008-12-12 23:18 <KANSIO> d-------- C:\ijji
2008-12-12 23:18 . 2008-12-13 00:15 <KANSIO> d--h----- c:\documents and settings\Janne\Application Data\ijjigame
2008-12-11 22:37 . 2008-12-11 22:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-11 15:36 . 2008-12-15 20:21 <KANSIO> d-------- c:\program files\Common Files\Blizzard Entertainment
2008-12-05 14:59 . 2008-12-11 16:21 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\foobar2000
2008-12-05 14:49 . 2008-12-15 21:57 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\LimeWire
2008-11-29 21:13 . 2008-12-15 20:24 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\skypePM
2008-11-29 21:13 . 2008-11-29 21:13 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-29 21:11 . 2008-12-15 21:42 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-29 19:21 . 2008-11-29 19:21 13,646 --a------ c:\windows\system32\wpa.bak
2008-11-29 19:21 . 2008-11-29 19:21 5,208 --a------ c:\windows\system32\pid.PNF
2008-11-29 19:05 . 2008-11-29 19:05 <KANSIO> d-------- c:\windows\Logs
2008-11-29 19:04 . 2008-11-29 19:04 682,280 --a------ c:\windows\system32\pbsvc.exe
2008-11-28 22:55 . 2008-11-28 22:55 <KANSIO> d-------- c:\program files\Ventrilo
2008-11-28 22:55 . 2008-11-29 14:21 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\Ventrilo
2008-11-28 22:55 . 2008-11-28 22:55 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-25 23:09 . 2008-11-25 23:09 <KANSIO> d-------- c:\windows\system32\fi-fi
2008-11-25 23:09 . 2008-11-25 23:09 <KANSIO> d-------- c:\windows\system32\fi
2008-11-25 23:09 . 2008-11-25 23:09 <KANSIO> d-------- c:\windows\system32\bits
2008-11-25 23:09 . 2008-11-25 23:09 <KANSIO> d-------- c:\windows\l2schemas
2008-11-25 23:08 . 2008-11-25 23:08 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-11-25 23:04 . 2008-11-25 23:04 <KANSIO> d-------- c:\windows\EHome
2008-11-25 16:50 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-25 16:50 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-25 16:50 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-24 22:15 . 2008-12-16 16:46 <KANSIO> d-------- c:\documents and settings\Janne\Application Data\Xfire
2008-11-24 22:10 . 2008-11-24 22:10 <KANSIO> d---s---- c:\documents and settings\Janne\UserData
2008-11-24 22:07 . 2008-11-24 22:07 <KANSIO> d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-11-24 22:03 . 2008-11-24 22:03 <KANSIO> d----c--- c:\windows\system32\DRVSTORE
2008-11-24 22:03 . 2008-11-25 17:53 <KANSIO> d-------- c:\documents and settings\Janne\Contacts
2008-11-24 21:59 . 2008-11-25 22:16 <KANSIO> d-------- c:\program files\Windows Live
2008-11-24 21:59 . 2008-11-24 22:00 <KANSIO> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-24 21:59 . 2008-11-24 21:59 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-24 21:56 . 2008-11-24 21:56 <KANSIO> d-------- c:\windows\system32\LogFiles
2008-11-24 21:56 . 2008-12-15 20:25 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2008-11-24 21:56 . 2008-12-15 20:25 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-11-24 21:56 . 2008-11-24 23:08 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-11-24 21:56 . 2008-11-29 19:04 22,328 --a------ c:\documents and settings\Janne\Application Data\PnkBstrK.sys
2008-11-24 21:56 . 2008-11-24 21:56 319 --a------ c:\windows\game.ini
2008-11-24 21:46 . 2008-11-29 19:18 <KANSIO> d-------- c:\program files\Activision
2008-11-24 21:42 . 2008-11-24 21:42 <KANSIO> d--hs---- c:\windows\ftpcache
2008-11-24 21:34 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2008-11-24 21:33 . 2004-09-14 16:06 326,912 --------- c:\windows\system32\drivers\ati2mtaa.sys
2008-11-24 21:14 . 2008-09-15 17:27 1,846,656 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-24 21:14 . 2008-09-08 12:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-24 21:14 . 2008-06-14 19:34 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-24 21:14 . 2008-06-14 19:34 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-24 21:14 . 2008-08-14 12:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-24 21:12 . 2008-08-14 15:25 2,191,488 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-24 21:12 . 2008-08-14 15:25 2,147,840 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-24 21:12 . 2008-08-14 15:25 2,068,352 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-24 21:12 . 2008-08-14 15:24 2,026,496 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-24 21:11 . 2008-11-24 21:11 <KANSIO> d-------- c:\windows\Sun
2008-11-24 21:11 . 2008-04-11 21:05 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-24 21:11 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-24 21:11 . 2008-05-08 16:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-24 21:08 . 2008-10-15 18:37 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-24 20:59 . 2008-11-28 22:55 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 20:58 . 2008-11-24 20:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 20:52 . 2008-11-24 20:52 <KANSIO> d-------- c:\documents and settings\NetworkService\Application Data\Xfire
2008-11-24 20:51 . 2008-12-16 16:46 <KANSIO> d-------- c:\program files\Xfire
2008-11-24 20:51 . 2008-11-24 20:52 <KANSIO> d-------- c:\documents and settings\Omistaja\Application Data\Xfire
2008-11-24 17:33 . 2008-11-24 17:33 <KANSIO> d-------- c:\program files\Realtek AC97
2008-11-24 16:12 . 2008-11-24 16:12 0 --a------ c:\windows\ativpsrm.bin
2008-11-24 16:11 . 2008-10-28 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2008-11-24 16:10 . 2008-11-24 16:10 <KANSIO> d-------- C:\ATI
2008-11-24 16:07 . 2008-07-10 04:07 7,143 --a------ c:\windows\system32\nvide.nvu
2008-11-24 16:06 . 2008-11-24 16:06 <KANSIO> d-------- C:\NVIDIA
2008-11-24 16:06 . 2008-08-27 13:58 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-24 16:06 . 2008-07-29 13:33 446,464 --a------ c:\windows\system32\nvunrm.exe
2008-11-24 16:06 . 2008-07-29 13:30 6,045 --a------ c:\windows\system32\nvnrm.nvu
2008-11-24 16:06 . 2008-07-08 01:45 4,984 --a------ c:\windows\system32\drivers\nvphy.bin
2008-11-19 16:46 . 2008-12-05 18:28 <KANSIO> d-------- c:\windows\system32\Adobe
2008-11-19 16:46 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2008-11-19 16:26 . 2008-11-19 16:26 <KANSIO> d-------- c:\windows\Downloaded Installations
2008-11-19 16:26 . 2008-11-19 16:26 <KANSIO> d-------- c:\program files\Siemens
2008-11-19 16:26 . 2008-12-15 21:41 <KANSIO> d--h----- c:\program files\InstallShield Installation Information
2008-11-19 16:26 . 2008-11-19 16:26 <KANSIO> d-------- c:\program files\Funk Software
2008-11-19 16:26 . 2008-11-19 16:26 <KANSIO> d-------- c:\program files\Common Files\Funk Software
2008-11-19 16:26 . 2003-07-16 22:43 94,208 --a------ c:\windows\system32\W32N50CT.dll
2008-11-19 16:26 . 2003-05-14 16:01 62,673 -ra------ c:\windows\system32\drivers\odysseyIM3.sys
2008-11-19 16:26 . 2003-07-16 22:28 17,142 --a------ c:\windows\system32\CBTNDIS5.sys
2008-11-19 16:26 . 1998-05-13 00:00 4,716 --a------ c:\windows\system32\VERSION.LIB
2008-11-19 16:25 . 2008-11-24 17:32 <KANSIO> d-------- c:\program files\Common Files\InstallShield
2008-11-19 16:19 . 2008-11-14 17:49 <KANSIO> d--h----- c:\documents and settings\Maritta\Verkkoympäristö
2008-11-19 16:19 . 2008-11-14 15:54 <KANSIO> d-------- c:\documents and settings\Maritta\Työpöytä
2008-11-19 16:19 . 2008-11-14 17:49 <KANSIO> d--h----- c:\documents and settings\Maritta\Tulostinympäristö
2008-11-19 16:19 . 2008-11-19 16:19 <KANSIO> dr------- c:\documents and settings\Maritta\Suosikit
2008-11-19 16:19 . 2008-11-19 16:19 <KANSIO> dr------- c:\documents and settings\Maritta\Omat tiedostot
2008-11-19 16:19 . 2008-11-14 15:52 <KANSIO> d--h----- c:\documents and settings\Maritta\Mallit
2008-11-19 16:19 . 2008-11-14 17:49 <KANSIO> dr------- c:\documents and settings\Maritta\Käynnistä-valikko
2008-11-19 16:19 . 2008-11-19 16:19 <KANSIO> d-------- c:\documents and settings\Maritta
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 19:43 --------- d-----w c:\program files\Java
2008-11-14 15:25 --------- d-----w c:\documents and settings\Omistaja\Application Data\InterTrust
2008-11-14 14:50 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 13:54 --------- d-----w c:\program files\microsoft frontpage
2008-11-14 13:54 --------- d-----w c:\program files\Common Files\Java
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-12-15 17:17 66,576 ----a-w c:\program files\mozilla firefox\components\dcedfaedd.dll
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Omistaja\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-12-11 2990416]
c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Gigaset WLAN Adapter Monitor.lnk - c:\program files\Siemens\Gigaset USB Stick 54\Gcc.exe [2008-11-19 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rwgrec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswsp.sys [2008-12-15 111184]
R2 aswfsblk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-15 20560]
S1 30969f35;30969f35;c:\windows\system32\drivers\30969f35.sys []
S1 4e33666b;4e33666b;c:\windows\system32\drivers\4e33666b.sys []
S1 a96ea2d;a96ea2d;c:\windows\system32\drivers\a96ea2d.sys []
.
.
------- Täydentävä tarkistus -------
.
FF - ProfilePath - c:\documents and settings\Janne\Application Data\Mozilla\Firefox\Profiles\e8yeqwp6.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 17:10:06
Windows 5.1.2600 Service Pack 3 NTFS
tarkistaa piilotettuja prosesseja ...
tarkistaa piilotettuja käynnistysarvoja ...
tarkistaa piilotettuja tiedostoja ...
tarkistus on valmis
piilotetut tiedostot: 0
**************************************************************************
.
--------------------- Prosesseihin ladatut DLLt ---------------------
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Muut prosessit ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Siemens\Gigaset USB Stick 54\OdHost.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Valmistumisajankohta: 2008-12-16 17:11:56 - kone käynnistettiin uudelleen
ComboFix-quarantined-files.txt 2008-12-16 15:11:50
Ennen ajoa: 181 960 667 136 tavua vapaana
Ajon jälkeen: 182,045,409,280 tavua vapaana
WindowsXP-KB310994-SP2-Home-BootDisk-FIN.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
247 --- E O F --- 2008-12-11 05:33:54
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
|
|
Hujo
Suspended permanently
|
16. joulukuuta 2008 @ 17:22 |
Linkki tähän viestiin
|
|
joo hienoo tulee pikku hiljaa :D
Voiko tietsikka koskaan toimia?
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 17:40 |
Linkki tähän viestiin
|
No tässä tämä SDFix
SDFix: Version 1.240
Run by Janne on ti 16.12.2008 at 17:29
Microsoft Windows XP [versio 5.1.2600]
Running From: C:\Documents and Settings\Janne\Ty?p?yt?\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 17:34:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"="C:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe:*:Enabled:PurpleBean.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
Files with Hidden Attributes :
Tue 16 Dec 2008 13,806,828 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5fff50ef3e26a5952aef7b3e0b751b8d\BITF.tmp"
Fri 5 Dec 2008 25,754,696 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78f0cd71f90d172e09db9b83b456d26c\BIT2B.tmp"
Finished!
__________________________________________________________________
Ja tässä uusi Hijack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:47, on 16.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Siemens\Gigaset USB Stick 54\Gcc.exe
C:\Program Files\Siemens\Gigaset USB Stick 54\OdHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Program Files\Siemens\Gigaset USB Stick 54\Gcc.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O20 - AppInit_DLLs: rwgrec.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
--
End of file - 4869 bytes
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 17:41 |
Linkki tähän viestiin
|
|
Taino toivottavasti nämä ovat niitä okeita :D
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 17:44 |
Linkki tähän viestiin
|
|
Joo no nyt on kaikki kohdat suoritettu :D eli vieläkö pitää tehdä jotain? :)
Edit:
tiedän muokkausta ois voinu painaa.. kaveri sähläs ^^
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 16. joulukuuta 2008 @ 17:57
|
|
Hujo
Suspended permanently
|
16. joulukuuta 2008 @ 17:57 |
Linkki tähän viestiin
|
on siinä muutama oikeekin :D
================
scannaa hjt:llä merkkaa paina Fix checked
O20 - AppInit_DLLs: rwgrec.dll
================
tyhjennä Malwarebytes' Anti-Malware karanteeni poista roskat
===============
Kirjoita suorita luukkuu
ComboFix /u
paina ok
===============
Lataa OTMoveIt
OTMoveIt ja tallenna se työpöydällesi.
Tuplaklikkaa OTMoveIt.exe.
Klikkaa CleanUp!.
Valitse Yes kun kysytään "Begin cleanup Process?".
Jos pyydetään, että saako koneen käynnistää uudeelleen, valitse Yes.OTMoveIt poistaa itsensä kun se on valmis, jos näin ei käy poista se itse.
HUOM: Jos palomuurisi tai joku muu tietoturvaohjelma varoittaa, että OTMoveIt yrittää päästä nettin, niin anna sen päästä sinne.
Voiko tietsikka koskaan toimia?
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 18:14 |
Linkki tähän viestiin
|
|
Noniin toikin on nytten tehty. pitäisi olla puhdasta? pitääkö vielä pistää jotain logia?
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
|
|
Hujo
Suspended permanently
|
16. joulukuuta 2008 @ 18:16 |
Linkki tähän viestiin
|
|
mites se kone toimii.
Voiko tietsikka koskaan toimia?
|
|
J3pp3
Suspended due to non-functional email address
|
16. joulukuuta 2008 @ 18:18 |
Linkki tähän viestiin
|
|
Juu nyt näyttää kyllä toimivan hyvin.. ja linkkejäkin voi jo painaa xD eikä tule enää ikkunoita itestään
Ati Radeon 4870 512mb|E8500 @ 3.8GHz|Noctua U9B cooleri|Asus P5Q Pro|
4GB 800MHz DDR 2|1 TiB kiintolevy|Polttava DVD-asema|Coolermaster CM690
Näppis: G11. Hiiri: MX518. Näyttö: 22" WIDE TFT
Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 16. joulukuuta 2008 @ 18:19
|
|
Mainos
|
|
|
|
Hujo
Suspended permanently
|
16. joulukuuta 2008 @ 19:27 |
Linkki tähän viestiin
|
|
pyyhkäse vielä pölyt ATF Cleanerillä
se on sinä se on siinä ..
Voiko tietsikka koskaan toimia?
|
