All right, first of all here is the ComboFix log:
ComboFix 08-06-20.4 - DTK Computer 2008-06-22 12:01:08.2 - NTFSx86
Running from: C:\Documents and Settings\DTK Computer\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\DTK Computer\Työpöytä\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\ewdjbptc.dll
C:\WINDOWS\system32\jxjdgfpw.dll
C:\WINDOWS\system32\khfGwXqP.dll
C:\WINDOWS\system32\ljJATMET.dll
C:\WINDOWS\system32\rdwronei.dll
C:\WINDOWS\system32\yayWqrSk.dll
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMaf827668.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ewdjbptc.dll
C:\WINDOWS\system32\jxjdgfpw.dll
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-22 to 2008-06-22 )))))))))))))))))
.
2008-06-22 11:57 . 2008-06-22 11:57 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja
2008-06-22 08:16 . 2008-06-22 08:16 99,328 --a------ C:\WINDOWS\system32\svrmkrbk.dll
2008-06-22 08:14 . 2008-06-22 08:14 80,384 --a------ C:\WINDOWS\system32\eoygmobh.dll
2008-06-22 08:11 . 2008-06-22 08:11 90,624 --a------ C:\WINDOWS\system32\wfqiygps.dll
2008-06-21 11:16 . 2008-06-22 10:28 <KANSIO> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 07:04 . 2008-06-22 12:08 364,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-21 07:04 . 2008-06-22 11:37 4,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-21 06:58 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-21 06:56 . 2008-06-21 06:56 <KANSIO> d-------- C:\Program Files\Zone Labs
2008-06-21 06:49 . 2008-06-21 06:49 322,560 --------- C:\WINDOWS\system32\khfGwXqP.dll_old
2008-06-20 06:32 . 2008-06-22 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 06:32 . 2008-06-20 06:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-17 22:55 . 2008-06-17 22:55 <KANSIO> d-------- C:\WINDOWS\system32\netrax01
2008-06-17 22:55 . 2008-06-17 22:56 <KANSIO> d-------- C:\TEMP\itmp4
2008-06-08 05:13 . 2008-06-08 05:13 32,768 --a------ C:\WINDOWS\system32\netrax01\netrax011065.exe
2008-05-30 21:02 . 2008-05-30 21:02 <KANSIO> d-------- C:\Documents and Settings\DTK Computer\Application Data\CANON INC
2008-05-30 21:02 . 2008-05-30 21:05 <KANSIO> d-------- C:\Documents and Settings\DTK Computer\Application Data\CameraWindowDC
2008-05-30 21:01 . 2004-09-15 02:11 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-30 21:01 . 2001-10-05 16:31 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-30 19:45 . 2008-05-30 19:45 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-30 19:42 . 2008-05-30 19:42 <KANSIO> d-------- C:\Program Files\Common Files\Canon
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 09:00 --------- d-----w C:\Documents and Settings\DTK Computer\Application Data\DNA
2008-06-22 07:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 17:42 --------- d-----w C:\Program Files\WorldAntiSpy
2008-06-21 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinSoftware
2008-06-21 08:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 07:01 --------- d-----w C:\Program Files\Lavasoft
2008-06-21 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 08:10 --------- d-----w C:\Documents and Settings\DTK Computer\Application Data\Move Networks
2008-06-15 06:41 --------- d-----w C:\Documents and Settings\DTK Computer\Application Data\uTorrent
2008-06-15 04:38 --------- d-----w C:\Program Files\DC++
2008-06-14 17:59 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 16:49 --------- d-----w C:\Program Files\Canon
2008-05-25 11:26 --------- d-----w C:\Program Files\Last.fm
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-27 15:39 --------- d-----w C:\Program Files\Animated GIF Banner Maker
2008-04-21 07:02 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-02 18:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-24 19:07 3,532 ----a-w C:\drmHeader.bin
2005-07-14 13:15 1,212 -c--a-r C:\Program Files\OUsr600.dat
2003-10-14 15:05 1,623 -c--a-w C:\Program Files\INSTALL.LOG
2005-03-10 00:05 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13F80174-4491-4B88-9A24-9ECE508970F6}]
C:\WINDOWS\system32\khfGwXqP.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8174EDF1-EC3A-41E2-84E4-4C4F77A5E1FB}]
C:\WINDOWS\system32\yayWqrSk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\tcpmyb]
@={22DF6344-7739-7570-3D02-0FB587B3F2D8}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 02:12 15360]
"Contact Manager Alerts"="C:\Program Files\Contact Manager 2007\Alerts.exe" [2006-12-17 19:58 6320128]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 05:35 289088]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 16:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 07:24 286720]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 04:10 409600]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25 6731312]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"acb145f4"="C:\WINDOWS\system32\rdwronei.dll" [ ]
"BMaf827668"="C:\WINDOWS\system32\wfqiygps.dll" [2008-06-22 08:11 90624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-15 02:12 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 00:18 443968]
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-11 14:27:45 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Free WebSite Tools.lnk - C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2003-10-24 15:27:53 372224]
ORiNOCO Client Manager.lnk - C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe [2003-10-13 14:48:42 323584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Media Player Classic\\mplayerc.exe"=
"C:\\Program Files\\Bersirc\\Bersirc.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-10-27 17:39]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 wlluc51;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\wlluc51.sys [2001-12-04 16:22]
S3 wlluc51b;ORINOCO USB Card Driver;C:\WINDOWS\system32\DRIVERS\wlluc51b.sys [2002-10-14 08:53]
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-05-24 15:23:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 12:07:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-22 12:14:20
ComboFix-quarantined-files.txt 2008-06-22 09:14:12
ComboFix2.txt 2008-06-22 08:57:06
Pre-Run: 917,323,776 tavua vapaana
Post-Run: 905,752,576 tavua vapaana
146 --- E O F --- 2008-06-20 03:56:16
----
Next, the new HjT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:53, on 22.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Contact Manager 2007\Alerts.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netsor.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {13F80174-4491-4B88-9A24-9ECE508970F6} - C:\WINDOWS\system32\khfGwXqP.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BMaf827668] Rundll32.exe "C:\WINDOWS\system32\wfqiygps.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Contact Manager Alerts] C:\Program Files\Contact Manager 2007\Alerts.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus SmartSuite 97 rekisteröiminen.lnk = C:\lotus\register\remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18BB8178-C223-4E64-8E91-AF45A6FB9098}: NameServer = 193.210.18.18,212.213.216.195
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7581 bytes
---
And here is the Malwarebytes log file:
Malwarebytes' Anti-Malware 1.18
Tietokantaversio: 876
14:34:07 22.6.2008
mbam-log-6-22-2008 (14-34-07).txt
Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistetut kohteet: 105998
Kulunut aika: 1 hour(s), 44 minute(s), 35 second(s)
Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 1
Saastuneita rekisteriarvoja: 1
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 1
Saastuneita tiedostoja: 3
Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)
Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)
Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMaf827668 (Trojan.Agent) -> Delete on reboot.
Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)
Saastuneita hakemistoja:
C:\WINDOWS\system32\netrax01 (Trojan.Agent) -> Quarantined and deleted successfully.
Saastuneita tiedostoja:
C:\WINDOWS\system32\netrax01\netrax011065.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wfqiygps.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
---
One detail worth mentioning: the websites mentioned earlier that I could not reach with Firefox or Opera opened normally in Internet Explorer (as did this site). I should also add that when I start the computer, an error box appears on top of the desktop wallpaper with the following text:
"Virhe ladattaessa C:\WINDOWS\System32\wfqiygps.dll"
"Määritettyä osaa ei löydy"
I suppose that can be fixed somehow, or can it?