I've been running SuperAntiSpyware and the machine keeps finding 3 CommonName toolbar/browser helper objects. Once they've been quarantined, the machine rebooted and scanned again with the program, the same objects are still sitting there on the machine... Do they always come back from somewhere, or does the program not actually deal with them at all? I tried googling, but it mostly sends me to English-language sites, and English doesn't really translate into Savo dialect. Are these dangerous at all? OS is Vista Home Premium. Thanks
Try running Malwarebytes Anti-Malware and see if it agrees to remove them. Here's a link where you can download it. Always update before scanning!
Malwarebytes has been run plenty of times (updated) and finds nothing, but here's the report; only ESET NOD32 (antivirus) was on during the scan.

ComboFix 09-11-05.05 - heppu1000 07.11.2009 0:25.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.358.1035.18.3070.1993 [GMT 2:00]
Sijainti: c:\users\heppu1000\Documents\Downloads\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Virustorjunnan taustasuojaus on päällä
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-10-06 to 2009-11-06 )))))))))))))))))
.
2009-11-06 22:31 . 2009-11-06 22:31 -------- d-----w- c:\users\heppu1000\AppData\Local\temp
2009-11-06 22:31 . 2009-11-06 22:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-06 22:31 . 2009-11-06 22:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-06 18:21 . 2009-11-06 18:21 -------- d-----w- c:\program files\ESET
2009-11-05 16:45 . 2009-11-05 16:46 -------- d-----w- c:\users\heppu1000\AppData\Local\Adobe
2009-10-27 19:09 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 19:09 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-16 09:06 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 09:06 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 09:06 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 09:05 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 09:05 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 09:05 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 03:16 . 2009-10-12 03:28 4096 d-----w- c:\program files\Audacity
2009-10-11 17:02 . 2009-10-12 03:18 4096 d-----w- c:\program files\Lame for Audacity
2009-10-10 20:18 . 2009-10-11 17:04 -------- d-----w- c:\users\heppu1000\AppData\Roaming\Audacity
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 21:49 . 2009-06-02 07:23 4096 d-----w- c:\users\heppu1000\AppData\Roaming\Skype
2009-11-06 21:44 . 2009-08-22 18:13 -------- d-----w- c:\users\heppu1000\AppData\Roaming\Spotify
2009-11-06 21:34 . 2007-10-03 00:44 80514 ----a-w- c:\windows\system32\perfc00B.dat
2009-11-06 21:34 . 2007-10-03 00:44 435388 ----a-w- c:\windows\system32\perfh00B.dat
2009-11-06 19:21 . 2009-07-29 19:34 117760 ----a-w- c:\users\heppu1000\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 19:18 . 2009-06-03 18:38 1698 ----a-w- c:\users\heppu1000\AppData\Roaming\wklnhst.dat
2009-11-06 19:11 . 2009-05-28 15:56 4096 d-----w- c:\users\heppu1000\AppData\Roaming\skypePM
2009-11-04 16:27 . 2009-09-04 16:17 -------- d-----w- c:\users\heppu1000\AppData\Roaming\IObit
2009-11-01 19:15 . 2009-08-15 07:24 8192 d-----w- c:\users\heppu1000\AppData\Roaming\uTorrent
2009-11-01 19:03 . 2009-07-14 22:03 8192 d-----w- c:\programdata\CanonIJPLM
2009-10-31 16:02 . 2009-10-04 10:39 4096 d-----w- c:\users\heppu1000\AppData\Roaming\vlc
2009-10-31 15:14 . 2009-05-24 21:30 72192 ----a-w- c:\users\heppu1000\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-30 23:10 . 2007-10-02 14:44 4096 d-----w- c:\program files\Roxio
2009-10-30 23:10 . 2007-10-02 14:44 4096 d-----w- c:\program files\Common Files\Roxio Shared
2009-10-30 22:54 . 2007-10-02 14:40 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 22:52 . 2009-08-25 14:45 -------- d-----w- c:\program files\Unity
2009-10-28 19:17 . 2009-07-29 19:33 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-10-25 15:14 . 2009-08-15 14:59 8192 d-----w- c:\users\heppu1000\AppData\Roaming\dvdcss
2009-10-24 21:34 . 2009-06-17 19:46 -------- d-----w- c:\programdata\WinZip
2009-10-24 14:38 . 2007-10-02 14:59 -------- d-----w- c:\program files\Google
2009-10-17 15:10 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-01 07:29 . 2009-10-02 16:47 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-29 05:54 . 2009-09-29 05:49 -------- d-----w- c:\programdata\Norton
2009-09-29 05:49 . 2009-09-29 05:49 -------- d-----w- c:\programdata\Symantec
2009-09-28 18:09 . 2009-07-17 20:05 -------- d-----w- c:\users\heppu1000\AppData\Roaming\gtk-2.0
2009-09-28 18:01 . 2009-07-14 22:21 -------- d-----w- c:\programdata\CanonIJ
2009-09-20 08:44 . 2009-09-20 08:44 -------- d-----w- c:\program files\LucasArts
2009-09-18 22:24 . 2009-09-18 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-18 22:24 . 2007-10-02 14:53 -------- d-----w- c:\program files\Java
2009-09-18 19:43 . 2009-06-09 19:47 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 19:43 . 2009-06-23 17:11 4045528 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-11 05:26 . 2009-09-11 05:26 95896 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-09-11 05:23 . 2009-09-11 05:23 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-11 05:17 . 2009-09-11 05:17 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-10 11:54 . 2009-06-09 19:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 11:53 . 2009-06-09 19:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 12:04 . 2009-09-06 12:04 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-06 10:51 . 2009-05-25 08:01 48747 ----a-w- c:\programdata\nvModes.dat
2009-09-03 14:40 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-29 00:27 . 2009-09-03 11:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 11:53 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-22 19:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-22 19:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-22 19:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-22 19:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-25 14:45 . 2009-08-12 17:52 1356 ----a-w- c:\users\heppu1000\AppData\Local\d3d9caps.dat
2009-08-14 16:27 . 2009-09-10 15:37 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 15:37 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 15:37 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 15:37 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 15:37 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 15:37 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 15:37 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 15:37 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 15:37 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 15:37 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 15:37 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-12 17:55 . 2009-08-12 17:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2007-10-03 01:02 . 2007-10-03 00:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-11-06_21.22.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 21:27 . 2009-11-06 21:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-06 18:05 . 2009-11-06 18:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-06 21:27 . 2009-11-06 21:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-11-06 18:05 . 2009-11-06 18:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\heppu1000\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"V0230Mon.exe"="c:\windows\System32\V0230Mon.exe" [2006-07-19 36961]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"V0230Cfg.exe"="V0230Cfg.exe" - c:\windows\V0230Cfg.exe [2006-03-15 9216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-28 19:17 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):92,da,02,6d,a5,2c,ca,01

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [11.9.2009 7:23 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28.7.2009 9:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28.7.2009 9:53 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11.9.2009 7:24 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [11.9.2009 7:26 95896]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2.10.2007 16:53 198240]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [2.10.2007 16:39 968064]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\System32\drivers\netr73.sys [26.2.2008 8:17 493568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28.7.2009 9:53 7408]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [19.3.2009 12:48 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [19.3.2009 12:48 8320]
S3 V0230Vfx;V0230Vfx;c:\windows\System32\drivers\V0230Vfx.sys [2.6.2009 8:34 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\System32\drivers\V0230VID.sys [2.6.2009 8:34 498464]

--- Muut muistissa olevat ajurit/palvelut ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
'Ajoitetut tehtävät'-kansion sisältö

2009-11-06 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-09-04 06:55]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4032475782-4161163969-468228600-1000Core.job
- c:\users\heppu1000\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-25 06:51]

2009-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4032475782-4161163969-468228600-1000UA.job
- c:\users\heppu1000\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-25 06:51]
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.iltalehti.fi/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FI_FI&c=74&bd=Pavilion&pf=desktop
IE: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 00:31
Windows 6.0.6002 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x851221F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x851211f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Valmistumisajankohta: 2009-11-06 0:33
ComboFix-quarantined-files.txt 2009-11-06 22:33
ComboFix2.txt 2009-11-06 21:24

Ennen ajoa: 173 235 482 624 tavua vapaana
Ajon jälkeen: 173 206 605 824 tavua vapaana

- - End Of File - - F3A3EBF9EFF51E848E157D10D48AB40D
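As an added example that is not part of this thread and not ComboFix's own code: a small Python triage script that parses the three sections of a log like the one posted above that a reviewer reads first (the Run-key values, the R/S driver and service lines, and the Gmer MBR detector section) and turns them into a short list of findings. The excerpt it runs on is constructed from lines copied out of the post; the reading of the service prefix as R = running / S = stopped with the digit as start type, the "bare file name" and "starts from a user profile" heuristics, and all function names are my assumptions, not anything ComboFix documents.

```python
import re
from typing import Dict, List

# Constructed excerpt: these lines are copied from the ComboFix log posted
# above (Run keys, driver/service lines, Gmer MBR section); the selection
# and ordering are mine, it is not a complete ComboFix file.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\heppu1000\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-25 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"V0230Mon.exe"="c:\windows\System32\V0230Mon.exe" [2006-07-19 36961]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"V0230Cfg.exe"="V0230Cfg.exe" - c:\windows\V0230Cfg.exe [2006-03-15 9216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [11.9.2009 7:23 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28.7.2009 9:53 9968]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11.9.2009 7:24 735960]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\System32\drivers\netr73.sys [26.2.2008 8:17 493568]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [19.3.2009 12:48 136704]
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x851221F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x851211f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# "name"="value" [yyyy-mm-dd size]; ComboFix appends " - <path>" when the
# value is a bare file name that it resolved itself.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))? \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# R1 name;display name;path [d.m.yyyy h:mm size]
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<stamp>.+) (?P<size>\d+)\]$'
)
HOOK_RE = re.compile(r'^(\\Driver\\\S+) -> (0x[0-9a-fA-F]+)$')
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<')
USER_PROFILE = "c:\\users\\"   # heuristic: autostarts from a user-writable profile get a second look


def parse_run_entries(text: str) -> List[Dict[str, object]]:
    """Collect Run-key values together with the registry key they live under."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("[HKEY") or line.startswith("[hkey"):
            key = line.strip("[]")
            continue
        m = RUN_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            entries.append({
                "key": key, "name": m.group("name"), "value": m.group("value"),
                "path": m.group("resolved") or m.group("value"),
                "bare_name": m.group("resolved") is not None,
                "date": m.group("date"), "size": int(m.group("size")),
            })
    return entries


def parse_services(text: str) -> List[Dict[str, object]]:
    """Parse the R/S driver and service lines (R = running, S = stopped: my reading)."""
    services = []
    for line in text.splitlines():
        m = SVC_RE.match(line)
        if m:
            services.append({
                "running": m.group("start")[0] == "R",
                "start_type": int(m.group("start")[1]),
                "name": m.group("name"), "display": m.group("display"),
                "path": m.group("path"), "size": int(m.group("size")),
            })
    return services


def mbr_findings(text: str) -> Dict[str, object]:
    """Pull the hooked driver objects, the warning flag and unknown module addresses."""
    hooks, in_hooks, warning = [], False, False
    for line in text.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                hooks.append((m.group(1), m.group(2)))
                continue
            in_hooks = False          # first non-hook line ends the list
        if line.startswith("Warning: possible MBR rootkit infection"):
            warning = True
    return {"hooks": hooks, "warning": warning, "unknown_modules": UNKNOWN_RE.findall(text)}


def triage(text: str) -> List[str]:
    """Turn the parsed sections into the handful of lines a reviewer reads first."""
    notes = []
    mbr = mbr_findings(text)
    if mbr["warning"] or mbr["hooks"]:
        hooked = ", ".join(h[0] for h in mbr["hooks"]) or "none listed"
        unknown = ", ".join(mbr["unknown_modules"]) or "n/a"
        notes.append(f"MBR rootkit warning: hooked {hooked}; unknown kernel module at {unknown}")
    for e in parse_run_entries(text):
        if e["bare_name"]:
            notes.append(f"Run value '{e['name']}' is a bare file name, resolved to {e['path']}")
        if str(e["path"]).lower().startswith(USER_PROFILE):
            notes.append(f"Run value '{e['name']}' starts from a user profile path: {e['path']}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

Run as a script it prints three findings for this excerpt: the atapi hook and the unknown module address from the Gmer section, the V0230Cfg.exe value stored as a bare file name (ComboFix resolved it to c:\windows), and the Google updater starting from the user's profile. The last two are not malicious by themselves; they are simply the entries worth checking first, and the parsed dicts give a reviewer the path, size and date to compare against a known-good install before anyone acts on the log's fixmbr advice.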
A log is always a golden find. Possibly unsigned drivers(?). Several antivirus products on the machine at the same time, or leftovers of them(?).
1. Download HJTInstall.exe
2. Save and install HijackThis.
3. Launch HijackThis.
4. Run "Do a system scan and save a logfile". DO NOT press the Analyse This button, and DO NOT try to fix anything yourself.
5. Copy the log that opens in Notepad.
Post the HJT and MBAM logs either in Afterdawn's HJT section or on Virustorjunta.net. NOTE! For your own good, follow only the fixers' advice regarding the log!