
Could some "guru" take a look at this HJT log?

Thread in the Viruses and malware - HijackThis logs section. Thread started by hopo14 on 02.06.2008.

  1. hopo14

    hopo14 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:31, on 2.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\WINDOWS\service.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\mlJAspQk.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows svchost] service.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192744158773
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: mlJAspQk - C:\WINDOWS\SYSTEM32\mlJAspQk.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
    O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
    O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/06/clip_image002.jpg

    --
    End of file - 8067 bytes
     
  3. hopo14

    hopo14 Member

    So how do we proceed from here, could someone help?
     
  4. yaht

    yaht Regular member

    Download Malwarebytes' Anti-Malware to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are selected: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, the program downloads and installs the latest version.
    * Once the program has loaded, select Perform full scan and click Scan.
    * When the scan is complete, click OK and then Show Results to view the results.
    * Make sure everything is checked and click Remove Selected.
    * After this, the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found
    here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Post the contents of the log in your next reply + a new HJT log.
     
  5. hopo14

    hopo14 Member

    Malwarebytes' Anti-Malware 1.14
    Tietokantaversio: 814

    19:38:41 2.6.2008
    mbam-log-6-2-2008 (19-38-41).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|)
    Tarkistetut kohteet: 99227
    Kulunut aika: 1 hour(s), 47 minute(s), 3 second(s)

    Saastuneita muistiprosesseja: 1
    Saastuneita muistimoduuleja: 1
    Saastuneita rekisteriavaimia: 4
    Saastuneita rekisteriarvoja: 2
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 9

    Saastuneita muistiprosesseja:
    C:\WINDOWS\service.exe (Backdoor.Bot) -> Unloaded process successfully.

    Saastuneita muistimoduuleja:
    C:\WINDOWS\system32\mlJAspQk.dll (Trojan.Vundo) -> Unloaded module successfully.

    Saastuneita rekisteriavaimia:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaspqk (Trojan.Vundo) -> Quarantined and deleted successfully.

    Saastuneita rekisteriarvoja:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{487c9905-26a8-42c8-8033-c58ad3d2aec3} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    C:\dci.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\setup.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\setup1.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1C9B5433-8E72-468F-9A63-712FEFB52B73}\RP178\A0040992.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1C9B5433-8E72-468F-9A63-712FEFB52B73}\RP179\A0041042.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1C9B5433-8E72-468F-9A63-712FEFB52B73}\RP179\A0041043.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\bot.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mlJAspQk.dll (Trojan.Vundo) -> Delete on reboot.
     
  6. yaht

    yaht Regular member

    It would be nice to get a new HijackThis log too :D
     
  7. hopo14

    hopo14 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:00:24, on 2.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192744158773
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
    O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
    O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/06/clip_image002.jpg

    --
    End of file - 7403 bytes
     
  8. hopo14

    hopo14 Member

    Did it go right? :D I'm no great virtuoso at this stuff!
     
  9. yaht

    yaht Regular member

    1. Download Combofix.exe to your desktop from either of these links:
    Combofix.exe
    Combofix.exe

    Follow the on-screen instructions.

    Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
    Restart the computer if prompted, and post the contents of the combofix.txt file here.

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, right before posting)
    * The (C:\ComboFix.txt) report
     
  10. hopo14

    hopo14 Member

    So I don't understand. That combofix.exe has no contents at all, 0 KB?? So how can I post its contents here? :D
     
  11. Hujo

    Hujo Guest

    Scan with HJT, check these and press Fix checked:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
    O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
    O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/06/clip_image002.jpg


    ===============

    1. Download combofix.exe to your desktop from one of these links:
    combofix1
    combofix2

    2. Double-click the combofix.exe file and follow the prompts.
    3. When the tool has finished, it produces a log. Post that log in your thread.
    Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
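Added example, not from this thread or from HijackThis, Malwarebytes or ComboFix themselves: a small Python triage script that applies, mechanically, the kind of review the helpers above did by hand on the HijackThis line types they singled out (O2 BHOs with no name or no file, O4 Run entries, O20 Winlogon Notify DLLs, O23 services without a publisher, O24 desktop components under Temp). The regexes, the heuristics and the sample lines (modelled on the log format posted in this thread) are all constructed for the example. The output is a list for a human to review, not a removal list: a legitimate entry such as the bare-filename SoundMan Run value is flagged as well, and the reviewer clears it.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # HijackThis section code (O2, O4, O20, O23, O24)
    reason: str  # why a human reviewer should look at this line
    line: str    # the original log line


# Line patterns for the HijackThis sections the helpers reviewed in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: (?P<name>.*?) - (?P<url>.*)$")


def executable_of(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Walk a HijackThis log and collect the lines a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO with no name, or whose DLL is gone, is an orphan or unidentified code.
            if m["name"] == "(no name)" or m["path"] == "(no file)":
                findings.append(Finding("O2", "unnamed or orphaned BHO", line))
        elif m := O4_RE.match(line):
            # A bare filename is resolved by path search, so the log hides where the file really is.
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                findings.append(Finding("O4", f"Run entry uses bare filename {exe!r}", line))
        elif O20_RE.match(line):
            # Winlogon Notify DLLs are loaded inside winlogon.exe; check the publisher of each one.
            findings.append(Finding("O20", "Winlogon Notify DLL; verify publisher", line))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(Finding("O23", "service binary has no publisher string", line))
        elif m := O24_RE.match(line):
            if re.search(r"/temp/", m["url"], re.IGNORECASE):
                findings.append(Finding("O24", "desktop component served from a Temp folder", line))
    return findings


# Constructed sample lines, modelled on the log format posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Windows svchost] service.exe
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KRKI~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run against a saved HijackThis log by passing its text to `triage()`. The O4 rule is deliberately blunt: any Run value that names a file without a directory is listed, which catches `service.exe` from this thread but also the harmless `SOUNDMAN.EXE`; the point is to shorten the list a person reads, not to decide for them.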
     
  12. hopo14

    hopo14 Member

    ComboFix 08-06-03.1 - Kärki 2008-06-04 11:01:51.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.180 [GMT 3:00]
    Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\setup.exe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
    .

    2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
    2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
    2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-02 19:47 . 2008-06-02 19:47 57,344 --------- C:\WINDOWS\system32\ddcCRKef.dll
    2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
    2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
    2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
    2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
    2008-05-05 20:26 . 2008-05-05 20:26 <KANSIO> d-------- C:\WINDOWS\Sun
    2008-05-05 20:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-05-05 20:25 . 2008-06-02 13:01 <KANSIO> d-------- C:\Program Files\Java
    2008-05-05 20:24 . 2008-05-05 20:24 <KANSIO> d-------- C:\Program Files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
    2008-06-02 19:47 57344 --------- C:\WINDOWS\system32\ddcCRKef.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\ddcCRKef.dll [2008-06-02 19:47 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
    ddcCRKef.dll 2008-06-02 19:47 57344 C:\WINDOWS\system32\ddcCRKef.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Shareaza\\Shareaza.exe"=
    "E:\\Shareaza\\Shareaza.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
    \Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe

    *Newly Created Service* - CATCHME
    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-04 07:07:43 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 11:06:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\ddcCRKef.dll
    .
    Completion time: 2008-06-04 11:08:14
    ComboFix-quarantined-files.txt 2008-06-04 08:08:05

    Pre-Run: 16,029,470,720 tavua vapaana
    Post-Run: 22,099,120,128 tavua vapaana

    115
     
  13. hopo14

    hopo14 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:32:53, on 4.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192744158773
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe

    --
    End of file - 7163 bytes
     
  14. hopo14

    hopo14 Member

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) - this one was not found.

    O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll - This one was found, though; should it have been removed? I haven't removed it yet.
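Added example, not from this thread and not HijackThis or ComboFix code: a small Python triage script for HijackThis v2 entry lines. A responder reading the log posted above would notice that ddcCRKef.dll is reached from two hook types at once (an unnamed O2 BHO and an O20 Winlogon Notify entry, written once as system32 and once as SYSTEM32). The script makes that correlation mechanical by normalising every file path and grouping entries by file, and it also lists the entry classes reviewed first in this thread: unnamed BHOs, Winlogon Notify DLLs and O23 services with an unknown owner. The sample lines are copied from the log above; the regexes, function names and output layout are my own.

```python
"""Triage helper for HijackThis v2 logs.

Added example, not part of this thread and not HijackThis or ComboFix code.
It groups entry lines by the file they point at so that one DLL registered
under several hook types (here an O2 BHO plus an O20 Winlogon Notify entry)
stands out, and lists the entry classes a responder reviews first.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
"""

# "O2 - BHO: ...", "R0 - HKCU...", "F2 - ..." all share the "<kind> - <body>" shape.
ENTRY_RE = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$")
# First absolute Windows path ending in a loadable/executable extension.
# The lazy match stops at the first such extension, so paths with spaces work.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.(?:dll|exe|sys|cpl|ocx)(?=["\s]|$)', re.IGNORECASE)


def parse_entries(log_text):
    """Return a list of (kind, body, normalized_path) tuples.

    normalized_path is lower-cased (NTFS is case-insensitive, and the log
    above writes the same file as system32 and SYSTEM32) or None when the
    entry carries no absolute path.
    """
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0).lower() if pm else None
        entries.append((m.group("kind"), body, path))
    return entries


def triage(log_text):
    """Summarize the entries a responder should look at first."""
    hooks_by_file = defaultdict(set)
    unnamed_bho, winlogon_notify, unknown_owner = [], [], []
    for kind, body, path in parse_entries(log_text):
        if path:
            hooks_by_file[path].add(kind)
        if kind == "O2" and "(no name)" in body:
            unnamed_bho.append(body)
        if kind == "O20" and body.startswith("Winlogon Notify:"):
            winlogon_notify.append(body)
        if kind == "O23" and "Unknown owner" in body:
            unknown_owner.append(body)
    # One file reached from two or more hook types is the strongest signal.
    multi_hook = {p: sorted(k) for p, k in hooks_by_file.items() if len(k) > 1}
    return {
        "multi_hook": multi_hook,
        "unnamed_bho": unnamed_bho,
        "winlogon_notify": winlogon_notify,
        "unknown_owner_services": unknown_owner,
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section}")
        if isinstance(items, dict):
            for path, kinds in items.items():
                print(f"  {path}  <- {', '.join(kinds)}")
        else:
            for item in items:
                print(f"  {item}")
```

Run it on a full log saved from HijackThis and the `multi_hook` section is the one to read first: a legitimately installed component normally appears under one hook type, whereas a file that is both a BHO and a Winlogon Notify DLL has been registered to load into every Internet Explorer and every winlogon.exe session, which matches what the ComboFix output in this thread shows for ddcCRKef.dll.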
     
  15. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [IMG]

    Restart the computer when prompted and post the contents of combofix.txt here.
     
  16. hopo14

    hopo14 Member

    ComboFix 08-06-03.1 - Kärki 2008-06-05 19:49:01.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.105 [GMT 3:00]
    Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-05 to 2008-06-05 )))))))))))))))))
    .

    2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
    2008-06-04 23:29 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
    2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
    2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
    2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
    2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
    2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
    2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
    2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
    2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
    2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-02 19:47 . 2008-06-02 19:47 57,344 --------- C:\WINDOWS\system32\ddcCRKef.dll
    2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
    2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
    2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
    2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
    2008-05-05 20:26 . 2008-05-05 20:26 <KANSIO> d-------- C:\WINDOWS\Sun
    2008-05-05 20:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-05-05 20:25 . 2008-06-02 13:01 <KANSIO> d-------- C:\Program Files\Java
    2008-05-05 20:24 . 2008-05-05 20:24 <KANSIO> d-------- C:\Program Files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-04_11.07.22,03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-04 07:06:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-05 16:36:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2003-10-22 12:43:32 229,376 ----a-r C:\WINDOWS\IP4000,3000\uninstall.exe
    + 2004-06-15 05:10:00 68,096 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP61.DLL
    + 2004-06-15 05:00:00 153,600 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD561.DLL
    + 2004-06-15 05:00:00 397,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR61.DLL
    + 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU61.DLL
    + 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP61.DLL
    + 2004-06-15 05:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP061.DAT
    + 2004-06-15 05:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP161.DAT
    + 2004-06-15 05:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP261.DAT
    + 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI61.DLL
    + 2004-06-15 05:00:00 80,896 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV61.EXE
    + 2004-06-15 05:00:00 837,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB61.DLL
    + 2004-06-15 05:00:00 8,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD61.EXE
    + 2004-06-15 05:00:00 130,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM61.EXE
    + 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ61.EXE
    + 2004-06-15 05:00:00 111,104 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR61.DLL
    + 2004-06-15 05:00:00 322,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB61.DLL
    + 2004-06-15 05:00:00 1,571,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI61.DLL
    + 2004-06-15 05:00:00 219,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR61.DLL
    + 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMW361.DLL
    + 2004-06-15 05:10:00 68,096 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMCP61.DLL
    + 2004-06-15 05:00:00 153,600 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMD561.DLL
    + 2004-06-15 05:00:00 397,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMDR61.DLL
    + 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMFU61.DLL
    + 2004-06-15 05:00:00 19,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMOP61.DLL
    + 2004-06-15 05:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMP061.DAT
    + 2004-06-15 05:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMP161.DAT
    + 2004-06-15 05:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMP261.DAT
    + 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMPI61.DLL
    + 2004-06-15 05:00:00 80,896 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMPV61.EXE
    + 2004-06-15 05:00:00 837,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSB61.DLL
    + 2004-06-15 05:00:00 8,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSD61.EXE
    + 2004-06-15 05:00:00 130,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSM61.EXE
    + 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSQ61.EXE
    + 2004-06-15 05:00:00 111,104 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMSR61.DLL
    + 2004-06-15 05:00:00 322,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMUB61.DLL
    + 2004-06-15 05:00:00 1,571,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMUI61.DLL
    + 2004-06-15 05:00:00 219,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMUR61.DLL
    + 2004-06-15 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip300082f7\CNMW361.DLL
    + 2004-06-15 05:00:00 17,920 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD61.DLL
    + 2004-06-15 05:00:00 54,272 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP61.DLL
    .
    -- Snapshot reset to current date --
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
    2008-06-02 19:47 57344 --------- C:\WINDOWS\system32\ddcCRKef.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\ddcCRKef.dll [2008-06-02 19:47 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
    ddcCRKef.dll 2008-06-02 19:47 57344 C:\WINDOWS\system32\ddcCRKef.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Shareaza\\Shareaza.exe"=
    "E:\\Shareaza\\Shareaza.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
    \Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe

    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-05 16:10:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-05 19:52:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\ddcCRKef.dll
    .
    Completion time: 2008-06-05 19:54:15
    ComboFix-quarantined-files.txt 2008-06-05 16:53:58
    ComboFix2.txt 2008-06-04 08:08:16

    Pre-Run: 22,113,275,904 tavua vapaana
    Post-Run: 22,153,404,416 tavua vapaana

    172
     
  17. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [IMG]

    Restart the computer when prompted and post the contents of combofix.txt here.

     
  18. hopo14

    hopo14 Member

    ComboFix 08-06-03.1 - Kärki 2008-06-05 21:56:17.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.103 [GMT 3:00]
    Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-05 to 2008-06-05 )))))))))))))))))
    .

    2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
    2008-06-04 23:29 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
    2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
    2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
    2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
    2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
    2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
    2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
    2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
    2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
    2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-02 19:47 . 2008-06-02 19:47 57,344 --------- C:\WINDOWS\system32\ddcCRKef.dll
    2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
    2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
    2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
    2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe
    2008-05-05 20:26 . 2008-05-05 20:26 <KANSIO> d-------- C:\WINDOWS\Sun
    2008-05-05 20:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-05-05 20:25 . 2008-06-02 13:01 <KANSIO> d-------- C:\Program Files\Java
    2008-05-05 20:24 . 2008-05-05 20:24 <KANSIO> d-------- C:\Program Files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}]
    2008-06-02 19:47 57344 --------- C:\WINDOWS\system32\ddcCRKef.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"= C:\WINDOWS\system32\ddcCRKef.dll [2008-06-02 19:47 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
    ddcCRKef.dll 2008-06-02 19:47 57344 C:\WINDOWS\system32\ddcCRKef.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Shareaza\\Shareaza.exe"=
    "E:\\Shareaza\\Shareaza.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
    \Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe

    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-05 16:10:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-05 21:58:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\ddcCRKef.dll
    .
    Completion time: 2008-06-05 22:00:40
    ComboFix-quarantined-files.txt 2008-06-05 19:00:30
    ComboFix2.txt 2008-06-05 16:54:17
    ComboFix3.txt 2008-06-04 08:08:16

    Pre-Run: 22,122,463,232 tavua vapaana
    Post-Run: 22,126,665,728 tavua vapaana

    125
     
  19. Hujo

    Hujo Guest

    1. Click Start > right-click My Computer
    2. Select Properties
    3. Select the System Restore tab
    4. Tick the box "Turn off System Restore on all drives"
    5. Click Apply
    6. Click OK
    7. Shut down and restart
    8. Untick "Turn off System Restore on all drives"
    9. Apply and OK

    =============

    Download RegSeeker.zip to the desktop:

    Extract the zip into the C:\RegSeeker\ folder. Run RegSeeker.exe from there.
    In the top right corner there is a Languages.... link, from which you select Finnish.
    In the bottom left corner tick "Create backup" (Luo varmuuskopio) and then click the "Clean registry" (Puhdista rekisteri) link.
    Tick every other item except "Invalid.." (Käyttökelvottomat..), then "OK" (wait a moment).
    A list of invalid registry entries appears; in the bottom bar, under "Select", click "Select all", and the selected entries get a yellow background.
    From the "Actions" link in the bottom bar click "Delete selected items".
    Answer "OK" to the popup "All selected items will be deleted?".
    Answer "OK" to the next popup, "Backups".
    Click "Exit RegSeeker" on the left and restart your computer.

     
  20. hopo14

    hopo14 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:01:06, on 6.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192744158773
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe

    --
    End of file - 7857 bytes
     
  21. Hujo

    Hujo Guest

    Scan with HJT, check these and press Fix checked:

    O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
    O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll


    Open Notepad and copy/paste the contents of the quote box there:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    ================

    Download VundoFix.exe from HERE to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo option.
    When the scan is complete, click the Fix Vundo option.
    You will be asked whether you want to remove the files - click YES.
    Once you have clicked yes, your desktop will go blank as it starts removing Vundo.
    When it is finished, the fix will tell you to restart your computer; click OK.
    Post the contents of the C:\vundofix.txt log and of a fresh HijackThis log.

    Note: It is possible that VundoFix found a file it could not remove.
    In that case, VundoFix runs itself at reboot; just follow the instructions above starting from "Click the Scan for Vundo option." when VundoFix appears at restart.
     
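As an added illustration (not part of Hujo's or hopo14's posts, and not a HijackThis feature), the following Python script applies the same cross-check a log reviewer does by eye: it parses the O2 (BHO) and O20 (Winlogon Notify) lines, normalises the paths, and flags a DLL that is registered both as a nameless BHO and as a Winlogon Notify handler, which is the pattern behind the two lines Hujo asked to be fixed. The sample log is a constructed excerpt of the log posted above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted in this thread
# (an excerpt, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\ddcCRKef.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O20 - Winlogon Notify: ddcCRKef - C:\WINDOWS\SYSTEM32\ddcCRKef.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Line shapes as HijackThis 2.0.2 prints them (fields separated by " - ").
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; HJT prints "system32" and "SYSTEM32"
    # for the same directory, so normalise before comparing entries.
    return path.strip().lower()


def collect_dll_roles(log_text: str) -> dict[str, set[str]]:
    """Map each DLL path to the HJT roles (O2 / O20) it appears in."""
    roles: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            roles[_norm(m["path"])].add("bho")
            if m["name"] == "(no name)":
                roles[_norm(m["path"])].add("unnamed_bho")
            continue
        m = O20_RE.match(line)
        if m:
            roles[_norm(m["path"])].add("winlogon_notify")
    return roles


def suspicious_dlls(log_text: str) -> dict[str, list[str]]:
    """DLLs worth a closer look, with the reason for each.

    A lone Winlogon Notify entry can be legitimate (drivers register them too);
    the strong signal is one DLL that IE loads as a nameless BHO *and* that
    winlogon loads at logon, which is what the posted log shows.
    """
    out: dict[str, list[str]] = {}
    for path, rs in collect_dll_roles(log_text).items():
        reasons = []
        if "unnamed_bho" in rs:
            reasons.append("BHO with no name")
        if "winlogon_notify" in rs:
            reasons.append("Winlogon Notify handler")
        if {"bho", "winlogon_notify"} <= rs:
            reasons.append("same DLL loaded by both IE and winlogon")
        if reasons:
            out[path] = reasons
    return out


def lines_to_fix(log_text: str) -> list[str]:
    """Return the O2/O20 log lines that reference a flagged DLL."""
    flagged = suspicious_dlls(log_text)
    result = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line) or O20_RE.match(line)
        if m and _norm(m["path"]) in flagged:
            result.append(line)
    return result


if __name__ == "__main__":
    for path, reasons in suspicious_dlls(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
    for line in lines_to_fix(SAMPLE_LOG):
        print("FIX:", line)
```

Run against the sample, the script reports only the ddcCRKef.dll path and returns exactly the O2 and O20 lines quoted above; the Adobe and Java BHOs have names and no Winlogon Notify entry, so they are left alone.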
