
Could some "guru" take a look at this HJT log?

Thread in the Viruses and malware - HijackThis logs section. Thread started by hopo14 on 02.06.2008.

  1. hopo14

    hopo14 Member

    Joined:
    02.06.2008
    Messages:
    16
    Thanks:
    0
    Points:
    11
    ComboFix 08-06-03.1 - Kärki 2008-06-06 19:02:55.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.89 [GMT 3:00]
    Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\SYSTEM32\ddcCRKef.dll
    C:\WINDOWS\system32\ddcCRKef.dll
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ddcCRKef.dll

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-06 to 2008-06-06 )))))))))))))))))
    .

    2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
    2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
    2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
    2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
    2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
    2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
    2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
    2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
    2008-06-04 10:07 . 2008-06-04 10:07 3,423 --a------ C:\setz.exe
    2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
    2008-06-02 21:36 . 2008-06-02 21:35 96,950 -r-hs---- C:\WINDOWS\mservice.exe
    2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
    2008-06-02 17:36 . 2008-06-02 22:29 60,114 --a------ C:\bot1.exe
    2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-01 20:46 . 2008-06-01 20:46 86,502 --a------ C:\sexy.com
    2008-05-30 17:31 . 2008-05-30 19:09 96,768 --------- C:\is154890.0xe

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-02 10:01 --------- d-----w C:\Program Files\Java
    2008-05-05 17:24 --------- d-----w C:\Program Files\Common Files\Java
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
    ddcCRKef.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Shareaza\\Shareaza.exe"=
    "E:\\Shareaza\\Shareaza.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
    \Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe

    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-06 06:54:13 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-06 19:08:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\PROGRA~1\F-SECU~1\FSGUI\fsguidll.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-06 19:11:07 - machine was rebooted [Kärki]
    ComboFix-quarantined-files.txt 2008-06-06 16:10:56
    ComboFix2.txt 2008-06-05 19:00:44
    ComboFix3.txt 2008-06-05 16:54:17
    ComboFix4.txt 2008-06-04 08:08:16

    Pre-Run: 23,253,381,120 tavua vapaana
    Post-Run: 23,332,323,328 tavua vapaana

  3. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quotebox into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    ================

    run that Malwarebytes' Anti-Malware again

    ===============

    lastly scan a new hjt log
     
  4. hopo14

    hopo14 Member

    That VundoFix didn't find anything. Here's the combofix txt file.
     
  5. hopo14

    hopo14 Member

    so here it is :D

    ComboFix 08-06-03.1 - Kärki 2008-06-06 19:57:17.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.117 [GMT 3:00]
    Running from: C:\Documents and Settings\Kärki\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kärki\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\bot1.exe
    C:\is154890.0xe
    C:\setz.exe
    C:\sexy.com
    C:\WINDOWS\mservice.exe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\bot1.exe
    C:\is154890.0xe
    C:\setz.exe
    C:\sexy.com
    C:\WINDOWS\mservice.exe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-06 to 2008-06-06 )))))))))))))))))
    .

    2008-06-06 19:18 . 2008-06-06 19:18 <KANSIO> d-------- C:\VundoFix Backups
    2008-06-06 19:11 . 2008-06-06 19:11 <KANSIO> d-------- C:\Documents and Settings\Kõrki
    2008-06-04 23:31 . 2004-01-14 04:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
    2008-06-04 23:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2008-06-04 23:29 . 2008-06-04 23:29 0 --a------ C:\WINDOWS\OpPrintServer.INI
    2008-06-04 23:17 . 2008-06-04 23:31 <KANSIO> d-------- C:\Program Files\Canon
    2008-06-04 23:00 . 2004-06-15 08:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
    2008-06-04 23:00 . 2004-06-04 18:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
    2008-06-04 23:00 . 2004-06-15 08:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d--h----- C:\BJPrinter
    2008-06-04 22:57 . 2008-06-04 23:17 <KANSIO> d-------- C:\WINDOWS\StartHtmico
    2008-06-04 22:57 . 2008-06-04 22:59 <KANSIO> d-------- C:\WINDOWS\IP4000,3000
    2008-06-02 22:29 . 2008-06-02 22:29 97,116 --a------ C:\WINDOWS\DC5177176.zip
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 21:35 . 2008-06-02 22:33 96,950 --a------ C:\Documents and Settings\Kärki\setup.exe
    2008-06-02 19:51 . 2008-06-04 10:07 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-02 18:57 . 2008-06-02 18:57 6,144 --a------ C:\mgoilhuqomfmnhs.exe
    2008-06-02 14:14 . 2008-06-02 14:14 <KANSIO> d-------- C:\Documents and Settings\Kärki\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-06-02 14:14 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-02 14:13 . 2008-06-02 14:13 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-02 14:13 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-02 14:13 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-02 11:26 . 2008-06-02 11:26 <KANSIO> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-02 10:01 --------- d-----w C:\Program Files\Java
    2008-05-05 17:24 --------- d-----w C:\Program Files\Common Files\Java
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 16:12 183208]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 16:11 740208]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRKef]
    ddcCRKef.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII\\RpcSandraSrv.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Shareaza\\Shareaza.exe"=
    "E:\\Shareaza\\Shareaza.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-20 18:34]
    R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-02-15 12:57]
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 16:08]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 16:09]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 16:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{385872e4-8a05-11dc-aa8a-0004617b15fc}]
    \Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe

    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-06 06:54:13 C:\WINDOWS\Tasks\Scheduled scanning task.job"
    - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-06 19:59:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
    .
    Completion time: 2008-06-06 20:00:51
    ComboFix-quarantined-files.txt 2008-06-06 17:00:46
    ComboFix2.txt 2008-06-06 16:11:10
    ComboFix3.txt 2008-06-05 19:00:44
    ComboFix4.txt 2008-06-05 16:54:17
    ComboFix5.txt 2008-06-04 08:08:16

    Pre-Run: 23,303,348,224 tavua vapaana
    Post-Run: 23,307,509,760 tavua vapaana

     
  6. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quotebox into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.

    Restart the computer when prompted and post the contents of the combofix.txt file here.
     
  7. hopo14

    hopo14 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:46:18, on 6.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192744158773
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: ddcCRKef - ddcCRKef.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe

    --
    End of file - 7110 bytes
     
  8. Hujo

    Hujo Guest

    scan with hjt, check this and press Fix checked

    O20 - Winlogon Notify: ddcCRKef - ddcCRKef.dll (file missing)


    =========

    So how is the computer working
     
