
HJT log (Ask toolbar causing Firefox problems?)

Thread in the Viruses and malware - HijackThis logs section. Thread opened by nwind on 19.12.2008.

  1. nwind

    Firefox occasionally acts up with a strange "address not found" link, and I worked out that the problem is caused by the ask.com toolbar even though it has been removed. So I humbly ask whether someone who knows their stuff would have time to help, here just before Christmas, since the laptop is leaving with the wife for the Christmas period. Big thanks in advance to anyone who helps.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:16, on 19.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\drivers\STDSB.exe
    C:\WINDOWS\system32\drivers\Icon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Glary Utilities\memdefrag.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\slmdmsr.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    F:\PhoneConnectorVMC.exe
    F:\vmc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hjt\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=FI&range=AD&phase=6&key=SEARCH
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fin.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
    O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fin.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA}: NameServer = 195.226.224.72 195.226.224.76
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 5925 bytes
  3. Hujo


    Scan with HJT, check these lines and press Fix checked:

    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Close it and restart.


    ==================

    Download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and
    Launch Malwarebytes' Anti-Malware, then click Finish.
    3. If an update is found, the program downloads and installs the newest version.
    4. Once the program has loaded, select Perform full scan and click Scan.
    5. When the scan is finished, click OK and then Show Results to see the results.
    6. Make sure everything is checked and click Remove Selected.
    7. After this the log opens in Notepad. Save it somewhere you can find it easily. The log
    can also be found here: C:\Documents and Settings\Username\Application
    Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    8. Post the contents of the log in your next message.
     
  4. nwind

    HJT items removed. MBAM was already on the machine and has been a standard fixture for several months now, updated and scanned :D

    Malwarebytes' Anti-Malware 1.31
    Tietokantaversio: 1520
    Windows 5.1.2600 Service Pack 2

    19.12.2008 13:54:08
    mbam-log-2008-12-19 (13-54-08).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|)
    Tarkistetut kohteet: 73575
    Kulunut aika: 10 minute(s), 6 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 0
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 0

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    (Haitallisia kohteita ei löydetty)



    -----NEW HJT LOG----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:57:26, on 19.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\drivers\STDSB.exe
    C:\WINDOWS\system32\drivers\Icon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Glary Utilities\memdefrag.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\spoolsv.exe
    F:\PhoneConnectorVMC.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\slmdmsr.exe
    F:\vmc.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hjt\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=FI&range=AD&phase=6&key=SEARCH
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\fin.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
    O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fin.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA}: NameServer = 195.226.224.72 195.226.224.76
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 5440 bytes
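As an added example (not code from the thread, from HijackThis or from the helpers), the following Python script parses HJT log entries, flags R3 URLSearchHook modules that live outside the Windows directory as a heuristic for a helper to review, and diffs the first log against the rescan to confirm which entries "Fix checked" actually removed. The two log excerpts are constructed from lines posted in this thread; the "outside the Windows directory" rule is an assumed heuristic, not a HijackThis rule.

```python
import re
from typing import Dict, List

# Constructed excerpts of the two HijackThis logs posted in the thread: the first
# scan (before "Fix checked") and the rescan after the flagged lines were fixed.
HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=FI&range=AD&phase=6&key=SEARCH
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

HJT_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=FI&range=AD&phase=6&key=SEARCH
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# An HJT entry is "<section code> - <body>"; other lines (header, process list) are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# O4 autostart entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into entries: section code, display name, CLSID (if any) and module path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "raw": line.strip(), "name": body, "clsid": "", "path": ""}
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                entry["name"] = o4.group("name")
                entry["path"] = o4.group("command")
        else:
            # R3/O2/O9/O23 lines are " - " separated: description, [CLSID or vendor], module path
            parts = [p.strip() for p in body.split(" - ")]
            entry["name"] = parts[0]
            c = CLSID_RE.search(body)
            if c:
                entry["clsid"] = c.group(0)
            if len(parts) >= 2:
                entry["path"] = parts[-1]
        entries.append(entry)
    return entries


def unexpected_search_hooks(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Heuristic (assumed, not an HJT rule): return R3 URLSearchHook entries whose DLL is not
    under C:\\WINDOWS. A search hook under Program Files, like AskSearch's DefaultSearch.dll in
    this thread, is what a helper would want to look at before deciding on a fix."""
    hits = []
    for e in entries:
        if e["section"] == "R3" and e["name"].startswith("URLSearchHook"):
            if not e["path"].lower().startswith("c:\\windows\\"):
                hits.append(e)
    return hits


def removed_entries(before: str, after: str) -> List[str]:
    """Raw entry lines present in the first log but absent from the rescan: what the fix removed."""
    after_raw = {e["raw"] for e in parse_hjt(after)}
    return [e["raw"] for e in parse_hjt(before) if e["raw"] not in after_raw]


def fix_verified(before: str, after: str, expected_names: List[str]) -> bool:
    """True when none of the entry names a helper asked to fix still appear in the rescan."""
    remaining = {e["name"] for e in parse_hjt(after)}
    return all(name not in remaining for name in expected_names)


if __name__ == "__main__":
    for e in unexpected_search_hooks(parse_hjt(HJT_BEFORE)):
        print("review:", e["raw"])
    for raw in removed_entries(HJT_BEFORE, HJT_AFTER):
        print("removed:", raw)
```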
     
  5. Hujo


    MBAM is good kit indeed :)

    ================

    1. Download Combofix.exe to your desktop from one of these links:
    Combofix1
    Combofix2

    2. Double-click the Combofix.exe file and follow the prompts.
    Do not install the Recovery Console; click NO.
    3. When the tool is finished, it produces a log. Post this log in your thread.
    Note! Do not click around in the ComboFix window while it is running. This may cause the program to hang.
     
  6. nwind

    ComboFix 08-12-18.01 - Dream 2008-12-19 14:34:01.1 - NTFSx86
    Sijainti: c:\cf\ComboFix.exe
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-19 to 2008-12-19 )))))))))))))))))
    .

    2008-12-19 14:31 . 2008-12-19 14:32 <KANSIO> d-------- C:\cf
    2008-12-19 12:00 . 2008-12-19 13:57 <KANSIO> d-------- C:\hjt
    2008-12-18 15:57 . 2008-12-18 15:57 <KANSIO> d-------- c:\program files\Exact Audio Copy
    2008-12-18 15:57 . 2008-12-18 15:57 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\AccurateRip
    2008-12-18 15:56 . 2008-12-18 15:56 <KANSIO> d-------- C:\lame
    2008-12-17 18:05 . 2008-12-17 19:59 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\vlc
    2008-12-17 18:05 . 2008-12-18 17:15 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\dvdcss
    2008-12-17 18:04 . 2008-12-17 18:04 <KANSIO> d-------- c:\program files\VideoLAN
    2008-12-17 17:11 . 2008-12-17 17:11 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Sonic
    2008-12-17 17:06 . 2008-12-17 17:06 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Leadertech
    2008-12-16 02:29 . 2008-12-16 02:29 11,381 --a------ c:\windows\E220AutoRunLog.tmp
    2008-12-16 00:02 . 2008-12-16 00:02 <KANSIO> d-------- c:\program files\OpenAL
    2008-12-16 00:02 . 2008-12-16 00:02 413,696 --a------ c:\windows\system32\wrap_oal.dll
    2008-12-16 00:02 . 2008-12-16 00:02 110,592 --a------ c:\windows\system32\OpenAL32.dll
    2008-12-15 23:42 . 2008-12-15 23:42 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\OpenArena
    2008-12-15 20:27 . 2008-12-15 20:31 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Wormux
    2008-12-15 18:13 . 2008-12-15 18:13 <KANSIO> d-------- C:\Games
    2008-12-13 18:38 . 2008-12-13 18:38 <KANSIO> d-------- c:\program files\uTorrent
    2008-12-13 18:38 . 2008-12-18 05:45 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\uTorrent
    2008-12-13 02:29 . 2008-12-13 02:29 <KANSIO> d-------- c:\program files\Alwil Software
    2008-12-13 01:45 . 2008-12-13 01:45 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\AdobeUM
    2008-12-12 06:48 . 2008-12-12 06:55 <KANSIO> d-------- c:\program files\Notebook Hardware Control
    2008-12-12 06:25 . 2008-12-12 06:25 <KANSIO> d-------- c:\program files\xp-AntiSpy
    2008-12-12 06:07 . 2008-12-12 06:08 <KANSIO> d-------- c:\documents and settings\Dream\Shared
    2008-12-12 06:06 . 2008-12-12 06:06 <KANSIO> d-------- c:\program files\AskSearch
    2008-12-12 06:02 . 2008-12-12 06:02 <KANSIO> d-------- C:\x
    2008-12-12 06:02 . 2008-12-12 06:03 <KANSIO> d-------- C:\Incomplete
    2008-12-12 06:02 . 2008-12-12 06:12 <KANSIO> d-------- c:\documents and settings\Dream\Incomplete
    2008-12-12 06:01 . 2008-12-12 06:12 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\MP3Rocket
    2008-12-12 05:28 . 2008-12-12 05:28 <KANSIO> d-------- c:\program files\CCleaner
    2008-12-12 03:16 . 2008-12-12 03:16 <KANSIO> d-------- c:\program files\Empire Interactive
    2008-12-12 01:29 . 2008-12-12 01:31 <KANSIO> d-------- c:\windows\system32\NtmsData
    2008-12-12 01:13 . 2008-12-12 01:13 <KANSIO> d-------- c:\program files\MagicDisc
    2008-12-12 01:13 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
    2008-12-12 01:12 . 2008-12-12 03:22 <KANSIO> d-------- c:\program files\SlySoft
    2008-12-12 01:12 . 2008-12-12 01:19 24 ---hs---- c:\windows\SA26448C1.tmp
    2008-12-12 01:11 . 2008-12-12 01:11 617 --a------ c:\windows\eReg.dat
    2008-12-12 00:23 . 2008-12-12 00:51 <KANSIO> d-------- c:\program files\Cube
    2008-12-11 23:57 . 2008-12-12 00:00 <KANSIO> d-------- c:\program files\Soldier Under Fire
    2008-12-11 23:57 . 2008-12-12 00:00 <KANSIO> d--h----- c:\program files\InstallJammer Registry
    2008-12-11 01:24 . 2008-12-11 01:24 <KANSIO> d-------- C:\OEMCUST
    2008-12-11 01:24 . 2008-12-11 01:24 <KANSIO> d-------- C:\FACTONLY
    2008-12-11 01:24 . 2008-12-11 01:24 <KANSIO> d-------- C:\CABS
    2008-12-11 01:14 . 2008-12-11 01:14 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\CyberLink
    2008-12-11 00:04 . 2008-08-14 15:39 2,188,288 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,065,280 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,023,424 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-10 23:51 . 2008-10-03 12:17 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
    2008-12-10 13:43 . 2007-03-08 01:51 129,784 --------- c:\windows\system32\pxafs.dll
    2008-12-10 13:43 . 2007-03-08 01:51 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
    2008-12-10 13:43 . 2007-03-08 01:51 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
    2008-12-10 13:42 . 2008-12-10 13:49 <KANSIO> d-------- c:\program files\Winamp
    2008-12-10 13:42 . 2008-12-10 13:50 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Winamp
    2008-12-09 21:02 . 2008-12-09 21:02 <KANSIO> d-------- c:\program files\Vodafone
    2008-12-09 21:02 . 2008-12-09 21:02 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-09 00:36 . 2008-12-09 00:37 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Media Player Classic
    2008-12-07 17:24 . 2008-12-07 17:24 741,888 --a------ c:\program files\uTool.exe
    2008-12-07 14:28 . 2008-12-07 14:33 <KANSIO> d-------- c:\windows\SxsCaPendDel
    2008-12-06 22:32 . 2008-12-06 22:32 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Vodafone
    2008-12-06 22:29 . 2008-12-06 22:29 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\InstallShield
    2008-12-06 22:27 . 2008-12-06 22:27 <KANSIO> d-------- c:\documents and settings\LocalService\Application Data\Vodafone
    2008-12-06 22:26 . 2008-12-07 14:27 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Vodafone
    2008-12-06 22:24 . 2008-12-06 22:24 8,464 --a------ c:\windows\system32\SpOrder.dll
    2008-12-05 20:01 . 2008-12-14 20:34 <KANSIO> d-------- c:\documents and settings\Dream\amsn
    2008-12-05 14:37 . 2008-12-05 14:37 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\F-Secure
    2008-12-05 14:26 . 2008-12-05 14:26 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\OpenOffice.org
    2008-12-05 14:14 . 2008-12-11 01:06 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\GlarySoft
    2008-12-05 14:13 . 2008-12-05 14:13 <KANSIO> d-------- c:\documents and settings\Dream\Application Data\Malwarebytes
    2008-12-05 14:13 . 2008-12-09 00:35 <KANSIO> d-------- c:\documents and settings\Dream\.smplayer
    2008-12-05 14:02 . 2008-12-05 23:51 <KANSIO> d--h----- c:\documents and settings\Dream\Verkkoympäristö
    2008-12-05 14:02 . 2008-12-19 13:19 <KANSIO> dr------- c:\documents and settings\Dream\Työpöytä
    2008-12-05 14:02 . 2008-12-05 23:51 <KANSIO> d--h----- c:\documents and settings\Dream\Tulostinympäristö
    2008-12-05 14:02 . 2008-12-05 14:03 <KANSIO> dr------- c:\documents and settings\Dream\Suosikit
    2008-12-05 14:02 . 2008-12-18 17:13 <KANSIO> dr------- c:\documents and settings\Dream\Omat tiedostot
    2008-12-05 14:02 . 2008-12-05 23:52 <KANSIO> d--h----- c:\documents and settings\Dream\Mallit
    2008-12-05 14:02 . 2008-12-13 18:38 <KANSIO> dr------- c:\documents and settings\Dream\Käynnistä-valikko

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-18 06:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-18 06:12 --------- d-----w c:\program files\SpywareBlaster
    2008-12-17 17:59 --------- d-----w c:\documents and settings\Dream\Application Data\vlc
    2008-12-13 00:28 --------- d-----w c:\program files\F-Secure
    2008-12-13 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure
    2008-12-11 23:12 12,464 ----a-w c:\windows\system32\drivers\secdrv.sys
    2008-12-10 23:14 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-10 23:05 --------- d-----w c:\program files\Sonic
    2008-12-07 12:27 --------- d-----w c:\documents and settings\All Users\Application Data\Vodafone
    2008-12-06 20:27 --------- d-----w c:\documents and settings\LocalService\Application Data\Vodafone
    2008-12-06 20:25 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-05 21:53 --------- d-----w c:\program files\ShowTime
    2008-12-05 21:51 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-05 21:51 --------- d-----w c:\program files\Synaptics
    2008-12-05 21:51 --------- d-----w c:\program files\S3
    2008-12-05 21:51 --------- d-----w c:\program files\microsoft frontpage
    2008-12-05 21:51 --------- d-----w c:\program files\CyberLink
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\SureThing Shared
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\Java
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\Adobe
    2008-12-05 19:07 --------- d-----w c:\program files\MSXML 4.0
    2008-12-05 18:00 --------- d-----w c:\program files\aMSN
    2008-12-05 14:41 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-05 14:40 --------- d-----w c:\program files\Java
    2008-12-05 13:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-12-05 12:24 --------- d-----w c:\program files\OpenOffice.org 3
    2008-12-05 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
    2008-12-05 12:14 --------- d-----w c:\program files\Glary Utilities
    2008-12-05 12:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-03 17:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 17:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:00 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:00 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 12:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 17:00 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 09:45 18,432 ------w c:\windows\system32\dllcache\iedw.exe
    2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Glary Memory Optimizer"="c:\program files\Glary Utilities\memdefrag.exe" [2008-12-01 89600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 688218]
    "STDSB"="c:\windows\system32\drivers\STDSB.exe" [2003-12-17 28672]
    "Icon"="c:\windows\system32\drivers\Icon.exe" [2005-08-23 221184]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 c:\windows\SOUNDMAN.EXE]
    "VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-09-14 c:\windows\system32\VTTrayp.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

    c:\documents and settings\Dream\Käynnistä-valikko\Ohjelmat\Käynnistys\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-12 575488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "PCMService"="c:\apps\Powercinema\PCMService.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\aMSN\\bin\\wish.exe"=
    "c:\\Games\\Paintball2\\paintball2.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\utorrent.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\openarena.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\oa_ded.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\RC44.5\\Stealthy.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-13 111184]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-13 20560]
    R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2006-07-04 11279]
    S2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2006-07-04 11279]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27a-c3d5-11dd-954f-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27b-c3d5-11dd-954f-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b91fb26-c45d-11dd-9552-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b91fb27-c45d-11dd-9552-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83d7e908-cb08-11dd-9589-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95379f20-c385-11dd-9545-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98727ee6-c621-11dd-9562-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98727ee7-c621-11dd-9562-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9d21804-c623-11dd-9565-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9d21805-c623-11dd-9565-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecd9d0c6-c55c-11dd-955c-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecd9d0c7-c55c-11dd-955c-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cc91c0-c2c3-11dd-953e-806d6172696f}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    *Newly Created Service* - PROCEXP90
    .
    'Scheduled Tasks' folder contents

    2008-12-19 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2008-12-01 09:38]

    2008-12-12 c:\windows\Tasks\HDReg.job
    - c:\apps\HDReg\HDRegRem.exe [2003-07-15 09:14]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA} = 195.226.224.72 195.226.224.76
    FF - ProfilePath - c:\documents and settings\Dream\Application Data\Mozilla\Firefox\Profiles\yu73rc09.default\
    FF - prefs.js: browser.startup.homepage - about:blank

    ATTENTION: FIREFOX POLICES IS IN FORCE
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-19 14:35:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-19 14:36:02
    ComboFix-quarantined-files.txt 2008-12-19 12:36:00

    Pre-Run: 29,974,614,016 bytes free
    Post-Run: 29,990,719,488 bytes free

    241 --- E O F --- 2008-12-11 00:10:54
     
  7. Hujo

    Hujo Guest

    Uninstall via Add or Remove Programs:

    XP Antispyware 2009

    ===========

    Now copy/paste the text marked in red into an empty Notepad
    (Start button > Accessories > Notepad)


    Folder::
    c:\program files\xp-AntiSpy
    c:\program files\AskSearch
    c:\documents and settings\Dream\Application Data\F-Secure
    c:\program files\F-Secure
    c:\documents and settings\All Users\Application Data\F-Secure

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]


    Then, from the top left: File > Save As

    Save in: Desktop

    File name: CFScript.txt

    Save as type: All Files

    Then drag it, as shown in the image, onto Combofix.exe on the Desktop and drop it there.

    [image]

    ComboFix will process it; a blue window will appear, press the number 1 and Enter.

    Post the resulting log here.

    Shut down and restart the computer.
     
    Last edited by a moderator: 19.12.2008
  8. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    The machine does not have the XP Antispyware you mentioned in Add/Remove Programs. It does have "xp-AntiSpy 3.97", i.e. the registry-tweaking program downloaded from http://www.xp-antispy.org/, which I believe is perfectly legitimate and well regarded. So could you check it from that link before I remove it.


    I took out the XP-Spy item and am waiting for your reply; otherwise it has now been done without it, and here is the new log.

    ComboFix 08-12-18.01 - Dream 2008-12-19 16:37:43.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.703.446 [GMT 2:00]
    Running from: c:\cf\ComboFix.exe
    Command switches used :: c:\cf\CFScript.txt
    * Created a new restore point
    .

    (((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\F-Secure
    c:\documents and settings\All Users\Application Data\F-Secure\Daas2\acl\fsc_revoke_hq.acl
    c:\documents and settings\All Users\Application Data\F-Secure\Daas2\acl\fsc_root.acl
    c:\documents and settings\All Users\Application Data\F-Secure\Daas2\cert\fsc (revoke hq).crl
    c:\documents and settings\All Users\Application Data\F-Secure\logs\DAAS2\DAAS2INS.LOG
    c:\documents and settings\All Users\Application Data\F-Secure\logs\DAAS2\Daas2Uni.LOG
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSFW\action.log
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSFW\alertlog.dat
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSMA\fsma_old.log
    c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\ORSPINST.LOG
    c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\OrspUnin.LOG
    c:\documents and settings\Dream\Application Data\F-Secure
    c:\program files\AskSearch
    c:\program files\AskSearch\bin\DefaultSearch.dll
    c:\program files\F-Secure
    c:\program files\F-Secure\Anti-Virus\deleteme_pwr.log
    c:\program files\F-Secure\Anti-Virus\fa_gem.log
    c:\program files\F-Secure\Anti-Virus\fa_peg.log
    c:\program files\F-Secure\Anti-Virus\fsbts.sys
    c:\program files\F-Secure\common\daas2_cdsa.cr
    c:\program files\F-Secure\Gemini\fsgem.db

    .
    ((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))
    .

    2008-12-19 14:31 . 2008-12-19 16:37 <DIR> d-------- C:\cf
    2008-12-19 12:00 . 2008-12-19 13:57 <DIR> d-------- C:\hjt
    2008-12-18 15:57 . 2008-12-18 15:57 <DIR> d-------- c:\program files\Exact Audio Copy
    2008-12-18 15:57 . 2008-12-18 15:57 <DIR> d-------- c:\documents and settings\Dream\Application Data\AccurateRip
    2008-12-18 15:56 . 2008-12-18 15:56 <DIR> d-------- C:\lame
    2008-12-17 18:05 . 2008-12-17 19:59 <DIR> d-------- c:\documents and settings\Dream\Application Data\vlc
    2008-12-17 18:05 . 2008-12-18 17:15 <DIR> d-------- c:\documents and settings\Dream\Application Data\dvdcss
    2008-12-17 18:04 . 2008-12-17 18:04 <DIR> d-------- c:\program files\VideoLAN
    2008-12-17 17:11 . 2008-12-17 17:11 <DIR> d-------- c:\documents and settings\Dream\Application Data\Sonic
    2008-12-17 17:06 . 2008-12-17 17:06 <DIR> d-------- c:\documents and settings\Dream\Application Data\Leadertech
    2008-12-16 02:29 . 2008-12-16 02:29 11,381 --a------ c:\windows\E220AutoRunLog.tmp
    2008-12-16 00:02 . 2008-12-16 00:02 <DIR> d-------- c:\program files\OpenAL
    2008-12-16 00:02 . 2008-12-16 00:02 413,696 --a------ c:\windows\system32\wrap_oal.dll
    2008-12-16 00:02 . 2008-12-16 00:02 110,592 --a------ c:\windows\system32\OpenAL32.dll
    2008-12-15 23:42 . 2008-12-15 23:42 <DIR> d-------- c:\documents and settings\Dream\Application Data\OpenArena
    2008-12-15 20:27 . 2008-12-15 20:31 <DIR> d-------- c:\documents and settings\Dream\Application Data\Wormux
    2008-12-15 18:13 . 2008-12-15 18:13 <DIR> d-------- C:\Games
    2008-12-13 18:38 . 2008-12-13 18:38 <DIR> d-------- c:\program files\uTorrent
    2008-12-13 18:38 . 2008-12-18 05:45 <DIR> d-------- c:\documents and settings\Dream\Application Data\uTorrent
    2008-12-13 02:29 . 2008-12-13 02:29 <DIR> d-------- c:\program files\Alwil Software
    2008-12-13 01:45 . 2008-12-13 01:45 <DIR> d-------- c:\documents and settings\Dream\Application Data\AdobeUM
    2008-12-12 06:48 . 2008-12-12 06:55 <DIR> d-------- c:\program files\Notebook Hardware Control
    2008-12-12 06:25 . 2008-12-12 06:25 <DIR> d-------- c:\program files\xp-AntiSpy
    2008-12-12 06:07 . 2008-12-12 06:08 <DIR> d-------- c:\documents and settings\Dream\Shared
    2008-12-12 06:02 . 2008-12-12 06:02 <DIR> d-------- C:\x
    2008-12-12 06:02 . 2008-12-12 06:03 <DIR> d-------- C:\Incomplete
    2008-12-12 06:02 . 2008-12-12 06:12 <DIR> d-------- c:\documents and settings\Dream\Incomplete
    2008-12-12 06:01 . 2008-12-12 06:12 <DIR> d-------- c:\documents and settings\Dream\Application Data\MP3Rocket
    2008-12-12 05:28 . 2008-12-12 05:28 <DIR> d-------- c:\program files\CCleaner
    2008-12-12 03:16 . 2008-12-12 03:16 <DIR> d-------- c:\program files\Empire Interactive
    2008-12-12 01:29 . 2008-12-12 01:31 <DIR> d-------- c:\windows\system32\NtmsData
    2008-12-12 01:13 . 2008-12-12 01:13 <DIR> d-------- c:\program files\MagicDisc
    2008-12-12 01:13 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
    2008-12-12 01:12 . 2008-12-12 03:22 <DIR> d-------- c:\program files\SlySoft
    2008-12-12 01:12 . 2008-12-12 01:19 24 ---hs---- c:\windows\SA26448C1.tmp
    2008-12-12 01:11 . 2008-12-12 01:11 617 --a------ c:\windows\eReg.dat
    2008-12-12 00:23 . 2008-12-12 00:51 <DIR> d-------- c:\program files\Cube
    2008-12-11 23:57 . 2008-12-12 00:00 <DIR> d-------- c:\program files\Soldier Under Fire
    2008-12-11 23:57 . 2008-12-12 00:00 <DIR> d--h----- c:\program files\InstallJammer Registry
    2008-12-11 01:24 . 2008-12-11 01:24 <DIR> d-------- C:\OEMCUST
    2008-12-11 01:24 . 2008-12-11 01:24 <DIR> d-------- C:\FACTONLY
    2008-12-11 01:24 . 2008-12-11 01:24 <DIR> d-------- C:\CABS
    2008-12-11 01:14 . 2008-12-11 01:14 <DIR> d-------- c:\documents and settings\Dream\Application Data\CyberLink
    2008-12-11 00:04 . 2008-08-14 15:39 2,188,288 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,065,280 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,023,424 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-10 23:51 . 2008-10-03 12:17 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
    2008-12-10 13:43 . 2007-03-08 01:51 129,784 --------- c:\windows\system32\pxafs.dll
    2008-12-10 13:43 . 2007-03-08 01:51 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
    2008-12-10 13:43 . 2007-03-08 01:51 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
    2008-12-10 13:42 . 2008-12-10 13:49 <DIR> d-------- c:\program files\Winamp
    2008-12-10 13:42 . 2008-12-10 13:50 <DIR> d-------- c:\documents and settings\Dream\Application Data\Winamp
    2008-12-09 21:02 . 2008-12-09 21:02 <DIR> d-------- c:\program files\Vodafone
    2008-12-09 21:02 . 2008-12-09 21:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-09 00:36 . 2008-12-09 00:37 <DIR> d-------- c:\documents and settings\Dream\Application Data\Media Player Classic
    2008-12-07 17:24 . 2008-12-07 17:24 741,888 --a------ c:\program files\uTool.exe
    2008-12-07 14:28 . 2008-12-07 14:33 <DIR> d-------- c:\windows\SxsCaPendDel
    2008-12-06 22:32 . 2008-12-06 22:32 <DIR> d-------- c:\documents and settings\Dream\Application Data\Vodafone
    2008-12-06 22:29 . 2008-12-06 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
    2008-12-06 22:27 . 2008-12-06 22:27 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Vodafone
    2008-12-06 22:26 . 2008-12-07 14:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Vodafone
    2008-12-06 22:24 . 2008-12-06 22:24 8,464 --a------ c:\windows\system32\SpOrder.dll
    2008-12-05 20:01 . 2008-12-14 20:34 <DIR> d-------- c:\documents and settings\Dream\amsn
    2008-12-05 14:26 . 2008-12-05 14:26 <DIR> d-------- c:\documents and settings\Dream\Application Data\OpenOffice.org
    2008-12-05 14:14 . 2008-12-11 01:06 <DIR> d-------- c:\documents and settings\Dream\Application Data\GlarySoft
    2008-12-05 14:13 . 2008-12-05 14:13 <DIR> d-------- c:\documents and settings\Dream\Application Data\Malwarebytes
    2008-12-05 14:13 . 2008-12-09 00:35 <DIR> d-------- c:\documents and settings\Dream\.smplayer
    2008-12-05 14:02 . 2008-12-05 23:51 <DIR> d--h----- c:\documents and settings\Dream\Verkkoympäristö
    2008-12-05 14:02 . 2008-12-19 13:19 <DIR> dr------- c:\documents and settings\Dream\Työpöytä
    2008-12-05 14:02 . 2008-12-05 23:51 <DIR> d--h----- c:\documents and settings\Dream\Tulostinympäristö
    2008-12-05 14:02 . 2008-12-05 14:03 <DIR> dr------- c:\documents and settings\Dream\Suosikit
    2008-12-05 14:02 . 2008-12-18 17:13 <DIR> dr------- c:\documents and settings\Dream\Omat tiedostot
    2008-12-05 14:02 . 2008-12-05 23:52 <DIR> d--h----- c:\documents and settings\Dream\Mallit
    2008-12-05 14:02 . 2008-12-13 18:38 <DIR> dr------- c:\documents and settings\Dream\Käynnistä-valikko

    .
    (((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-18 06:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-18 06:12 --------- d-----w c:\program files\SpywareBlaster
    2008-12-17 17:59 --------- d-----w c:\documents and settings\Dream\Application Data\vlc
    2008-12-11 23:12 12,464 ----a-w c:\windows\system32\drivers\secdrv.sys
    2008-12-10 23:14 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-10 23:05 --------- d-----w c:\program files\Sonic
    2008-12-07 12:27 --------- d-----w c:\documents and settings\All Users\Application Data\Vodafone
    2008-12-06 20:27 --------- d-----w c:\documents and settings\LocalService\Application Data\Vodafone
    2008-12-06 20:25 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-05 21:53 --------- d-----w c:\program files\ShowTime
    2008-12-05 21:51 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-05 21:51 --------- d-----w c:\program files\Synaptics
    2008-12-05 21:51 --------- d-----w c:\program files\S3
    2008-12-05 21:51 --------- d-----w c:\program files\microsoft frontpage
    2008-12-05 21:51 --------- d-----w c:\program files\CyberLink
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\SureThing Shared
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\Java
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\Adobe
    2008-12-05 19:07 --------- d-----w c:\program files\MSXML 4.0
    2008-12-05 18:00 --------- d-----w c:\program files\aMSN
    2008-12-05 14:41 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-05 14:40 --------- d-----w c:\program files\Java
    2008-12-05 13:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-12-05 12:24 --------- d-----w c:\program files\OpenOffice.org 3
    2008-12-05 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
    2008-12-05 12:14 --------- d-----w c:\program files\Glary Utilities
    2008-12-05 12:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-03 17:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 17:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:00 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:00 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 12:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 17:00 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 09:45 18,432 ------w c:\windows\system32\dllcache\iedw.exe
    2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-19_14.35.32,40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-19 14:22:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_550.dat
    + 2008-12-19 14:22:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_d4.dat
    .
    (((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Glary Memory Optimizer"="c:\program files\Glary Utilities\memdefrag.exe" [2008-12-01 89600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 688218]
    "STDSB"="c:\windows\system32\drivers\STDSB.exe" [2003-12-17 28672]
    "Icon"="c:\windows\system32\drivers\Icon.exe" [2005-08-23 221184]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 c:\windows\SOUNDMAN.EXE]
    "VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-09-14 c:\windows\system32\VTTrayp.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

    c:\documents and settings\Dream\Käynnistä-valikko\Ohjelmat\Käynnistys\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-12 575488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "PCMService"="c:\apps\Powercinema\PCMService.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\aMSN\\bin\\wish.exe"=
    "c:\\Games\\Paintball2\\paintball2.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\utorrent.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\openarena.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\oa_ded.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\RC44.5\\Stealthy.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-13 111184]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-13 20560]
    R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2006-07-04 11279]
    S2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2006-07-04 11279]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27a-c3d5-11dd-954f-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27b-c3d5-11dd-954f-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b91fb26-c45d-11dd-9552-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b91fb27-c45d-11dd-9552-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83d7e908-cb08-11dd-9589-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95379f20-c385-11dd-9545-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98727ee6-c621-11dd-9562-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98727ee7-c621-11dd-9562-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9d21804-c623-11dd-9565-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9d21805-c623-11dd-9565-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecd9d0c6-c55c-11dd-955c-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecd9d0c7-c55c-11dd-955c-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cc91c0-c2c3-11dd-953e-806d6172696f}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe
    .
    'Scheduled Tasks' folder contents

    2008-12-19 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2008-12-01 09:38]

    2008-12-12 c:\windows\Tasks\HDReg.job
    - c:\apps\HDReg\HDRegRem.exe [2003-07-15 09:14]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA} = 195.226.224.72 195.226.224.76
    FF - ProfilePath - c:\documents and settings\Dream\Application Data\Mozilla\Firefox\Profiles\yu73rc09.default\
    FF - prefs.js: browser.startup.homepage - about:blank

    ATTENTION: FIREFOX POLICES IS IN FORCE
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-19 16:39:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-19 16:39:48
    ComboFix-quarantined-files.txt 2008-12-19 14:39:44
    ComboFix2.txt 2008-12-19 12:36:04

    Pre-Run: 30,083,305,472 bytes free
    Post-Run: 30,075,006,976 bytes free

    266 --- E O F --- 2008-12-11 00:10:54
     
    Last edited: 19.12.2008
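The ComboFix log in the post above has three kinds of entries a responder normally reviews by hand rather than trusting a scanner verdict: a dozen MountPoints2 keys whose AutoRun command is E:\VMC_PBStarter.exe (the VMC prefix matches the PhoneConnectorVMC.exe and Vodafone entries elsewhere in this thread, so the script only lists them and passes no judgement), a Windows Firewall allow-list that includes executables on the user's Desktop (utorrent.exe, Stealthy.exe), and a driver line (massfilter) whose file is printed with an empty date/size bracket. The Python below is an added example for this page, not ComboFix's code and not anything nwind or Hujo posted; it extracts exactly those review points from a constructed excerpt modelled on the posted lines. SAMPLE_LOG and the INSTALL_PREFIXES heuristic are this example's own assumptions.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example for this thread (not ComboFix's code, nor anything posted by
nwind or Hujo). It extracts the entries a responder checks by hand:
MountPoints2 AutoRun commands, firewall AuthorizedApplications entries that
live under the user's profile, and R/S service lines whose file carries no
date/size stamp. SAMPLE_LOG is a constructed excerpt modelled on the posted
log; the INSTALL_PREFIXES heuristic is this example's own assumption.
"""
import re

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Dream\\Työpöytä\\utorrent.exe"=
"c:\\Documents and Settings\\Dream\\Työpöytä\\RC44.5\\Stealthy.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-13 111184]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27a-c3d5-11dd-954f-0040d0955565}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cc91c0-c2c3-11dd-953e-806d6172696f}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe
"""

MOUNTPOINT_RE = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
FW_ENTRY_RE = re.compile(r'^"(.+)"=$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")

# Installer-managed locations (assumed list). On XP the user is usually an
# administrator, so this says "an installer put it here", not "unwritable".
INSTALL_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


def parse_autoruns(log):
    """Pair each MountPoints2 key with the AutoRun command listed under it."""
    found, guid = [], None
    for raw in log.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_RE.search(line)
        if key:
            guid = key.group(1)
            continue
        cmd = AUTORUN_RE.match(line)
        if cmd and guid is not None:
            found.append((guid, cmd.group(1)))
            guid = None
    return found


def parse_firewall_allowlist(log):
    """Executables in the AuthorizedApplications list, with ComboFix's
    doubled backslashes collapsed to single ones."""
    paths, in_list = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and "AuthorizedApplications" in line:
            in_list = True
            continue
        if in_list:
            entry = FW_ENTRY_RE.match(line)
            if entry is None:  # a blank line or the next section ends the list
                in_list = False
                continue
            paths.append(entry.group(1).replace("\\\\", "\\"))
    return paths


def is_user_location(path):
    """True when the executable sits outside the installer-managed prefixes."""
    return not path.lower().startswith(INSTALL_PREFIXES)


def parse_services(log):
    """(start_type, name, display_name, path, stamp) for each R?/S? line."""
    out = []
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            out.append(m.groups())
    return out


def triage(log):
    """Collect the review points from one log into a dict."""
    autoruns = parse_autoruns(log)
    return {
        "autorun_count": len(autoruns),
        "autorun_commands": sorted({cmd for _, cmd in autoruns}),
        "fw_user_paths": [p for p in parse_firewall_allowlist(log) if is_user_location(p)],
        "missing_service_files": [s[1] for s in parse_services(log) if not s[4].strip()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved ComboFix log by replacing SAMPLE_LOG with the file's contents. The output is a worklist, not a verdict: an AutoRun command on a removable drive letter, an allow-listed binary in a profile folder, or a service whose file ComboFix could not stamp each deserve a look, and the poster's reply about xp-AntiSpy shows why a human still decides what is legitimate.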
  9. Hujo

    Hujo Guest

    Create an uninstall list:
    • Open HijackThis
    • Click the "Configure" option at the bottom right
    • Click "Misc Tools"
    • Click the box that says "Uninstall Manager"
    • Click the "Save list" option
    • Copy and paste that list from Notepad into your thread

    Post that one too.

    Yep, no files pointing to that were found, so xp-AntiSpy can stay on the machine for now.
     
    Last edited by a moderator: 19.12.2008
  10. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0 - Suomi
    aMSN 0.97.2
    avast! Antivirus
    CCleaner (remove only)
    Exact Audio Copy 0.99pb4
    Glary Utilities 2.9.0.518
    HijackThis 2.0.2
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB952287)
    J2SE Runtime Environment 5.0 Update 4
    Java(TM) 6 Update 11
    Macromedia Shockwave Player
    MagicDisc 2.7.105
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Finnish Language Pack
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 2.0 Language Pack - FIN
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.5)
    MSXML 4.0 SP2 (KB954430)
    OpenAL
    OpenOffice.org 3.0
    Paintball2 Alpha build 23
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Smart Link 56K Modem
    Sonic RecordNow!
    SpywareBlaster 4.1
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB941569)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    VIA/S3G Display Driver
    Winamp
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    VLC media player 0.9.8a
    Vodafone Mobile Connect Lite Runtime Components
    xp-AntiSpy 3.97

     
  11. Hujo

    Hujo Guest

    Uninstall via Add or Remove Programs:

    J2SE Runtime Environment 5.0 Update 4

    ============

    xp-AntiSpy 3.97 can stay on the machine

    ===========

    Download SDFix by AndyManchesta and save it to your Desktop.

    Boot your computer into Safe Mode:

    shut down and restart
    tap the F8 key during startup
    select Safe Mode with the arrow keys
    press Enter and Enter
    select your user account
    click Yes

    On some machines you tap F5 instead of F8.

    • Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your Desktop. A folder named SDFix should appear on the Desktop.
    • Open the SDFix folder and double-click the file RunThis.bat to start the program.
    • Press Y to start the script.
    • The tool will clean the trojan's services and also make some repairs to the registry. Finally it will ask you to reboot the machine: "Press any key to Reboot".
    • Press any key and the machine will reboot.
    • Startup will take longer than normal because SDFix is cleaning the machine.
    • Once the machine has started and the Desktop has loaded, SDFix will report that the cleanup is complete: "Finished".
    • Then press any key to close the script and load the Desktop shortcuts.
    • Finally, open the SDFix folder (on the Desktop) and copy & paste the contents of Report.txt into your thread along with a new HijackThis log.


     
  12. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:26:30, on 20.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\drivers\STDSB.exe
    C:\WINDOWS\system32\drivers\Icon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Glary Utilities\memdefrag.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\slmdmsr.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    F:\PhoneConnectorVMC.exe
    C:\hjt\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
    O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fin.htm
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 5523 bytes



    SDFix: Version 1.240
    Run by Dream on Fri 19.12.2008 at 17:32

    Microsoft Windows XP [version 5.1.2600]
    Running From: C:\Documents and Settings\Dream\Työpöytä\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\x - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-19 17:37:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\aMSN\\bin\\wish.exe"="C:\\Program Files\\aMSN\\bin\\wish.exe:*:Enabled:Wish Application"
    "C:\\Games\\Paintball2\\paintball2.exe"="C:\\Games\\Paintball2\\paintball2.exe:*:Enabled:paintball2"
    "C:\\Documents and Settings\\Dream\\Työpöytä\\utorrent.exe"="C:\\Documents and Settings\\Dream\\Työpöytä\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\openarena.exe"="C:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\openarena.exe:*:Enabled:openarena"
    "C:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\oa_ded.exe"="C:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\oa_ded.exe:*:Enabled:oa_ded"
    "C:\\Documents and Settings\\Dream\\Työpöytä\\RC44.5\\Stealthy.exe"="C:\\Documents and Settings\\Dream\\Työpöytä\\RC44.5\\Stealthy.exe:*:Enabled:DC++"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files :


    File Backups: - C:\DOCUME~1\Dream\TYPYT~1\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 4 Jul 2006 210 A.SHR --- "C:\BOOT.BAK"
    Fri 12 Dec 2008 24 ..SH. --- "C:\WINDOWS\SA26448C1.tmp"
    Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
    Wed 15 Sep 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
    Wed 15 Sep 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
    Thu 2 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
    Fri 19 Dec 2008 25,522,962 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\62d62e0211952100601ada7c358a5218\download\BIT18.tmp"

    Finished!

     
  13. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    But on to the actual matter: the problem still occurs now and then. That is, when a page is not found, you get: "jar:file:///C:/Program%20Files/Mozilla%20Firefox/chrome/fi.jar!/locale/browser-region/region.propertieskeskustelu.afterdawn.com", where only the address at the end differs.
     
  14. Hujo

    Hujo Guest

    - Download this program!
    HostsXpert.zip
    - Create a new folder: C:\HostsXpert
    - Extract it into the folder C:\HostsXpert
    Further instructions in English here
    - Run HostsXpert.exe (it must be in that C:\HostsXpert folder)

    - Click "Make Hosts Writable?" in the top right corner (if active)
    - Click "Restore Microsoft's Hosts File" and then OK
    - Press X to exit
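    HostsXpert, as used above, overwrites the hosts file without first showing what a hijack put there. The script below is an added example (mine, not HostsXpert's and not from any post in this thread) that audits a Windows hosts file before you restore the stock one: it separates the stock "127.0.0.1 localhost" line from names black-holed to loopback/0.0.0.0, names pinned to a routable address, and LAN overrides, and marks update/AV domains that hijacks commonly target. The WATCHED_SUFFIXES list and the SAMPLE_HOSTS contents are assumptions constructed for the example.

```python
"""Audit a Windows hosts file before restoring the stock one.

Added example for this thread; not part of HostsXpert or of any post.
Malware edits %SystemRoot%\\System32\\drivers\\etc\\hosts either to
black-hole update and AV sites (map them to 127.0.0.1 or 0.0.0.0) or to
redirect well-known names to an address the attacker controls. A stock
XP hosts file has comments plus one active line: "127.0.0.1 localhost".

Usage: python hosts_audit.py [path-to-hosts]   (no argument: built-in sample)
"""
import ipaddress
import sys

# Active mappings of a stock hosts file (XP has only the first; Vista and
# later add the IPv6 one).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Names that hijacks typically black-hole. Assumed list for illustration.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com", "mozilla.org")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every active line; comments and
    malformed lines are skipped, as the resolver skips them."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield n, fields[0], fields[1:]


def classify(ip, name):
    """Say what a mapping does: default, blackholed, lan-override,
    redirected or invalid-ip."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid-ip"
    if name.lower() == "localhost" and addr.is_loopback:
        return "default"
    if addr.is_loopback or addr.is_unspecified:
        return "blackholed"      # name resolves to nothing reachable
    if any(addr in net for net in RFC1918):
        return "lan-override"    # may be a deliberate local override
    return "redirected"          # public name pinned to a routable address


def audit_hosts(text):
    """Return one finding per non-default mapping, in file order."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            kind = classify(ip, name)
            if kind != "default":
                findings.append({"line": line_no, "ip": ip, "name": name, "kind": kind,
                                 "watched": name.lower().endswith(WATCHED_SUFFIXES)})
    return findings


def is_default(text):
    """True when every active mapping is one the stock file ships with."""
    return {(ip, n) for _, ip, names in parse_hosts(text) for n in names} <= DEFAULT_ENTRIES


# Constructed sample: the stock file plus three typical hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avast.com        # AV vendor black-holed
0.0.0.0         windowsupdate.microsoft.com
192.0.2.10      www.google.com       # pinned to a routable address
"""

if __name__ == "__main__":
    # Windows writes the file in the OEM/ANSI code page; latin-1 never fails to decode.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(text):
        mark = "!!" if f["watched"] else "  "
        print(f"{mark} line {f['line']}: {f['ip']} -> {f['name']} ({f['kind']})")
    print("stock hosts file" if is_default(text) else "hosts file has been modified")
```

    Run it against the live file with `python hosts_audit.py C:\WINDOWS\system32\drivers\etc\hosts` before clicking "Restore Microsoft's Hosts File"; a "blackholed" or "redirected" hit on a watched domain is the evidence worth keeping, and a report of "stock hosts file" (which is what nwind found) tells you the symptom has another cause.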
     
  15. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    The hosts file was untouched, but I did as you advised. The problem still occurs. Is there anything more that can be done, or should I remove Firefox, clean the registry of all its junk and reinstall it?
     
  16. Hujo

    Hujo Guest

    Scan with HJT, check these and press Fix checked

    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
    O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe

    has there been ripaiblaster on the computer, or is it still there
     
  17. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    I removed Firefox and went into its "main folder"; there was a components folder and a chrome folder. I deleted them, rebooted the computer and reinstalled Firefox. Now the fault no longer occurs, so ask.js in the components folder was probably the culprit.


    I removed the entries you mentioned.

    New log; is there still anything? There are now only 2 hours left before the computer leaves:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:24:50, on 20.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Glary Utilities\memdefrag.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\slmdmsr.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    F:\PhoneConnectorVMC.exe
    F:\vmc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hjt\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKLM\..\RunOnce: [HDReg] c:\Apps\HDReg\HDRegApp.exe -r
    O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fin.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA}: NameServer = 195.226.224.72 195.226.224.76
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 5520 bytes
     
  18. Hujo

    Hujo Guest

    that Google browser probably just brings problems

    There was one fix ready there, but according to the log it isn't needed

    Is this yours
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fin.htm
    if not, fix it out

    =============

    scan a new ComboFix log
     
    Last edited by a moderator: 20.12.2008
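    Hujo's reading of the log in posts 16 and 18 comes down to a few pattern checks: an O4 autorun whose .exe lives in system32\drivers (a directory that holds only .sys files on a clean install), an O14 reset page that does not point at Microsoft, an O17 NameServer entry that only the owner can vouch for, and O23 services whose binary carries no vendor name. The script below is an added example (mine, not a HijackThis feature and not from any post) that applies those checks to a whole HijackThis 2.0.x log. The SUSPECT_DIRS list, the severity labels and the trusted_dns allow-list parameter are assumptions; the sample lines are taken from the logs posted in this thread.

```python
"""Triage a HijackThis 2.0.x log for the entry classes discussed in this
thread. Added example: not a HijackThis feature and not code from any
post; the heuristics and the SUSPECT_DIRS list are assumptions.

Usage: python hjt_triage.py HijackThis.log   (no argument: built-in sample)
"""
import re
import sys

# Every HJT finding line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*?)\s*$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 body: "Service: <display (short)> - <company> - <image path>". HJT
# prints "Unknown owner" or nothing at all when the binary carries no
# company name, so the company field is allowed to be empty.
O23_RE = re.compile(r"^Service:\s+(?P<svc>.*?)\s+-\s+(?P<company>.*?)\s*-\s+(?P<path>.+)$")
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.I)
DRIVE_RE = re.compile(r"^[a-z]:\\", re.I)

# Directories nothing should autorun from: drivers\ holds .sys files, the
# others are user- or world-writable. Assumed list for illustration.
SUSPECT_DIRS = ("\\system32\\drivers\\", "\\temp\\", "\\documents and settings\\", "\\recycler\\")


def parse_entries(text):
    """Return [(code, body), ...] for the finding lines of an HJT log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(text, trusted_dns=frozenset()):
    """Return a list of findings; trusted_dns is the caller's allow-list of
    DNS server addresses (for example the ones the ISP hands out)."""
    findings = []

    def add(code, severity, reason, body):
        findings.append({"code": code, "severity": severity, "reason": reason, "entry": body})

    for code, body in parse_entries(text):
        if code == "O4":
            m = O4_RE.match(body)
            e = EXE_RE.match(m["cmd"]) if m else None
            if not e:
                continue
            exe = e["exe"]
            if any(d in exe.lower().replace("/", "\\") for d in SUSPECT_DIRS):
                add(code, "high", "autorun from a directory that should hold no executables: " + exe, body)
            elif not DRIVE_RE.match(exe):
                add(code, "info", "bare filename, resolved through PATH at logon: " + exe, body)
        elif code == "O14" and "START_PAGE_URL=" in body:
            url = body.split("START_PAGE_URL=", 1)[1]
            if "microsoft.com" not in url.lower():
                add(code, "medium", "IE 'reset' page overridden (OEM image or hijack): " + url, body)
        elif code == "O17":
            m = O17_RE.search(body)
            if m:
                servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
                unknown = [s for s in servers if s not in trusted_dns]
                if unknown:
                    add(code, "medium", "DNS servers not on the allow-list, verify with the ISP: " + " ".join(unknown), body)
        elif code == "O23":
            m = O23_RE.match(body)
            if m and m["company"].strip() in ("", "Unknown owner"):
                add(code, "medium", "service binary without a vendor name: " + m["path"], body)
    return findings


# Sample input: lines taken from the logs posted in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\\..\\Run: [STDSB] C:\\WINDOWS\\system32\\drivers\\STDSB.exe
O4 - HKLM\\..\\Run: [Icon] C:\\WINDOWS\\system32\\drivers\\Icon.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\\APPS\\IE\\offline\\fin.htm
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA}: NameServer = 195.226.224.72 195.226.224.76
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\\APPS\\HIDSERVICE\\HIDSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\\WINDOWS\\SYSTEM32\\slmdmsr.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f['severity']:6}] {f['code']}: {f['reason']}")
```

    The two "high" hits are exactly the STDSB and Icon entries Hujo told nwind to fix; the O14 hit is the Packard Bell offline page, which shows why the script reports an override rather than calling it malicious. The O17 servers are reported as unverified because nothing in a log can prove they belong to the ISP; pass them in trusted_dns once the owner has confirmed them and the finding disappears.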
  19. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    My computer has never had Google's own browser, only its modified open-source version Iron ( http://www.srware.net/en/software_srware_iron.php ). That problem did not come with Iron, though :)

    That offline page is Packard Bell's own default IE page, which appears when the computer is reinstalled from the recovery partition, but I removed it anyway since IE is not in use in any case. In general I hate PB's habit of force-feeding Norton :).

    ComboFix 08-12-18.01 - Dream 2008-12-20 4:08:31.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.703.263 [GMT 2:00]
    Running from: c:\cf\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
    .

    2008-12-20 02:37 . 2008-12-20 02:39 <DIR> d-------- C:\HostsXpert
    2008-12-19 17:31 . 2008-12-19 17:31 577,536 --a------ c:\windows\system32\dllcache\user32.dll
    2008-12-19 17:30 . 2008-12-19 17:30 <DIR> d-------- c:\windows\ERUNT
    2008-12-19 17:13 . 2008-12-20 03:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-12-19 14:31 . 2008-12-19 16:37 <DIR> d-------- C:\cf
    2008-12-19 12:00 . 2008-12-20 04:07 <DIR> d-------- C:\hjt
    2008-12-18 15:57 . 2008-12-18 15:57 <DIR> d-------- c:\program files\Exact Audio Copy
    2008-12-18 15:57 . 2008-12-18 15:57 <DIR> d-------- c:\documents and settings\Dream\Application Data\AccurateRip
    2008-12-18 15:56 . 2008-12-18 15:56 <DIR> d-------- C:\lame
    2008-12-17 18:05 . 2008-12-17 19:59 <DIR> d-------- c:\documents and settings\Dream\Application Data\vlc
    2008-12-17 18:05 . 2008-12-18 17:15 <DIR> d-------- c:\documents and settings\Dream\Application Data\dvdcss
    2008-12-17 18:04 . 2008-12-17 18:04 <DIR> d-------- c:\program files\VideoLAN
    2008-12-17 17:11 . 2008-12-17 17:11 <DIR> d-------- c:\documents and settings\Dream\Application Data\Sonic
    2008-12-17 17:06 . 2008-12-17 17:06 <DIR> d-------- c:\documents and settings\Dream\Application Data\Leadertech
    2008-12-16 02:29 . 2008-12-16 02:29 11,381 --a------ c:\windows\E220AutoRunLog.tmp
    2008-12-16 00:02 . 2008-12-16 00:02 <DIR> d-------- c:\program files\OpenAL
    2008-12-15 23:42 . 2008-12-15 23:42 <DIR> d-------- c:\documents and settings\Dream\Application Data\OpenArena
    2008-12-15 20:27 . 2008-12-15 20:31 <DIR> d-------- c:\documents and settings\Dream\Application Data\Wormux
    2008-12-15 18:13 . 2008-12-15 18:13 <DIR> d-------- C:\Games
    2008-12-13 18:38 . 2008-12-13 18:38 <DIR> d-------- c:\program files\uTorrent
    2008-12-13 18:38 . 2008-12-18 05:45 <DIR> d-------- c:\documents and settings\Dream\Application Data\uTorrent
    2008-12-13 02:29 . 2008-12-13 02:29 <DIR> d-------- c:\program files\Alwil Software
    2008-12-13 01:45 . 2008-12-13 01:45 <DIR> d-------- c:\documents and settings\Dream\Application Data\AdobeUM
    2008-12-12 06:48 . 2008-12-12 06:55 <DIR> d-------- c:\program files\Notebook Hardware Control
    2008-12-12 06:25 . 2008-12-12 06:25 <DIR> d-------- c:\program files\xp-AntiSpy
    2008-12-12 06:07 . 2008-12-12 06:08 <DIR> d-------- c:\documents and settings\Dream\Shared
    2008-12-12 06:02 . 2008-12-12 06:03 <DIR> d-------- C:\Incomplete
    2008-12-12 06:02 . 2008-12-12 06:12 <DIR> d-------- c:\documents and settings\Dream\Incomplete
    2008-12-12 06:01 . 2008-12-12 06:12 <DIR> d-------- c:\documents and settings\Dream\Application Data\MP3Rocket
    2008-12-12 05:28 . 2008-12-12 05:28 <DIR> d-------- c:\program files\CCleaner
    2008-12-12 03:16 . 2008-12-12 03:16 <DIR> d-------- c:\program files\Empire Interactive
    2008-12-12 01:29 . 2008-12-12 01:31 <DIR> d-------- c:\windows\system32\NtmsData
    2008-12-12 01:13 . 2008-12-12 01:13 <DIR> d-------- c:\program files\MagicDisc
    2008-12-12 01:13 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
    2008-12-12 01:12 . 2008-12-12 03:22 <DIR> d-------- c:\program files\SlySoft
    2008-12-12 01:12 . 2008-12-12 01:19 24 ---hs---- c:\windows\SA26448C1.tmp
    2008-12-12 01:11 . 2008-12-12 01:11 617 --a------ c:\windows\eReg.dat
    2008-12-12 00:23 . 2008-12-12 00:51 <DIR> d-------- c:\program files\Cube
    2008-12-11 23:57 . 2008-12-12 00:00 <DIR> d-------- c:\program files\Soldier Under Fire
    2008-12-11 23:57 . 2008-12-12 00:00 <DIR> d--h----- c:\program files\InstallJammer Registry
    2008-12-11 01:24 . 2008-12-11 01:24 <DIR> d-------- C:\OEMCUST
    2008-12-11 01:24 . 2008-12-11 01:24 <DIR> d-------- C:\FACTONLY
    2008-12-11 01:24 . 2008-12-11 01:24 <DIR> d-------- C:\CABS
    2008-12-11 01:14 . 2008-12-11 01:14 <DIR> d-------- c:\documents and settings\Dream\Application Data\CyberLink
    2008-12-11 00:04 . 2008-08-14 15:39 2,188,288 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,065,280 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-11 00:04 . 2008-08-14 15:39 2,023,424 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-10 23:51 . 2008-10-03 12:17 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
    2008-12-10 13:43 . 2007-03-08 01:51 129,784 --------- c:\windows\system32\pxafs.dll
    2008-12-10 13:43 . 2007-03-08 01:51 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
    2008-12-10 13:43 . 2007-03-08 01:51 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
    2008-12-10 13:42 . 2008-12-10 13:49 <DIR> d-------- c:\program files\Winamp
    2008-12-10 13:42 . 2008-12-10 13:50 <DIR> d-------- c:\documents and settings\Dream\Application Data\Winamp
    2008-12-09 21:02 . 2008-12-09 21:02 <DIR> d-------- c:\program files\Vodafone
    2008-12-09 21:02 . 2008-12-09 21:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-09 00:36 . 2008-12-09 00:37 <DIR> d-------- c:\documents and settings\Dream\Application Data\Media Player Classic
    2008-12-07 17:24 . 2008-12-07 17:24 741,888 --a------ c:\program files\uTool.exe
    2008-12-07 14:28 . 2008-12-07 14:33 <DIR> d-------- c:\windows\SxsCaPendDel
    2008-12-06 22:32 . 2008-12-06 22:32 <DIR> d-------- c:\documents and settings\Dream\Application Data\Vodafone
    2008-12-06 22:29 . 2008-12-06 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
    2008-12-06 22:27 . 2008-12-06 22:27 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Vodafone
    2008-12-06 22:26 . 2008-12-07 14:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Vodafone
    2008-12-06 22:24 . 2008-12-06 22:24 8,464 --a------ c:\windows\system32\SpOrder.dll
    2008-12-05 20:01 . 2008-12-14 20:34 <DIR> d-------- c:\documents and settings\Dream\amsn
    2008-12-05 14:26 . 2008-12-05 14:26 <DIR> d-------- c:\documents and settings\Dream\Application Data\OpenOffice.org
    2008-12-05 14:14 . 2008-12-11 01:06 <DIR> d-------- c:\documents and settings\Dream\Application Data\GlarySoft
    2008-12-05 14:13 . 2008-12-05 14:13 <DIR> d-------- c:\documents and settings\Dream\Application Data\Malwarebytes
    2008-12-05 14:13 . 2008-12-09 00:35 <DIR> d-------- c:\documents and settings\Dream\.smplayer
    2008-12-05 14:02 . 2008-12-05 23:51 <DIR> d--h----- c:\documents and settings\Dream\Verkkoympäristö
    2008-12-05 14:02 . 2008-12-20 03:40 <DIR> dr------- c:\documents and settings\Dream\Työpöytä
    2008-12-05 14:02 . 2008-12-05 23:51 <DIR> d--h----- c:\documents and settings\Dream\Tulostinympäristö
    2008-12-05 14:02 . 2008-12-20 03:21 <DIR> dr------- c:\documents and settings\Dream\Suosikit
    2008-12-05 14:02 . 2008-12-18 17:13 <DIR> dr------- c:\documents and settings\Dream\Omat tiedostot
    2008-12-05 14:02 . 2008-12-05 23:52 <DIR> d--h----- c:\documents and settings\Dream\Mallit
    2008-12-05 14:02 . 2008-12-13 18:38 <DIR> dr------- c:\documents and settings\Dream\Käynnistä-valikko

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-19 15:23 --------- d-----w c:\program files\Java
    2008-12-18 06:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-18 06:12 --------- d-----w c:\program files\SpywareBlaster
    2008-12-17 17:59 --------- d-----w c:\documents and settings\Dream\Application Data\vlc
    2008-12-11 23:12 12,464 ----a-w c:\windows\system32\drivers\secdrv.sys
    2008-12-10 23:14 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-10 23:05 --------- d-----w c:\program files\Sonic
    2008-12-07 12:27 --------- d-----w c:\documents and settings\All Users\Application Data\Vodafone
    2008-12-06 20:27 --------- d-----w c:\documents and settings\LocalService\Application Data\Vodafone
    2008-12-06 20:25 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-05 21:53 --------- d-----w c:\program files\ShowTime
    2008-12-05 21:51 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-05 21:51 --------- d-----w c:\program files\Synaptics
    2008-12-05 21:51 --------- d-----w c:\program files\S3
    2008-12-05 21:51 --------- d-----w c:\program files\microsoft frontpage
    2008-12-05 21:51 --------- d-----w c:\program files\CyberLink
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\SureThing Shared
    2008-12-05 21:51 --------- d-----w c:\program files\Common Files\Adobe
    2008-12-05 19:07 --------- d-----w c:\program files\MSXML 4.0
    2008-12-05 18:00 --------- d-----w c:\program files\aMSN
    2008-12-05 14:41 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-05 13:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-12-05 12:24 --------- d-----w c:\program files\OpenOffice.org 3
    2008-12-05 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
    2008-12-05 12:14 --------- d-----w c:\program files\Glary Utilities
    2008-12-05 12:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-03 17:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 17:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:00 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:00 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 12:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 17:00 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 09:45 18,432 ------w c:\windows\system32\dllcache\iedw.exe
    2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-19_14.35.32,40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-07 13:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
    + 2008-12-19 15:30:38 3,518,464 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-12-19 15:30:38 274,432 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-08-07 13:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-12-19 15:30:28 3,518,464 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-12-19 15:30:28 274,432 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-11-03 14:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
    + 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
    + 2008-12-19 23:21:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_554.dat
    + 2008-12-19 23:21:25 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_ec.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Glary Memory Optimizer"="c:\program files\Glary Utilities\memdefrag.exe" [2008-12-01 89600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 688218]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 c:\windows\SOUNDMAN.EXE]
    "VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-09-14 c:\windows\system32\VTTrayp.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

    c:\documents and settings\Dream\Käynnistä-valikko\Ohjelmat\Käynnistys\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-12 575488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "PCMService"="c:\apps\Powercinema\PCMService.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\aMSN\\bin\\wish.exe"=
    "c:\\Games\\Paintball2\\paintball2.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\utorrent.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\openarena.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\openarena-0.8.1\\oa_ded.exe"=
    "c:\\Documents and Settings\\Dream\\Työpöytä\\RC44.5\\Stealthy.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-13 111184]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-13 20560]
    R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2006-07-04 11279]
    S2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2006-07-04 11279]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27a-c3d5-11dd-954f-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a98d27b-c3d5-11dd-954f-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b91fb26-c45d-11dd-9552-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b91fb27-c45d-11dd-9552-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83d7e908-cb08-11dd-9589-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95379f20-c385-11dd-9545-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98727ee6-c621-11dd-9562-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98727ee7-c621-11dd-9562-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9d21804-c623-11dd-9565-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9d21805-c623-11dd-9565-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecd9d0c6-c55c-11dd-955c-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecd9d0c7-c55c-11dd-955c-0040d0955565}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cc91c0-c2c3-11dd-953e-806d6172696f}]
    \Shell\AutoRun\command - E:\VMC_PBStarter.exe
    .
    'Ajoitetut tehtävät'-kansion sisältö

    2008-12-19 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2008-12-01 09:38]

    2008-12-20 c:\windows\Tasks\HDReg.job
    - c:\apps\HDReg\HDRegRem.exe [2003-07-15 09:14]
    .
    - - - - POISTETUT JÄMÄRIVIT - - - -

    HKLM-RunOnce-<NO NAME> - (no file)


    .
    ------- Täydentävä tarkistus -------
    .
    TCP: {F9A23660-FFC3-4CE0-AFA6-6E41A429E6FA} = 195.226.224.72 195.226.224.76
    FF - ProfilePath - c:\documents and settings\Dream\Application Data\Mozilla\Firefox\Profiles\hvtu78d5.default\

    ATTENTION: FIREFOX POLICES IS IN FORCE
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-20 04:09:56
    Windows 5.1.2600 Service Pack 2 NTFS

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    Valmistumisajankohta: 2008-12-20 4:10:43
    ComboFix-quarantined-files.txt 2008-12-20 02:10:40
    ComboFix2.txt 2008-12-19 14:39:50
    ComboFix3.txt 2008-12-19 12:36:04

    Ennen ajoa: 29 516 255 232 tavua vapaana
    Ajon jälkeen: 29,506,445,312 tavua vapaana

    250 --- E O F --- 2008-12-19 16:17:47
     
  20. Hujo

    Hujo Guest

    Type into the Run box

    ComboFix /u

    Click OK

    =============

    Empty the Malwarebytes' Anti-Malware quarantine

    Empty the Recycle Bin

    =============

    Delete the folders:
    C:\HostsXpert
    SDFix
    C:\cf <-- you seem to have made the ComboFix folder like this; delete it, its own folder is there too
    C:\ComboFix
    C:\Qoobox

    ============

    How does the machine feel?
     
    Last edited by a moderator: 20.12.2008
  21. nwind

    nwind Regular member

    Joined:
    21.05.2003
    Messages:
    452
    Thanks:
    12
    Points:
    28
    Works fine :) Thanks for the help.
     
