
Some virus/malware on the machine, apparently from Messenger

Thread in the Viruses and malware - HijackThis logs section. Thread started by mrjonessi on 02.06.2008.

  1. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    The machine is a complete mess now. I went and opened that "your picture?" Messenger virus and now the machine is all messed up, exe files keep appearing in the root of C: and avast alerts constantly, but it doesn't help at all. Here's the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:25:49, on 2.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\BitComet\BitComet.exe
    D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    D:\Program Files\DAEMON Tools Lite\daemon.exe
    D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    D:\WINDOWS\system32\telecms.exe
    D:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    D:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
    O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] D:\WINDOWS\system32\telecms.exe
    O4 - HKLM\..\Run: [Windows svchost] service.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows UDP Control Center] winudpmgr.exe
    O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] D:\WINDOWS\system32\telecms.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - d:\windows\system32\mssrv32.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5264 bytes
     
  3. mrjonessi

    If someone could maybe help..
     
  4. Hujo

    Hujo Guest

    1. Download combofix.exe to your desktop from one of these links:
    combofix1
    combofix2

    2. Double-click the combofix.exe file and follow the instructions.
    3. When the tool is finished, it will produce a log. Post this log in your thread.
    Note! Do not click around in the ComboFix window while it is running. This may cause the program to hang.
     
  5. mrjonessi

    Here it is:

    ComboFix 08-06-01.6 - Jouni Ala 2008-06-03 18:18:30.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.562 [GMT 3:00]
    Running from: D:\Documents and Settings\Jouni Ala\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\WINDOWS\service.exe
    D:\WINDOWS\system32\mssrv32.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_msupdate
    -------\Service_msupdate


    ((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
    .

    2008-06-03 18:20 . 2008-06-03 18:20 9,216 --a------ D:\WINDOWS\system32\kxhhj.exe
    2008-06-03 18:13 . 2008-06-03 18:13 9,216 --a------ D:\WINDOWS\system32\gnuqjjal.exe
    2008-06-03 18:05 . 2008-06-03 18:05 9,216 --a------ D:\WINDOWS\system32\cxjbzl.exe
    2008-06-03 17:35 . 2008-06-03 17:35 9,216 --a------ D:\WINDOWS\system32\ltrvvlq.exe
    2008-06-02 21:35 . 2008-06-03 18:18 8,176 --a------ D:\Documents and Settings\Jouni Ala\setup.exe
    2008-06-02 20:23 . 2008-06-02 20:23 9,216 --a------ D:\WINDOWS\system32\fjiiywj.exe
    2008-06-02 19:10 . 2008-06-02 19:10 9,216 --a------ D:\WINDOWS\system32\uoikl.exe
    2008-06-02 18:58 . 2008-06-02 18:58 9,216 --a------ D:\WINDOWS\system32\krjvry.exe
    2008-06-02 18:22 . 2008-06-03 18:21 71,602 --a------ D:\WINDOWS\system32\hcnwg4u.sys
    2008-06-01 20:08 . 2008-06-01 20:08 <DIR> d-------- D:\Program Files\MSXML 4.0
    2008-06-01 18:15 . 2008-06-01 18:15 1,355 --a------ D:\WINDOWS\imsins.BAK
    2008-06-01 15:40 . 2008-06-01 15:40 <DIR> d-------- D:\VundoFix Backups
    2008-06-01 15:23 . 2008-06-01 15:23 2,352 --a------ D:\WINDOWS\system32\tmp.reg
    2008-06-01 15:21 . 2007-09-06 00:22 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
    2008-06-01 15:21 . 2006-04-27 17:49 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
    2008-06-01 15:21 . 2008-05-27 13:54 86,528 --a------ D:\WINDOWS\system32\VACFix.exe
    2008-06-01 15:21 . 2008-05-18 21:40 82,944 --a------ D:\WINDOWS\system32\IEDFix.exe
    2008-06-01 15:21 . 2008-05-18 21:40 82,944 --a------ D:\WINDOWS\system32\404Fix.exe
    2008-06-01 15:21 . 2003-06-05 21:13 53,248 --a------ D:\WINDOWS\system32\Process.exe
    2008-06-01 15:21 . 2004-07-31 18:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
    2008-06-01 15:21 . 2007-10-04 00:36 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
    2008-06-01 14:59 . 2004-03-09 01:00 1,081,616 --a------ D:\WINDOWS\system32\MSCOMCTL.OCX
    2008-05-31 21:12 . 2008-05-31 21:12 43,520 --a------ D:\WINDOWS\system32\CmdLineExt03.dll
    2008-05-31 18:53 . 2008-05-31 20:38 86,512 --a------ D:\Documents and Settings\Jouni Ala\setup1.exe
    2008-05-31 12:00 . 2008-05-31 12:00 83,400 -r-hs---- D:\WINDOWS\winudpmgr.exe
    2008-05-31 11:34 . 2008-05-31 11:34 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\Ahead
    2008-05-31 11:29 . 2008-05-31 11:29 <DIR> d-------- D:\Program Files\Nero
    2008-05-31 11:29 . 2008-05-31 11:32 <DIR> d-------- D:\Program Files\Common Files\Ahead
    2008-05-31 11:29 . 2008-05-31 11:29 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
    2008-05-29 22:59 . 2008-05-29 22:59 <DIR> d-------- D:\Program Files\Windows Media Connect 2
    2008-05-29 22:58 . 2008-05-29 22:58 <DIR> d-------- D:\WINDOWS\system32\LogFiles
    2008-05-29 22:58 . 2008-05-29 22:59 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
    2008-05-28 19:22 . 2008-05-29 17:03 56,832 -r-hs---- D:\WINDOWS\winudspm.exe
    2008-05-27 18:59 . 2008-05-27 18:59 98,304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
    2008-05-27 18:58 . 2008-05-27 18:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InstallShield
    2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- D:\Program Files\DAEMON Tools Lite
    2008-05-27 18:54 . 2008-05-27 18:54 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\DAEMON Tools
    2008-05-27 18:54 . 2008-05-27 18:54 717,296 --a------ D:\WINDOWS\system32\drivers\sptd.sys
    2008-05-26 20:43 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
    2008-05-26 20:43 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
    2008-05-26 20:43 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
    2008-05-26 16:38 . 2008-05-26 20:41 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Contacts
    2008-05-26 16:17 . 2008-05-26 16:32 <DIR> d-------- D:\Program Files\Windows Live
    2008-05-26 16:17 . 2008-05-26 16:21 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-26 16:17 . 2008-05-26 16:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-24 13:13 . 2003-09-17 15:57 8,440 --a------ D:\WINDOWS\system32\drivers\LANPkt.sys
    2008-05-23 17:42 . 2006-03-17 03:38 28,672 --------- D:\WINDOWS\system32\verclsid.exe
    2008-05-23 16:34 . 2007-10-30 20:20 360,064 --a------ D:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
    2008-05-23 16:34 . 2007-10-30 20:20 360,064 --a--c--- D:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
    2008-05-23 16:08 . 2008-05-23 16:08 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\vlc
    2008-05-23 07:47 . 2008-05-23 07:48 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\fretsonfire
    2008-05-22 21:41 . 2008-05-22 21:41 2,560 --a------ D:\WINDOWS\system32\bitcometres.dll
    2008-05-22 21:40 . 2008-05-22 23:05 <DIR> d-------- D:\Program Files\BitComet
    2008-05-22 21:15 . 2008-05-22 21:42 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\uTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-31 17:08 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-05-31 17:07 --------- d-----w D:\Program Files\Common Files\InstallShield
    2008-05-23 13:34 360,064 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
    2008-05-23 13:08 --------- d-----w D:\Documents and Settings\Jouni Ala\Application Data\vlc
    2008-05-22 17:22 315,392 ----a-w D:\WINDOWS\HideWin.exe
    2008-05-22 17:22 --------- d-----w D:\Program Files\Realtek
    2008-05-22 17:21 --------- d-----w D:\Program Files\DIFX
    2008-05-22 17:04 --------- d-----w D:\Program Files\microsoft frontpage
    2007-06-13 10:23 249,496 --sh--r D:\WINDOWS\system32\telecms.exe
    .

    ------- Sigcheck -------

    2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 15:00 359040 9f4b36614a0fc234525ba224957de55c D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\dllcache\tcpip.sys
    2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
    "BitComet"="D:\Program Files\BitComet\BitComet.exe" [2008-03-25 09:38 2196280]
    "MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 12:39 486856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21 153136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 15:00 208952]
    "PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
    "PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 10:28 16126464 D:\WINDOWS\RTHDCPL.exe]
    "NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
    "nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 D:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 02:19 79224]
    "Windows UDP Control"="winudspm.exe" [2008-05-29 17:03 56832 D:\WINDOWS\winudspm.exe]
    "psyspy-2.1.4 Client Server"="D:\WINDOWS\system32\telecms.exe" [2007-06-13 13:23 249496]
    "Windows svchost"="service.exe" []
    "NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "Windows UDP Control Center"="winudpmgr.exe" [2008-05-31 12:00 83400 D:\WINDOWS\winudpmgr.exe]
    "RegistryMechanic"="" []
    "Local Security Authority Service"="D:\WINDOWS\system32\lssas.exe" [2007-06-13 13:23 35840]
    "Advanced DHTML Enable"="c:\ple.exe" [2008-06-03 18:21 24064]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "psyspy-2.1.4 Client Server"="D:\WINDOWS\system32\telecms.exe" [2007-06-13 13:23 249496]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\BitComet\\BitComet.exe"=
    "D:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\WINDOWS\\system32\\telecms.exe"=
    "C:\\ple.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "27329:TCP"= 27329:TCP:BitComet 27329 TCP
    "27329:UDP"= 27329:UDP:BitComet 27329 UDP

    R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    S2 qandr;qandr;D:\WINDOWS\system32\drivers\qandr.sys []
    S3 oflpydin;oflpydin;D:\DOCUME~1\JOUNIA~1\LOCALS~1\Temp\oflpydin.sys []


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}]
    c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-03 18:20:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-03 18:22:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-03 15:21:57

    Pre-Run: 14,569,308,160 bytes free
    Post-Run: 16,702,857,216 bytes free

    169 --- E O F --- 2008-06-01 17:08:37
     
  6. Hujo

    Hujo Guest

    Scan with HJT, tick the following and press Fix checked

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
    O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] D:\WINDOWS\system32\telecms.exe
    O4 - HKLM\..\Run: [Windows svchost] service.exe
    O4 - HKLM\..\Run: [Windows UDP Control Center] winudpmgr.exe

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe.

    Restart the computer when asked and post the contents of the combofix.txt file here.

    ==================

    Download VundoFix.exe HERE to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo option.
    When the scan is finished, click the Fix Vundo option.
    You will be asked whether you want to delete the files - click YES.
    After you click yes, your desktop will go blank as it starts removing Vundo.
    When it is done, the fix will tell you to restart your computer; click OK.
    Post the contents of the C:\vundofix.txt log and a fresh HijackThis log.

    Note: It is possible that VundoFix found a file it was unable to delete.
    In that case VundoFix runs itself at reboot; just follow the instructions above starting from "Click the Scan for Vundo option." when VundoFix appears after the restart.

    ================

    Download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and
    Launch Malwarebytes' Anti-Malware, then click Finish.
    3. If an update is found, the program will download and install the latest version.
    4. Once the program has loaded, select Perform full scan and click Scan.
    5. When the scan is complete, click OK and then Show Results to view the results.
    6. Make sure that everything is checked and click Remove Selected.
    7. After that, the log will open in Notepad. Save it somewhere you can find it easily. The log
    can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    8. Post the contents of the log in your next reply.
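The entries Hujo singles out share traits a responder can check mechanically: an autostart whose command is a bare file name with no path, an entry name that mimics a Windows component, a service with no vendor, a BHO with no file, and a binary whose name is one edit away from a real system process (lssas.exe for lsass.exe, service.exe for services.exe). As an added example, not code from this thread or from any of the tools it mentions, here is a small Python triage script that applies those heuristics to HijackThis O2/O4/O23 lines; the sample lines are copied from the log posted above, and the known-binary list and the edit-distance threshold are my own assumptions.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines (constructed for this example: copied from the log
# posted in the thread, plus a few known-good entries for contrast).
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] D:\WINDOWS\system32\telecms.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [Local Security Authority Service] D:\WINDOWS\system32\lssas.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - d:\windows\system32\mssrv32.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumed list of core Windows XP process names that malware likes to imitate.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First executable/library on a command line, quoted or not.
BIN_RE = re.compile(r'^"?(?P<bin>[^"]*?\.(?:exe|dll|scr|com))\b', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    name: str
    binary: str
    reasons: list


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so that lssas.exe is one edit away from lsass.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def first_binary(cmd: str) -> str:
    """Extract the program an O4 command line launches."""
    m = BIN_RE.match(cmd.strip())
    return m.group("bin") if m else cmd.strip().split(" ")[0]


def lookalike_of(binary: str):
    """Return the system binary this file name imitates, if any."""
    base = binary.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if osa_distance(base, known) <= 1:
            return known
    return None


def triage(log_text: str) -> list:
    """Apply the heuristics to O2/O4/O23 lines; return only entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, kind, name, binary = [], "", "", ""
        if m := O2_RE.match(line):
            kind, name, binary = "O2", m["name"], m["path"]
            if binary == "(no file)":
                reasons.append("orphaned BHO: CLSID registered but no file on disk")
        elif m := O4_RE.match(line):
            kind, name, binary = "O4", m["name"], first_binary(m["cmd"])
        elif m := O23_RE.match(line):
            kind, name, binary = "O23", m["name"], m["path"]
            if m["owner"] == "Unknown owner":
                reasons.append("service has no vendor (Unknown owner)")
        else:
            continue  # other HJT sections are not handled here
        if not binary.startswith("("):
            if "\\" not in binary:
                reasons.append("bare file name without a path: location cannot be verified")
            if known := lookalike_of(binary):
                reasons.append(f"lookalike of {known}")
        if kind != "O2" and name.lower().startswith(("windows ", "microsoft ")):
            reasons.append("entry name mimics a Windows component")
        if reasons:
            findings.append(Finding(line, name, binary, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.binary}")
        for r in f.reasons:
            print(f"    - {r}")
```

The heuristics are deliberately conservative: telecms.exe, which Hujo also lists, has a proper system32 path and is only exposed by the hidden/system attributes ComboFix shows for it, so a check like this is a first pass for a responder, not a verdict.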

     
  7. mrjonessi

    Here is the ComboFix log:

    ComboFix 08-06-01.6 - Jouni Ala 2008-06-03 20:47:09.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.625 [GMT 3:00]
    Running from: D:\Documents and Settings\Jouni Ala\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\Jouni Ala\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\service.exe
    C:\WINDOWS\winudpmgr.exe
    C:\WINDOWS\winudspm.exe
    D:\WINDOWS\system32\telecms.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\WINDOWS\system32\telecms.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
    .

    2008-06-03 18:20 . 2008-06-03 18:20 9,216 --a------ D:\WINDOWS\system32\kxhhj.exe
    2008-06-03 18:13 . 2008-06-03 18:13 9,216 --a------ D:\WINDOWS\system32\gnuqjjal.exe
    2008-06-03 18:05 . 2008-06-03 18:05 9,216 --a------ D:\WINDOWS\system32\cxjbzl.exe
    2008-06-03 17:35 . 2008-06-03 17:35 9,216 --a------ D:\WINDOWS\system32\ltrvvlq.exe
    2008-06-02 21:35 . 2008-06-03 18:18 8,176 --a------ D:\Documents and Settings\Jouni Ala\setup.exe
    2008-06-02 20:23 . 2008-06-02 20:23 9,216 --a------ D:\WINDOWS\system32\fjiiywj.exe
    2008-06-02 19:10 . 2008-06-02 19:10 9,216 --a------ D:\WINDOWS\system32\uoikl.exe
    2008-06-02 18:58 . 2008-06-02 18:58 9,216 --a------ D:\WINDOWS\system32\krjvry.exe
    2008-06-02 18:22 . 2008-06-03 20:47 71,602 --a------ D:\WINDOWS\system32\hcnwg4u.sys
    2008-06-01 20:08 . 2008-06-01 20:08 <DIR> d-------- D:\Program Files\MSXML 4.0
    2008-06-01 18:15 . 2008-06-01 18:15 1,355 --a------ D:\WINDOWS\imsins.BAK
    2008-06-01 15:40 . 2008-06-01 15:40 <DIR> d-------- D:\VundoFix Backups
    2008-06-01 15:23 . 2008-06-01 15:23 2,352 --a------ D:\WINDOWS\system32\tmp.reg
    2008-06-01 15:21 . 2007-09-06 00:22 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
    2008-06-01 15:21 . 2006-04-27 17:49 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
    2008-06-01 15:21 . 2008-05-27 13:54 86,528 --a------ D:\WINDOWS\system32\VACFix.exe
    2008-06-01 15:21 . 2008-05-18 21:40 82,944 --a------ D:\WINDOWS\system32\IEDFix.exe
    2008-06-01 15:21 . 2008-05-18 21:40 82,944 --a------ D:\WINDOWS\system32\404Fix.exe
    2008-06-01 15:21 . 2003-06-05 21:13 53,248 --a------ D:\WINDOWS\system32\Process.exe
    2008-06-01 15:21 . 2004-07-31 18:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
    2008-06-01 15:21 . 2007-10-04 00:36 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
    2008-06-01 14:59 . 2004-03-09 01:00 1,081,616 --a------ D:\WINDOWS\system32\MSCOMCTL.OCX
    2008-05-31 21:12 . 2008-05-31 21:12 43,520 --a------ D:\WINDOWS\system32\CmdLineExt03.dll
    2008-05-31 18:53 . 2008-05-31 20:38 86,512 --a------ D:\Documents and Settings\Jouni Ala\setup1.exe
    2008-05-31 12:00 . 2008-05-31 12:00 83,400 -r-hs---- D:\WINDOWS\winudpmgr.exe
    2008-05-31 11:34 . 2008-05-31 11:34 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\Ahead
    2008-05-31 11:29 . 2008-05-31 11:29 <DIR> d-------- D:\Program Files\Nero
    2008-05-31 11:29 . 2008-05-31 11:32 <DIR> d-------- D:\Program Files\Common Files\Ahead
    2008-05-31 11:29 . 2008-05-31 11:29 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
    2008-05-29 22:59 . 2008-05-29 22:59 <DIR> d-------- D:\Program Files\Windows Media Connect 2
    2008-05-29 22:58 . 2008-05-29 22:58 <DIR> d-------- D:\WINDOWS\system32\LogFiles
    2008-05-29 22:58 . 2008-05-29 22:59 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
    2008-05-28 19:22 . 2008-05-29 17:03 56,832 -r-hs---- D:\WINDOWS\winudspm.exe
    2008-05-27 18:59 . 2008-05-27 18:59 98,304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
    2008-05-27 18:58 . 2008-05-27 18:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InstallShield
    2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- D:\Program Files\DAEMON Tools Lite
    2008-05-27 18:54 . 2008-05-27 18:54 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\DAEMON Tools
    2008-05-27 18:54 . 2008-05-27 18:54 717,296 --a------ D:\WINDOWS\system32\drivers\sptd.sys
    2008-05-26 20:43 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
    2008-05-26 20:43 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
    2008-05-26 20:43 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
    2008-05-26 16:38 . 2008-05-26 20:41 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Contacts
    2008-05-26 16:17 . 2008-05-26 16:32 <DIR> d-------- D:\Program Files\Windows Live
    2008-05-26 16:17 . 2008-05-26 16:21 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-26 16:17 . 2008-05-26 16:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-24 13:13 . 2003-09-17 15:57 8,440 --a------ D:\WINDOWS\system32\drivers\LANPkt.sys
    2008-05-23 17:42 . 2006-03-17 03:38 28,672 --------- D:\WINDOWS\system32\verclsid.exe
    2008-05-23 16:34 . 2007-10-30 20:20 360,064 --a------ D:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
    2008-05-23 16:34 . 2007-10-30 20:20 360,064 --a--c--- D:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
    2008-05-23 16:08 . 2008-05-23 16:08 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\vlc
    2008-05-23 07:47 . 2008-05-23 07:48 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\fretsonfire
    2008-05-22 21:41 . 2008-05-22 21:41 2,560 --a------ D:\WINDOWS\system32\bitcometres.dll
    2008-05-22 21:40 . 2008-05-22 23:05 <DIR> d-------- D:\Program Files\BitComet
    2008-05-22 21:15 . 2008-05-22 21:42 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\uTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-31 17:08 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-05-31 17:07 --------- d-----w D:\Program Files\Common Files\InstallShield
    2008-05-23 13:34 360,064 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
    2008-05-23 13:08 --------- d-----w D:\Documents and Settings\Jouni Ala\Application Data\vlc
    2008-05-22 17:22 315,392 ----a-w D:\WINDOWS\HideWin.exe
    2008-05-22 17:22 --------- d-----w D:\Program Files\Realtek
    2008-05-22 17:21 --------- d-----w D:\Program Files\DIFX
    2008-05-22 17:04 --------- d-----w D:\Program Files\microsoft frontpage
    2008-03-27 08:12 151,583 ----a-w D:\WINDOWS\system32\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w D:\WINDOWS\system32\win32k.sys
    .

    ------- Sigcheck -------

    2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 15:00 359040 9f4b36614a0fc234525ba224957de55c D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\dllcache\tcpip.sys
    2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
    "BitComet"="D:\Program Files\BitComet\BitComet.exe" [2008-03-25 09:38 2196280]
    "MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 12:39 486856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21 153136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 15:00 208952]
    "PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
    "PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 10:28 16126464 D:\WINDOWS\RTHDCPL.exe]
    "NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
    "nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 D:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 02:19 79224]
    "NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "RegistryMechanic"="" []
    "Local Security Authority Service"="D:\WINDOWS\system32\lssas.exe" [2007-06-13 13:23 35840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "psyspy-2.1.4 Client Server"="D:\WINDOWS\system32\telecms.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\BitComet\\BitComet.exe"=
    "D:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\ple.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "27329:TCP"= 27329:TCP:BitComet 27329 TCP
    "27329:UDP"= 27329:UDP:BitComet 27329 UDP

    R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    S2 qandr;qandr;D:\WINDOWS\system32\drivers\qandr.sys []
    S3 oflpydin;oflpydin;D:\DOCUME~1\JOUNIA~1\LOCALS~1\Temp\oflpydin.sys []

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-03 20:47:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-03 20:48:31
    ComboFix-quarantined-files.txt 2008-06-03 17:48:26
    ComboFix2.txt 2008-06-03 15:22:01

    Pre-Run: 16,693,252,096 bytes free
    Post-Run: 16,679,563,264 bytes free

    150 --- E O F --- 2008-06-01 17:08:37
     
  8. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    Here is the VundoFix log:


    VundoFix V7.0.5

    Scan started at 15:40:40 1.6.2008

    Listing files found while scanning....


    VundoFix V7.0.5

    Scan started at 20:51:30 3.6.2008

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...


    ..and a fresh HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:55:24, on 3.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\WINDOWS\system32\lssas.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\BitComet\BitComet.exe
    D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\DAEMON Tools Lite\daemon.exe
    D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\ple.exe
    c:\ple.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    c:\ple.exe
    c:\ple.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: BitComet ClickCapture - {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Local Security Authority Service] D:\WINDOWS\system32\lssas.exe
    O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] D:\WINDOWS\system32\telecms.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &d&ownload &with bitcomet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &d&ownload all video with bitcomet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &d&ownload all with bitcomet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4972 bytes
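The log above shows three persistence patterns that can be flagged mechanically: `lssas.exe`, one swapped letter away from `lsass.exe`, started from a Run value whose name imitates a service description; a `RunServices` entry (`telecms.exe`); and `c:\ple.exe`, running from the drive root and whitelisted in the XP firewall's AuthorizedApplications list. The following Python script is an added example written for this edit, not part of the thread or of HijackThis/ComboFix. It assumes a short hand-written list of system binaries to compare against, and its sample input is a constructed subset of the lines posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

It flags the three patterns visible in the posted log:
  * an image whose file name is one edit or one adjacent swap away from a
    Windows system binary (lssas.exe imitating lsass.exe),
  * any value under the RunServices key, a Windows 9x key that XP does not
    process and that legitimate XP software has no reason to write to,
  * an executable started from a drive root or a Temp directory (c:\ple.exe).
"""
import re

# Assumption: a short hand-written list of commonly imitated system binaries.
# A real tool would load the full set from the system's dllcache or a hash set.
SYSTEM_BINARIES = sorted({
    "lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
})

# "O4 - HKLM\..\Run: [name] command"   (HijackThis autostart entries)
O4_LINE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# '"C:\\ple.exe"='   (ComboFix dump of the XP firewall AuthorizedApplications list)
FW_LINE = re.compile(r'^"(?P<path>[a-z]:\\\\.+\.exe)"=$', re.I)
# bare image paths from the "Running processes" section
BARE_PATH = re.compile(r"^[a-z]:\\\S.*\.exe$", re.I)
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def image_path(cmd):
    """The program part of a Run value: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def lookalike_of(path):
    """Name of the system binary this file name imitates, or None if exact or unrelated."""
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES:
        return None
    for legit in SYSTEM_BINARIES:
        if osa_distance(base, legit) == 1:
            return legit
    return None


def triage(log_text):
    """Return (kind, ...) tuples for every suspicious line in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_LINE.match(line):
            path = image_path(m["cmd"])
            if m["key"].lower() == "runservices":
                findings.append(("runservices", m["name"], path))
        elif m := FW_LINE.match(line):
            path = m["path"].replace("\\\\", "\\")   # undo the REG-file escaping
        elif BARE_PATH.match(line):
            path = line
        else:
            continue
        if legit := lookalike_of(path):
            findings.append(("lookalike", path, legit))
        if ROOT_EXE.match(path) or TEMP_DIR.search(path):
            findings.append(("root_or_temp", path))
    return findings


# Constructed sample: a subset of the lines posted above.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\lssas.exe
c:\ple.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Local Security Authority Service] D:\WINDOWS\system32\lssas.exe
O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] D:\WINDOWS\system32\telecms.exe
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
"C:\\ple.exe"=
"D:\\Program Files\\BitComet\\BitComet.exe"=
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run it as a script to print the findings, or call `triage()` on a complete log. The look-alike check uses optimal string alignment distance so that a single adjacent swap (`ss`/`sa`) counts as one edit; plain Levenshtein would score `lssas` two edits away from `lsass` and miss it. A hit is a lead, not a verdict: confirm with the file's signature or a known-good hash before deleting anything.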
     
  9. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.

    Restart the computer when prompted and post the contents of combofix.txt here.
     
  10. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    Here is ComboFix:

    ComboFix 08-06-01.6 - Jouni Ala 2008-06-03 21:43:23.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT 3:00]
    Running from: D:\Documents and Settings\Jouni Ala\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\Jouni Ala\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\ple.exe
    D:\WINDOWS\service.exe
    D:\WINDOWS\system32\lssas.exe
    D:\WINDOWS\system32\telecms.exe
    D:\WINDOWS\winudpmgr.exe
    D:\WINDOWS\winudspm.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\ple.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
    .

    2008-06-03 20:57 . 2008-06-03 20:57 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\Malwarebytes
    2008-06-03 20:57 . 2008-06-03 20:57 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-03 20:57 . 2008-05-30 01:06 34,296 --a------ D:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-03 20:57 . 2008-05-30 01:06 15,864 --a------ D:\WINDOWS\system32\drivers\mbam.sys
    2008-06-02 18:22 . 2008-06-03 21:44 71,602 --a------ D:\WINDOWS\system32\hcnwg4u.sys
    2008-06-01 20:08 . 2008-06-01 20:08 <DIR> d-------- D:\Program Files\MSXML 4.0
    2008-06-01 18:15 . 2008-06-01 18:15 1,355 --a------ D:\WINDOWS\imsins.BAK
    2008-06-01 15:40 . 2008-06-01 15:40 <DIR> d-------- D:\VundoFix Backups
    2008-06-01 15:23 . 2008-06-01 15:23 2,352 --a------ D:\WINDOWS\system32\tmp.reg
    2008-06-01 15:21 . 2007-09-06 00:22 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
    2008-06-01 15:21 . 2006-04-27 17:49 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
    2008-06-01 15:21 . 2008-05-27 13:54 86,528 --a------ D:\WINDOWS\system32\VACFix.exe
    2008-06-01 15:21 . 2008-05-18 21:40 82,944 --a------ D:\WINDOWS\system32\IEDFix.exe
    2008-06-01 15:21 . 2008-05-18 21:40 82,944 --a------ D:\WINDOWS\system32\404Fix.exe
    2008-06-01 15:21 . 2003-06-05 21:13 53,248 --a------ D:\WINDOWS\system32\Process.exe
    2008-06-01 15:21 . 2004-07-31 18:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
    2008-06-01 15:21 . 2007-10-04 00:36 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
    2008-06-01 14:59 . 2004-03-09 01:00 1,081,616 --a------ D:\WINDOWS\system32\MSCOMCTL.OCX
    2008-05-31 21:12 . 2008-05-31 21:12 43,520 --a------ D:\WINDOWS\system32\CmdLineExt03.dll
    2008-05-31 11:34 . 2008-05-31 11:34 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\Ahead
    2008-05-31 11:29 . 2008-05-31 11:29 <DIR> d-------- D:\Program Files\Nero
    2008-05-31 11:29 . 2008-05-31 11:32 <DIR> d-------- D:\Program Files\Common Files\Ahead
    2008-05-31 11:29 . 2008-05-31 11:29 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
    2008-05-29 22:59 . 2008-05-29 22:59 <DIR> d-------- D:\Program Files\Windows Media Connect 2
    2008-05-29 22:58 . 2008-05-29 22:58 <DIR> d-------- D:\WINDOWS\system32\LogFiles
    2008-05-29 22:58 . 2008-05-29 22:59 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
    2008-05-27 18:59 . 2008-05-27 18:59 98,304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
    2008-05-27 18:58 . 2008-05-27 18:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\InstallShield
    2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- D:\Program Files\DAEMON Tools Lite
    2008-05-27 18:54 . 2008-05-27 18:54 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\DAEMON Tools
    2008-05-27 18:54 . 2008-05-27 18:54 717,296 --a------ D:\WINDOWS\system32\drivers\sptd.sys
    2008-05-26 20:43 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
    2008-05-26 20:43 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
    2008-05-26 20:43 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
    2008-05-26 16:38 . 2008-05-26 20:41 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Contacts
    2008-05-26 16:17 . 2008-05-26 16:32 <DIR> d-------- D:\Program Files\Windows Live
    2008-05-26 16:17 . 2008-05-26 16:21 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-26 16:17 . 2008-05-26 16:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-24 13:13 . 2003-09-17 15:57 8,440 --a------ D:\WINDOWS\system32\drivers\LANPkt.sys
    2008-05-23 17:42 . 2006-03-17 03:38 28,672 --------- D:\WINDOWS\system32\verclsid.exe
    2008-05-23 16:34 . 2007-10-30 20:20 360,064 --a------ D:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
    2008-05-23 16:34 . 2007-10-30 20:20 360,064 --a--c--- D:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
    2008-05-23 16:08 . 2008-05-23 16:08 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\vlc
    2008-05-23 07:47 . 2008-05-23 07:48 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\fretsonfire
    2008-05-22 21:41 . 2008-05-22 21:41 2,560 --a------ D:\WINDOWS\system32\bitcometres.dll
    2008-05-22 21:40 . 2008-06-03 21:05 <DIR> d-------- D:\Program Files\BitComet
    2008-05-22 21:15 . 2008-05-22 21:42 <DIR> d-------- D:\Documents and Settings\Jouni Ala\Application Data\uTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-31 17:08 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-05-31 17:07 --------- d-----w D:\Program Files\Common Files\InstallShield
    2008-05-23 13:34 360,064 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
    2008-05-23 13:08 --------- d-----w D:\Documents and Settings\Jouni Ala\Application Data\vlc
    2008-05-22 17:22 315,392 ----a-w D:\WINDOWS\HideWin.exe
    2008-05-22 17:22 --------- d-----w D:\Program Files\Realtek
    2008-05-22 17:21 --------- d-----w D:\Program Files\DIFX
    2008-05-22 17:04 --------- d-----w D:\Program Files\microsoft frontpage
    2008-03-27 08:12 151,583 ----a-w D:\WINDOWS\system32\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w D:\WINDOWS\system32\win32k.sys
    .

    ------- Sigcheck -------

    2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 15:00 359040 9f4b36614a0fc234525ba224957de55c D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\dllcache\tcpip.sys
    2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-03_18.21.48.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-03 15:20:24 2,048 --s-a-w D:\WINDOWS\bootstat.dat
    + 2008-06-03 18:37:52 2,048 --s-a-w D:\WINDOWS\bootstat.dat
    + 2008-06-03 18:38:06 16,384 ----atw D:\WINDOWS\Temp\Perflib_Perfdata_624.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
    "BitComet"="D:\Program Files\BitComet\BitComet.exe" [2008-03-25 09:38 2196280]
    "MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 12:39 486856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21 153136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 15:00 208952]
    "PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
    "PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 10:28 16126464 D:\WINDOWS\RTHDCPL.exe]
    "NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
    "nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 D:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 02:19 79224]
    "NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "RegistryMechanic"="" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\BitComet\\BitComet.exe"=
    "D:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "27329:TCP"= 27329:TCP:BitComet 27329 TCP
    "27329:UDP"= 27329:UDP:BitComet 27329 UDP

    R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    S3 oflpydin;oflpydin;D:\DOCUME~1\JOUNIA~1\LOCALS~1\Temp\oflpydin.sys []

    *Newly Created Service* - catchme
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-03 21:44:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-03 21:44:31
    ComboFix-quarantined-files.txt 2008-06-03 18:44:27
    ComboFix2.txt 2008-06-03 17:48:32
    ComboFix3.txt 2008-06-03 15:22:01

    Pre-Run: 16,688,656,384 bytes free
    Post-Run: 16,676,294,656 bytes free

    148 --- E O F --- 2008-06-01 17:08:37
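The Sigcheck section of the ComboFix output above lists four copies of `tcpip.sys` with their MD5s: the live driver, the Windows File Protection cache copy (`dllcache`), the hotfix package copy (`$hf_mig$`) and the uninstall backup (`$NtUninstallKB941644$`). As an added example, not part of the thread or of ComboFix, the Python below parses those lines and reports whether the live driver matches each of the other copies. The role names and the sample lines come from the posted log; nothing else is assumed.

```python
"""Compare the copies of a protected system file listed in a ComboFix
Sigcheck section (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# "YYYY-MM-DD HH:MM size md5 path"
SIGCHECK_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$",
    re.I)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            rows.append({"stamp": m["stamp"], "size": int(m["size"]),
                         "md5": m["md5"].lower(), "path": m["path"]})
    return rows


def role_of(path):
    """Which copy of the file this path is, judged from its directory."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "dllcache"        # Windows File Protection cache
    if "\\$hf_mig$\\" in p:
        return "hotfix"          # copy kept by the hotfix installer
    if "\\$ntuninstall" in p:
        return "uninstall"       # pre-hotfix backup
    return "live"                # the file actually loaded by the system


def compare_copies(rows):
    """For each file name: {role: True if its MD5 equals the live copy's}."""
    by_name = defaultdict(dict)
    for r in rows:
        name = r["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][role_of(r["path"])] = r
    report = {}
    for name, copies in by_name.items():
        live = copies.get("live")
        if live is None:
            continue
        report[name] = {role: copy["md5"] == live["md5"]
                        for role, copy in copies.items() if role != "live"}
    return report


# Constructed sample: the four Sigcheck lines from the log above.
SAMPLE = r"""
2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 15:00 359040 9f4b36614a0fc234525ba224957de55c D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\dllcache\tcpip.sys
2008-05-23 16:34 360064 482ab7f9cd41702e8f856c11cfefb02d D:\WINDOWS\system32\drivers\tcpip.sys
"""

if __name__ == "__main__":
    for name, result in compare_copies(parse_sigcheck(SAMPLE)).items():
        print(name, result)
```

On this log the live driver and the dllcache copy agree (482ab7...), while the `$hf_mig$` copy differs; that directory holds the SP2QFE branch build of the hotfix, so a different hash and size there is expected. A live/dllcache match only shows that the two copies agree: anything able to replace `tcpip.sys` can replace the cache copy as well, so treat a known-good hash or the file's Authenticode signature as the reference, not the cache.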
     
  11. Hujo

    Hujo Guest

    Now just work down the list
     
  12. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    If you mean Malwarebytes, that's done, and here is the log:

    Malwarebytes' Anti-Malware 1.14
    Database version: 818

    21:36:02 3.6.2008
    mbam-log-6-3-2008 (21-36-02).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 106950
    Time elapsed: 35 minute(s), 6 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 56

    Memory Processes Infected:
    D:\WINDOWS\system32\lssas.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Service (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\psyspy-2.1.4 Client Server (Worm.IRCBot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    D:\WINDOWS\system32\lssas.exe (Trojan.Agent) -> Delete on reboot.
    C:\emoge.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\hldtlwe.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\setup.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\stup.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\stupx.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009633.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009634.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009635.com (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009636.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009637.com (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009638.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009639.com (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009640.com (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP20\A0009641.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP21\A0009676.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP21\A0009681.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP21\A0009682.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP25\A0011693.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP25\A0011695.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP25\A0011697.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP25\A0011698.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP25\A0011699.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0012723.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0013725.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0013736.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0013744.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0013756.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0013766.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP28\A0013798.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP28\A0013835.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP28\A0013836.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    D:\Documents and Settings\Jouni Ala\setup1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\QooBox\Quarantine\D\WINDOWS\service.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\QooBox\Quarantine\D\WINDOWS\system32\telecms.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP15\A0009418.com (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP16\A0009439.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP21\A0009665.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP21\A0009675.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP23\A0009695.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP25\A0011694.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP27\A0013758.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP28\A0013781.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP28\A0013783.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{ED5926C0-369E-4C41-94D9-DEA4B92F15F8}\RP29\A0013845.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\WINDOWS\winudpmgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\WINDOWS\winudspm.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\cxjbzl.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\fjiiywj.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\gnuqjjal.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\krjvry.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\kxhhj.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\ltrvvlq.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\WINDOWS\system32\uoikl.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    D:\Documents and Settings\Jouni Ala\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  13. Hujo

    Hujo Guest

    1. Click Start > right-click My Computer
    2. Select Properties
    3. Select the System Restore tab
    4. Tick ¤ Turn off System Restore on all drives
    5. Click Apply
    6. Click OK
    7. Shut down and restart
    8. Untick ¤ Turn off System Restore on all drives
    9. Apply and OK
     
  14. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    Done. Should I post an HJT log?
     
  15. Hujo

    Hujo Guest

    Post the HJT log. Did you already have Malwarebytes' Anti-Malware
    on the machine before this?
     
  16. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    I didn't have Malwarebytes before, but VundoFix I did. Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:25:04, on 4.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\RTHDCPL.EXE
    D:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\BitComet\BitComet.exe
    D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    D:\Program Files\DAEMON Tools Lite\daemon.exe
    D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: BitComet ClickCapture - {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &d&ownload &with bitcomet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &d&ownload all video with bitcomet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &d&ownload all with bitcomet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4755 bytes
     
  17. Hujo

    Hujo Guest

    The HJT log is clean.
    How's the machine, still stuttering? :)
     
  18. Septou

    Septou Member

    Joined:
    31.07.2007
    Messages:
    21
    Thanks:
    0
    Points:
    11
    Hi!
    Same kind of problem on my daughter's computer. Since there seems to be a professional on the job, could you take a look at the attached logs and give me instructions too?

    Combofix:

    ComboFix 08-06-03.4 - Henna 2008-06-04 19:34:31.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.197 [GMT 3:00]
    Running from: C:\Documents and Settings\Henna\Työpöytä\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\mssrv32.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MSUPDATE
    -------\Service_msupdate


    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
    .

    2008-06-04 14:33 . 2008-06-04 18:33 3,424 --a------ C:\is155400.exe
    2008-06-04 13:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-06-04 00:10 . 2008-06-04 19:10 <KANSIO> d-------- C:\Documents and Settings\Henna\Application Data\F-Secure
    2008-06-04 00:04 . 2008-06-04 00:10 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2008-06-04 00:04 . 2008-06-04 00:10 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2008-06-04 00:03 . 2008-06-04 00:16 <KANSIO> d-------- C:\Program Files\Elisa Tietoturvapalvelu
    2008-06-04 00:03 . 2008-06-04 00:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2008-06-04 00:02 . 2008-06-04 00:02 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\fssg
    2008-06-03 22:47 . 2008-06-04 13:57 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-03 22:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-06-03 22:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-06-03 22:22 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-06-03 22:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-03 22:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-03 22:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-06-03 22:11 . 2008-06-04 20:12 71,602 --a------ C:\WINDOWS\system32\hcnwg4u.sys
    2008-06-03 20:19 . 2008-06-03 21:09 <KANSIO> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-06-03 20:17 . 2008-06-03 22:50 86,548 --a------ C:\ssetup.0xe
    2008-06-03 14:06 . 2008-06-03 22:22 1,880 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-03 13:58 . 2008-06-03 13:58 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-03 01:00 . 2008-06-03 01:00 104,078 --a------ C:\WINDOWS\sb.0xe
    2008-06-02 21:41 . 2008-06-03 15:22 96,950 --a------ C:\setup.0xe
    2008-06-02 21:35 . 2008-06-04 16:03 3,424 --a------ C:\Documents and Settings\Henna\setup.exe
    2008-06-02 21:27 . 2008-06-02 21:27 96,950 --a------ C:\stupx.0xe
    2008-06-02 21:23 . 2008-06-03 14:13 96,950 -r-hs---- C:\WINDOWS\mservice.0xe
    2008-06-02 21:23 . 2008-06-02 21:23 96,950 --a------ C:\stup.0xe
    2008-06-02 19:04 . 2008-06-02 19:04 0 --a------ C:\d1.exe
    2008-06-02 19:03 . 2008-06-02 19:03 2 --a------ C:\-1795943351
    2008-06-02 19:02 . 2008-06-02 19:03 15,360 --a------ C:\abhwevhi.exe
    2008-05-27 22:17 . 2008-05-27 22:17 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-27 21:24 . 2008-05-27 21:25 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja
    2008-05-27 20:20 . 2008-05-27 20:20 56,832 -r-hs---- C:\WINDOWS\winudspm.0xe

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-03 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-03 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-03 19:10 --------- d-----w C:\Program Files\PartyGaming
    2008-06-03 10:54 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-06-02 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-25 19:33 --------- d-----w C:\Program Files\RevConnect
    2008-04-01 18:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 02:17 421888]
    "\VISTA\EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2006-12-25 05:00 177664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "Windows UDP Control"="winudspm.exe" []
    "Windows UDP Control Center"="winudpmgr.exe" []
    "Windows svchost"="service.exe" []
    "F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
    "F-Secure TNB"="C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" [2008-02-13 13:38 741800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
    "2170:UDP"= 2170:UDP:Windows Media Format SDK (firefox.exe)

    R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
    R1 f-secure hips;F-Secure HIPS;C:\Program Files\Elisa Tietoturvapalvelu\HIPS\fshs.sys [2008-06-04 00:09]
    R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
    R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
    R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
    R3 f-secure gatekeeper;F-Secure Gatekeeper;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\minifilter\fsgk.sys [2008-02-13 13:38]
    R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
    S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-18 01:04]
    S4 f-secure filter;F-Secure File System Filter;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSfilter.sys [2008-02-13 13:38]
    S4 f-secure recognizer;F-Secure File System Recognizer;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSrec.sys [2008-02-13 13:38]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 20:10:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\PROGRA~1\ELISAT~1\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-06-04 20:14:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-04 17:14:43

    Pre-Run: 1,653,342,208 tavua vapaana
    Post-Run: 1,626,771,456 tavua vapaana

    155 --- E O F --- 2008-05-28 19:45:23


    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:21:10, on 4.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\system32\rserver30\RServer3.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
    O4 - HKLM\..\Run: [Windows UDP Control Center] winudpmgr.exe
    O4 - HKLM\..\Run: [Windows svchost] service.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [\VISTA\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\Henna\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\Software\..\Telephony: DomainName = henna
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henna
    O23 - Service: FSGKHS (f-secure gatekeeper handler starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (fsaua) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (fsdfwd) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (fsma) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4689 bytes
     
  19. Hujo

    Hujo Guest

    Septou
    usually you start your own thread

    ====================


    Open Notepad and copy/paste the contents of the quote box there:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [IMG]

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    ==============

    scan with HJT, check these and press Fix checked

    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
    O4 - HKLM\..\Run: [Windows UDP Control Center] winudpmgr.exe
    O4 - HKLM\..\Run: [Windows svchost] service.exe

    ==============

    run a new ComboFix scan and post a new HJT log
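The three O4 entries singled out above share a pattern that is worth being able to spot mechanically: an HKLM Run value whose target is a bare file name (no directory, so Windows resolves it through its search path rather than a fixed location) under a Windows-sounding display name, and, in the ComboFix Run-key section, the same three values carry empty metadata brackets while every present file carries a date and size. The following is an added example, not code from HijackThis, ComboFix or anyone in this thread: a small Python triage that parses O4 lines and ComboFix Run-key lines and lists the entries matching that pattern. The sample inputs are copied from the logs posted in this thread; the reading of empty brackets as "target file not found" is an interpretation of that output.

```python
"""Triage HijackThis O4 autostart entries and ComboFix Run-key output.

Added example for this thread; not part of HijackThis or ComboFix.
Flags Run-key values whose target is a bare file name, values with a
Windows-sounding name pointing outside the Windows folder, and ComboFix
Run-key lines whose trailing metadata brackets are empty.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines from the HJT log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O4 - HKLM\..\Run: [Windows UDP Control Center] winudpmgr.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Constructed sample: the HKLM Run section from the ComboFix log posted above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Windows UDP Control"="winudspm.exe" []
"Windows UDP Control Center"="winudpmgr.exe" []
"Windows svchost"="service.exe" []
"F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
"""

EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))", re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)\s*$")
MS_LOOKALIKE_RE = re.compile(r"^(?:windows|microsoft)\b|svchost|system32", re.IGNORECASE)
COMBOFIX_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


@dataclass
class O4Entry:
    location: str        # e.g. HKLM\..\Run or Global Startup
    name: str            # registry value name or shortcut name
    command: str         # command exactly as HJT logged it
    executable: str      # program part of the command, quotes removed
    reasons: list = field(default_factory=list)


def extract_executable(command):
    """Return the program part of a Run-key command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)            # unquoted paths may contain spaces
    return m.group(1) if m else command.split(" ")[0]


def parse_o4(line):
    """Parse one HJT 'O4 - ...' line; return None for any other line."""
    line = line.strip()
    if not line.startswith("O4 - "):
        return None
    location, _, rest = line[len("O4 - "):].partition(": ")
    rest = USER_SUFFIX_RE.sub("", rest)
    if rest.startswith("["):                       # [Name] command
        name, _, command = rest[1:].partition("] ")
    elif " = " in rest:                            # shortcut.lnk = target
        name, _, command = rest.partition(" = ")
    else:
        name, command = "", rest
    return O4Entry(location, name, command.strip(), extract_executable(command))


def triage(entry):
    """Attach reasons to an entry that deserves a closer look; return it."""
    exe = entry.executable
    if "\\" not in exe and "/" not in exe:
        entry.reasons.append("target is a bare file name, not a fixed path")
    if MS_LOOKALIKE_RE.search(entry.name) and "\\windows\\" not in exe.lower():
        entry.reasons.append("Windows-sounding name for a file outside the Windows folder")
    return entry


def suspicious(hjt_text):
    """Names of O4 entries that triage() flagged, in log order."""
    flagged = []
    for line in hjt_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and triage(entry).reasons:
            flagged.append(entry.name)
    return flagged


def combofix_missing_targets(combofix_text):
    """Run-key names whose ComboFix metadata brackets are empty.

    Present files show '[date time size]'; an empty '[]' is read here as
    'ComboFix could not stat the target' (interpretation of the log above).
    """
    names = []
    for line in combofix_text.splitlines():
        m = COMBOFIX_RUN_RE.match(line.strip())
        if m and not m.group("meta").strip():
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    for name in suspicious(SAMPLE_HJT):
        print("HJT O4 flagged      :", name)
    for name in combofix_missing_targets(SAMPLE_COMBOFIX):
        print("ComboFix no metadata:", name)
```

Run stand-alone it prints the same three names from both logs. The bare-name heuristic is deliberately broad: a legitimate installer can also register a Run value without a path, so the output is a review list, not a verdict, which matches how the entries above were handled (inspected in the log, then fixed in HJT).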

     
  20. mrjonessi

    mrjonessi Member

    Joined:
    01.06.2008
    Messages:
    13
    Thanks:
    0
    Points:
    11
    Thanks a lot for the help, Messenger hasn't spammed anymore, Avast does still find suspicious files, but nothing serious. And once again, big thanks. :)
     
  21. Hujo

    Hujo Guest

    What does Avast find?

    ===========

    scan with HJT, check these and press Fix checked

    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
    O4 - HKLM\..\Run: [Windows UDP Control Center] winudpmgr.exe
    O4 - HKLM\..\Run: [Windows svchost] service.exe
     
    Last edited by a moderator: 04.06.2008
