
Some virus/malware on the machine, apparently from Messenger

Thread in the Viruses and malware - HijackThis logs section. Started by mrjonessi on 02.06.2008.

  1. Septou (Member)

    Sorry,
    I posted in the same thread because it was the same topic. I didn't know the practice. Here is ComboFix.txt:

    ComboFix 08-06-03.4 - Henna 2008-06-04 21:27:45.2 - NTFSx86
    Running from: C:\Documents and Settings\Henna\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Henna\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\mservice.0xe
    C:\WINDOWS\service.exe
    C:\WINDOWS\winudspm.0xe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\mservice.0xe
    C:\WINDOWS\winudspm.0xe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
    .

    2008-06-04 20:14 . 2008-06-04 20:14 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
    2008-06-04 14:33 . 2008-06-04 18:33 3,424 --a------ C:\is155400.exe
    2008-06-04 13:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-06-04 00:10 . 2008-06-04 19:10 <KANSIO> d-------- C:\Documents and Settings\Henna\Application Data\F-Secure
    2008-06-04 00:04 . 2008-06-04 00:10 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2008-06-04 00:04 . 2008-06-04 00:10 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2008-06-04 00:03 . 2008-06-04 00:16 <KANSIO> d-------- C:\Program Files\Elisa Tietoturvapalvelu
    2008-06-04 00:03 . 2008-06-04 00:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2008-06-04 00:02 . 2008-06-04 00:02 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\fssg
    2008-06-03 22:47 . 2008-06-04 13:57 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-03 22:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-06-03 22:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-06-03 22:22 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-06-03 22:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-03 22:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-03 22:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-06-03 22:11 . 2008-06-04 21:31 71,602 --a------ C:\WINDOWS\system32\hcnwg4u.sys
    2008-06-03 20:19 . 2008-06-03 21:09 <KANSIO> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-06-03 20:17 . 2008-06-03 22:50 86,548 --a------ C:\ssetup.0xe
    2008-06-03 14:06 . 2008-06-03 22:22 1,880 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-03 13:58 . 2008-06-03 13:58 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-03 01:00 . 2008-06-03 01:00 104,078 --a------ C:\WINDOWS\sb.0xe
    2008-06-02 21:41 . 2008-06-03 15:22 96,950 --a------ C:\setup.0xe
    2008-06-02 21:35 . 2008-06-04 16:03 3,424 --a------ C:\Documents and Settings\Henna\setup.exe
    2008-06-02 21:27 . 2008-06-02 21:27 96,950 --a------ C:\stupx.0xe
    2008-06-02 21:23 . 2008-06-02 21:23 96,950 --a------ C:\stup.0xe
    2008-06-02 19:04 . 2008-06-02 19:04 0 --a------ C:\d1.exe
    2008-06-02 19:03 . 2008-06-02 19:03 2 --a------ C:\-1795943351
    2008-06-02 19:02 . 2008-06-02 19:03 15,360 --a------ C:\abhwevhi.exe
    2008-05-27 22:17 . 2008-05-27 22:17 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2008-05-27 21:25 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-03 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-03 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-03 19:10 --------- d-----w C:\Program Files\PartyGaming
    2008-06-03 10:54 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-06-02 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-25 19:33 --------- d-----w C:\Program Files\RevConnect
    2008-04-01 18:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 02:17 421888]
    "\VISTA\EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2006-12-25 05:00 177664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "Windows UDP Control"="winudspm.exe" []
    "Windows UDP Control Center"="winudpmgr.exe" []
    "Windows svchost"="service.exe" []
    "F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
    "F-Secure TNB"="C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" [2008-02-13 13:38 741800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00 394856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
    "2170:UDP"= 2170:UDP:Windows Media Format SDK (firefox.exe)

    R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
    R1 f-secure hips;F-Secure HIPS;C:\Program Files\Elisa Tietoturvapalvelu\HIPS\fshs.sys [2008-06-04 00:09]
    R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
    R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
    R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
    R3 f-secure gatekeeper;F-Secure Gatekeeper;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\minifilter\fsgk.sys [2008-02-13 13:38]
    R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
    S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-18 01:04]
    S4 f-secure filter;F-Secure File System Filter;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSfilter.sys [2008-02-13 13:38]
    S4 f-secure recognizer;F-Secure File System Recognizer;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSrec.sys [2008-02-13 13:38]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 21:30:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    .
    Completion time: 2008-06-04 21:32:42
    ComboFix-quarantined-files.txt 2008-06-04 18:32:23
    ComboFix2.txt 2008-06-04 17:14:53

    Pre-Run: 1,609,129,984 tavua vapaana
    Post-Run: 1,599,123,456 tavua vapaana

    150 --- E O F --- 2008-05-28 19:45:23
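A triage helper, added here as an example and not part of ComboFix or of any post in the thread: it parses the autostart and firewall sections of a ComboFix log like the one above and flags Run entries whose value is a bare file name with no path and empty file metadata (the pattern of "Windows UDP Control"="winudspm.exe" []), a disabled Windows Firewall profile, and globally open ports on a watch list. The sample excerpt is constructed from lines of the log above; the default watch list (3389/TCP) is an assumption.

```python
"""Triage helper for the autostart and firewall sections of a ComboFix log.

Added example, not part of ComboFix or of any post in the thread. It flags:
  * Run-key values that are a bare file name with no path and no file
    metadata in the trailing [] (as in "Windows UDP Control"="winudspm.exe" []);
  * a Windows Firewall profile with EnableFirewall = 0;
  * globally open ports from a caller-supplied watch list (3389/TCP, the
    Remote Desktop port, is the assumed default).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One autostart value: "name"="value" [metadata]; the metadata is empty when
# ComboFix could not resolve the referenced file on disk.
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
FIREWALL_FLAG = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')

# Assumed watch list; adjust to the environment being triaged.
DEFAULT_PORTS = frozenset({("3389", "TCP")})


@dataclass
class Finding:
    kind: str      # unresolved-autostart | firewall-disabled | open-port
    section: str   # registry key the line was found under
    detail: str


def is_bare_filename(value: str) -> bool:
    """True when the value carries no drive letter, directory or env var."""
    v = value.strip().strip('"')
    return bool(v) and "\\" not in v and "/" not in v and not v.startswith("%")


def triage(log_text: str, ports=DEFAULT_PORTS) -> list[Finding]:
    """Walk the log line by line, tracking the current [section] header."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("key")
            continue
        key = section.lower()
        if key.endswith("\\run"):
            m = RUN_ENTRY.match(line)
            if m and is_bare_filename(m.group("value")) and not m.group("meta").strip():
                findings.append(Finding("unresolved-autostart", section,
                                        f'{m.group("name")} -> {m.group("value")}'))
        elif "firewallpolicy" in key:
            m = FIREWALL_FLAG.match(line)
            if m and m.group("val") == "0":
                findings.append(Finding("firewall-disabled", section, line))
            m = OPEN_PORT.match(line)
            if m and (m.group("port"), m.group("proto")) in ports:
                findings.append(Finding("open-port", section,
                                        f'{m.group("port")}/{m.group("proto")}'))
    return findings


# Constructed excerpt, taken from lines of the first ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Windows UDP Control"="winudspm.exe" []
"Windows UDP Control Center"="winudpmgr.exe" []
"Windows svchost"="service.exe" []
"F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}  ({f.section})")
```

Entries such as the three flagged here are only a lead: the file may have been removed already, or the name may be a legitimate program registered without a path, so confirm against the rest of the log before acting.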
     
  3. Septou (Member)

    And here are the logs after a new scan:

    ComboFix 08-06-03.4 - Henna 2008-06-04 21:46:49.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.213 [GMT 3:00]
    Running from: C:\Documents and Settings\Henna\Työpöytä\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
    .

    2008-06-04 20:14 . 2008-06-04 20:14 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
    2008-06-04 14:33 . 2008-06-04 18:33 3,424 --a------ C:\is155400.exe
    2008-06-04 13:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-06-04 00:10 . 2008-06-04 19:10 <KANSIO> d-------- C:\Documents and Settings\Henna\Application Data\F-Secure
    2008-06-04 00:04 . 2008-06-04 00:10 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2008-06-04 00:04 . 2008-06-04 00:10 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2008-06-04 00:03 . 2008-06-04 00:16 <KANSIO> d-------- C:\Program Files\Elisa Tietoturvapalvelu
    2008-06-04 00:03 . 2008-06-04 00:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2008-06-04 00:02 . 2008-06-04 00:02 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\fssg
    2008-06-03 22:47 . 2008-06-04 13:57 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-03 22:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-06-03 22:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-06-03 22:22 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-06-03 22:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-03 22:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-03 22:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-06-03 22:11 . 2008-06-04 21:49 71,602 --a------ C:\WINDOWS\system32\hcnwg4u.sys
    2008-06-03 20:19 . 2008-06-03 21:09 <KANSIO> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-06-03 20:17 . 2008-06-03 22:50 86,548 --a------ C:\ssetup.0xe
    2008-06-03 14:06 . 2008-06-03 22:22 1,880 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-03 13:58 . 2008-06-03 13:58 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-03 01:00 . 2008-06-03 01:00 104,078 --a------ C:\WINDOWS\sb.0xe
    2008-06-02 21:41 . 2008-06-03 15:22 96,950 --a------ C:\setup.0xe
    2008-06-02 21:35 . 2008-06-04 16:03 3,424 --a------ C:\Documents and Settings\Henna\setup.exe
    2008-06-02 21:27 . 2008-06-02 21:27 96,950 --a------ C:\stupx.0xe
    2008-06-02 21:23 . 2008-06-02 21:23 96,950 --a------ C:\stup.0xe
    2008-06-02 19:04 . 2008-06-02 19:04 0 --a------ C:\d1.exe
    2008-06-02 19:03 . 2008-06-02 19:03 2 --a------ C:\-1795943351
    2008-06-02 19:02 . 2008-06-02 19:03 15,360 --a------ C:\abhwevhi.exe
    2008-05-27 22:17 . 2008-05-27 22:17 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2008-05-27 21:25 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-03 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-03 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-03 19:10 --------- d-----w C:\Program Files\PartyGaming
    2008-06-03 10:54 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-06-02 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-25 19:33 --------- d-----w C:\Program Files\RevConnect
    2008-04-01 18:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 02:17 421888]
    "\VISTA\EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2006-12-25 05:00 177664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
    "F-Secure TNB"="C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" [2008-02-13 13:38 741800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00 394856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
    "2170:UDP"= 2170:UDP:Windows Media Format SDK (firefox.exe)

    R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
    R1 f-secure hips;F-Secure HIPS;C:\Program Files\Elisa Tietoturvapalvelu\HIPS\fshs.sys [2008-06-04 00:09]
    R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
    R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
    R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
    R3 f-secure gatekeeper;F-Secure Gatekeeper;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\minifilter\fsgk.sys [2008-02-13 13:38]
    R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
    S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-18 01:04]
    S4 f-secure filter;F-Secure File System Filter;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSfilter.sys [2008-02-13 13:38]
    S4 f-secure recognizer;F-Secure File System Recognizer;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSrec.sys [2008-02-13 13:38]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 21:48:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    .
    Completion time: 2008-06-04 21:50:44
    ComboFix-quarantined-files.txt 2008-06-04 18:50:21
    ComboFix2.txt 2008-06-04 18:32:44
    ComboFix3.txt 2008-06-04 17:14:53

    Pre-Run: 1,607,032,832 tavua vapaana
    Post-Run: 1,597,198,336 tavua vapaana

    138 --- E O F --- 2008-05-28 19:45:23

    _________________________________________________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:51:16, on 4.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\system32\rserver30\RServer3.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [\VISTA\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\Henna\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\Software\..\Telephony: DomainName = henna
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henna
    O23 - Service: FSGKHS (f-secure gatekeeper handler starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (fsaua) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (fsdfwd) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (fsma) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4478 bytes
     
  4. Hujo (Guest)

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    ============

    Scan a new HJT log
     
  5. Septou (Member)

    Done as instructed. Here are the new logs:

    ComboFix 08-06-03.4 - Henna 2008-06-04 22:02:25.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.208 [GMT 3:00]
    Running from: C:\Documents and Settings\Henna\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Henna\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\-1795943351
    C:\is155400.exe
    C:\setup.0xe
    C:\ssetup.0xe
    C:\stup.0xe
    C:\stupx.0xe
    C:\WINDOWS\sb.0xe
    C:\WINDOWS\service.0xe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\-1795943351
    C:\is155400.exe
    C:\setup.0xe
    C:\ssetup.0xe
    C:\stup.0xe
    C:\stupx.0xe
    C:\WINDOWS\sb.0xe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
    .

    2008-06-04 20:14 . 2008-06-04 20:14 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
    2008-06-04 13:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-06-04 00:10 . 2008-06-04 19:10 <KANSIO> d-------- C:\Documents and Settings\Henna\Application Data\F-Secure
    2008-06-04 00:04 . 2008-06-04 00:10 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2008-06-04 00:04 . 2008-06-04 00:10 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2008-06-04 00:03 . 2008-06-04 00:16 <KANSIO> d-------- C:\Program Files\Elisa Tietoturvapalvelu
    2008-06-04 00:03 . 2008-06-04 00:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2008-06-04 00:02 . 2008-06-04 00:02 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\fssg
    2008-06-03 22:47 . 2008-06-04 13:57 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-03 22:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-06-03 22:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-06-03 22:22 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-06-03 22:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-03 22:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-03 22:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-06-03 22:11 . 2008-06-04 22:04 71,602 --a------ C:\WINDOWS\system32\hcnwg4u.sys
    2008-06-03 20:19 . 2008-06-03 21:09 <KANSIO> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-06-03 14:06 . 2008-06-03 22:22 1,880 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-03 13:58 . 2008-06-03 13:58 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-02 21:35 . 2008-06-04 16:03 3,424 --a------ C:\Documents and Settings\Henna\setup.exe
    2008-06-02 19:04 . 2008-06-02 19:04 0 --a------ C:\d1.exe
    2008-06-02 19:02 . 2008-06-02 19:03 15,360 --a------ C:\abhwevhi.exe
    2008-05-27 22:17 . 2008-05-27 22:17 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2008-05-27 21:25 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-03 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-03 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-03 19:10 --------- d-----w C:\Program Files\PartyGaming
    2008-06-03 10:54 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-06-02 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-25 19:33 --------- d-----w C:\Program Files\RevConnect
    2008-04-01 18:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 02:17 421888]
    "\VISTA\EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2006-12-25 05:00 177664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
    "F-Secure TNB"="C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" [2008-02-13 13:38 741800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00 394856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
    "2170:UDP"= 2170:UDP:Windows Media Format SDK (firefox.exe)

    R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
    R1 f-secure hips;F-Secure HIPS;C:\Program Files\Elisa Tietoturvapalvelu\HIPS\fshs.sys [2008-06-04 00:09]
    R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
    R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
    R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
    R3 f-secure gatekeeper;F-Secure Gatekeeper;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\minifilter\fsgk.sys [2008-02-13 13:38]
    R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
    S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-18 01:04]
    S4 f-secure filter;F-Secure File System Filter;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSfilter.sys [2008-02-13 13:38]
    S4 f-secure recognizer;F-Secure File System Recognizer;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSrec.sys [2008-02-13 13:38]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 22:04:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    .
    Completion time: 2008-06-04 22:06:15
    ComboFix-quarantined-files.txt 2008-06-04 19:05:49
    ComboFix2.txt 2008-06-04 18:50:45
    ComboFix3.txt 2008-06-04 18:32:44
    ComboFix4.txt 2008-06-04 17:14:53

    Pre-Run: 1,585,025,024 tavua vapaana
    Post-Run: 1,575,247,872 tavua vapaana

    153 --- E O F --- 2008-05-28 19:45:23

    ______________________________________________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:08:17, on 4.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\system32\rserver30\RServer3.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [\VISTA\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\Henna\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\Software\..\Telephony: DomainName = henna
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henna
    O23 - Service: FSGKHS (f-secure gatekeeper handler starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (fsaua) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (fsdfwd) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (fsma) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4524 bytes
     
  6. Hujo

    Hujo Guest

    Download VundoFix.exe from HERE to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once the scan is complete, click the Fix Vundo button.
    You will be asked whether you want to remove the files - click YES.
    After you click yes, your desktop will go blank as it starts removing Vundo.
    When it's done, the fixer will prompt you to restart your computer; click OK.
    Post the contents of the C:\vundofix.txt log together with a fresh HijackThis log.

    Note: It is possible that VundoFix found a file it could not remove.
    In that case VundoFix will run itself on reboot; just follow the instructions above starting from "Click the Scan for Vundo button." when VundoFix appears after the restart.
     
  7. Septou

    Septou Member

    Vundo didn't find anything to fix.
     
  8. Septou

    Septou Member

    Here's the HJT log after the reboot:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:48:31, on 4.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\system32\rserver30\RServer3.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsus.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [\VISTA\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\Henna\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\Software\..\Telephony: DomainName = henna
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henna
    O23 - Service: FSGKHS (f-secure gatekeeper handler starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (fsaua) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (fsdfwd) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (fsma) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4589 bytes
     
  9. Hujo

    Hujo Guest

    Download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    3. If an update is found, the program will download and install the latest version.
    4. Once the program has loaded, select Perform full scan and click Scan.
    5. When the scan is complete, click OK, then Show Results to view the results.
    6. Make sure everything is checked, and click Remove Selected.
    7. The log will then open in Notepad. Save it somewhere you can find it easily. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    8. Post the contents of the log in your next reply.
     
  10. Septou

    Septou Member

    Here:

    Malwarebytes' Anti-Malware 1.14
    Tietokantaversio: 826

    0:06:03 5.6.2008
    mbam-log-6-5-2008 (00-06-03).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|)
    Tarkistetut kohteet: 83347
    Kulunut aika: 1 hour(s), 4 minute(s), 4 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 0
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 11

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    C:\Lataukset\image23.JPG-www.msnimages.0om (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\setup.0xe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\stup.0xe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\stupx.0xe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\mservice.0xe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\winudspm.0xe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{55DA0A9A-B1C9-42D6-AC57-5391CA90B27B}\RP298\A0035832.0xe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{55DA0A9A-B1C9-42D6-AC57-5391CA90B27B}\RP298\A0037864.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Process.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hcnwg4u.sys (Rootkit.Rustok) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Henna\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
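    The Malwarebytes results above show a naming pattern worth recognising rather than just deleting: extensions one character away from a real executable extension (.0xe for .exe, .0om for .com) and a picture-looking name (image23.JPG-...) placed in front of them. As an added example that is not part of this thread, the following Python sketch flags such names in a list of file paths; the sample paths are constructed here, loosely modelled on the quoted log, and the extension sets and thresholds are my own choices, not anything the thread or the tools define.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click. Kept to three common ones for which
# a one-character-off check is meaningful ("bat"/"pif" are left out because
# harmless "dat"/"gif" sit one character away from them). Assumption of this
# example, not a rule from the thread.
EXEC_EXT = {"exe", "com", "scr"}

# Document/media extensions a dropper embeds in a name so the recipient reads
# the file as a picture or text file.
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}

# Constructed sample paths, modelled on (not copied from) the log quoted above.
SAMPLE_PATHS = [
    r"C:\Lataukset\image23.JPG-www.msnimages.0om",
    r"C:\WINDOWS\mservice.0xe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Documents and Settings\Henna\holiday.jpg",
    r"C:\Documents and Settings\Henna\holiday.jpg.exe",
    r"C:\WINDOWS\system32\hcnwg4u.sys",
]


def hamming(a: str, b: str):
    """Number of differing positions, or None if the lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def imitated_extension(ext: str):
    """Return the executable extension that `ext` is exactly one character
    away from ('0xe' -> 'exe', '0om' -> 'com'), or None when `ext` is either
    a genuine extension or not close to any executable one."""
    ext = ext.lower()
    for real in sorted(EXEC_EXT):
        if ext != real and hamming(ext, real) == 1:
            return real
    return None


def classify(path: str):
    """Return a list of human-readable findings for one path; [] means clean."""
    name = PureWindowsPath(path).name
    if "." not in name:
        return []
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    findings = []

    imitated = imitated_extension(ext)
    if imitated:
        findings.append(f"extension .{ext} is one character off .{imitated}")

    # Stem tokens: "image23.JPG-www.msnimages" -> image23, jpg, www, msnimages
    tokens = set(re.split(r"[.\-_ ]+", stem.lower()))
    if (ext in EXEC_EXT or imitated) and tokens & DECOY_EXT:
        findings.append("decoy document/image extension inside the file name")
    return findings


def triage(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    report = {}
    for p in paths:
        findings = classify(p)
        if findings:
            report[p] = findings
    return report


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PATHS).items():
        print(path)
        for f in findings:
            print("   -", f)
```

    Run against the constructed list, the two lookalike-extension files and the double-extension file are reported, while ctfmon.exe, the plain .jpg and the .sys driver are not; the driver in the log was caught by its content (Rootkit.Rustok), which a name check like this cannot do, so this is a triage aid for quarantine listings, not a replacement for a scanner.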
  11. Hujo

    Hujo Guest

    Scan once more with ComboFix.
     
  12. Septou

    Septou Member

    OK. Here's the log:

    ComboFix 08-06-03.4 - Henna 2008-06-05 0:27:21.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.157 [GMT 3:00]
    Running from: C:\Documents and Settings\Henna\Työpöytä\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-04 to 2008-06-04 )))))))))))))))))
    .

    2008-06-05 00:15 . 2008-06-05 00:17 <KANSIO> d-------- C:\Program Files\Windows Live
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d-------- C:\Documents and Settings\Henna\Application Data\Malwarebytes
    2008-06-04 22:59 . 2008-06-04 22:59 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-04 22:59 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-04 22:59 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-04 22:23 . 2008-06-04 22:23 <KANSIO> d-------- C:\VundoFix Backups
    2008-06-04 20:14 . 2008-06-04 20:14 <KANSIO> d-------- C:\Documents and Settings\Jõrjestelmõnvalvoja
    2008-06-04 13:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-06-04 00:10 . 2008-06-04 19:10 <KANSIO> d-------- C:\Documents and Settings\Henna\Application Data\F-Secure
    2008-06-04 00:04 . 2008-06-04 00:10 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2008-06-04 00:04 . 2008-06-04 00:10 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2008-06-04 00:03 . 2008-06-04 00:16 <KANSIO> d-------- C:\Program Files\Elisa Tietoturvapalvelu
    2008-06-04 00:03 . 2008-06-04 00:04 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2008-06-04 00:02 . 2008-06-04 00:02 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\fssg
    2008-06-03 22:47 . 2008-06-04 13:57 3,423 --a------ C:\WINDOWS\is154890.exe
    2008-06-03 22:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-06-03 22:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-06-03 22:22 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-06-03 22:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-03 22:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-03 22:11 . 2008-06-05 00:30 71,602 --a------ C:\WINDOWS\system32\hcnwg4u.sys
    2008-06-03 20:19 . 2008-06-03 21:09 <KANSIO> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-06-03 14:06 . 2008-06-03 22:22 1,880 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-03 13:58 . 2008-06-03 13:58 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-02 19:04 . 2008-06-02 19:04 0 --a------ C:\d1.exe
    2008-06-02 19:02 . 2008-06-02 19:03 15,360 --a------ C:\abhwevhi.exe
    2008-05-27 22:17 . 2008-05-27 22:17 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:25 . 2007-05-09 00:15 <KANSIO> dr------- C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Työpöytä
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-09 00:15 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja\Suosikit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2007-05-08 21:26 <KANSIO> d--h----- C:\Documents and Settings\Järjestelmänvalvoja\Mallit
    2008-05-27 21:24 . 2008-05-27 21:25 <KANSIO> d-------- C:\Documents and Settings\Järjestelmänvalvoja

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-04 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-06-03 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-03 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-03 19:10 --------- d-----w C:\Program Files\PartyGaming
    2008-06-03 10:54 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-05-25 19:33 --------- d-----w C:\Program Files\RevConnect
    2008-04-01 18:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-04_20.14.18.43 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-04 16:40:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-04 19:45:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-06-02 19:51:53 29,926 ----a-r C:\WINDOWS\Installer\{A9174A72-1B46-445B-B3CF-90ED2C63D83B}\MsblIco.Exe
    + 2008-06-04 21:17:32 29,926 ----a-r C:\WINDOWS\Installer\{A9174A72-1B46-445B-B3CF-90ED2C63D83B}\MsblIco.Exe
    + 2007-10-18 08:31:46 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
    + 2006-06-05 11:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
    + 2006-06-05 11:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
    + 2006-06-05 11:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 02:17 421888]
    "\VISTA\EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2006-12-25 05:00 177664]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
    "F-Secure TNB"="C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" [2008-02-13 13:38 741800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00 394856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
    "2170:UDP"= 2170:UDP:Windows Media Format SDK (firefox.exe)

    R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
    R1 f-secure hips;F-Secure HIPS;C:\Program Files\Elisa Tietoturvapalvelu\HIPS\fshs.sys [2008-06-04 00:09]
    R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
    R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
    R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
    R3 f-secure gatekeeper;F-Secure Gatekeeper;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\minifilter\fsgk.sys [2008-02-13 13:38]
    R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
    S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-18 01:04]
    S4 f-secure filter;F-Secure File System Filter;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSfilter.sys [2008-02-13 13:38]
    S4 f-secure recognizer;F-Secure File System Recognizer;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSrec.sys [2008-02-13 13:38]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - wlsetupsvc
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-05 00:29:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    .
    Completion time: 2008-06-05 0:32:05
    ComboFix-quarantined-files.txt 2008-06-04 21:31:45
    ComboFix2.txt 2008-06-04 19:06:17
    ComboFix3.txt 2008-06-04 18:50:45
    ComboFix4.txt 2008-06-04 18:32:44
    ComboFix5.txt 2008-06-04 17:14:53

    Pre-Run: 1,467,904,000 bytes free
    Post-Run: 1,459,810,304 bytes free

    154 --- E O F --- 2008-05-28 19:45:23
     
  13. Septou

    I forgot to mention that I reinstalled Messenger in the meantime, which may affect the log file.
     
  14. Hujo


    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [image]

    Restart the computer when prompted and post the contents of combofix.txt here.

    ================

    Also delete the following by hand if it is still there

    C:\Lataukset\image23.JPG-www.msnimages.0om

    ================

    Download RegSeeker.zip to the desktop:

    Extract the zip into the C:\RegSeeker\ folder. Run RegSeeker.exe from there.
    In the top right corner there is a Languages.... link; choose Finnish from it.
    In the bottom left corner tick Create backup, then click the Clean registry link.
    Tick every other item except "Unusable..", then "OK" (wait a moment).
    A list of invalid registry entries appears; in the bottom bar, under Select,
    click Select all, which gives the selected entries a yellow background.
    From the Actions link in the bottom bar click Delete selected items.
    Answer "OK" to the pop-up "All selected items will be deleted?".
    Answer "OK" to the next pop-up, "Backups".
    Click Exit RegSeeker on the left and restart your computer.
     
  15. Septou

    I had to sleep and go to work in between. I'll continue with RegSeeker. Here is Combofix.txt:

    ComboFix 08-06-03.4 - Henna 2008-06-05 19:56:37.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.229 [GMT 3:00]
    Running from: C:\Documents and Settings\Henna\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Henna\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\abhwevhi.exe
    C:\d1.exe
    C:\WINDOWS\is154890.exe
    C:\WINDOWS\system32\hcnwg4u.sys
    .

    (((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\abhwevhi.exe
    C:\d1.exe
    C:\WINDOWS\is154890.exe
    C:\WINDOWS\system32\hcnwg4u.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_hcnwg4u


    ((((( Files created between 2008-05-05 and 2008-06-05 )))))))))))))))))
    .

    2008-06-05 00:15 . 2008-06-05 00:17 <DIR> d-------- C:\Program Files\Windows Live
    2008-06-04 22:59 . 2008-06-04 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-04 22:59 . 2008-06-04 22:59 <DIR> d-------- C:\Documents and Settings\Henna\Application Data\Malwarebytes
    2008-06-04 22:59 . 2008-06-04 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-04 22:59 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-04 22:59 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-04 22:23 . 2008-06-04 22:23 <DIR> d-------- C:\VundoFix Backups
    2008-06-04 20:14 . 2008-06-04 20:14 <DIR> d-------- C:\Documents and Settings\Järjestelmänvalvoja
    2008-06-04 20:14 . <DIR> C:\Documents and Settings\Järjestelmänvalvoja\Local Settings
    2008-06-04 20:14 . <DIR> C:\Documents and Settings\Järjestelmänvalvoja\Local Settings
    2008-06-04 13:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-06-04 13:58 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-06-04 00:10 . 2008-06-04 19:10 <DIR> d-------- C:\Documents and Settings\Henna\Application Data\F-Secure
    2008-06-04 00:04 . 2008-06-04 00:10 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2008-06-04 00:04 . 2008-06-04 00:10 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2008-06-04 00:03 . 2008-06-04 00:16 <DIR> d-------- C:\Program Files\Elisa Tietoturvapalvelu
    2008-06-04 00:03 . 2008-06-04 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
    2008-06-04 00:02 . 2008-06-04 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
    2008-06-03 22:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-06-03 22:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-06-03 22:22 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-06-03 22:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-06-03 22:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-03 22:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-03 20:19 . 2008-06-03 21:09 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
    2008-06-03 14:06 . 2008-06-03 22:22 1,880 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-03 13:58 . 2008-06-03 13:58 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-27 22:17 . 2008-05-27 22:17 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-05-27 21:24 . 2008-05-27 21:25 <DIR> d-------- C:\Documents and Settings\Järjestelmänvalvoja

    .
    (((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-04 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-06-03 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-03 19:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-03 19:10 --------- d-----w C:\Program Files\PartyGaming
    2008-06-03 10:54 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-05-25 19:33 --------- d-----w C:\Program Files\RevConnect
    2008-04-01 18:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-04_20.14.18.43 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-04 16:40:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-05 17:03:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-06-02 19:51:53 29,926 ----a-r C:\WINDOWS\Installer\{A9174A72-1B46-445B-B3CF-90ED2C63D83B}\MsblIco.Exe
    + 2008-06-04 21:17:32 29,926 ----a-r C:\WINDOWS\Installer\{A9174A72-1B46-445B-B3CF-90ED2C63D83B}\MsblIco.Exe
    + 2007-10-18 08:31:46 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
    + 2008-06-05 17:04:58 83,769 ----a-w C:\WINDOWS\Temp\fsaua.tmp\difflist_fsosfi06.socfi.f-sos.net_80_275840608_1\orion.dat
    + 2008-06-05 17:05:08 906,049 ----a-w C:\WINDOWS\Temp\fsaua.tmp\infopak_fsosfi06.socfi.f-sos.net_80_275840608\orion.dat
    + 2006-06-05 11:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
    + 2006-06-05 11:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
    + 2006-06-05 11:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
    .
    (((((((((((((((((((((((((((((( Registry loading points )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29 165784]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 02:17 421888]
    "\VISTA\EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2006-12-25 05:00 177664]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "F-Secure Manager"="C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.exe" [2008-02-13 13:38 184800]
    "F-Secure TNB"="C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" [2008-02-13 13:38 741800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\RevConnect\\DCPlusPlus.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)
    "2170:UDP"= 2170:UDP:Windows Media Format SDK (firefox.exe)

    R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
    R1 f-secure hips;F-Secure HIPS;C:\Program Files\Elisa Tietoturvapalvelu\HIPS\fshs.sys [2008-06-04 00:09]
    R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
    R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
    R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
    R3 f-secure gatekeeper;F-Secure Gatekeeper;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\minifilter\fsgk.sys [2008-02-13 13:38]
    R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 05:01]
    S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-18 01:04]
    S4 f-secure filter;F-Secure File System Filter;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSfilter.sys [2008-02-13 13:38]
    S4 f-secure recognizer;F-Secure File System Recognizer;C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\Win2K\FSrec.sys [2008-02-13 13:38]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-05 20:05:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsus.exe
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\PROGRA~1\ELISAT~1\ANTI-V~1\fsav32.exe
    C:\PROGRA~1\ELISAT~1\Common\FSM32.EXE
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\PROGRA~1\ELISAT~1\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-06-05 20:10:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-05 17:10:26
    ComboFix2.txt 2008-06-04 21:32:06
    ComboFix3.txt 2008-06-04 19:06:17
    ComboFix4.txt 2008-06-04 18:50:45
    ComboFix5.txt 2008-06-04 18:32:44

    Pre-Run: 1,459,347,456 bytes free
    Post-Run: 1,448,624,128 bytes free

    177 --- E O F --- 2008-05-28 19:45:23
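Added example, not part of the thread and not a ComboFix, HijackThis or F-Secure tool: a small Python script that reads the firewall-policy and driver/service lines in the format of the ComboFix log above and flags what a helper would ask the poster about. On the lines quoted here that is the Windows Firewall standard profile switched off (EnableFirewall = 0; the F-Secure firewall driver is loaded, so this may be intended), TCP 3389 globally open, Radmin Server V3 (rserver3.exe) running as an automatic-start service with a firewall exception, and kernel drivers loading from outside system32\drivers. The list of risky ports, the list of remote-control executables and the decoding of the R/S prefix and start-type digit are my assumptions; the sample log is constructed from lines on this page plus one reconstructed line for the hcnwg4u driver whose service ComboFix removed.

```python
"""Triage of ComboFix firewall-policy and driver/service lines (added example,
not a ComboFix, HijackThis or F-Secure tool)."""
import re

# Assumptions, not from the page: ComboFix prefixes each service line with
# R (running) or S (stopped) plus the Windows start type digit.
STATE = {"R": "running", "S": "stopped"}
START_TYPE = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}
# Hypothetical watch lists, sized to what this log shows.
RISKY_OPEN_PORTS = {"3389:TCP": "Remote Desktop (RDP) reachable from the network"}
REMOTE_CONTROL_EXES = {"rserver3.exe"}  # Radmin Server V3, per the log's service entry
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


def _image_path(rest):
    """Executable or driver path from the tail of a service line."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split(" [", 1)[0].strip()  # drop the trailing "[timestamp]"


def parse_firewall(lines):
    """Collect EnableFirewall, authorized applications and globally open ports."""
    policy = {"enabled": None, "apps": [], "ports": []}
    section = None
    for line in lines:
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            low = s.lower()
            if "firewallpolicy" not in low:
                section = None
            elif low.endswith("authorizedapplications\\list]"):
                section = "apps"
            elif low.endswith("globallyopenports\\list]"):
                section = "ports"
            else:
                section = "policy"
            continue
        if section is None or not s.startswith('"'):
            continue
        name, _, value = s[1:].partition('"=')
        if section == "policy" and name.lower() == "enablefirewall":
            policy["enabled"] = value.strip().startswith("1")
        elif section == "apps":
            policy["apps"].append(name.replace("\\\\", "\\"))  # the log doubles backslashes
        elif section == "ports":
            policy["ports"].append(name.upper())
    return policy


def parse_services(lines):
    """Yield (state, start type, name, display name, image path) per service line."""
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            yield (STATE[m["state"]], START_TYPE.get(m["start"], m["start"]),
                   m["name"], m["display"], _image_path(m["rest"]))


def triage(lines):
    """Return (category, detail) findings for a block of ComboFix log lines."""
    findings = []
    fw = parse_firewall(lines)
    if fw["enabled"] is False:
        findings.append(("firewall_disabled", "standard profile off; confirm another firewall covers the host"))
    for port in fw["ports"]:
        if port in RISKY_OPEN_PORTS:
            findings.append(("open_port", f"{port}: {RISKY_OPEN_PORTS[port]}"))
    for app in fw["apps"]:
        if app.rsplit("\\", 1)[-1].lower() in REMOTE_CONTROL_EXES:
            findings.append(("remote_control_exception", app))
    for state, start, name, display, path in parse_services(lines):
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in REMOTE_CONTROL_EXES:
            findings.append(("remote_control_service", f"{name} ({display}): {state}, {start} start"))
        if low.endswith(".sys") and "\\system32\\" in low and "\\system32\\drivers\\" not in low:
            findings.append(("driver_unusual_path", f"{name}: {path}"))
    return findings


# Constructed sample: firewall-policy and service lines quoted from the ComboFix
# log above, plus one reconstructed line for the hcnwg4u driver, written the way
# it would have appeared before ComboFix deleted its service (Service_hcnwg4u).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2171:UDP"= 2171:UDP:Windows Media Format SDK (firefox.exe)

R0 fsfw;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-06-04 00:10]
R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2007-10-31 15:30]
R1 hcnwg4u;hcnwg4u;C:\WINDOWS\system32\hcnwg4u.sys [2008-06-03 00:00]
R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 03:00]
""".splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

The driver check is deliberately a location heuristic rather than a name list: a vendor driver under Program Files (the F-Secure HIPS driver here) is left alone, while anything loading from system32 itself or from a subfolder other than drivers (raddrvv3.sys, and the hcnwg4u.sys that ComboFix removed) is raised for a "did you install this?" question, which is how a thread like this one actually proceeds.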
     
  16. Hujo


    scan and post a new HJT log
     
  17. Septou

    Here:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:28:15, on 5.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsus.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [\VISTA\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\Henna\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Local Service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Network Service')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\Software\..\Telephony: DomainName = henna
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henna
    O23 - Service: FSGKHS (f-secure gatekeeper handler starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (fsaua) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (fsdfwd) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (fsma) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4821 bytes
     
  18. Hujo


    Download fixwareout.exe from here > FixWareout.exe
    or from here >
    FixWareout.exe
    and save it to the desktop. Double-click it and follow the instructions. Click Next, then Install, and make sure "Run fixit" is selected. You will have to restart the computer when told to.

    Post a new HjT log and the contents of c:\fixwareout\report.txt



    ==============

    how is the computer working?
     
    Last edited by a moderator: 05.06.2008
  19. Septou

    Here is the FixWareout log:

    Username "Henna" - 05.06.2008 21:41:47 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
    "F-Secure Manager"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\Common\\FSM32.EXE\" /splash"
    "F-Secure TNB"="\"C:\\Program Files\\Elisa Tietoturvapalvelu\\FSGUI\\TNBUtil.exe\" /CHECKALL /WAITFORSW"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
    "\\VISTA\\EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /FU \"C:\\DOCUME~1\\Henna\\LOCALS~1\\Temp\\E_S41.tmp\" /EF \"HKCU\""
    "MsnMsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~

    ________________________________________

    And here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:53:23, on 5.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsus.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [\VISTA\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\Henna\LOCALS~1\Temp\E_S41.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Local Service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Network Service')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\Software\..\Telephony: DomainName = henna
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henna
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = henna
    O23 - Service: FSGKHS (f-secure gatekeeper handler starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (fsaua) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (fsdfwd) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (fsma) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4867 bytes

    ___________________________________________

    At least no virus alerts have come up yet, and no other malfunctions either. I need to test a bit. I'll report back.
     
  20. Hujo


    let's tidy up a little more

    1. Click Start > right-click My Computer
    2. Choose Properties
    3. Choose the System Restore tab
    4. Tick ¤ Turn off System Restore on all drives
    5. Click Apply
    6. Click OK
    7. Shut down and restart
    8. Untick ¤ Turn off System Restore on all drives
    9. Apply and OK


    Start > Run, put the line below into the box

    Combofix /u

    press OK
     
  21. Septou

    The last steps have been done and Combofix removed. Was that all?
     
