
Tried to remove the Mese virus. Possibly other viruses too. HJT log

Thread in the Viruses and malware - HijackThis logs section. Thread started by Tanis79 on 10.06.2008.

  1. Tanis79

    Tanis79 Member

    Joined:
    10.06.2008
    Messages:
    14
    Thanks:
    0
    Points:
    11
    I ran SDFix on the machine in safe mode, after which it seemed to work ok for a couple of days. Then the problems started coming back. Since then I have run an Avast boot-time scan before the machine starts up. I would like to know whether the machine still has viruses and how to get rid of them.

    The virus also infected the USB stick that was used in the machine. How can it be removed from the stick?

    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:55:58, on 10.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\vieiiy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Windows\msservice.exe
    C:\WINDOWS\system32\telecms.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
    O4 - HKLM\..\Run: [MSN] C:\Windows\msservice.exe
    O4 - HKLM\..\Run: [advap32] c:\uucn.exe/r
    O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WintelUpdate] C:\vieiiy.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Acer Empowering Technology.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: BetOnBet Poker - {2B936D2B-EDD7-405f-9057-3685BE897E62} - C:\Microgaming\Poker\betonbetMPP\MPPoker.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207643444887
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 9428 bytes
     
  3. Tanis79

    Tanis79 Member

    Joined:
    10.06.2008
    Messages:
    14
    Thanks:
    0
    Points:
    11
    I don't want to jump the queue, but... it is a bit urgent to get the machine fixed. Among other things, my wife's thesis diary, into which she has collected material for about a year, exists only on the machine and on the infected USB stick, and probably also on an infected external hard drive. The thesis itself is at least safe in e-mail. Both have to be handed in for graduation at the start of next week :S

    It would make my (the infector's) life a lot easier if I could say with certainty that the important files are fine and can be rescued :)

    Thanks in advance to the helpers.
     
  4. Hujo

    Hujo Guest

    Plug the USB stick into the machine.
     
  5. Hujo

    Hujo Guest

    Then we continue.

    1. Download combofix.exe to your desktop from one of these links:
    combofix1
    combofix2

    2. Double-click the combofix.exe file and follow the instructions.
    3. When the tool has finished, it produces a log. Post this log in your thread.
    Note! Do not click in the ComboFix window while it is running. This may cause the program to hang.
     
  6. Tanis79

    Tanis79 Member

    Joined:
    10.06.2008
    Messages:
    14
    Thanks:
    0
    Points:
    11
    ComboFix log:

    ComboFix 08-06-09.7 - Mikke 2008-06-10 18:59:56.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.580 [GMT 3:00]
    Running from: C:\Documents and Settings\Mikke\Työpöytä\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\WinCtrl32.dl_
    F:\Autorun.inf
    H:\autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FCI
    -------\Service_FCI
    -------\Service_hcnwg4u


    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-10 to 2008-06-10 )))))))))))))))))
    .

    2008-06-05 22:43 . 2008-06-05 22:43 5,120 --a------ C:\rpqlvo.exe
    2008-06-05 22:43 . 2004-09-15 20:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-06-05 22:43 . 2008-06-05 22:43 2 --a------ C:\47523789
    2008-06-05 22:42 . 2008-06-05 22:43 12,800 --a------ C:\vieiiy.exe
    2008-06-05 22:42 . 2008-06-05 22:43 12,288 --a------ C:\uucn.exe
    2008-06-05 22:35 . 2008-06-05 22:36 75,776 --a------ C:\hldtlwe.exe
    2008-06-05 10:03 . 2008-06-05 10:03 268 --ah----- C:\sqmdata00.sqm
    2008-06-05 10:03 . 2008-06-05 10:03 244 --ah----- C:\sqmnoopt00.sqm
    2008-06-04 10:06 . 2008-06-04 10:06 97,210 -r-hs---- C:\WINDOWS\msservice.exe
    2008-06-04 10:06 . 2008-06-10 18:24 97,210 --a------ C:\emoge.exe
    2008-05-29 23:09 . 2008-05-29 23:09 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-29 23:08 . 2008-05-29 23:08 <KANSIO> d-------- C:\SDFix
    2008-05-28 19:54 . 2008-05-28 19:54 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-05-27 21:46 . 2008-05-29 20:18 86,340 -r-hs---- C:\WINDOWS\winudspm.exe

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-02 17:47 --------- d-----w C:\Program Files\PAF Tournament Director's Poker Clock
    2008-04-17 18:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-17 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-17 18:15 --------- d-----w C:\Documents and Settings\Mikke\Application Data\Microgaming
    2008-04-17 14:45 --------- d-----w C:\Program Files\Java
    2008-04-17 14:44 --------- d-----w C:\Program Files\Common Files\Java
    2008-04-14 18:10 --------- d-----w C:\Program Files\FileZilla FTP Client
    2008-04-14 18:10 --------- d-----w C:\Documents and Settings\Mikke\Application Data\FileZilla
    2008-04-14 18:04 --------- d-----w C:\Program Files\Notepad++
    2008-04-14 18:04 --------- d-----w C:\Documents and Settings\Mikke\Application Data\Notepad++
    2008-04-13 09:17 --------- d-----w C:\Documents and Settings\Mikke\Application Data\AdobeUM
    2008-04-13 08:54 --------- d-----w C:\Program Files\EPSON
    2008-04-12 08:41 --------- d-----w C:\Program Files\MSN Apps
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
    2007-06-13 13:22 249,496 --sh--r C:\WINDOWS\system32\telecms.exe
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 20:00 15360]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 12:39 486856]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
    "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-20 14:02 53248]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-03-23 00:12 151552]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-09-15 20:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-15 20:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-15 20:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-15 20:00 455168]
    "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
    "ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
    "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
    "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-03-31 16:11 598016]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 12:07 761946]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-13 16:01 16010752 C:\WINDOWS\RTHDCPL.exe]
    "EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [2004-01-13 03:00 99840]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "psyspy-2.1.4 Client Server"="C:\WINDOWS\system32\telecms.exe" [2007-06-13 16:22 249496]
    "MSN"="C:\Windows\msservice.exe" [2008-06-10 19:05 97210]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "psyspy-2.1.4 Client Server"="C:\WINDOWS\system32\telecms.exe" [2007-06-13 16:22 249496]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 20:00 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincs76.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhe08.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjg76.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winli30.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\telecms.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    S0 Wincs76;Wincs76;C:\WINDOWS\system32\Drivers\Wincs76.sys []
    S0 Winhe08;Winhe08;C:\WINDOWS\system32\Drivers\Winhe08.sys []
    S0 Winli30;Winli30;C:\WINDOWS\system32\Drivers\Winli30.sys []

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-10 19:03:30
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-10 19:06:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-10 16:06:30

    Pre-Run: 14,716,747,776 tavua vapaana
    Post-Run: 14,681,407,488 tavua vapaana

    148 --- E O F --- 2008-05-28 17:01:03


    Avast did not start its background protection after the restart ComboFix performed. Is this normal?
     
  7. Hujo

    Hujo Guest

    Well, avast will probably start up again later.

    =====

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it with the name CFScript.txt

    Then drag CFScript onto ComboFix.exe as in the picture.

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    ==============

    Scan with HJT, check the following entries and press Fix checked:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
    O4 - HKLM\..\Run: [MSN] C:\Windows\msservice.exe
    O4 - HKLM\..\Run: [advap32] c:\uucn.exe/r
    O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
    O4 - HKCU\..\Run: [WintelUpdate] C:\vieiiy.exe
    O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)


    ===============

    Download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the instructions to install the program.
    2. At the end, make sure the following are selected: Update Malwarebytes' Anti-Malware and
    Launch Malwarebytes' Anti-Malware, then click Finish.
    3. If an update is found, the program downloads and installs the latest version.
    4. When the program has loaded, select Perform full scan and click Scan.
    5. When the scan is finished, click OK and then Show Results to see the results.
    6. Make sure everything is checked and click Remove Selected.
    7. After this the log opens in Notepad. Save it somewhere you can find it easily. The log
    can also be found here: C:\Documents and Settings\Username\Application
    Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    8. Post the contents of the log in your next message.

    =============

    eScan
    Instructions are on this page:
    http://koti.mbnet.fi/pattaya1/escanmwav.htm
    Download from here:
    http://www.spywareinfo.dk/download/mwav.exe
    Update from here:
    http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat
    Set the ticks as marked here:
    http://koti.mbnet.fi/pattaya1/eScan6.jpg

    Scan.

    If anything appears in the lower pane, copy it like this:
    Use the Ctrl+A command.
    Copy the lines with Ctrl+C.
    Paste the lines with Ctrl+V.

    Post the virus log here.
     
    Last edited by a moderator: 10.06.2008
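    As an added example (not code from this thread or from any of the tools the posters used): a small Python triage script that reads HijackThis lines like the ones above and flags entries with three defender-side heuristics (referenced file missing, executable sitting directly in a drive or Windows root, use of the legacy RunServices key). The sample lines are copied from the HJT log in the first post; the heuristics are assumptions of this example, and ALCMTR.EXE is not caught by them because that call was the helper's judgement rather than a rule.

```python
"""Heuristic triage of HijackThis (HJT) log lines, as a defender's reading aid."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the HJT log posted in this thread (a subset, for the example).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
O4 - HKLM\..\Run: [MSN] C:\Windows\msservice.exe
O4 - HKLM\..\Run: [advap32] c:\uucn.exe/r
O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\vieiiy.exe
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
"""


@dataclass
class Entry:
    section: str            # HJT section label, e.g. "O4"
    key: str                # registry run key for O4 lines, else the section label
    target: Optional[str]   # executable/DLL path extracted from the line, if any
    missing: bool           # HJT reported "(no file)" / "(file missing)"
    raw: str


O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
TARGET_RE = re.compile(
    r'"(?P<quoted>[^"]+)"'                          # quoted path (may contain spaces)
    r'|(?P<drive>[A-Za-z]:\\.*?\.(?:exe|dll|sys))'  # drive-letter path (may contain spaces)
    r'|(?P<bare>[\w.-]+\.(?:exe|dll|sys))',         # bare file name, resolved via PATH
    re.IGNORECASE)
# Directory is a bare drive root (C:\) or the Windows directory itself (C:\Windows) -
# heuristic assumption: legitimate autostarts almost never live there.
SYSTEM_ROOT_DIR = re.compile(r'[a-z]:\\?(windows\\?|winnt\\?)?', re.IGNORECASE)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into section, run key, launched target and missing flag."""
    line = line.strip()
    head = re.match(r'^(O\d+) - (.*)$', line)
    if not head:
        return None
    section, rest = head.group(1), head.group(2)
    key = section
    if section == "O4":
        o4 = O4_RE.match(line)
        if o4:  # only search the command part, not the value name in [...]
            key, rest = o4.group("key"), o4.group("cmd")
    m = TARGET_RE.search(rest)
    target = next((g for g in m.groups() if g), None) if m else None
    missing = "(no file)" in rest or "(file missing)" in rest
    return Entry(section, key, target, missing, line)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, raw line) for every entry one of the heuristics flags."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    # Targets launched from RunServices: a Win9x-era key with almost no legitimate use on XP.
    run_services_targets = {e.target.lower() for e in entries
                            if e.target and "runservices" in e.key.lower()}
    findings = []
    for e in entries:
        reason = None
        if e.missing:
            reason = "referenced file is missing (orphaned entry)"
        elif e.section == "O4" and "runservices" in e.key.lower():
            reason = "autostart via legacy RunServices key"
        elif e.target and e.target.lower() in run_services_targets:
            reason = "same binary also registered under RunServices"
        elif e.target and SYSTEM_ROOT_DIR.fullmatch(ntpath.dirname(e.target)):
            reason = "executable placed directly in a drive or Windows root"
        if reason:
            findings.append((reason, e.raw))
    return findings


if __name__ == "__main__":
    for reason, raw in triage(SAMPLE_LOG):
        print(f"[{reason}] {raw}")
```

    Seven of the eight entries the helper chose are flagged; the rules deliberately stay simple, so a real triage still needs a human to weigh each hit.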
  8. Tanis79

    Tanis79 Member

    Joined:
    10.06.2008
    Messages:
    14
    Thanks:
    0
    Points:
    11
    So I first ran ComboFix according to the instructions, then the HJT scan. Here is the ComboFix log:

    ComboFix 08-06-09.7 - Mikke 2008-06-10 20:17:00.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.565 [GMT 3:00]
    Running from: C:\Documents and Settings\Mikke\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Mikke\Työpöytä\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\47523789
    C:\emoge.exe
    C:\hldtlwe.exe
    C:\rpqlvo.exe
    C:\sqmdata00.sqm
    C:\sqmnoopt00.sqm
    C:\uucn.exe
    C:\vieiiy.exe
    C:\WINDOWS\msservice.exe
    C:\WINDOWS\system32\telecms.exe
    C:\WINDOWS\winudspm.exe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\47523789
    C:\d.exe
    C:\emoge.exe
    C:\hldtlwe.exe
    C:\sqmdata00.sqm
    C:\sqmnoopt00.sqm
    C:\uucn.exe
    C:\vieiiy.exe
    C:\WINDOWS\msservice.exe
    C:\WINDOWS\system32\bmf.cs
    C:\WINDOWS\system32\ccs.so
    C:\WINDOWS\system32\drivers\yjdq36.sys
    C:\WINDOWS\system32\ho.ln
    C:\WINDOWS\system32\ko.o
    C:\WINDOWS\system32\mn.n
    C:\WINDOWS\system32\ntpl.bin
    C:\WINDOWS\system32\nvrsma.dll
    C:\WINDOWS\system32\service.exe
    C:\WINDOWS\system32\service.sys
    C:\WINDOWS\system32\telecms.exe
    C:\WINDOWS\winudspm.exe
    H:\autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_yjdq36
    -------\Service_service.sys
    -------\Service_yjdq36


    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-10 to 2008-06-10 )))))))))))))))))
    .

    2008-06-10 20:14 . 2008-06-10 20:15 36,352 --a------ C:\d1.exe
    2008-06-10 19:39 . 2008-06-10 19:39 29 --a------ C:\WINDOWS\system32\aqgwqats.tmp
    2008-06-10 19:38 . 63,922 C:\WINDOWS\system32\jwzpqng.sys
    2008-06-10 19:27 . 2008-06-10 19:27 29,835 -r-hs---- C:\WINDOWS\serviceaaa.exe
    2008-06-10 19:27 . 2008-06-10 19:27 29,835 --a------ C:\ageax.exe
    2008-06-05 22:43 . 2004-09-15 20:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-05-29 23:09 . 2008-05-29 23:09 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-29 23:08 . 2008-05-29 23:08 <KANSIO> d-------- C:\SDFix
    2008-05-28 19:54 . 2008-05-28 19:54 <KANSIO> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-10 17:14 578,048 ----a-w C:\WINDOWS\system32\user32.DLL
    2008-06-10 17:14 578,048 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
    2008-05-02 17:47 --------- d-----w C:\Program Files\PAF Tournament Director's Poker Clock
    2008-04-17 18:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-17 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-17 18:15 --------- d-----w C:\Documents and Settings\Mikke\Application Data\Microgaming
    2008-04-17 14:45 --------- d-----w C:\Program Files\Java
    2008-04-17 14:44 --------- d-----w C:\Program Files\Common Files\Java
    2008-04-14 18:10 --------- d-----w C:\Program Files\FileZilla FTP Client
    2008-04-14 18:10 --------- d-----w C:\Documents and Settings\Mikke\Application Data\FileZilla
    2008-04-14 18:04 --------- d-----w C:\Program Files\Notepad++
    2008-04-14 18:04 --------- d-----w C:\Documents and Settings\Mikke\Application Data\Notepad++
    2008-04-13 09:17 --------- d-----w C:\Documents and Settings\Mikke\Application Data\AdobeUM
    2008-04-13 08:54 --------- d-----w C:\Program Files\EPSON
    2008-04-12 08:41 --------- d-----w C:\Program Files\MSN Apps
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
    .
    C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
    578,048 2008-06-10 17:14:50 C:\WINDOWS\system32\user32.DLL
    578,048 2008-06-10 17:14:50 C:\WINDOWS\system32\dllcache\user32.dll
    577,536 2005-03-02 18:20:22 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    578,560 2007-03-08 15:50:12 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    577,536 2004-09-15 17:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
    577,536 2005-03-02 18:18:14 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
    577,536 2005-03-02 18:18:14 C:\WINDOWS\$NtUninstallKB925902$\user32.dll.000


    ------- Sigcheck -------

    2008-06-10 20:14 578048 d8a5518768dd1c5856c43122a2a45628 C:\WINDOWS\system32\user32.DLL
    2008-06-10 20:14 578048 d8a5518768dd1c5856c43122a2a45628 C:\WINDOWS\system32\dllcache\user32.dll
    2005-03-02 21:20 577536 409647243875a2f91bae81cbef248cb6 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 18:50 578560 90f1d04938bae133e2f4d8f7f0fa4fa0 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    2004-09-15 20:00 577536 44c02bc54d56ed3a685302e91396720a C:\WINDOWS\$NtUninstallKB890859$\user32.dll
    2005-03-02 21:18 577536 aeefa9d983c986e7a8d6d80ca165b93f C:\WINDOWS\$NtUninstallKB925902$\user32.dll
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-10_19.06.02.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-10 16:02:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-10 17:21:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-10 17:22:52 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
    + 2008-06-10 17:22:12 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_504.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 20:00 15360]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 12:39 486856]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
    "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-20 14:02 53248]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-03-23 00:12 151552]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-09-15 20:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-15 20:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-15 20:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-15 20:00 455168]
    "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
    "ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
    "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
    "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-03-31 16:11 598016]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 12:07 761946]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-13 16:01 16010752 C:\WINDOWS\RTHDCPL.exe]
    "EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [2004-01-13 03:00 99840]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "psyspy-2.1.4 Client Server"="C:\WINDOWS\system32\telecms.exe" [ ]
    "Windows svchost"="serviceaaa.exe" [2008-06-10 19:27 29835 C:\WINDOWS\serviceaaa.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "psyspy-2.1.4 Client Server"="C:\WINDOWS\system32\telecms.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 20:00 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincs76.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhe08.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjg76.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winli30.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\d1.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    S0 Wincs76;Wincs76;C:\WINDOWS\system32\Drivers\Wincs76.sys []
    S0 Winhe08;Winhe08;C:\WINDOWS\system32\Drivers\Winhe08.sys []
    S0 Winli30;Winli30;C:\WINDOWS\system32\Drivers\Winli30.sys []

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-10 20:23:00
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-10 20:27:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-10 17:27:02
    ComboFix2.txt 2008-06-10 16:06:38

    Pre-Run: 14,644,527,104 tavua vapaana
    Post-Run: 14,623,850,496 tavua vapaana

    202 --- E O F --- 2008-05-28 17:01:03
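    The autostart section of the ComboFix log above is the part a helper reads by eye. As an added example (not code from this thread, from ComboFix or from its author), here is a small Python triage script that parses lines in the shape ComboFix prints and flags the patterns visible in this very log: a Run value whose file was not on disk at scan time (the "[ ]" bracket), a value name that mimics a Windows core process but runs from outside system32 (the "Windows svchost" entry, which Malwarebytes later in the thread reports as Backdoor.Bot), a firewall exception for an executable sitting in a drive root (C:\d1.exe), and a service line for a driver registered with no file on disk (the S0 Win*.sys entries). The sample lines embedded in the script are constructed from the posted log; the heuristics, function names and the Finding type are mine, not ComboFix's.

```python
"""Triage helper for the autostart section of a ComboFix log.

Added example for this thread; not code from the thread, from ComboFix or
from its author.  The heuristics and the sample lines are constructed from
the log posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape ComboFix prints (lines copied from the posted log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"psyspy-2.1.4 Client Server"="C:\WINDOWS\system32\telecms.exe" [ ]
"Windows svchost"="serviceaaa.exe" [2008-06-10 19:27 29835 C:\WINDOWS\serviceaaa.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincs76.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\d1.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
S0 Wincs76;Wincs76;C:\WINDOWS\system32\Drivers\Wincs76.sys []
"""

# Names of Windows core processes that malware likes to borrow for its Run value.
CORE_PROCESS_NAMES = ("svchost", "services", "lsass", "winlogon", "csrss", "smss")

# "name"="target" [meta]  -- meta is blank when ComboFix did not find the file
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# "path"=  -- firewall AuthorizedApplications list, backslashes doubled
FIREWALL_ENTRY = re.compile(r'^"(?P<path>[^"]+)"=$')
# S0 name;display;path [meta]  -- service/driver line, meta blank when file missing
SERVICE_LINE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')


@dataclass
class Finding:
    line: str    # the log line that tripped a heuristic
    reason: str  # why a helper should look at it


def resolved_path(target: str, meta: str) -> str:
    """A bare filename is resolved through the search path; ComboFix then prints
    the path it actually found as the fourth bracket token."""
    if "\\" in target:
        return target
    parts = meta.split(maxsplit=3)
    return parts[3] if len(parts) == 4 else target


def in_drive_root(path: str) -> bool:
    # True for a file directly under a drive root, e.g. the C:\d1.exe exception above.
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def triage(log_text: str) -> list:
    """Return the Findings for every autostart/service/firewall line that
    matches one of the heuristics. Order follows the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:
            name, target, meta = m.group("name"), m.group("target"), m.group("meta").strip()
            path = resolved_path(target, meta)
            if not meta:
                findings.append(Finding(line, "autostart points to a file that was not on disk at scan time"))
            if any(p in name.lower() for p in CORE_PROCESS_NAMES) and "\\system32\\" not in path.lower():
                findings.append(Finding(line, f"value name mimics a Windows core process but runs {path}"))
            if in_drive_root(path):
                findings.append(Finding(line, f"autostart target sits in a drive root: {path}"))
            continue
        m = FIREWALL_ENTRY.match(line)
        if m:
            path = m.group("path").replace("\\\\", "\\")
            if in_drive_root(path):
                findings.append(Finding(line, f"firewall exception for an executable in a drive root: {path}"))
            continue
        m = SERVICE_LINE.match(line)
        if m and not m.group("meta").strip():
            findings.append(Finding(line, f"service {m.group('svc')} is registered but its driver file was not found"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

    The output is a triage list, not a verdict: a legitimate entry can trip a heuristic too (an OEM launcher whose file was simply not found at scan time, for example), so each finding still has to be checked against the file itself before its path goes into a CFScript.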
     
  9. Hujo

    Hujo Guest

    One more thing

    Open Notepad and copy/paste the contents of the quote box there:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    =============

    Run Malwarebytes' Anti-Malware right after that
     
  10. Tanis79

    Tanis79 Member

    There are now many other exe files in the root of the C: drive besides those d.exe and ageax.exe. Should I put all the exes that are in the root of C: into the CFScript.txt file? In addition to those two there are d1.exe, abhwehvi.exe, hldtlwe.exe, mastix.exe, msgtrion.exe, rpqvlo.exe, uucn.exe, vieiiy.exe
     
  11. Hujo

    Hujo Guest

    put those in now, and then do that

    like I posted
     
  12. Tanis79

    Tanis79 Member

    I put all the exes into the ComboFix file. After running it they were all gone. I ran Malwarebytes right after. Now there's still that last program from the instructions left to do. Here's the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.16
    Tietokantaversio: 845

    0:15:14 11.6.2008
    mbam-log-6-11-2008 (00-15-14).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|D:\|F:\|H:\|)
    Tarkistetut kohteet: 99513
    Kulunut aika: 30 minute(s), 19 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 0
    Saastuneita rekisteriarvoja: 1
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 2

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriarvoja:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    C:\System Volume Information\_restore{3DBC17C4-C676-478F-A8BC-1FEE792D5D93}\RP60\A0013799.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\rpqlvo.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
     
  13. Hujo

    Hujo Guest

    1. Click Start > right-click My Computer
    2. Select Properties
    3. Select the System Restore tab
    4. Tick the box ¤ Turn off System Restore on all drives
    5. Click Apply
    6. Click OK
    7. Shut down and restart
    8. Untick the box ¤ Turn off System Restore on all drives
    9. Apply and OK

    =============

    now, after the shutdown and restart

    run a new ComboFix log
    run a new Malwarebytes' Anti-Malware log
    run a new HJT log
     
  14. Tanis79

    Tanis79 Member

    Help! Before I noticed your latest message I set eScan running and went to sleep. In the morning it had finished and said the computer needs to be rebooted. I pressed OK and the machine rebooted, but now it won't start anymore!

    At first it begins to boot normally, the Windows logo + progress bar shows for a moment. Then there's a black screen for a while and then the following text flashes by really quickly:

    "STOP: C000135 {osa ei
    yhd}
    Sovelluksen käynnistäminen ei onnistu, koska USER32.dll ei löytynyt. Sovelluksen uudelleenasentaminen saattaa korjata ongelman."

    I had to let the machine try to boot probably 30 times to get that text down one word at a time, since it flashes away so quickly. I'm not sure whether the number sequence at the beginning is right.

    I tried starting with Last Known Good Configuration and in Safe Mode, but neither works. The same text flashes by again and the machine tries to restart itself.

    How do I get the machine running again? I have a recovery disc on DVD. Is there still any hope of getting the machine fixed without reinstalling Windows?
     
  15. Hujo

    Hujo Guest

    Last edited by a moderator: 11.06.2008
  16. Tanis79

    Tanis79 Member

    I haven't tried since the morning because I've been away all day. The latest situation when I tried was that it didn't finish booting but always showed the message I posted and started the boot from the beginning.
     
  17. Hujo

    Hujo Guest

    well, then do a repair install.
     
  18. _jjose_

    _jjose_ Member

    Joined:
    12.01.2006
    Posts:
    36
    Thanks:
    0
    Points:
    16
    yeah, I actually had to do that repair install myself too; now the C: drive has abixer.exe, d.exe, hldtlwe.exe, misvcsh.exe, misch.exe, mimsn.exe, misvvcsn.exe, uucn.exe, vieiu.exe
    I'd need help from Hujo, but I'll go to that machine now and see if I can get something done
     
  19. _jjose_

    _jjose_ Member

    I ran ComboFix straight away and put all the exes that were on the C: drive into the text file. Here's the log, and below it the HJT log from after ComboFix

    EDIT: When I scan with Malwarebytes it throws a blue screen at around 13000 files. I don't know whether it throws one if I don't start the program. Help, going to sleep now, I'll be around tomorrow when I wake up and sometime after 17.00.

    ComboFix 08-06-11.1 - Jose 2008-06-13 2:39:15.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.1519 [GMT 3:00]
    Running from: C:\Documents and Settings\Jose\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jose\Työpöytä\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\346376571
    C:\abixer.exe
    C:\d.exe
    C:\hldtlwe.exe
    C:\mimsn.exe
    C:\miscsn.exe
    C:\misvcsn.exe
    C:\misvvcsn.exe
    C:\uucn.exe
    C:\vieiiy.exe
    C:\WINDOWS\msservice.exe
    C:\WINDOWS\system32\telecms.exe
    C:\WINDOWS\winudspm.exe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\346376571
    C:\abixer.exe
    C:\d.exe
    C:\hldtlwe.exe
    C:\miscsn.exe
    C:\misvcsn.exe
    C:\misvvcsn.exe
    C:\uucn.exe
    C:\vieiiy.exe
    C:\WINDOWS\msvrc20.dll
    C:\WINDOWS\system32\_000121_.tmp.dll
    C:\WINDOWS\system32\_000228_.tmp.dll
    C:\WINDOWS\system32\_000232_.tmp.dll
    C:\WINDOWS\system32\drivers\qandr.sys
    C:\WINDOWS\system32\ntpl.bin
    C:\WINDOWS\system32\nvrsma.dll
    C:\WINDOWS\system32\telecms.exe
    C:\WINDOWS\system32\VuvFPXyb.ini
    C:\WINDOWS\system32\VuvFPXyb.ini2
    C:\WINDOWS\winudspm.exe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-12 to 2008-06-12 )))))))))))))))))
    .

    2008-06-13 04:39 . 2008-06-13 04:44 <KANSIO> d-------- C:\WINDOWS\tmp
    2008-06-13 03:12 . 2008-06-13 03:12 <KANSIO> d-------- C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
    2008-06-13 03:05 . 2008-06-13 03:05 4,730 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-06-13 03:04 . 2008-06-13 03:10 <KANSIO> d-------- C:\WINDOWS\LastGood
    2008-06-12 23:24 . 2006-03-02 15:00 577,536 --a------ C:\WINDOWS\system32\wmggcui
    2008-06-12 23:24 . 2008-06-12 23:24 124,416 --a------ C:\WINDOWS\system32\drivers\Tjq38.sys
    2008-06-12 23:21 . 2008-06-12 23:21 124,416 --a------ C:\WINDOWS\system32\drivers\Qeno47.sys
    2008-06-12 23:21 . 2008-06-12 23:24 65,456 --a------ C:\WINDOWS\system32\narqwe.sys
    2008-06-12 21:26 . 2008-06-12 21:26 29,865 -r-hs---- C:\WINDOWS\mobilesync.exe
    2008-06-12 21:18 . 2008-06-12 21:18 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-12 21:17 . 2008-06-12 21:18 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\skypePM
    2008-06-12 21:16 . 2008-06-12 23:23 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Skype
    2008-06-12 21:15 . 2008-06-12 21:15 <KANSIO> d-------- C:\Program Files\Skype
    2008-06-12 21:15 . 2008-06-12 21:15 <KANSIO> d-------- C:\Program Files\Common Files\Skype
    2008-06-12 16:15 . 2008-06-12 16:15 32,768 --------- C:\mismsn.exe
    2008-06-12 15:47 . 2008-06-12 15:47 131,584 --a------ C:\WINDOWS\system32\drivers\Jad26.sys
    2008-06-12 15:47 . 2008-06-12 15:47 29 --a------ C:\WINDOWS\system32\gototege.tmp
    2008-06-12 15:18 . 2008-06-12 15:18 <KANSIO> d-------- C:\Program Files\SUPERAntiSpyware
    2008-06-12 15:18 . 2008-06-12 15:18 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\SUPERAntiSpyware.com
    2008-06-12 15:18 . 2008-06-12 15:18 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-12 14:30 . 2008-06-12 14:30 <KANSIO> d-------- C:\Program Files\Common Files\PC Tools
    2008-06-12 14:30 . 2008-06-12 14:30 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-12 14:30 . 2008-06-12 14:30 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-06-12 14:21 . 2008-06-12 14:52 <KANSIO> d-------- C:\Program Files\Spyware Doctor
    2008-06-12 14:21 . 2008-06-12 14:21 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\PC Tools
    2008-06-12 14:21 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-06-12 14:21 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-06-12 14:21 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-06-12 14:21 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-06-12 14:19 . 2008-06-12 23:23 29,835 -r-hs---- C:\WINDOWS\serviceaaa.exe
    2008-06-12 13:46 . 2008-06-12 13:46 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Grisoft
    2008-06-12 13:34 . 2008-06-12 13:34 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-12 13:31 . 2008-06-12 14:49 <KANSIO> d-------- C:\Program Files\SPYWAREfighter
    2008-06-12 13:31 . 2008-06-12 13:31 <KANSIO> d-------- C:\Program Files\Common Files\Application
    2008-06-12 13:30 . 2006-03-02 15:00 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
    2008-06-12 13:30 . 2006-03-02 15:00 2,804,224 --a------ C:\WINDOWS\system32\dllcache\msi.dll
    2008-06-12 13:30 . 2006-03-02 15:00 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
    2008-06-12 13:30 . 2006-03-02 15:00 884,736 --a------ C:\WINDOWS\system32\dllcache\msimsg.dll
    2008-06-12 13:30 . 2006-03-02 15:00 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
    2008-06-12 13:30 . 2006-03-02 15:00 331,264 --a------ C:\WINDOWS\system32\dllcache\msihnd.dll
    2008-06-12 13:30 . 2006-03-02 15:00 77,312 --a------ C:\WINDOWS\system32\msiexec.exe
    2008-06-12 13:30 . 2006-03-02 15:00 77,312 --a------ C:\WINDOWS\system32\dllcache\msiexec.exe
    2008-06-12 13:30 . 2006-03-02 15:00 44,032 --a------ C:\WINDOWS\system32\msisip.dll
    2008-06-12 13:30 . 2006-03-02 15:00 44,032 --a------ C:\WINDOWS\system32\dllcache\msisip.dll
    2008-06-12 13:12 . 2008-06-12 13:12 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Uniblue
    2008-06-12 02:12 . 2008-06-12 02:12 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Creative
    2008-06-11 23:43 . 2008-06-11 23:43 <KANSIO> d-------- C:\Documents and Settings\CS\Ty÷p÷ytõ
    2008-05-27 18:14 . 2008-05-27 18:14 55,808 --a------ C:\WINDOWS\devcon.exe
    2008-05-27 16:34 . 2008-05-27 17:43 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\dvdcss
    2008-05-27 09:44 . 2008-05-27 09:44 <KANSIO> d---s---- C:\Documents and Settings\CS\UserData
    2008-05-26 23:48 . 2008-05-26 23:48 <KANSIO> d-------- C:\Program Files\Maketorrent 2
    2008-05-26 23:48 . 2008-05-27 00:26 271 --a------ C:\WINDOWS\maketorrent.ini
    2008-05-26 23:31 . 2008-06-12 14:16 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\uTorrent
    2008-05-26 22:57 . 2008-05-26 22:57 <KANSIO> d-------- C:\Program Files\VentriloMIX
    2008-05-26 22:56 . 2008-05-26 23:21 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Sony
    2008-05-26 22:56 . 2008-05-26 22:56 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Publish Providers
    2008-05-26 22:41 . 2008-05-26 22:41 268 --ah----- C:\sqmdata02.sqm
    2008-05-26 22:41 . 2008-05-26 22:41 244 --ah----- C:\sqmnoopt02.sqm
    2008-05-26 22:38 . 2008-05-26 22:38 268 --ah----- C:\sqmdata01.sqm
    2008-05-26 22:38 . 2008-05-26 22:38 244 --ah----- C:\sqmnoopt01.sqm
    2008-05-26 22:32 . 2008-05-26 22:32 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Media Player Classic
    2008-05-26 21:58 . 2008-05-26 21:58 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\vlc
    2008-05-26 21:17 . 2008-05-26 23:02 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Winamp
    2008-05-26 21:16 . 2008-05-27 00:32 <KANSIO> d-------- C:\Documents and Settings\CS\Contacts
    2008-05-26 19:46 . 2008-05-26 19:46 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\URSoft
    2008-05-26 19:41 . 2008-05-26 19:45 <KANSIO> d-------- C:\Documents and Settings\CS\Application Data\Ventrilo
    2008-05-26 19:38 . 2007-09-05 19:11 <KANSIO> d--h----- C:\Documents and Settings\CS\Verkkoympäristö
    2008-05-26 19:38 . 2008-06-12 21:15 <KANSIO> d-------- C:\Documents and Settings\CS\Työpöytä
    2008-05-26 19:38 . 2007-09-05 19:11 <KANSIO> d--h----- C:\Documents and Settings\CS\Tulostinympäristö
    2008-05-26 19:38 . 2008-05-26 19:38 <KANSIO> d---s---- C:\Documents and Settings\CS\Suosikit
    2008-05-26 19:38 . 2008-05-26 22:56 <KANSIO> d---s---- C:\Documents and Settings\CS\Omat tiedostot
    2008-05-26 19:38 . 2007-09-05 16:15 <KANSIO> d--h----- C:\Documents and Settings\CS\Mallit
    2008-05-26 19:38 . 2007-09-05 19:11 <KANSIO> dr------- C:\Documents and Settings\CS\Käynnistä-valikko
    2008-05-26 19:38 . 2008-06-11 23:43 <KANSIO> d-------- C:\Documents and Settings\CS
    2008-05-22 17:53 . 2008-05-22 17:53 <KANSIO> d--hs---- C:\Documents and Settings\Jose\Recent
    2008-05-19 21:57 . 2008-05-26 22:57 156 --a------ C:\WINDOWS\Twunk001.MTX
    2008-05-19 21:57 . 2008-05-26 22:57 3 --a------ C:\WINDOWS\Twain001.Mtx
    2008-05-19 21:57 . 2008-05-19 21:57 0 --a------ C:\WINDOWS\Twunk002.MTX
    2008-05-19 18:22 . 2008-05-19 18:22 <KANSIO> d-------- C:\Program Files\GetData
    2008-05-19 18:11 . 2008-05-19 18:11 <KANSIO> d-------- C:\Program Files\JLC's Software
    2008-05-19 18:11 . 2008-05-19 18:11 <KANSIO> d-------- C:\Documents and Settings\Jose\Application Data\JLC's Software
    2008-05-19 16:31 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2008-05-19 16:31 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2008-05-19 16:31 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2008-05-19 16:31 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
    2008-05-19 16:30 . 2008-05-19 16:30 <KANSIO> d-------- C:\Program Files\AeriaGames
    2008-05-18 22:19 . 2008-05-18 22:19 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-05-18 22:14 . 2008-05-18 22:14 <KANSIO> d-------- C:\Program Files\Bonjour
    2008-05-18 22:05 . 2008-05-18 22:05 <KANSIO> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-05-17 11:13 . 2008-05-26 15:21 <KANSIO> d-------- C:\Documents and Settings\Jose\Application Data\dvdcss

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-13 00:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-13 00:12 --------- d-----w C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
    2008-06-13 00:04 8,126,464 ----a-w C:\Documents and Settings\Jose\NTUSER.DAT
    2008-06-12 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2008-06-12 13:09 --------- d-----w C:\Documents and Settings\Jose\Application Data\NoNameScript
    2008-06-12 12:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-12 10:21 --------- d-----w C:\Program Files\Hitman Pro
    2008-06-12 10:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-11 21:49 --------- d-----w C:\Program Files\Last.fm
    2008-05-26 20:52 --------- d-----w C:\Program Files\uTorrent
    2008-05-26 18:58 --------- d-----w C:\Documents and Settings\CS\Application Data\vlc
    2008-05-26 16:53 --------- d-----w C:\Documents and Settings\Jose\Application Data\LimeWire
    2008-05-26 12:21 --------- d-----w C:\Documents and Settings\Jose\Application Data\dvdcss
    2008-05-24 13:40 --------- d-----w C:\Documents and Settings\Jose\Application Data\uTorrent
    2008-05-19 15:11 --------- d-----w C:\Documents and Settings\Jose\Application Data\JLC's Software
    2008-05-18 19:25 --------- d-----w C:\Documents and Settings\Jose\Application Data\Adobe
    2008-05-18 19:14 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-11 08:39 --------- d-----w C:\Program Files\BestGameEver
    2008-05-09 08:40 --------- d-----w C:\Documents and Settings\Jose\Application Data\Lavasoft
    2008-05-09 08:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-05-09 08:38 --------- d-----w C:\Program Files\Lavasoft
    2008-05-09 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
    2008-05-07 17:41 33,824 ----a-w C:\WINDOWS\system32\drivers\oreans32.MSNFix
    2008-05-07 12:10 --------- d-----w C:\Program Files\Vstplugins
    2008-05-07 12:10 --------- d-----w C:\Program Files\Sony
    2008-05-07 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
    2008-05-07 12:09 --------- d-----w C:\Program Files\Sony Setup
    2008-05-05 15:28 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-05-05 15:28 --------- d-----w C:\Documents and Settings\Jose\Application Data\SystemRequirementsLab
    2008-05-05 15:24 --------- d-----w C:\Program Files\Xfire
    2008-05-05 14:23 --------- d-----w C:\Documents and Settings\Jose\Application Data\Xfire
    2008-05-04 05:00 --------- d-----w C:\Documents and Settings\Jose\Application Data\Winamp
    2008-04-22 22:29 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
    2008-04-20 16:43 --------- d-----w C:\Documents and Settings\Jose\Application Data\mIRC
    2008-04-18 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
    2008-04-14 15:55 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-04-13 08:02 --------- d-----w C:\Documents and Settings\Jose\Application Data\InstallShield Installation Information
    2008-04-13 07:53 --------- d-----w C:\Program Files\Winamp
    2008-04-13 07:48 --------- d-----w C:\Program Files\Unreal Tournament 3
    2008-04-13 07:47 --------- d-----w C:\Program Files\AGEIA Technologies
    2008-04-13 07:43 --------- d-----w C:\Program Files\DAEMON Tools
    2008-04-12 19:42 --------- d-----w C:\Documents and Settings\Jose\Application Data\skypePM
    2008-04-11 18:19 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-04-11 18:19 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-04-09 12:18 90,396 ----a-w C:\Documents and Settings\All Users\Application Data\firstlsp.reg.dat
    2008-04-09 12:09 63,237 ----a-w C:\WINDOWS\BricoPackUninst.cmd
    2008-04-09 12:09 6,112 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
    2008-04-09 12:09 219,136 ----a-w C:\WINDOWS\system32\uxtheme.dll
    2008-04-03 18:27 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2008-01-12 18:45 22,328 ----a-w C:\Documents and Settings\Jose\Application Data\PnkBstrK.sys
    2006-03-02 12:00 241,031 --sh--r C:\WINDOWS\system32\vintxp.exe
    .

    ------- Sigcheck -------

    2006-03-02 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\system32\svchost.exe
    2006-03-02 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\system32\dllcache\svchost.exe

    2005-03-02 21:20 577536 409647243875a2f91bae81cbef248cb6 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 18:50 578560 90f1d04938bae133e2f4d8f7f0fa4fa0 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    2007-03-08 18:38 578048 c198eac972598be7e61364f7db3b663d C:\WINDOWS\SoftwareDistribution\Download\5242227ca14d338f9f7297b8cf3c9c6e\sp2gdr\user32.dll
    2005-03-02 21:18 577536 aeefa9d983c986e7a8d6d80ca165b93f C:\WINDOWS\SoftwareDistribution\Download\c9d8cb87b5c72f2be951392f33cdf994\sp2gdr\user32.dll
    2006-03-02 15:00 577536 44c02bc54d56ed3a685302e91396720a C:\WINDOWS\system32\user32.dll
    2006-03-02 15:00 577536 44c02bc54d56ed3a685302e91396720a C:\WINDOWS\system32\dllcache\user32.dll

    2006-03-02 15:00 82944 911c48bb2df21e2088c23260dd112e80 C:\WINDOWS\system32\ws2_32.dll
    2006-03-02 15:00 82944 911c48bb2df21e2088c23260dd112e80 C:\WINDOWS\system32\dllcache\ws2_32.dll

    2007-06-26 17:36 665600 938ca93ec9c5288fbc2da79ad6d8f5b1 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
    2007-10-11 09:14 659456 ba86a6f850c95947fb4bb498e5db4fca C:\WINDOWS\SoftwareDistribution\Download\d58bbb9f6643c73c822efda2a7fdcba1\sp2gdr\wininet.dll
    2007-10-11 09:00 666112 824805db3f45b2d721e9c0a589d3eec0 C:\WINDOWS\SoftwareDistribution\Download\d58bbb9f6643c73c822efda2a7fdcba1\sp2qfe\wininet.dll
    2007-12-07 04:07 659456 7fd809bfe0a9d8d59526c7ceacec4a84 C:\WINDOWS\SoftwareDistribution\Download\e472af6a87e02e90b9fa51cc356af8d3\sp2gdr\wininet.dll
    2007-12-07 03:46 666112 764669f4a159ff0b49012a832ca6739c C:\WINDOWS\SoftwareDistribution\Download\e472af6a87e02e90b9fa51cc356af8d3\sp2qfe\wininet.dll
    2006-03-02 15:00 656384 24965d454199a92ee14f2f0e4374f89c C:\WINDOWS\system32\wininet.dll
    2006-03-02 15:00 690688 7ea8a186e48b37aa11bf5a94b5c2e1c1 C:\WINDOWS\system32\dllcache\wininet.dll

    2006-04-20 15:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2006-04-20 14:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\SoftwareDistribution\Download\1595af92f32261775c71e96d758f3d0f\sp2gdr\tcpip.sys
    2007-10-30 20:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\cda1f8e74f35014f09096c606dcb5ea0\sp2gdr\tcpip.sys
    2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\cda1f8e74f35014f09096c606dcb5ea0\sp2qfe\tcpip.sys
    2006-03-02 15:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
    2006-03-02 15:00 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys

    2006-03-02 15:00 502784 5f0714b1447dc0262789c3cc43752418 C:\WINDOWS\system32\winlogon.exe
    2006-03-02 15:00 502784 5f0714b1447dc0262789c3cc43752418 C:\WINDOWS\system32\dllcache\winlogon.exe

    2006-03-02 15:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
    2006-03-02 15:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

    2006-03-02 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
    2006-03-02 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

    2005-03-02 21:13 2059264 01f49730c2d76aad87c4d2b2dd4e12e2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2007-02-28 19:08 2061696 8bacc2a67078823acab7c8306f394918 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\SoftwareDistribution\Download\9332ded991ba798a70921b7d3b0f50d2\sp2gdr\ntkrnlpa.exe
    2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\SoftwareDistribution\Download\a1ea65155c8af8d6d56ddb22f7ad86fb\sp2gdr\ntkrnlpa.exe
    2005-03-02 21:08 2059136 1c09a92e5a1c21ca1ad367f13f9b5a9d C:\WINDOWS\SoftwareDistribution\Download\c9d8cb87b5c72f2be951392f33cdf994\sp2gdr\ntkrnlpa.exe
    2006-03-02 15:00 2017792 ec7ca6ab83b9754e560a4867539a251a C:\WINDOWS\system32\ntkrnlpa.exe

    2005-03-02 21:13 2181888 6e55b15ee58a0eaaaf20db1f4da39add C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    2007-02-28 19:08 2184448 7ff07a634379ee2fd2b097fd76c49bfc C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\SoftwareDistribution\Download\9332ded991ba798a70921b7d3b0f50d2\sp2gdr\ntoskrnl.exe
    2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\SoftwareDistribution\Download\a1ea65155c8af8d6d56ddb22f7ad86fb\sp2gdr\ntoskrnl.exe
    2005-03-02 21:08 2181632 ae8d156d1028fba3939609f4c39eb1f1 C:\WINDOWS\SoftwareDistribution\Download\c9d8cb87b5c72f2be951392f33cdf994\sp2gdr\ntoskrnl.exe
    2006-03-02 15:00 2150912 23e62e3b191b28e18fd9da415de54e26 C:\WINDOWS\system32\ntoskrnl.exe

    2006-03-02 15:00 1032704 43c0b3d357f319875a51bc111f393147 C:\WINDOWS\explorer.exe
    2007-06-13 16:10 1033728 fb53c3b1e17f62e8fcb07caaf4c4272e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\SoftwareDistribution\Download\d394e32fc4a4d58f5c265ad3a4b6bde6\sp2gdr\explorer.exe
    2006-03-02 15:00 974848 400d118d09b84cbc7496cc141a30c62a C:\WINDOWS\system32\dllcache\explorer.exe

    2006-03-02 15:00 108544 c2f8f8343435fc080c2de25a410e09e8 C:\WINDOWS\system32\services.exe
    2006-03-02 15:00 108544 c2f8f8343435fc080c2de25a410e09e8 C:\WINDOWS\system32\dllcache\services.exe

    2006-03-02 15:00 13312 39726087f99c7775b2ea1f2990709817 C:\WINDOWS\system32\lsass.exe
    2006-03-02 15:00 13312 39726087f99c7775b2ea1f2990709817 C:\WINDOWS\system32\dllcache\lsass.exe

    2006-03-02 15:00 15360 e8e7ce0d379630e7b0015e48fa90499b C:\WINDOWS\system32\ctfmon.exe
    2006-03-02 15:00 15360 e8e7ce0d379630e7b0015e48fa90499b C:\WINDOWS\system32\dllcache\ctfmon.exe
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadwin PrintScreen"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 11:42 495616]
    "Steam"="d:\program files\steam\steam.exe" [2008-05-27 18:12 1271032]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07 49152]
    "CTHelper"="CTHELPER.EXE" [2008-02-20 20:58 19456 C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 20:58 19968 C:\WINDOWS\system32\Ctxfihlp.exe]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25 6731312]
    "VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 15:11 122880]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 0 (0x0)
    "NoAutoTrayNotify"= 0 (0x0)
    "NoResolveTrack"= 0 (0x0)
    "NoResolveSearch"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\Steam\\steamapps\\jusso@jippii.fi\\counter-strike\\hl.exe"=
    "D:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Last.fm\\LastFM.exe"=
    "D:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\WINDOWS\\system32\\dpnsvr.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "23291:TCP"= 23291:TCP:BitComet 23291 TCP
    "23291:UDP"= 23291:UDP:BitComet 23291 UDP
    "15596:TCP"= 15596:TCP:BitComet 15596 TCP
    "15596:UDP"= 15596:UDP:BitComet 15596 UDP
    "21656:TCP"= 21656:TCP:BitComet 21656 TCP
    "21656:UDP"= 21656:UDP:BitComet 21656 UDP
    "21565:TCP"= 21565:TCP:BitComet 21565 TCP
    "21565:UDP"= 21565:UDP:BitComet 21565 UDP

    S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-02-25 09:44]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - SASDIFSV
    *Newly Created Service* - SASENUM
    *Newly Created Service* - SASKUTIL
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-13 02:40:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-13 2:41:20
    ComboFix-quarantined-files.txt 2008-06-12 23:41:16

    Pre-Run: 206,112,718,848 bytes free
    Post-Run: 206,130,974,720 bytes free

    321 --- E O F --- 2008-06-13 00:12:33


    HJT LOG


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:48:52, on 13.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    D:\Program Files\Steam\Steam.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
    O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200673303994
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Messengerin jaettavien kansioiden USN Journal -lokin lukupalvelu (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)

    --
    End of file - 6590 bytes
     
    Last edited: 13.06.2008
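The ComboFix and HijackThis logs above contain the entries a responder triages first: Run keys whose target ComboFix could not find on disk (shown as `[ ]`), O23 services flagged `(file missing)` or attributed to `Unknown owner`, and the Windows Firewall exceptions. The following Python script is an added example, not part of this thread or of ComboFix or HijackThis; it parses a handful of lines copied from the logs above (the `SAMPLE` string is constructed for the example) and groups them into named findings. The function and key names are my own.

```python
import re

# Constructed sample: a few lines copied verbatim from the ComboFix and
# HijackThis logs posted earlier in this thread, with section headers kept
# so the parser can be run on a whole log file as well.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23291:TCP"= 23291:TCP:BitComet 23291 TCP
"23291:UDP"= 23291:UDP:BitComet 23291 UDP
"15596:TCP"= 15596:TCP:BitComet 15596 TCP

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# ComboFix Run entry:  "Name"="target" [date time size optional\resolved\path]
# An empty bracket "[ ]" means ComboFix could not find the target on disk.
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
# ComboFix firewall exception: "port:proto"= port:proto:description
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# HijackThis service line: O23 - Service: display - owner - path [(file missing)]
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$')


def triage(text):
    """Group the log lines a responder looks at first into named findings."""
    findings = {
        "run_missing_file": [],       # autostart entries whose binary is gone
        "service_missing_file": [],   # registered services whose binary is gone
        "service_unknown_owner": [],  # services HJT cannot attribute to a vendor
        "open_ports": [],             # firewall holes, as (port, proto, label)
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            name, target, detail = m.groups()
            if not detail.strip():
                findings["run_missing_file"].append((name, target))
            continue
        m = PORT_RE.match(line)
        if m:
            findings["open_ports"].append((int(m.group(1)), m.group(2), m.group(3).strip()))
            continue
        m = O23_RE.match(line)
        if m:
            display, owner, path, missing = m.groups()
            if missing:
                findings["service_missing_file"].append((display, path))
            elif owner == "Unknown owner":
                findings["service_unknown_owner"].append((display, path))
    return findings


def ports_by_program(findings):
    """Collapse the open-port list to {program label: sorted port numbers}."""
    by_prog = {}
    for port, _proto, label in findings["open_ports"]:
        prog = label.split()[0] if label else "?"
        by_prog.setdefault(prog, set()).add(port)
    return {k: sorted(v) for k, v in by_prog.items()}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, items in result.items():
        print(key)
        for item in items:
            print("   ", item)
    print("open ports by program:", ports_by_program(result))
```

On the sample it reports the Avira Run entry and both Avira services as pointing at binaries that no longer exist (Avira was removed but its registrations were not), PnkBstrA as a service HijackThis attributes to no publisher (it should be matched against the PunkBuster anti-cheat the games in this log use), and the BitComet firewall exceptions, which stay open although neither log shows BitComet installed or running. Each hit is a lead for cleanup or for a closer look, not proof of infection; orphaned entries are mostly noise, but removing them makes every later log shorter and easier to read.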
  20. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    Restart the computer when prompted and post the contents of combofix.txt here.

    ==============

    Download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and
    Launch Malwarebytes' Anti-Malware, then click Finish.
    3. If an update is found, the program will download and install the latest version.
    4. Once the program has loaded, select Perform full scan and click Scan.
    5. When the scan is complete, click OK, then Show Results to view the results.
    6. Make sure everything is checked and click Remove Selected.
    7. A log will then open in Notepad. Save it somewhere you can find it easily. The log
    can also be found here: C:\Documents and Settings\Username\Application
    Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    8. Post the contents of the log in your next reply.
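The combofix.txt the helper asks for ends with a Sigcheck section (the one posted earlier in this thread has it too, as does the log that follows this post): one line per copy of a core system binary with its size and MD5, including the Windows File Protection copy kept in system32\dllcache. Comparing the live copy with the cache copy is a quick first check for tampered system files. The script below is an added example, not part of this thread or of ComboFix; its `SAMPLE` lines are copied from the Sigcheck output in the log that follows, and the function names and verdict labels are my own.

```python
import re

# Constructed sample: Sigcheck lines copied from the ComboFix log posted
# later in this thread (format: date time size md5 path). A hotfix-store
# copy under $hf_mig$ is included to show that such copies are ignored.
SAMPLE = r"""
2006-03-02 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\system32\svchost.exe
2006-03-02 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\system32\dllcache\svchost.exe
2007-06-26 17:36 665600 938ca93ec9c5288fbc2da79ad6d8f5b1 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
2006-03-02 15:00 656384 24965d454199a92ee14f2f0e4374f89c C:\WINDOWS\system32\wininet.dll
2006-03-02 15:00 690688 7ea8a186e48b37aa11bf5a94b5c2e1c1 C:\WINDOWS\system32\dllcache\wininet.dll
2006-03-02 15:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2006-03-02 15:00 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2006-03-02 15:00 2150912 23e62e3b191b28e18fd9da415de54e26 C:\WINDOWS\system32\ntoskrnl.exe
"""

# One Sigcheck line: date, time, size in bytes, 32 hex chars of MD5, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+?)\s*$")

# Stores that hold reference copies rather than the file Windows loads.
IGNORE_STORES = ("\\dllcache\\", "$hf_mig$", "softwaredistribution")


def parse_sigcheck(text):
    """Yield (size, md5, path) for every Sigcheck-format line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(3)), m.group(4).lower(), m.group(5)


def is_cache_copy(path):
    """The Windows File Protection copy under system32\\dllcache."""
    return "\\dllcache\\" in path.lower()


def is_live_copy(path):
    """The copy Windows actually loads: under system32 but not in a store."""
    p = path.lower()
    return "\\system32\\" in p and not any(s in p for s in IGNORE_STORES)


def compare_sigcheck(text):
    """Classify each live system file by how it compares with its dllcache copy."""
    live, cache = {}, {}
    for size, md5, path in parse_sigcheck(text):
        name = path.rsplit("\\", 1)[-1].lower()
        if is_cache_copy(path):          # test first: the cache path also contains system32
            cache[name] = (size, md5)
        elif is_live_copy(path):
            live[name] = (size, md5)
    findings = {}
    for name, (lsize, lmd5) in live.items():
        if name not in cache:
            findings[name] = "no-dllcache-copy"
        elif lmd5 == cache[name][1]:
            findings[name] = "match"
        elif lsize == cache[name][0]:
            # identical length, different bytes: what an in-place binary patch looks like
            findings[name] = "same-size-different-hash"
        else:
            findings[name] = "different-version"
    return findings


if __name__ == "__main__":
    for name, verdict in sorted(compare_sigcheck(SAMPLE).items()):
        print(f"{name:14} {verdict}")
```

On the sample it reports svchost.exe as matching, wininet.dll as a different build in system32 than in dllcache (different sizes), ntoskrnl.exe as having no cache copy in the listing, and tcpip.sys as the same size but a different hash, which is the signature of an in-place patch. The thread does not say what modified tcpip.sys, and legitimate tweak tools do the same thing, so a mismatch is a lead to verify against the known-good hash for the installed hotfix level, not a verdict.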
     
  21. _jjose_

    _jjose_ Member

    Joined:
    12.01.2006
    Messages:
    36
    Thanks:
    0
    Points:
    16
    Right, here's the CF log; I'll reboot the machine now and then try Malwarebytes

    ComboFix 08-06-11.1 - Jose 2008-06-13 3:47:50.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.1613 [GMT 3:00]
    Running from: C:\Documents and Settings\Jose\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jose\Työpöytä\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\mismsn.exe
    C:\sqmdata01.sqm
    C:\sqmdata02.sqm
    C:\sqmnoopt01.sqm
    C:\sqmnoopt02.sqm
    C:\WINDOWS\serviceaaa.exe
    C:\WINDOWS\system32\vintxp.exe
    .

    (((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\sqmdata01.sqm
    C:\sqmdata02.sqm
    C:\sqmnoopt01.sqm
    C:\sqmnoopt02.sqm
    C:\WINDOWS\system32\vintxp.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
    .

    2008-06-13 04:39 . 2008-06-13 04:44 <DIR> d-------- C:\WINDOWS\tmp
    2008-06-13 03:44 . 2008-06-13 03:44 <DIR> d-------- C:\WINDOWS\LastGood
    2008-06-13 03:12 . 2008-06-13 03:12 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
    2008-06-13 03:05 . 2008-06-13 03:05 4,730 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-06-13 02:51 . 2008-06-13 03:42 2,128,048,128 --a------ C:\WINDOWS\MEMORY.DMP
    2008-06-13 02:47 . 2008-06-13 02:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-13 02:47 . 2008-06-13 02:47 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\Malwarebytes
    2008-06-13 02:47 . 2008-06-13 02:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 02:47 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-13 02:47 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-12 23:24 . 2006-03-02 15:00 577,536 --a------ C:\WINDOWS\system32\wmggcui
    2008-06-12 23:24 . 2008-06-12 23:24 124,416 --a------ C:\WINDOWS\system32\drivers\Tjq38.sys
    2008-06-12 23:21 . 2008-06-12 23:21 124,416 --a------ C:\WINDOWS\system32\drivers\Qeno47.sys
    2008-06-12 23:21 . 2008-06-12 23:24 65,456 --a------ C:\WINDOWS\system32\narqwe.sys
    2008-06-12 21:18 . 2008-06-12 21:18 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-12 21:17 . 2008-06-12 21:18 <DIR> d-------- C:\Documents and Settings\CS\Application Data\skypePM
    2008-06-12 21:16 . 2008-06-12 23:23 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Skype
    2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d-------- C:\Program Files\Skype
    2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-06-12 15:47 . 2008-06-12 15:47 131,584 --a------ C:\WINDOWS\system32\drivers\Jad26.sys
    2008-06-12 15:47 . 2008-06-12 15:47 29 --a------ C:\WINDOWS\system32\gototege.tmp
    2008-06-12 15:18 . 2008-06-12 15:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-06-12 15:18 . 2008-06-12 15:18 <DIR> d-------- C:\Documents and Settings\CS\Application Data\SUPERAntiSpyware.com
    2008-06-12 15:18 . 2008-06-12 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-12 14:30 . 2008-06-12 14:30 <DIR> d-------- C:\Program Files\Common Files\PC Tools
    2008-06-12 14:30 . 2008-06-12 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-12 14:30 . 2008-06-12 14:30 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-06-12 14:21 . 2008-06-12 14:52 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-06-12 14:21 . 2008-06-12 14:21 <DIR> d-------- C:\Documents and Settings\CS\Application Data\PC Tools
    2008-06-12 14:21 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-06-12 14:21 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-06-12 14:21 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-06-12 14:21 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-06-12 13:46 . 2008-06-12 13:46 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Grisoft
    2008-06-12 13:34 . 2008-06-12 13:34 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-12 13:31 . 2008-06-12 14:49 <DIR> d-------- C:\Program Files\SPYWAREfighter
    2008-06-12 13:31 . 2008-06-12 13:31 <DIR> d-------- C:\Program Files\Common Files\Application
    2008-06-12 13:30 . 2006-03-02 15:00 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
    2008-06-12 13:30 . 2006-03-02 15:00 2,804,224 --a------ C:\WINDOWS\system32\dllcache\msi.dll
    2008-06-12 13:30 . 2006-03-02 15:00 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
    2008-06-12 13:30 . 2006-03-02 15:00 884,736 --a------ C:\WINDOWS\system32\dllcache\msimsg.dll
    2008-06-12 13:30 . 2006-03-02 15:00 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
    2008-06-12 13:30 . 2006-03-02 15:00 331,264 --a------ C:\WINDOWS\system32\dllcache\msihnd.dll
    2008-06-12 13:30 . 2006-03-02 15:00 77,312 --a------ C:\WINDOWS\system32\dllcache\msiexec.exe
    2008-06-12 13:30 . 2006-03-02 15:00 44,032 --a------ C:\WINDOWS\system32\msisip.dll
    2008-06-12 13:30 . 2006-03-02 15:00 44,032 --a------ C:\WINDOWS\system32\dllcache\msisip.dll
    2008-06-12 13:12 . 2008-06-12 13:12 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Uniblue
    2008-06-12 02:12 . 2008-06-12 02:12 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Creative
    2008-06-11 23:43 . 2008-06-11 23:43 <DIR> d-------- C:\Documents and Settings\CS\Ty÷p÷ytõ
    2008-05-27 16:34 . 2008-05-27 17:43 <DIR> d-------- C:\Documents and Settings\CS\Application Data\dvdcss
    2008-05-27 09:44 . 2008-05-27 09:44 <DIR> d---s---- C:\Documents and Settings\CS\UserData
    2008-05-26 23:48 . 2008-05-26 23:48 <DIR> d-------- C:\Program Files\Maketorrent 2
    2008-05-26 23:48 . 2008-05-27 00:26 271 --a------ C:\WINDOWS\maketorrent.ini
    2008-05-26 23:31 . 2008-06-12 14:16 <DIR> d-------- C:\Documents and Settings\CS\Application Data\uTorrent
    2008-05-26 22:57 . 2008-05-26 22:57 <DIR> d-------- C:\Program Files\VentriloMIX
    2008-05-26 22:56 . 2008-05-26 23:21 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Sony
    2008-05-26 22:56 . 2008-05-26 22:56 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Publish Providers
    2008-05-26 22:32 . 2008-05-26 22:32 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Media Player Classic
    2008-05-26 21:58 . 2008-05-26 21:58 <DIR> d-------- C:\Documents and Settings\CS\Application Data\vlc
    2008-05-26 21:17 . 2008-05-26 23:02 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Winamp
    2008-05-26 21:16 . 2008-05-27 00:32 <DIR> d-------- C:\Documents and Settings\CS\Contacts
    2008-05-26 19:46 . 2008-05-26 19:46 <DIR> d-------- C:\Documents and Settings\CS\Application Data\URSoft
    2008-05-26 19:41 . 2008-05-26 19:45 <DIR> d-------- C:\Documents and Settings\CS\Application Data\Ventrilo
    2008-05-26 19:38 . 2007-09-05 19:11 <DIR> d--h----- C:\Documents and Settings\CS\Verkkoympäristö
    2008-05-26 19:38 . 2008-06-12 21:15 <DIR> d-------- C:\Documents and Settings\CS\Työpöytä
    2008-05-26 19:38 . 2007-09-05 19:11 <DIR> d--h----- C:\Documents and Settings\CS\Tulostinympäristö
    2008-05-26 19:38 . 2008-05-26 19:38 <DIR> d---s---- C:\Documents and Settings\CS\Suosikit
    2008-05-26 19:38 . 2008-05-26 22:56 <DIR> d---s---- C:\Documents and Settings\CS\Omat tiedostot
    2008-05-26 19:38 . 2007-09-05 16:15 <DIR> d--h----- C:\Documents and Settings\CS\Mallit
    2008-05-26 19:38 . 2007-09-05 19:11 <DIR> dr------- C:\Documents and Settings\CS\Käynnistä-valikko
    2008-05-26 19:38 . 2008-06-11 23:43 <DIR> d-------- C:\Documents and Settings\CS
    2008-05-22 17:53 . 2008-05-22 17:53 <DIR> d--hs---- C:\Documents and Settings\Jose\Recent
    2008-05-19 21:57 . 2008-05-26 22:57 156 --a------ C:\WINDOWS\Twunk001.MTX
    2008-05-19 21:57 . 2008-05-26 22:57 3 --a------ C:\WINDOWS\Twain001.Mtx
    2008-05-19 21:57 . 2008-05-19 21:57 0 --a------ C:\WINDOWS\Twunk002.MTX
    2008-05-19 18:22 . 2008-05-19 18:22 <DIR> d-------- C:\Program Files\GetData
    2008-05-19 18:11 . 2008-05-19 18:11 <DIR> d-------- C:\Program Files\JLC's Software
    2008-05-19 18:11 . 2008-05-19 18:11 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\JLC's Software
    2008-05-19 16:31 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2008-05-19 16:31 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2008-05-19 16:31 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2008-05-19 16:31 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
    2008-05-19 16:30 . 2008-05-19 16:30 <DIR> d-------- C:\Program Files\AeriaGames
    2008-05-18 22:19 . 2008-05-18 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-05-18 22:14 . 2008-05-18 22:14 <DIR> d-------- C:\Program Files\Bonjour
    2008-05-18 22:05 . 2008-05-18 22:05 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-05-17 11:13 . 2008-05-26 15:21 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\dvdcss

    .
    (((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-13 00:12 --------- d-----w C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
    2008-06-13 00:04 8,126,464 ----a-w C:\Documents and Settings\Jose\NTUSER.DAT
    2008-06-12 23:47 --------- d-----w C:\Documents and Settings\Jose\Application Data\Malwarebytes
    2008-06-12 23:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-12 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2008-06-12 13:09 --------- d-----w C:\Documents and Settings\Jose\Application Data\NoNameScript
    2008-06-12 12:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-12 10:21 --------- d-----w C:\Program Files\Hitman Pro
    2008-06-12 10:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-11 21:49 --------- d-----w C:\Program Files\Last.fm
    2008-05-26 20:52 --------- d-----w C:\Program Files\uTorrent
    2008-05-26 18:58 --------- d-----w C:\Documents and Settings\CS\Application Data\vlc
    2008-05-26 16:53 --------- d-----w C:\Documents and Settings\Jose\Application Data\LimeWire
    2008-05-26 12:21 --------- d-----w C:\Documents and Settings\Jose\Application Data\dvdcss
    2008-05-24 13:40 --------- d-----w C:\Documents and Settings\Jose\Application Data\uTorrent
    2008-05-19 15:11 --------- d-----w C:\Documents and Settings\Jose\Application Data\JLC's Software
    2008-05-18 19:25 --------- d-----w C:\Documents and Settings\Jose\Application Data\Adobe
    2008-05-18 19:14 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-11 08:39 --------- d-----w C:\Program Files\BestGameEver
    2008-05-09 08:40 --------- d-----w C:\Documents and Settings\Jose\Application Data\Lavasoft
    2008-05-09 08:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-05-09 08:38 --------- d-----w C:\Program Files\Lavasoft
    2008-05-09 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
    2008-05-07 17:41 33,824 ----a-w C:\WINDOWS\system32\drivers\oreans32.MSNFix
    2008-05-07 12:10 --------- d-----w C:\Program Files\Vstplugins
    2008-05-07 12:10 --------- d-----w C:\Program Files\Sony
    2008-05-07 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
    2008-05-07 12:09 --------- d-----w C:\Program Files\Sony Setup
    2008-05-05 15:28 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-05-05 15:28 --------- d-----w C:\Documents and Settings\Jose\Application Data\SystemRequirementsLab
    2008-05-05 15:24 --------- d-----w C:\Program Files\Xfire
    2008-05-05 14:23 --------- d-----w C:\Documents and Settings\Jose\Application Data\Xfire
    2008-05-04 05:00 --------- d-----w C:\Documents and Settings\Jose\Application Data\Winamp
    2008-04-22 22:29 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
    2008-04-20 16:43 --------- d-----w C:\Documents and Settings\Jose\Application Data\mIRC
    2008-04-18 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
    2008-04-14 15:55 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-04-13 08:02 --------- d-----w C:\Documents and Settings\Jose\Application Data\InstallShield Installation Information
    2008-04-13 07:53 --------- d-----w C:\Program Files\Winamp
    2008-04-13 07:48 --------- d-----w C:\Program Files\Unreal Tournament 3
    2008-04-13 07:47 --------- d-----w C:\Program Files\AGEIA Technologies
    2008-04-13 07:43 --------- d-----w C:\Program Files\DAEMON Tools
    2008-04-11 18:19 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-04-11 18:19 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-04-09 12:18 90,396 ----a-w C:\Documents and Settings\All Users\Application Data\firstlsp.reg.dat
    2008-04-09 12:09 63,237 ----a-w C:\WINDOWS\BricoPackUninst.cmd
    2008-04-09 12:09 6,112 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
    2008-04-09 12:09 219,136 ----a-w C:\WINDOWS\system32\uxtheme.dll
    2008-04-03 18:27 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2008-01-12 18:45 22,328 ----a-w C:\Documents and Settings\Jose\Application Data\PnkBstrK.sys
    .

    ------- Sigcheck -------

    2006-03-02 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\system32\svchost.exe
    2006-03-02 15:00 14336 34c8d42b876703b3abf0562307428561 C:\WINDOWS\system32\dllcache\svchost.exe

    2005-03-02 21:20 577536 409647243875a2f91bae81cbef248cb6 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 18:50 578560 90f1d04938bae133e2f4d8f7f0fa4fa0 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    2007-03-08 18:38 578048 c198eac972598be7e61364f7db3b663d C:\WINDOWS\SoftwareDistribution\Download\5242227ca14d338f9f7297b8cf3c9c6e\sp2gdr\user32.dll
    2005-03-02 21:18 577536 aeefa9d983c986e7a8d6d80ca165b93f C:\WINDOWS\SoftwareDistribution\Download\c9d8cb87b5c72f2be951392f33cdf994\sp2gdr\user32.dll
    2006-03-02 15:00 577536 44c02bc54d56ed3a685302e91396720a C:\WINDOWS\system32\user32.dll
    2006-03-02 15:00 577536 44c02bc54d56ed3a685302e91396720a C:\WINDOWS\system32\dllcache\user32.dll

    2006-03-02 15:00 82944 911c48bb2df21e2088c23260dd112e80 C:\WINDOWS\system32\ws2_32.dll
    2006-03-02 15:00 82944 911c48bb2df21e2088c23260dd112e80 C:\WINDOWS\system32\dllcache\ws2_32.dll

    2007-06-26 17:36 665600 938ca93ec9c5288fbc2da79ad6d8f5b1 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
    2007-10-11 09:14 659456 ba86a6f850c95947fb4bb498e5db4fca C:\WINDOWS\SoftwareDistribution\Download\d58bbb9f6643c73c822efda2a7fdcba1\sp2gdr\wininet.dll
    2007-10-11 09:00 666112 824805db3f45b2d721e9c0a589d3eec0 C:\WINDOWS\SoftwareDistribution\Download\d58bbb9f6643c73c822efda2a7fdcba1\sp2qfe\wininet.dll
    2007-12-07 04:07 659456 7fd809bfe0a9d8d59526c7ceacec4a84 C:\WINDOWS\SoftwareDistribution\Download\e472af6a87e02e90b9fa51cc356af8d3\sp2gdr\wininet.dll
    2007-12-07 03:46 666112 764669f4a159ff0b49012a832ca6739c C:\WINDOWS\SoftwareDistribution\Download\e472af6a87e02e90b9fa51cc356af8d3\sp2qfe\wininet.dll
    2006-03-02 15:00 656384 24965d454199a92ee14f2f0e4374f89c C:\WINDOWS\system32\wininet.dll
    2006-03-02 15:00 690688 7ea8a186e48b37aa11bf5a94b5c2e1c1 C:\WINDOWS\system32\dllcache\wininet.dll

    2006-04-20 15:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2006-04-20 14:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\SoftwareDistribution\Download\1595af92f32261775c71e96d758f3d0f\sp2gdr\tcpip.sys
    2007-10-30 20:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\cda1f8e74f35014f09096c606dcb5ea0\sp2gdr\tcpip.sys
    2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\cda1f8e74f35014f09096c606dcb5ea0\sp2qfe\tcpip.sys
    2006-03-02 15:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
    2006-03-02 15:00 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys

    2006-03-02 15:00 502784 5f0714b1447dc0262789c3cc43752418 C:\WINDOWS\system32\winlogon.exe
    2006-03-02 15:00 502784 5f0714b1447dc0262789c3cc43752418 C:\WINDOWS\system32\dllcache\winlogon.exe

    2006-03-02 15:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
    2006-03-02 15:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

    2006-03-02 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
    2006-03-02 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

    2005-03-02 21:13 2059264 01f49730c2d76aad87c4d2b2dd4e12e2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2007-02-28 19:08 2061696 8bacc2a67078823acab7c8306f394918 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\SoftwareDistribution\Download\9332ded991ba798a70921b7d3b0f50d2\sp2gdr\ntkrnlpa.exe
    2007-02-28 19:02 2059904 9f7bc4398e9a43f533ed4d8e690b1cd6 C:\WINDOWS\SoftwareDistribution\Download\a1ea65155c8af8d6d56ddb22f7ad86fb\sp2gdr\ntkrnlpa.exe
    2005-03-02 21:08 2059136 1c09a92e5a1c21ca1ad367f13f9b5a9d C:\WINDOWS\SoftwareDistribution\Download\c9d8cb87b5c72f2be951392f33cdf994\sp2gdr\ntkrnlpa.exe
    2006-03-02 15:00 2017792 ec7ca6ab83b9754e560a4867539a251a C:\WINDOWS\system32\ntkrnlpa.exe

    2005-03-02 21:13 2181888 6e55b15ee58a0eaaaf20db1f4da39add C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    2007-02-28 19:08 2184448 7ff07a634379ee2fd2b097fd76c49bfc C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\SoftwareDistribution\Download\9332ded991ba798a70921b7d3b0f50d2\sp2gdr\ntoskrnl.exe
    2007-02-28 19:02 2182656 6a51f190523074b729702923fac865f4 C:\WINDOWS\SoftwareDistribution\Download\a1ea65155c8af8d6d56ddb22f7ad86fb\sp2gdr\ntoskrnl.exe
    2005-03-02 21:08 2181632 ae8d156d1028fba3939609f4c39eb1f1 C:\WINDOWS\SoftwareDistribution\Download\c9d8cb87b5c72f2be951392f33cdf994\sp2gdr\ntoskrnl.exe
    2006-03-02 15:00 2150912 23e62e3b191b28e18fd9da415de54e26 C:\WINDOWS\system32\ntoskrnl.exe

    2006-03-02 15:00 1032704 43c0b3d357f319875a51bc111f393147 C:\WINDOWS\explorer.exe
    2007-06-13 16:10 1033728 fb53c3b1e17f62e8fcb07caaf4c4272e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\SoftwareDistribution\Download\d394e32fc4a4d58f5c265ad3a4b6bde6\sp2gdr\explorer.exe
    2006-03-02 15:00 974848 400d118d09b84cbc7496cc141a30c62a C:\WINDOWS\system32\dllcache\explorer.exe

    2006-03-02 15:00 108544 c2f8f8343435fc080c2de25a410e09e8 C:\WINDOWS\system32\services.exe
    2006-03-02 15:00 108544 c2f8f8343435fc080c2de25a410e09e8 C:\WINDOWS\system32\dllcache\services.exe

    2006-03-02 15:00 13312 39726087f99c7775b2ea1f2990709817 C:\WINDOWS\system32\lsass.exe
    2006-03-02 15:00 13312 39726087f99c7775b2ea1f2990709817 C:\WINDOWS\system32\dllcache\lsass.exe

    2006-03-02 15:00 15360 e8e7ce0d379630e7b0015e48fa90499b C:\WINDOWS\system32\ctfmon.exe
    2006-03-02 15:00 15360 e8e7ce0d379630e7b0015e48fa90499b C:\WINDOWS\system32\dllcache\ctfmon.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-13_ 2.41.12.61 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-13 00:03:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-13 00:42:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    (((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadwin PrintScreen"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 11:42 495616]
    "Steam"="d:\program files\steam\steam.exe" [2008-05-27 18:12 1271032]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07 49152]
    "CTHelper"="CTHELPER.EXE" [2008-02-20 20:58 19456 C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 20:58 19968 C:\WINDOWS\system32\Ctxfihlp.exe]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25 6731312]
    "VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 15:11 122880]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 0 (0x0)
    "NoAutoTrayNotify"= 0 (0x0)
    "NoResolveTrack"= 0 (0x0)
    "NoResolveSearch"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\Steam\\steamapps\\jusso@jippii.fi\\counter-strike\\hl.exe"=
    "D:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Last.fm\\LastFM.exe"=
    "D:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\WINDOWS\\system32\\dpnsvr.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "23291:TCP"= 23291:TCP:BitComet 23291 TCP
    "23291:UDP"= 23291:UDP:BitComet 23291 UDP
    "15596:TCP"= 15596:TCP:BitComet 15596 TCP
    "15596:UDP"= 15596:UDP:BitComet 15596 UDP
    "21656:TCP"= 21656:TCP:BitComet 21656 TCP
    "21656:UDP"= 21656:UDP:BitComet 21656 UDP
    "21565:TCP"= 21565:TCP:BitComet 21565 TCP
    "21565:UDP"= 21565:UDP:BitComet 21565 UDP

    S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-02-25 09:44]
    S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-13 03:48:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-13 3:48:48
    ComboFix-quarantined-files.txt 2008-06-13 00:48:44
    ComboFix2.txt 2008-06-13 00:03:38
    ComboFix3.txt 2008-06-12 23:41:21

    Pre-Run: 203,969,953,792 bytes free
    Post-Run: 203,960,823,808 bytes free

    303 --- E O F --- 2008-06-13 00:12:33



    It just threw a bluescreen when I tried to scan, somewhere around the 13000th file. I'll try removing those, reboot the machine and then run that. You don't happen to have IRC, do you?
     
    Last edited: 13.06.2008
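As an added example (this is not ComboFix's code and not part of the post above), here is a small Python parser for the "Registry startup items" block of a ComboFix log in the shape printed here. The sample lines are copied from the log in this post; the line format the regular expressions assume is inferred from those lines and is an assumption, not a documented ComboFix format. The triage step flags two things a reviewer of such a log looks for: entries where ComboFix printed empty brackets instead of a timestamp and size (the avgnt entry here), which it does when it cannot find the target file, and entries that launch a bare filename such as nwiz.exe, whose actual binary is resolved through the loader's search order rather than a fixed path.

```python
"""Parse the Run-key section of a ComboFix log and triage the entries.

Added example, not ComboFix's own code. The line formats below are
assumptions inferred from the log in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: Run-key lines taken from the ComboFix log above.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\program files\steam\steam.exe" [2008-05-27 18:12 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
'''

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "Name"="value" [meta]   where meta is "YYYY-MM-DD HH:MM size [resolved path]" or blank
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)" \[(?P<meta>[^\]]*)\]$')
META_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)(?: (?P<path>.+))?$')


@dataclass
class RunEntry:
    hive: str
    name: str
    value: str
    timestamp: Optional[str]
    size: Optional[int]
    resolved_path: Optional[str]

    @property
    def file_found(self) -> bool:
        # Empty brackets "[ ]" mean ComboFix could not stat the target file.
        return self.timestamp is not None

    @property
    def bare_name(self) -> bool:
        # A value without a directory component is resolved via the search path.
        return '\\' not in self.value and not self.value.startswith('%')


def parse_run_keys(text: str) -> List[RunEntry]:
    """Return one RunEntry per autostart value, tagged with its registry key."""
    entries: List[RunEntry] = []
    hive = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            hive = key.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        meta = META_RE.match(m.group('meta').strip())
        if meta:
            # ComboFix appends the resolved path only when it differs from the value.
            resolved = meta.group('path') or m.group('value')
        else:
            resolved = None
        entries.append(RunEntry(
            hive=hive,
            name=m.group('name'),
            value=m.group('value'),
            timestamp=meta.group('ts') if meta else None,
            size=int(meta.group('size')) if meta else None,
            resolved_path=resolved,
        ))
    return entries


def triage(entries: List[RunEntry]) -> List[Tuple[str, str]]:
    """Return (entry name, finding) pairs that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if not e.file_found:
            # Dangling autostart: leftover of an uninstalled product, or a removed payload.
            findings.append((e.name, 'missing'))
        if e.bare_name:
            # Which binary actually runs depends on the search order; check resolved_path.
            findings.append((e.name, 'bare-name'))
    return findings


if __name__ == '__main__':
    for name, finding in triage(parse_run_keys(SAMPLE)):
        print(f'{finding:10s} {name}')
```

Feed the whole "Registry startup items" block of a log to `parse_run_keys` to get the same result for every Run key; the firewall AuthorizedApplications list further down uses a different line shape and is not handled by these patterns.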
