
Suspected rootkit on the machine!

Thread in the Viruses and malware - HijackThis logs section. Thread opened by Axu83 on 14.09.2010.

  1. Axu83 (Member, joined 19.11.2003)

    There were a few viruses on the machine which I managed to remove with Avira. SpyBot didn't find anything yesterday. Today I noticed that monmvr32.exe had appeared in the Startup menu. I removed it from the menu; it wasn't among the running processes, but a few days ago it was, and I didn't realise then that it was a virus. I may have partially cleaned it at that time with Avira.

    Software:
    Windows XP SP3
    Avira Anti-Virus
    Comodo Firewall Pro (old, can't be updated!)
    (as an alternative to these, F-Secure Internet Security 2010, paid software; it used to eat all the CPU, so I disabled it)
    SpyBot
    a-squared Anti-Malware
    C-Cleaner

    Here are the three logs; I ran ComboFix first (installing the Recovery Console didn't succeed), then RootRepeal and finally HijackThis.

    ------
    After these logs I also ran Avira's quick scan and quarantined three viruses: TR/RootKit.gen, RKIT/Agent.biiu (these two were in the windows/system32/drivers/ folder) and ADSPY/Purityscan.ek (in an old game file).

    So these "drivers" that ComboFix found were quarantined with Avira:
    --- Other Services/Drivers In Memory ---

    *Deregistered* - ekjofpi
    *Deregistered* - fvmarh

    ----------------------------------------------------------------------------

    ComboFix 10-09-13.02 - Admin 14.09.2010 12:51:05.1.1 - FAT32x86
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    FW: F-Secure Internet Security 2010 10.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Admin\Application Data\avdrn.dat
    c:\program files\Error Repair Professional

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
    .

    2010-09-14 09:37 . 2010-09-14 08:01 -------- d-----w- C:\32788R22FWJFW
    2010-09-12 18:13 . 2010-09-12 18:45 492330494 ----a-w- c:\program files\F-Secure Internet Security.zip
    2010-09-12 18:06 . 2010-09-12 18:06 -------- d-----w- c:\program files\Zone Labs
    2010-09-12 18:06 . 2010-09-12 18:06 -------- d-----w- c:\windows\Internet Logs
    2010-09-08 11:21 . 2010-09-08 11:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-09-07 23:28 . 2010-09-07 23:28 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PCHealth
    2010-09-07 22:52 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-09-07 22:40 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-09-04 21:15 . 2009-11-10 07:04 393587 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\BACKUP\aeemu.dll
    2010-09-04 20:47 . 2010-09-04 20:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Avira
    2010-09-04 20:30 . 2010-03-01 07:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-09-04 20:30 . 2010-02-16 11:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-09-04 20:30 . 2009-05-11 09:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-09-04 20:30 . 2009-05-11 09:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-09-04 20:30 . 2010-09-04 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-09-03 14:13 . 2010-09-03 14:13 1266056 ----a-w- c:\temp\WindowsXP-KB927891-v3-x86-ENU.exe
    2010-09-03 14:12 . 2010-09-03 14:12 3038 ----a-w- c:\temp\fix_svchost.bat
    2010-09-03 14:12 . 2010-09-03 14:12 6216032 ----a-w- c:\temp\windowsupdateagent30-x86.exe
    2010-09-02 11:41 . 2010-09-02 11:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Opera
    2010-09-02 11:37 . 2010-09-02 11:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\ActiveSMART
    2010-09-01 13:17 . 2010-09-01 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
    2010-09-01 12:26 . 2010-09-01 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-08-28 18:18 . 2010-08-28 18:18 -------- d-----w- C:\FOUND.000

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-13 08:42 . 2010-09-13 08:42 16 ----a-w- c:\documents and settings\Admin\Application Data\apiqfw.dat
    2010-09-11 22:30 . 2010-09-11 22:30 16 ----a-w- c:\documents and settings\NetworkService\Application Data\apiqfw.dat
    2010-08-30 10:41 . 2010-08-30 10:41 16 ----a-w- c:\documents and settings\NetworkService\Application Data\hngmfc.dat
    2010-08-10 09:26 . 2010-08-10 09:26 237320 ----a-w- c:\windows\system32\PDBoot.exe
    2010-06-30 12:31 . 1979-12-31 21:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 1979-12-31 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 1979-12-31 21:00 1851904 ------w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 1979-12-31 21:00 354304 ------w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 1979-12-31 21:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-17 05:44 . 2010-06-17 05:44 135184 ----a-w- c:\windows\system32\drivers\DefragFs.sys
    2009-08-14 10:33 . 2009-08-14 10:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-12 20:05 . 2009-09-12 20:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-12 20:06 . 2009-09-12 20:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-09-12 20:06 . 2009-09-12 20:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-12 20:07 . 2009-09-12 20:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-12 20:06 . 2009-09-12 20:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-12 20:06 . 2009-09-12 20:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-12 20:06 . 2009-09-12 20:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-12 20:06 . 2009-09-12 20:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2009-09-12 20:06 . 2009-09-12 20:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    .

    ------- Sigcheck -------

    [-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    [-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
    [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    [-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    [-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll
    [-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
    [-] 2009-02-09 . 01095FEBF33BEEA00C2A0730B9B3EC28 . 399360 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
    [-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\rpcss.dll
    [7] 2008-04-13 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
    [-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
    [-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll

    [-] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
    [-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
    [7] 2008-04-13 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe

    [-] 2008-07-07 19:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll
    [-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
    [-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
    [-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
    [-] 2008-07-07 19:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
    [-] 2008-07-07 19:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
    [7] 2008-04-13 23:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
    [-] 2005-07-26 03:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll

    [-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
    [-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
    [7] 2008-04-13 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll
    [-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
    [-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
    [-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
    [-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\mswsock.dll
    [-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
    [7] 2008-04-13 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll

    [-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\MsPMSNSv.dll
    [-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\dllcache\mspmsnsv.dll
    [-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
    [7] 2004-08-04 02:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mobile Partner"="d:\program files\Mobile Partner\Mobile Partner.exe" [2008-01-29 110592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
    "CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
    "ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-15 2893824]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-12 103768]
    "COMODO Firewall Pro"="d:\program files\Palomuuri\Comodo\Firewall\cfp.exe" [2010-04-15 1655552]
    "epm-dm"="c:\acer\epm\epm-dm.exe" [2005-06-01 192512]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-09-04 09:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 01:08 35696 ----a-w- d:\program files\Adobe\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    2010-03-02 08:28 282792 ----a-w- d:\program files\Avira\AntiVir Desktop\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
    2009-09-12 20:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epm-dm]
    2005-06-01 11:17 192512 ----a-w- c:\acer\ePM\epm-dm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    2005-06-29 14:26 352256 ----a-w- c:\program files\acer\eRecovery\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
    2009-07-09 09:34 199264 ----a-w- c:\program files\F-Secure Internet Security\Common\FSM32.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
    2009-07-09 09:32 2349664 ----a-w- c:\program files\F-Secure Internet Security\FSGUI\tnbutil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2005-01-23 07:31 126976 ------w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2005-01-23 07:36 155648 ------w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 02:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
    2005-07-25 10:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
    2005-06-06 08:52 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
    2005-07-25 07:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 02:00 59392 ------w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
    2005-05-31 11:45 356352 ----a-w- c:\program files\F-Secure Internet Security\FSGUI\ispnews.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2004-08-04 02:00 455168 ------w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2004-08-04 02:00 455168 ------w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
    2002-08-30 12:02 94208 ----a-w- c:\program files\Launch Manager\Powerkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
    2005-05-19 14:09 32768 ----a-w- c:\windows\RUNXMLPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2007-04-16 12:28 577536 ----a-w- c:\windows\soundman.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 01:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
    2005-07-25 10:34 81920 ----a-w- c:\program files\Launch Manager\WButton.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "d:\\Program Files\\Opera\\opera.exe"=
    "d:\\Program Files\\BitTorrent\\bittorrent.exe"=

    R1 mailKmd;mailKmd; [x]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2010-03-29 111296]
    R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.sys [2000-12-19 2343]
    R4 a2AntiMalware;a-squared Anti-Malware Service;d:\program files\Anti-Malware\a2service.exe [2009-10-01 1858144]
    R4 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2009-07-09 39776]
    R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2009-07-09 25184]
    R4 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [2010-03-01 55992]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-11-29 691696]
    S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-09-25 33920]
    S0 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2009-07-09 80000]
    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-04-15 87056]
    S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-04-15 24208]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
    S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [2009-07-09 68064]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - ekjofpi
    *Deregistered* - fvmarh

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.fi/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
    Trusted Zone: microsoft.com\www.update
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\k8adl0js.default\
    FF - component: c:\program files\F-Secure Internet Security\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: d:\program files\Adobe\Reader\browser\nppdf32.dll
    FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
    FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
    FF - plugin: d:\program files\Picasa3\npPicasa3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Adobe Photo Downloader - d:\program files\AdobeLightroom\apdproxy.exe
    MSConfigStartUp-PCMService - c:\program files\Arcade\PCMService.exe
    AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-14 13:01
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekjofpi]

    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fvmarh]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3845734143-1002380211-3227636783-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:77,3d,25,f7,65,81,ed,6d,17,1b,13,58,01,7e,b0,9a,38,5a,c5,21,64,f5,71,
    be,03,7d,f8,f4,10,20,ed,21,b5,d0,5c,70,e1,e5,65,03,e3,76,0f,d4,a3,31,4a,08,\
    "??"=hex:50,7c,a2,1e,10,75,48,ba,d8,91,db,8e,f1,c0,17,b8
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(664)
    c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
    .
    Completion time: 2010-09-14 13:06:10
    ComboFix-quarantined-files.txt 2010-09-14 10:06

    Pre-Run: 1 543 503 872 bytes free
    Post-Run: 1 553 891 328 bytes free

    - - End Of File - - DB1BD06E571730AA35CD36C17458B8A5

    END
    -------------------------------------------------------------------------------
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/09/14 13:30
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: catchme.sys
    Image Path: C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys
    Address: 0xBA3D0000 Size: 31744 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xA65A4000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA604000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: ekjofpi.sys
    Image Path: ekjofpi.sys
    Address: 0xB9EA8000 Size: 786432 File Visible: No Signed: -
    Status: -

    Name: fvmarh.sys
    Image Path: fvmarh.sys
    Address: 0xB9E19000 Size: 585504 File Visible: No Signed: -
    Status: -

    Name: giveio.sys
    Image Path: giveio.sys
    Address: 0xBA672000 Size: 1664 File Visible: No Signed: -
    Status: -

    Name: mbr.sys
    Image Path: C:\DOCUME~1\Admin\LOCALS~1\Temp\mbr.sys
    Address: 0xBA488000 Size: 20864 File Visible: No Signed: -
    Status: -

    Name: PROCEXP113.SYS
    Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    Address: 0xBA644000 Size: 7872 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA5990000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: speedfan.sys
    Image Path: speedfan.sys
    Address: 0xBA5BA000 Size: 5248 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\HIBERFIL.SYS
    Status: Locked to the Windows API!

    Path: c:\documents and settings\admin\ntuser.dat
    Status: Allocation size mismatch (API: 6029312, Raw: 5767168)

    Path: C:\WINDOWS\SYSTEM32\DRIVERS\FVMARH.SYS
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\SYSTEM32\DRIVERS\EKJOFPI.SYS
    Status: Locked to the Windows API!

    Path: c:\documents and settings\all users\application data\comodo\firewall pro\cfplogdb.sdb
    Status: Allocation size mismatch (API: 2064384, Raw: 1048576)

    Path: C:\Documents and Settings\All Users\Application Data\COMODO\Firewall Pro\cfplogdb.sdb-journal
    Status: Invisible to the Windows API!

    Path: d:\program files\mobile partner\log\atrecord.txt
    Status: Size mismatch (API: 161268, Raw: 160848)

    Path: d:\program files\mobile partner\log\callbalk_trace.txt
    Status: Size mismatch (API: 87226, Raw: 86773)

    SSDT
    -------------------
    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4c8c

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a43c4

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a48a0

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0xba6ad296

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4080

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a6084

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4e72

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0xba6ad28c

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0xba6ad29b

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0xba6ad2a5

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a3b02

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a5d24

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "<unknown>" at address 0xba6ad2aa

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4ab0

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0xba6ad278

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4744

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0xba6ad27d

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a57f2

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xba6ad2b4

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4196

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "<unknown>" at address 0xba6ad2af

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a5ae6

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a5ec4

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0xba6ad2a0

    #: 249 Function Name: NtShutdownSystem
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a45d2

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a4638

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a3f4a

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a3e18

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
    Process: System Address: 0x8a732638 Size: 2505

    Object: Hidden Code [Driver: cmdHlp, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a2a91d0 Size: 3633

    Hidden Services
    -------------------
    Service Name: ekjofpi
    Image Path: C:\WINDOWS\system32\drivers\ekjofpi.sys

    Service Name: fvmarh
    Image Path: C:\WINDOWS\system32\drivers\fvmarh.sys

    Shadow SSDT
    -------------------
    #: 383 Function Name: NtUserGetAsyncKeyState
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a6f3c

    #: 414 Function Name: NtUserGetKeyboardState
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a6d42

    #: 416 Function Name: NtUserGetKeyState
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a6e3c

    #: 460 Function Name: NtUserMessageCall
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a6a8a

    #: 475 Function Name: NtUserPostMessage
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a673c

    #: 476 Function Name: NtUserPostThreadMessage
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a68e8

    #: 491 Function Name: NtUserRegisterRawInputDevices
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a703c

    #: 502 Function Name: NtUserSendInput
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a6c4c

    #: 549 Function Name: NtUserSetWindowsHookEx
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a7132

    #: 552 Function Name: NtUserSetWinEventHook
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a735c

    ==EOF==

    END
    ---------------------------------------------------------------------
    -
    -
    -
    -
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:53:17, on 14.9.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cisvc.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\explorer.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe
    D:\Program Files\Mobile Partner\Mobile Partner.exe
    D:\Program Files\Opera\opera.exe
    C:\WINDOWS\system32\msiexec.exe
    D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
    O4 - HKCU\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe"
    O4 - HKUS\S-1-5-21-3845734143-1002380211-3227636783-1005\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe" (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1257426773234
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/fl...ent/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.246 62.241.198.245
    O17 - HKLM\System\CS1\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.246 62.241.198.245
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - D:\Program Files\PerfectDisk11\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\PerfectDisk11\PDEngine.exe

    --
    End of file - 5535 bytes


    Help is greatly appreciated! I just upgraded this old laptop's memory from 512 MB to 2 GB when I noticed this, so it would be great to get the machine completely clean.

    I suspect that the Comodo firewall is leaking, or else I downloaded the virus onto the machine myself; I use Google image search quite often..

    What kind of danger do rootkit viruses pose? Do they steal passwords or credit card details? In two weeks I can replace the hard drive and reinstall everything if that helps.

    Thanks for all the advice!
     
    Last edited: 14.09.2010
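As an added example (not part of the thread, nor of RootRepeal or OTM), the following Python script parses RootRepeal-style SSDT and Hidden Services output like the log quoted above and separates hooks owned by a driver the analyst has already attributed (here cmdguard.sys, the Comodo HIPS driver) from hooks with no owning module and from hidden services. The sample log, the function names and the `known_modules` set are constructed for the example.

```python
"""Triage a RootRepeal-style log: group SSDT hooks by owning module, flag hooks
with no attributable owner, and report every hidden service.

Added example, not part of the thread or of RootRepeal/OTM; the sample log
below is constructed in the shape of the output quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: one hook owned by the Comodo HIPS driver, two hooks with
# no owner module, and two hidden services with random-looking driver names.
SAMPLE_LOG = r"""
SSDT
-------------------
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa67a5d24

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba6ad2aa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba6ad278

Hidden Services
-------------------
Service Name: ekjofpi
Image Path: C:\WINDOWS\system32\drivers\ekjofpi.sys

Service Name: fvmarh
Image Path: C:\WINDOWS\system32\drivers\fvmarh.sys
"""

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)$')
STATUS_RE = re.compile(r'^Status:\s*Hooked by\s+"([^"]*)"\s+at address\s+(0x[0-9A-Fa-f]+)$')
SERVICE_RE = re.compile(r'^Service Name:\s*(\S+)$')
IMAGE_RE = re.compile(r'^Image Path:\s*(.+?)\s*$')


def parse_rootrepeal(text):
    """Return (hooks, hidden_services) parsed from RootRepeal-style text.

    Each hook is {"index", "function", "module", "address"}; each hidden
    service is {"name", "image_path"}. Entries span two lines, so the first
    line is held until its partner line arrives.
    """
    hooks, services = [], []
    pending_hook = pending_service = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOOK_RE.match(line)):
            pending_hook = {"index": int(m.group(1)), "function": m.group(2)}
        elif (m := STATUS_RE.match(line)) and pending_hook is not None:
            pending_hook["module"] = m.group(1)
            pending_hook["address"] = int(m.group(2), 16)
            hooks.append(pending_hook)
            pending_hook = None
        elif (m := SERVICE_RE.match(line)):
            pending_service = {"name": m.group(1)}
        elif (m := IMAGE_RE.match(line)) and pending_service is not None:
            pending_service["image_path"] = m.group(1)
            services.append(pending_service)
            pending_service = None
    return hooks, services


def address_span(hooks):
    """Lowest and highest hook address per owning module.

    A tight span for "<unknown>" means the unattributed hooks all land in one
    small region of code that no loaded module claims.
    """
    span = {}
    for h in hooks:
        lo, hi = span.get(h["module"], (h["address"], h["address"]))
        span[h["module"]] = (min(lo, h["address"]), max(hi, h["address"]))
    return span


def triage(hooks, services, known_modules=frozenset()):
    """Group hooks by module and return (by_module, findings).

    known_modules holds lower-cased driver file names the analyst has already
    attributed to an installed product. Hooks owned by "<unknown>" are reported
    as unattributed, hooks by any other unlisted driver as unreviewed, and
    every hidden service is reported.
    """
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    findings = []
    for module, funcs in sorted(by_module.items()):
        base = module.rsplit("\\", 1)[-1].lower()
        if module == "<unknown>":
            findings.append(("unattributed_hook", module, sorted(funcs)))
        elif base not in known_modules:
            findings.append(("unreviewed_hook", module, sorted(funcs)))
    for s in services:
        findings.append(("hidden_service", s["name"], [s["image_path"]]))
    return dict(by_module), findings


if __name__ == "__main__":
    hooks, services = parse_rootrepeal(SAMPLE_LOG)
    _, findings = triage(hooks, services, known_modules={"cmdguard.sys"})
    for kind, subject, details in findings:
        print(f"{kind:18} {subject}: {', '.join(details)}")
    for module, (lo, hi) in address_span(hooks).items():
        print(f"{module}: hooks at 0x{lo:08x}..0x{hi:08x}")
```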
  3. kalminen

    kalminen Regular member

    Joined:
    04.05.2007
    Messages:
    3,915
    Thanks:
    0
    Points:
    46
    A rootkit virus does everything you mentioned and, in addition, invites
    its friends over to do harm as well.
    It hides itself on the machine so well that it can hardly even be found,
    let alone removed by any means.

    -----------------------------------------------------

    Keep that Comodo in place for the time being.

    --------------------------------------------------------

    Go to the Windows Control Panel and from there to Add / Remove Programs
    (in Vista (7): Programs and Features).
    Find and remove the program whose name contains:

    All antivirus programs except
    Comodo

    -------------------------------------------------------------------

    * Download OTM by OldTimer.
    * Save it to your desktop.
    * Double-click OTM.exe to start it.
    * Copy (CTRL+C) all the text from the box below.
    Code:
    :Processes
    explorer.exe
    :services
    ekjofpi
    fvmarh
    :files 
    C:\WINDOWS\system32\drivers\ekjofpi.sys
    C:\WINDOWS\system32\drivers\fvmarh.sys
    :reg
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekjofpi] 
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fvmarh] 
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
    
    * Go back to OTMoveIt3, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and click Paste.
    * Click the red MoveIt! button.
    * Copy (CTRL+C) and paste (CTRL+V) the text that appears in the Results window (under the green bar) into your next post.
    * Close OTM.

    If some file/folder could not be moved immediately, the program will suggest restarting the computer. Answer Yes, and OTMoveIt will restart your computer.

    *********************************************************

    * Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
    * Double-click RSIT.exe to run RSIT.
    * Click Continue.
    * When RSIT is finished, two logs open in Notepad. Post the contents of both
    log.txt (<<opens maximized) and
    info.txt (<<opens minimized) in your next post.

    As well as the OTMoveIt log.
    :)
     
  4. Axu83

    Axu83 Member

    Joined:
    19.11.2003
    Messages:
    30
    Thanks:
    0
    Points:
    16
    Here is the OTM log:

    All processes killed
    ========== PROCESSES ==========
    No active process named explorer.exe was found!
    ========== SERVICES/DRIVERS ==========
    Error: No service named ekjofpi was found to stop!
    Service\Driver key ekjofpi not found.
    Error: No service named fvmarh was found to stop!
    Service\Driver key fvmarh not found.
    ========== FILES ==========
    File move failed. C:\WINDOWS\system32\drivers\ekjofpi.sys scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32\drivers\fvmarh.sys scheduled to be moved on reboot.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekjofpi\ not found.
    Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fvmarh\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Opera cache emptied: 221148 bytes
    ->Flash cache emptied: 456 bytes

    User: Admin
    ->Temp folder emptied: 778120 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 38295180 bytes
    ->Opera cache emptied: 700469 bytes
    ->Flash cache emptied: 27237 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 98304 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 22374 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 38,00 mb


    OTM by OldTimer - Version 3.1.16.0 log created on 09142010_192638

    Files moved on Reboot...
    File C:\WINDOWS\system32\drivers\ekjofpi.sys not found!
    File C:\WINDOWS\system32\drivers\fvmarh.sys not found!

    Registry entries deleted on Reboot...

    END
    ---------------------------------------

    RSIT did not work; I got the message:

    Autolt error
    line 3903
    error: variable used without being declared

    ----------------------------------------

    What now? Thanks, by the way, for the excellent and fast help!
     
  5. kalminen

    kalminen Regular member

    Joined:
    04.05.2007
    Messages:
    3,915
    Thanks:
    0
    Points:
    46
    Download Deckard's System Scanner to your desktop.

    Note: You must have administrator rights to run the program.

    * Close all open windows and programs.
    * Double-click the Dss.exe file to run the program and follow the instructions.
    * When the scan is finished, two text files should open, Main.txt and extra.txt
    * Keyboard shortcuts: copy (CTRL+A -> CTRL+C) and paste (CTRL+V)
    * Copy/paste the contents of the following reports into your next reply:
    DDS.txt
    Attach.txt
    :)
     
    Last edited: 14.09.2010
  6. Axu83

    Axu83 Member

    Joined:
    19.11.2003
    Messages:
    30
    Thanks:
    0
    Points:
    16
    OTL LOG:

    OTL logfile created on: 14.9.2010 20:34:40 - Run 1
    OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Admin\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 0000040B | Country: Finland | Language: FIN | Date Format: d.M.yyyy

    2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 80,00% Memory free
    6,00 Gb Paging File | 6,00 Gb Available in Paging File | 96,00% Paging File free
    Paging file location(s): D:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 35,60 Gb Total Space | 1,38 Gb Free Space | 3,89% Space Free | Partition Type: FAT32
    Drive D: | 35,98 Gb Total Space | 3,83 Gb Free Space | 10,64% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    Drive F: | 8,91 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ACER-684C9A655D
    Current User Name: Admin
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Processes (SafeList) ==========

    PRC - [2010.09.14 20:26:28 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    PRC - [2010.04.15 13:46:24 | 000,519,936 | ---- | M] () -- D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    PRC - [2010.04.15 13:46:20 | 001,655,552 | ---- | M] () -- D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe
    PRC - [2008.04.14 02:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008.01.29 22:16:20 | 000,110,592 | ---- | M] () -- D:\Program Files\Mobile Partner\Mobile Partner.exe


    ========== Modules (SafeList) ==========

    MOD - [2010.09.14 20:26:28 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    MOD - [2010.04.15 13:46:32 | 000,143,104 | ---- | M] () -- C:\WINDOWS\system32\guard32.dll
    MOD - [2008.04.14 02:12:10 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll
    MOD - [2008.04.14 02:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010.04.15 13:46:24 | 000,519,936 | ---- | M] () [Auto | Running] -- D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe -- (cmdAgent)
    SRV - [2010.03.01 16:46:34 | 000,055,992 | ---- | M] (F-Secure Corporation) [Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe -- (FSORSPClient)
    SRV - [2009.10.14 17:23:42 | 000,522,848 | ---- | M] (F-Secure Corporation) [Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe -- (FSDFWD)
    SRV - [2009.07.09 12:34:54 | 000,186,976 | ---- | M] (F-Secure Corporation) [Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE -- (FSMA)
    SRV - [2009.07.09 12:31:20 | 000,215,648 | ---- | M] (F-Secure Corporation) [Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
    SRV - [2007.01.31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [On_Demand | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
    SRV - [2005.06.06 19:08:58 | 001,273,344 | ---- | M] (OSA Technologies Inc.) [On_Demand | Stopped] -- C:\Acer\eManager\anbmServ.exe -- (anbmService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\Wbutton.sys -- (Wbutton)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010.04.15 13:46:32 | 000,087,056 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdguard.sys -- (cmdGuard)
    DRV - [2010.04.15 13:46:32 | 000,079,760 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
    DRV - [2010.04.15 13:46:32 | 000,024,208 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
    DRV - [2010.03.29 14:24:38 | 000,111,296 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper)
    DRV - [2009.11.29 19:34:52 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2009.09.25 12:13:24 | 000,033,920 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\fsbts.sys -- (fsbts)
    DRV - [2009.09.08 18:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
    DRV - [2009.07.09 12:34:18 | 000,068,064 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys -- (F-Secure HIPS)
    DRV - [2009.07.09 12:33:14 | 000,080,000 | ---- | M] (F-Secure Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\fsdfw.sys -- (FSFW)
    DRV - [2009.07.09 12:31:24 | 000,039,776 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\FSfilter.sys -- (F-Secure Filter)
    DRV - [2009.07.09 12:31:24 | 000,025,184 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\FSrec.sys -- (F-Secure Recognizer)
    DRV - [2008.09.24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2008.04.13 20:54:36 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
    DRV - [2008.04.13 20:36:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008.04.13 20:36:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2007.08.24 19:45:22 | 000,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2006.09.24 16:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
    DRV - [2005.12.09 07:56:22 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
    DRV - [2005.04.07 18:08:46 | 000,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
    DRV - [2005.03.04 16:37:26 | 000,008,704 | ---- | M] (Avocent/OSA Technologies Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio)
    DRV - [2005.02.04 10:59:46 | 000,193,216 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
    DRV - [2005.01.14 15:57:16 | 000,004,010 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm)
    DRV - [2005.01.13 14:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\acer\eRecovery\int15.sys -- (int15.sys)
    DRV - [2004.12.22 01:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2004.12.15 15:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2004.12.15 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004.12.15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2004.12.02 16:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
    DRV - [2004.07.19 13:10:00 | 000,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
    DRV - [2003.12.05 18:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
    DRV - [2003.04.28 11:27:06 | 000,009,867 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\HOTKEY.sys -- (Hotkey)
    DRV - [2001.08.17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001.08.17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001.08.17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001.08.17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001.08.17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001.08.17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001.08.17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001.08.17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001.08.17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001.08.17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001.08.17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001.08.17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001.08.17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001.08.17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001.08.17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
    DRV - [2000.12.19 18:29:52 | 000,002,343 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Launch Manager\POWERKEY.SYS -- (POWERKEY)
    DRV - [1996.04.03 22:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    IE - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.fi;*.*.fi;*.*.*.fi;<local>
    IE - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.dial.inet.fi:800

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10

    FF - HKLM\software\mozilla\Firefox\extensions\\litmus-ff@f-secure.com: C:\Program Files\F-Secure Internet Security\NRS\litmus-ff@f-secure.com [2009.09.25 12:04:02 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009.05.26 23:02:36 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009.05.26 23:02:36 | 000,000,000 | ---D | M]

    [2009.05.26 23:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
    [2009.05.26 23:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k8adl0js.default\extensions
    [2009.10.25 11:06:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\k8adl0js.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009.05.26 23:02:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009.09.12 23:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CCMSDK.dll
    [2009.09.12 23:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
    [2009.09.12 23:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
    [2009.09.12 23:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
    [2009.09.12 23:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll
    [2009.09.12 23:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
    [2010.08.12 22:43:04 | 000,002,062 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bookplus-fi.xml
    [2010.08.12 22:43:04 | 000,001,069 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons-fi.xml
    [2010.08.12 22:43:04 | 000,002,677 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\huuto-fi.xml
    [2010.08.12 22:43:04 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-fi.xml
    [2010.08.12 22:43:04 | 000,001,100 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-fi.xml

    O1 HOSTS File: ([2010.09.14 13:01:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation)
    O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation)
    O4 - HKLM..\Run: [COMODO Firewall Pro] D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe ()
    O4 - HKLM..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe (Wistron)
    O4 - HKLM..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe (Acer Value Labs, Taiwan)
    O4 - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005..\Run: [Mobile Partner] D:\Program Files\Mobile Partner\Mobile Partner.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O15 - HKU\S-1-5-21-3845734143-1002380211-3227636783-1005\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1257426773234 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Reg Error: Key error.)
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007.07.05 15:04:10 | 000,106,496 | R--- | M] (Huawei Technologies Co., Ltd.) - F:\AutoRun.exe -- [ CDFS ]
    O32 - AutoRun File - [2007.11.08 10:41:52 | 000,000,047 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010.09.14 20:26:07 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010.09.14 20:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Desktop\Logiohjelmat
    [2010.09.14 19:38:23 | 000,000,000 | ---D | C] -- C:\rsit
    [2010.09.14 19:26:38 | 000,000,000 | ---D | C] -- C:\_OTM
    [2010.09.14 19:23:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Admin\Recent
    [2010.09.14 17:24:16 | 007,484,880 | ---- | C] (IObit ) -- C:\Documents and Settings\Admin\Desktop\asc-setup_v3.7.0.721.exe
    [2010.09.14 13:21:38 | 000,000,000 | -HSD | C] -- C:\Recycled
    [2010.09.14 13:06:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010.09.14 12:45:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010.09.14 12:45:23 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010.09.14 12:45:23 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010.09.14 12:45:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010.09.14 12:44:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010.09.14 12:39:38 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010.09.14 12:37:54 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2010.09.13 01:01:06 | 017,436,560 | ---- | C] (Agnitum, Ltd. ) -- C:\Documents and Settings\Admin\Desktop\OutpostFreeInstall.exe
    [2010.09.12 21:06:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
    [2010.09.08 02:28:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\PCHealth
    [2010.09.08 01:52:24 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
    [2010.09.08 01:40:37 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
    [2010.09.02 14:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010.09.02 14:42:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010.09.02 14:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Opera
    [2010.09.02 14:41:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Opera
    [2010.09.02 14:37:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\ActiveSMART
    [2010.09.01 15:26:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
    [2010.08.28 21:18:58 | 000,000,000 | ---D | C] -- C:\FOUND.000
    [2010.08.26 21:18:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [15 C:\Documents and Settings\Admin\Desktop\*.tmp files -> C:\Documents and Settings\Admin\Desktop\*.tmp -> ]
    [1 C:\Documents and Settings\Admin\My Documents\*.tmp files -> C:\Documents and Settings\Admin\My Documents\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010.09.14 20:41:20 | 000,757,248 | ---- | M] () -- C:\WINDOWS\System32\drivers\ekjofpi.sys
    [2010.09.14 20:41:12 | 000,585,504 | ---- | M] () -- C:\WINDOWS\System32\drivers\fvmarh.sys
    [2010.09.14 20:26:28 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010.09.14 19:35:40 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010.09.14 19:33:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010.09.14 19:33:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010.09.14 19:33:00 | 2137,509,888 | -HS- | M] () -- C:\hiberfil.sys
    [2010.09.14 19:30:50 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\Admin\NTUSER.DAT
    [2010.09.14 19:30:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Admin\ntuser.ini
    [2010.09.14 17:28:16 | 007,484,880 | ---- | M] (IObit ) -- C:\Documents and Settings\Admin\Desktop\asc-setup_v3.7.0.721.exe
    [2010.09.14 14:18:56 | 004,265,960 | -H-- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\IconCache.db
    [2010.09.14 13:27:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\settings.dat
    [2010.09.14 13:01:32 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010.09.13 20:07:28 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\PS3_pelit.doc
    [2010.09.13 11:42:32 | 000,000,016 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\apiqfw.dat
    [2010.09.13 01:03:26 | 017,436,560 | ---- | M] (Agnitum, Ltd. ) -- C:\Documents and Settings\Admin\Desktop\OutpostFreeInstall.exe
    [2010.09.12 23:54:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
    [2010.09.12 21:45:34 | 492,330,494 | ---- | M] () -- C:\Program Files\F-Secure Internet Security.zip
    [2010.09.12 17:42:16 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Admin\Desktop\~$3_pelit.doc
    [2010.09.11 22:25:00 | 000,002,776 | ---- | M] () -- C:\Documents and Settings\Admin\.recently-used.xbel
    [2010.09.10 15:28:32 | 000,150,739 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Examensarbete_mall.dotx
    [2010.09.10 15:22:18 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Praktikrapport2_Satakerta .doc
    [2010.09.09 12:53:28 | 008,411,635 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\CitrixOnlinePluginWeb.exe
    [2010.09.08 02:44:14 | 000,505,618 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010.09.08 02:44:14 | 000,443,860 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010.09.08 02:44:14 | 000,072,214 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010.09.08 02:22:16 | 000,202,528 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010.09.05 02:19:20 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
    [2010.09.05 02:19:20 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
    [2010.09.03 17:28:06 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
    [2010.09.03 17:28:06 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
    [2010.09.03 11:54:00 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Viikko 35 ja Ika is Back.doc
    [2010.08.28 20:42:54 | 000,660,056 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\emilian.m3u
    [2010.08.16 22:03:30 | 000,002,529 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Microsoft Office Word 2003.lnk
    [15 C:\Documents and Settings\Admin\Desktop\*.tmp files -> C:\Documents and Settings\Admin\Desktop\*.tmp -> ]
    [1 C:\Documents and Settings\Admin\My Documents\*.tmp files -> C:\Documents and Settings\Admin\My Documents\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010.09.14 13:27:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\settings.dat
    [2010.09.14 12:45:24 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010.09.14 12:45:23 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010.09.14 12:45:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010.09.14 12:45:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010.09.14 12:45:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010.09.14 11:45:19 | 2137,509,888 | -HS- | C] () -- C:\hiberfil.sys
    [2010.09.13 11:45:05 | 000,585,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\fvmarh.sys
    [2010.09.13 11:44:46 | 000,757,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\ekjofpi.sys
    [2010.09.13 11:42:29 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\apiqfw.dat
    [2010.09.12 21:13:24 | 492,330,494 | ---- | C] () -- C:\Program Files\F-Secure Internet Security.zip
    [2010.09.12 17:42:15 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Admin\Desktop\~$3_pelit.doc
    [2010.09.12 01:30:45 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\apiqfw.dat
    [2010.09.11 22:24:58 | 000,002,776 | ---- | C] () -- C:\Documents and Settings\Admin\.recently-used.xbel
    [2010.09.11 12:45:02 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\PS3_pelit.doc
    [2010.09.10 15:28:30 | 000,150,739 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Examensarbete_mall.dotx
    [2010.09.09 12:51:43 | 008,411,635 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\CitrixOnlinePluginWeb.exe
    [2010.09.05 17:41:22 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Praktikrapport2_Satakerta .doc
    [2010.09.03 11:54:00 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Viikko 35 ja Ika is Back.doc
    [2010.08.30 13:41:20 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\hngmfc.dat
    [2010.08.28 20:42:51 | 000,660,056 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\emilian.m3u
    [2010.04.15 13:46:47 | 000,143,104 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
    [2010.01.22 12:47:48 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010.01.22 12:47:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2009.09.25 12:05:06 | 000,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
    [2006.12.23 16:23:54 | 001,236,992 | ---- | C] () -- C:\WINDOWS\System32\cfgmig32.dll
    [2006.12.23 16:23:54 | 001,187,840 | ---- | C] () -- C:\WINDOWS\System32\winsflt.dll
    [2006.12.10 18:49:14 | 000,000,783 | ---- | C] () -- C:\WINDOWS\NTIWVEDT.INI
    [2006.04.09 15:05:07 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2005.12.09 10:54:38 | 000,000,390 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005.12.09 07:55:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
    [2005.06.24 10:48:03 | 000,009,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\HOTKEY.sys
    [2005.06.20 02:42:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2005.06.20 02:17:30 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
    [2005.06.20 02:16:31 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
    [2005.06.20 02:16:31 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
    [2005.06.20 02:16:31 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
    [2005.06.20 02:16:31 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
    [2005.06.20 02:09:07 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
    [2005.06.20 01:39:37 | 000,872,448 | ---- | C] () -- C:\WINDOWS\iconv.dll
    [2005.06.20 01:39:37 | 000,743,424 | ---- | C] () -- C:\WINDOWS\libxml2.dll
    [2005.06.20 01:39:37 | 000,001,150 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2003.04.01 10:58:30 | 000,005,649 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001.12.26 16:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
    [2001.09.03 23:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
    [2001.07.30 16:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
    [2001.07.23 22:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
    [1996.04.03 22:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
    [1980.01.01 00:00:00 | 000,225,280 | ---- | C] () -- C:\WINDOWS\Capsule.dll
    < End of report >

    END

    -----------------------------------

    OTL Extras logfile created on: 14.9.2010 20:34:40 - Run 1
    OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Admin\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 0000040B | Country: Finland | Language: FIN | Date Format: d.M.yyyy

    2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 80,00% Memory free
    6,00 Gb Paging File | 6,00 Gb Available in Paging File | 96,00% Paging File free
    Paging file location(s): D:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 35,60 Gb Total Space | 1,38 Gb Free Space | 3,89% Space Free | Partition Type: FAT32
    Drive D: | 35,98 Gb Total Space | 3,83 Gb Free Space | 10,64% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    Drive F: | 8,91 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ACER-684C9A655D
    Current User Name: Admin
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_USERS\S-1-5-21-3845734143-1002380211-3227636783-1005\SOFTWARE\Classes\<extension>]
    .html [@ = Opera.HTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    http [open] -- "D:\Program Files\Opera\opera.exe" "%1" (Opera Software)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
    Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
    Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\DC++\DCPlusPlus.exe" = C:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++ -- ()
    "D:\Program Files\Opera\opera.exe" = D:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
    "D:\Program Files\BitTorrent\bittorrent.exe" = D:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III
    "{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 17
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
    "{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePowerManagement
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{70858C67-8761-4444-895A-0A8B2E9E144E}" = Opera 10.61
    "{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
    "{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
    "{90120000-0020-040B-0000-0000000FF1CE}" = 2007 Office Systemin yhteensopivuuspaketti
    "{9112040B-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1035-7B44-A92000000001}" = Adobe Reader 9.2 - Suomi
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
    "{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.0.8.8
    "{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
    "{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
    "7-Zip" = 7-Zip 9.12 beta
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "BitTorrent" = BitTorrent
    "CAL" = Canon Camera Access Library
    "CameraWindowDC" = Canon Utilities CameraWindow DC
    "CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    "CameraWindowLauncher" = Canon Utilities CameraWindow
    "Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
    "CCleaner" = CCleaner
    "CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
    "CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025" = SoftV90 Data Fax Modem with SmartCP
    "COMODO Firewall Pro" = COMODO Firewall Pro
    "CSCLIB" = Canon Camera Support Core Library
    "DC++" = DC++ 0.7091
    "ffdshow_is1" = ffdshow [rev 3119] [2009-10-27]
    "F-Secure Product 444" = F-Secure Internet Security 2010
    "Heroes of Might and Magic® III" = Heroes of Might and Magic® III Complete
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
    "LucasArts' Curse of Monkey Island" = LucasArts' Curse of Monkey Island
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mobile Partner" = Mobile Partner
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "MyCamera" = Canon Utilities MyCamera
    "MyCameraDC" = Canon Utilities MyCamera DC
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "PhotoStitch" = Canon Utilities PhotoStitch
    "Picasa 3" = Picasa 3
    "RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
    "RegCure" = RegCure
    "RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
    "S2TNG" = The Settlers II - 10th Anniversary
    "Shockwave" = Shockwave
    "SpeedFan" = SpeedFan (remove only)
    "Starcraft" = Starcraft
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "Winamp" = Winamp
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinGimp-2.0_is1" = GIMP 2.6.7
    "VLC media player" = VLC media player 1.0.5
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3845734143-1002380211-3227636783-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 14.9.2010 8:48:26 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 8:48:34 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 8:48:49 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 8:48:56 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 9:28:33 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 9:29:25 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 9:29:32 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 9:29:42 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 9:29:51 | Computer Name = ACER-684C9A655D | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x800706ba.

    Error - 14.9.2010 12:00:30 | Computer Name = ACER-684C9A655D | Source = Application Hang | ID = 1002
    Description = Hanging application setup.exe, version 10.0.0.29, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 14.9.2010 11:20:17 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:20:17 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:20:17 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:20:17 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:20:17 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:20:18 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:20:18 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 14.9.2010 11:50:44 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7031
    Description = The ASP.NET State Service service terminated unexpectedly. It has
    done this 2 time(s). The following corrective action will be taken in 0 milliseconds:
    Restart the service.

    Error - 14.9.2010 11:51:18 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7031
    Description = The COM+ System Application service terminated unexpectedly. It has
    done this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
    Restart the service.

    Error - 14.9.2010 11:51:59 | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7034
    Description = The ASP.NET State Service service terminated unexpectedly. It has
    done this 3 time(s).


    < End of report >

    -----------------------
    I'll still run that other program you edited into your post.
     
  7. kalminen

    kalminen Regular member

    Joined:
    04.05.2007
    Messages:
    3,915
    Thanks:
    0
    Points:
    46
    .
    No need to ::
    Delete RSIT and download it again,
    maybe it will work then.
    SRI was my mix-up
    :)
     
  8. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    I already tried again; RSIT didn't work. Could the file be corrupted or something? So I won't post the DDS log? I already ran that program.

    Do you think the machine is clean now? Should I enable F-Secure, or which firewall/antivirus program would be good, preferably free?

    Last edited: 14.09.2010
  9. kalminen (Regular member, joined 04.05.2007, 3,915 posts, 0 thanks, 46 points)
    Download and run =>
    the F-Secure uninstall tool: HERE
    :)
     
  10. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    Yes, but what goes in its place? Do I have to uninstall it? I've disabled it through services.msc, so it doesn't start.

    By the way, RSIT probably doesn't work because of Comodo..

    Last edited: 14.09.2010
  11. kalminen (Regular member, joined 04.05.2007, 3,915 posts, 0 thanks, 46 points)
    Post an HJT log at this point
    :)
     
  12. kalminen (Regular member, joined 04.05.2007, 3,915 posts, 0 thanks, 46 points)
    Set this running and we'll continue tomorrow.
    Comodo will do for that long.

    Scan your machine with the F-Secure online scanner
    * Tick "I have read and accepted the license term" and press Install.

    * If you use Firefox, you'll be asked to install the F-Secure add-on. Install it and choose
    "Restart browser" once the add-on is installed.
    * If you use Internet Explorer, you'll be asked to install an ActiveX component; install it.

    * Press Start. The site loads for a moment and the F-Secure Online Scanner window opens.
    * Choose My scan and press Show options below it.
    * Under Select file types for scanning choose "all file types", also tick "Scan inside compressed files (zip, rar, lzh, ...)" below it, and press OK.
    * Press Start. The program downloads the files it needs and starts the scan. The scan may take a while.
    * When the scan is finished, make sure the Clean the files option is set to "Automatically (recommended)" and press "Next".
    * When cleaning is done, press "Full report...". The report opens in your browser. Go to the report page and press Ctrl and A to select all the text on the page, then Ctrl and C to copy the selection.

    * Paste the F-Secure scan report into your next post by pressing Ctrl and V in the reply field.
    :)
     
  13. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 21:32:14, on 14.9.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\Program Files\Mobile Partner\Mobile Partner.exe
    D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;*.*.fi;*.*.*.fi;<local>
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe"
    O4 - HKUS\S-1-5-21-3845734143-1002380211-3227636783-1005\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe" (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1257426773234
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
    O17 - HKLM\System\CS1\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    --
    End of file - 5174 bytes
     
  14. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    I just noticed that services.exe keeps trying to connect to various IP addresses. Is that normal? I already blocked its connections with Comodo a few days ago. Thanks for the help, I'll do that scan.
     
  15. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    I ran the online scan with F-Secure. 4 viruses were left uncleaned!

    Scanning type: Scan system for malware, spyware and rootkits
    Target: C:\ D:\
    5 malware found
    Suspicious:W32/Malware!Gemini (spyware)
    System (Disinfected)
    Suspicious:W32/Malware!Gemini (virus)
    C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP3\A0000976.exe (Not cleaned & Submitted)
    Suspicious:W32/Malware!Gemini (virus)
    C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP3\A0000982.exe (Not cleaned & Submitted)
    Suspicious:W32/Malware!Gemini (virus)
    C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP3\A0000987.exe (Not cleaned & Submitted)
    Suspicious:W32/Malware!Gemini (virus)
    C:\Documents and Settings\Admin\Desktop\Logiohjelmat\RSIT.exe (Not cleaned)
    Statistics
    Scanned:
    Files: 472811
    System: 3177
    Not scanned: 28
    Actions:
    Disinfected: 1
    Renamed: 0
    Deleted: 0
    Not cleaned: 4
    Submitted: 3
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\HIBERFIL.SYS
    C:\DOCUMENTS AND SETTINGS\ADMIN\NTUSER.DAT.LOG
    C:\DOCUMENTS AND SETTINGS\ADMIN\NTUSER.DAT
    C:\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
    C:\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
    C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
    C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
    C:\WINDOWS\SYSTEM32\DRIVERS\FVMARH.SYS
    C:\WINDOWS\SYSTEM32\DRIVERS\EKJOFPI.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\WINDOWS\SYSTEM32\CONFIG\SAM
    Options
    Scanning engines:
    Scanning options:
    Scan all files
    Scan inside archives
    Use advanced heuristics
     
    Last edited: 15.09.2010
  16. kalminen (Regular member, joined 04.05.2007, 3,915 posts, 0 thanks, 46 points)
    It depends on which address it's trying to reach;
    that's what the firewall is for.
    Many programs' automatic updates work exactly like that.
    Tell me, or check, where those IPs point ???

    ---------------------------------------------------------------

    Those four F-Secure finds go away with this =>

    Here's how to clean System Restore (the system restore points) in Windows XP
    (System Volume Information)

    1 Right-click the My Computer icon in the Start menu
    2 Choose Properties (System)
    3 Choose the System Restore tab
    4 Tick "Turn off System Restore" on all drives
    5 Press Apply
    6 Press OK
    7 Restart your computer

    8 Turn System Restore back on: in step 4, untick the box => Apply => OK.

    9 Go to Start => Run and copy %SystemRoot%\system32\restore\rstrui.exe into the box => OK
    Select "Create a restore point" => Next
    and follow the instructions.

    -------------------------------------------------------------

    Just uninstall Comodo and
    "enable" F-Secure

    ---------------------------------------------------------------

    Download SystemLook by jpshortstuff from HERE and save it to your desktop.

    Double-click SystemLook.exe to run it.

    Copy (CTRL+C) all of the text in the box below into the text area.

    Code:
    :regfind
    monmvr32.exe
    FVMARH.SYS
    EKJOFPI.SYS
    ekjofpi.sys
    fvmarh.sys
    
    :filefind 
    data.dat
    monmvr32.exe
    FVMARH.SYS
    EKJOFPI.SYS
    ekjofpi.sys
    fvmarh.sys
    
    :dir
    C:\WINDOWS\system32\drivers\etc /s
    
    Click the Look button to start the scan.

    When the scan is finished, Notepad opens with the log.
    Right-click in the log and choose "Select all".
    Copy and paste it into your next post.
    (The log is also on your desktop as SystemLook.txt)

    *******************************************************************

    This =>
    Drive C: | 35,60 Gb Total Space | 1,38 Gb Free Space | 3,89% Space Free |
    is far too little, even though the swap file is on D:. (make some space)

    ------------------------------------------------------------

    Left over from ComboFix =>

    Download Malwarebytes' Anti-Malware to your desktop.

    If the link doesn't work, you can also download it from the following links:
    Link1
    Link2


    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are selected: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, the program downloads and installs the latest version. If downloading the updates fails, you can download them from here. Double-click mbam-rules.exe to install the updates.
    * Once the program has loaded and the updates are done, choose Perform full scan and click Scan.
    * When the scan is finished, click OK and then Show Results to see the results.
    * Make sure everything is checked and click Remove Selected.
    * After that the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Post the contents of the log in your next reply.

    Note: If Mbam was unable to remove a file, it will ask you to restart your computer. In that case restart immediately. Mbam may make changes to your registry as part of the cleanup. If you use a protection program that detects registry changes, allow Mbam to make the changes.

    Post =>
    a new HJT log and
    the latest log from the Logs tab of Malwarebytes' Anti-Malware here,
    plus SystemLook.txt
    :)
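
The question in post 14 (services.exe connecting out) comes down to two facts: which process owns the socket, and where the peer is. services.exe is the Service Control Manager and has no updater of its own, so outbound traffic attributed to it means something else is running inside that process. The script below is an added example, not something posted in this thread or shipped with any of the tools mentioned in it: it parses `netstat -ano` output (the sample is constructed in the same layout, with RFC 5737 documentation addresses standing in for Internet hosts), joins it to a PID-to-image map of the kind `tasklist` gives, and reports every connection to a real peer that belongs to a core system process which does not normally talk to the network on a stand-alone XP machine. The process list and the address ranges are assumptions chosen for the example. One caveat: a kernel-mode rootkit of the kind reported in this thread can hide its sockets from netstat, so an empty report is not a clean bill, while a hit from services.exe is a finding, not an auto-update.

```python
import ipaddress
import re

# Constructed sample in the layout of `netstat -ano` on Windows XP. It is not
# output from the machine in this thread; the remote addresses are RFC 5737
# documentation addresses standing in for arbitrary Internet hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    127.0.0.1:1032         127.0.0.1:1033         ESTABLISHED     1764
  TCP    192.168.1.10:1045      198.51.100.23:80       ESTABLISHED     1764
  TCP    192.168.1.10:1051      203.0.113.9:8080       SYN_SENT        708
  TCP    192.168.1.10:1052      203.0.113.10:443       ESTABLISHED     708
  UDP    192.168.1.10:1025      *:*                                    1120
"""

# Constructed PID -> image name map, the pairing `tasklist` (or `netstat -b`)
# would give for the sample above.
SAMPLE_TASKLIST = {
    708: "services.exe",   # Service Control Manager
    1004: "svchost.exe",
    1120: "svchost.exe",
    1764: "opera.exe",
}

# Assumption for this example: core XP processes that do not open outbound
# connections on a stand-alone home machine. Traffic attributed to one of
# them usually means injected or hooked code. svchost.exe and lsass.exe are
# deliberately absent because they legitimately talk to the network.
QUIET_PROCESSES = {"services.exe", "smss.exe", "csrss.exe", "winlogon.exe"}

# Ranges that stay inside the home network (RFC 1918 plus link-local);
# any other peer is an Internet host worth looking up.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'203.0.113.9:8080' -> ('203.0.113.9', 8080); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def classify_remote(host):
    """Return 'none', 'loopback', 'local' or 'internet' for a remote host."""
    if host in ("*", "0.0.0.0"):
        return "none"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "internet"  # netstat run without -n printed a hostname
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    return "internet"


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, port = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "remote": host,
                     "rport": port, "state": state or "", "pid": int(pid)})
    return rows


def triage(netstat_text, pid_to_image):
    """Return (image, pid, remote, port, where, state) for every connection to
    a real peer owned by a quiet core process or by a PID with no known image."""
    findings = []
    for row in parse_netstat(netstat_text):
        where = classify_remote(row["remote"])
        if where == "none":
            continue  # listening socket or unbound UDP: no peer to judge
        image = pid_to_image.get(row["pid"], "<unknown>").lower()
        if image in QUIET_PROCESSES or image == "<unknown>":
            findings.append((image, row["pid"], row["remote"], row["rport"],
                             where, row["state"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("%-14s pid %-5d -> %s:%s (%s, %s)" % f)
```

On the real machine the inputs come from `netstat -ano` and `tasklist` run from an Administrator command prompt; the PID map can be built from `tasklist /fo csv` with a few lines of csv parsing. The peers the script reports are the ones to look up (whois, or the firewall's own log), which is the check the next reply asks for.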
     
  17. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4623

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16.9.2010 12:16:30
    mbam-log-2010-09-16 (12-16-30).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 209310
    Time elapsed: 2 hour(s), 6 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Admin\Application Data\apiqfw.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\NetworkService\Application Data\apiqfw.dat (Malware.Trace) -> Quarantined and deleted successfully.

    END
    -
    -
    -
    -
    -

    SystemLook 04.09.10 by jpshortstuff
    Log created at 12:48 on 16/09/2010 by Admin
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "monmvr32.exe"
    No data found.

    Searching for "FVMARH.SYS"
    No data found.

    Searching for "EKJOFPI.SYS"
    No data found.

    Searching for "ekjofpi.sys"
    No data found.

    Searching for "fvmarh.sys"
    No data found.

    ========== filefind ==========

    Searching for "data.dat"
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data\data.dat --a---- 3072 bytes [16:25 28/08/2007] [16:11 04/09/2007] 685857333EE335F81E1F4831424E571D

    Searching for "monmvr32.exe"
    No files found.

    Searching for "FVMARH.SYS"
    C:\WINDOWS\system32\drivers\fvmarh.sys --a---- 585504 bytes [08:45 13/09/2010] [09:51 16/09/2010] (Unable to calculate MD5)

    Searching for "EKJOFPI.SYS"
    C:\WINDOWS\system32\drivers\ekjofpi.sys --a---- 757248 bytes [08:44 13/09/2010] [09:51 16/09/2010] (Unable to calculate MD5)

    Searching for "ekjofpi.sys"
    C:\WINDOWS\system32\drivers\ekjofpi.sys --a---- 757248 bytes [08:44 13/09/2010] [09:51 16/09/2010] (Unable to calculate MD5)

    Searching for "fvmarh.sys"
    C:\WINDOWS\system32\drivers\fvmarh.sys --a---- 585504 bytes [08:45 13/09/2010] [09:51 16/09/2010] (Unable to calculate MD5)

    ========== dir ==========

    C:\WINDOWS\system32\drivers\etc - Parameters: "/s"

    ---Files---
    lmhosts.sam ------- 3683 bytes [21:00 31/12/1979] [02:00 04/08/2004]
    networks ------- 407 bytes [21:00 31/12/1979] [02:00 04/08/2004]
    protocol ------- 799 bytes [21:00 31/12/1979] [02:00 04/08/2004]
    services ------- 7116 bytes [21:00 31/12/1979] [02:00 04/08/2004]
    hosts.20100222-123959.backup --a---- 734 bytes [09:39 22/02/2010] [02:00 04/08/2004]
    hosts --a---- 27 bytes [21:00 31/12/1979] [10:01 14/09/2010]

    No folders found.

    -= EOF =-

    END

    -
    -
    -
    -
    -
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:55:16, on 16.9.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\dllhost.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Mobile Partner\Mobile Partner.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\Program Files\Opera\opera.exe
    D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-3845734143-1002380211-3227636783-1005\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe" (User '?')
    O4 - HKUS\S-1-5-21-3845734143-1002380211-3227636783-1005\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1257426773234
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
    O17 - HKLM\System\CS1\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    --
    End of file - 5723 bytes

    ----


    I removed the System Restore viruses as you advised. I'll try F-Secure, if it doesn't eat all the resources.. What next? Those fvmarh** files are still on the machine, but it wouldn't let me delete the file manually.

    Yesterday I fixed up my mother's machine the same way (my old computer); it has roughly the same problems, but the C: drive has 0-300 MB free and there's no way to get more, since the 10 GB partition has nothing on it but Windows XP. Formatting is the next option if I can't carve a new partition out of it. Even doing that needs space!

    Last edited: 16.09.2010
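
Two HijackThis logs from the same machine two days apart (posts 13 and 17) are most useful as a diff: what appeared, what went away, and what stayed. The script below is an added example, not from this thread and not part of HijackThis: it parses the `Rn -` / `On -` lines into (section, entry) pairs, reports added and removed entries, and pulls out the sections where persistence and traffic redirection live (O4 Run keys, O20 AppInit_DLLs, O23 services, O17 name servers, R1 proxy). The embedded samples are trimmed excerpts of the two logs on this page; the section list is an assumption for the example. On these excerpts the diff shows what the posts describe: the Spybot TeaTimer Run entry appears and the dial-up proxy line (`proxy.dial.inet.fi:800`) is gone, while the O17 name servers, the guard32.dll AppInit entry and the O23 services are unchanged.

```python
import re

# Two constructed HJT excerpts. The lines are taken from the two logs posted in
# this thread but trimmed to a handful each; they are not the complete logs.
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dial.inet.fi:800
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe" -h
O17 - HKLM\System\CCS\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
"""

HJT_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
"""

# One HJT entry: the section tag (R0-R3, O1-O24) and the rest of the line.
ENTRY = re.compile(r"^(R\d|O\d{1,2})\s+-\s+(.+)$")

# Assumption for this example: the sections that load code at boot/logon or
# redirect traffic, i.e. where a persistence mechanism or a proxy/DNS hijack
# would show up. Read these first in any HJT log.
WATCH_SECTIONS = {"R1", "O4", "O17", "O20", "O21", "O23"}


def parse_hjt(text):
    """Return the set of (section, entry) pairs in an HJT log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def diff_hjt(before, after):
    """Return (added, removed) between two logs of the same host, sorted."""
    a, b = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def watch_list(text):
    """Entries from the watched sections, sorted by section tag then text."""
    return [e for e in sorted(parse_hjt(text)) if e[0] in WATCH_SECTIONS]


if __name__ == "__main__":
    added, removed = diff_hjt(HJT_BEFORE, HJT_AFTER)
    for sec, entry in added:
        print("+ %s - %s" % (sec, entry))
    for sec, entry in removed:
        print("- %s - %s" % (sec, entry))
    print("watch:")
    for sec, entry in watch_list(HJT_AFTER):
        print("  %s - %s" % (sec, entry))
```

Feed it the two full logs (read from the saved text files) rather than the excerpts; entries that survive a cleaning run unchanged, such as the O17 name servers here, are the ones to verify against the ISP's published resolvers rather than assume.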
  18. kalminen (Regular member, joined 04.05.2007, 3,915 posts, 0 thanks, 46 points)
    These are still there =>

    Open Notepad and copy/paste the contents of the box below into it:

    Code:
    File::
    C:\WINDOWS\system32\drivers\fvmarh.sys
    C:\WINDOWS\system32\drivers\ekjofpi.sys
    
    Save it as CFScript (ComboFix actually recognises it even if the extension isn't
    .txt at all).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Don't click)

    Note! Don't click around in the ComboFix window while it's running. That can cause the program to hang.
    Restart the computer if asked to, and post the contents of combofix.txt here.

    ***************************************************************

    * The old HOSTS file gets removed. Boot the machine into Safe Mode => GUIDE
    Remove this file: C:\WINDOWS\system32\drivers\etc\HOSTS
    * Boot your machine back into normal mode.
    * Download HOSTS from here to your desktop.
    * Extract hosts.zip into the C:\WINDOWS\system32\drivers\etc folder.


    Finally, you can verify that there is a file named HOSTS there, with no extension. Size about 700 KB.
    The protection activates on the next boot. (it doesn't use memory)

    HOSTS updates: here
    What HOSTS does: guide here

    -----------------------------------------------------

    Post =>
    (C:\ComboFix.txt)
    :)
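
The HOSTS step above ends with a size check ("about 700 KB"); a practitioner also wants a content check, because a hosts file can be abused in the opposite direction, by mapping an update or vendor hostname to a live address instead of to loopback. The SystemLook listing earlier in the thread shows `hosts` at 27 bytes, last modified 14/09/2010, next to a 734-byte `hosts.20100222-123959.backup`; 27 bytes holds little more than a single `127.0.0.1 localhost` line. The script below is an added example, not from the thread and not from the HOSTS project linked there: it parses a hosts file, counts names black-holed to 127.0.0.1, 0.0.0.0 or ::1, lists names pointed at any other address for manual review, and reports malformed lines. The sample file is constructed with reserved `.example` names and an RFC 5737 documentation address.

```python
import ipaddress

# Constructed sample hosts file; not the file from the thread. Names use the
# reserved .example TLD and the redirect target is a documentation address.
SAMPLE_HOSTS = """\
# Constructed sample; not the hosts file from the thread.
127.0.0.1       localhost
# Blocklist-style entries of the kind a community HOSTS file carries
0.0.0.0         ads.tracker.example
127.0.0.1       banner.tracker.example   # trailing comments are allowed
# Redirects of the kind malware plants to keep security tools from updating
203.0.113.45    update.av-vendor.example
203.0.113.45    www.av-vendor.example  download.av-vendor.example
notanip         broken.example
"""

# Addresses that make a name resolve to nowhere: such entries block a name,
# they do not redirect it.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, names) for every non-comment line.
    ip is None when the first field is not an IP address (malformed line)."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ip = None
        yield line_no, ip, fields[1:]


def audit_hosts(text):
    """Summarise a hosts file: how many names are black-holed, which names are
    redirected to a live address (the hijack pattern), and malformed lines."""
    report = {"blackholed": 0, "redirects": [], "malformed": []}
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            report["malformed"].append(line_no)
            continue
        for name in names:
            if name.lower() in LOCALHOST_NAMES and ip in BLACKHOLE:
                continue  # the one mapping every hosts file is expected to have
            if ip in BLACKHOLE:
                report["blackholed"] += 1
            else:
                report["redirects"].append((line_no, ip, name))
    return report


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print("black-holed names:", r["blackholed"])
    for line_no, ip, name in r["redirects"]:
        print("line %d: %s -> %s  (redirect, verify)" % (line_no, name, ip))
    for line_no in r["malformed"]:
        print("line %d: malformed" % line_no)
```

On XP the live file is C:\WINDOWS\system32\drivers\etc\hosts, but Windows reads the directory from the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so confirm that value still points at that folder before trusting what the audit of the visible file says. A blocklist hosts file should produce a large black-holed count and an empty redirect list; any redirect entry is either a deliberate LAN mapping the owner remembers adding, or a finding.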
     
  19. Axu83 (Member, joined 19.11.2003, 30 posts, 0 thanks, 16 points)
    OK, I made the script and the machine went haywire. Comodo started asking whether to allow pev.exe, swreg.exe etc. A folder C:\32788R22FWJFW appeared, full of files. What the heck happened? Did the viruses get activated? I pressed yes a couple of times, since I figured they were related to ComboFix because the prompts came at the same time.

    edit: it didn't go haywire after all, ComboFix did that. The firewall and the internet were supposed to be off, I forgot; worth adding to the instructions? I nearly panicked when the notifications started pouring in =)

    ComboFix 10-09-13.02 - Admin 16.09.2010 23:16:42.2.1 - FAT32x86
    Running from: c:\documents and settings\Admin\Desktop\Logiohjelmat\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\Logiohjelmat\CFScript.txt
    * Created a new restore point

    FILE ::
    "c:\windows\system32\drivers\ekjofpi.sys"
    "c:\windows\system32\drivers\fvmarh.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\ekjofpi.sys
    c:\windows\system32\drivers\fvmarh.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ekjofpi
    -------\Legacy_fvmarh
    -------\Service_ekjofpi
    -------\Service_fvmarh


    ((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 )))))))))))))))))))))))))))))))
    .

    2010-09-16 19:45 . 2010-09-16 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-16 19:28 . 2010-09-14 08:01 -------- d-----r- C:\32788R22FWJFW
    2010-09-15 23:36 . 2010-09-15 23:36 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2010-09-15 23:34 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-15 23:34 . 2010-09-15 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-15 23:34 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-14 16:26 . 2010-09-14 16:26 -------- d-----w- C:\_OTM
    2010-09-14 10:50 . 2010-09-14 10:50 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-12 18:06 . 2010-09-12 18:06 -------- d-----w- c:\windows\Internet Logs
    2010-09-08 11:21 . 2010-09-08 11:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-09-07 23:28 . 2010-09-07 23:28 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PCHealth
    2010-09-07 22:52 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-09-07 22:40 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-09-03 14:13 . 2010-09-03 14:13 1266056 ----a-w- c:\temp\WindowsXP-KB927891-v3-x86-ENU.exe
    2010-09-03 14:12 . 2010-09-03 14:12 3038 ----a-w- c:\temp\fix_svchost.bat
    2010-09-03 14:12 . 2010-09-03 14:12 6216032 ----a-w- c:\temp\windowsupdateagent30-x86.exe
    2010-09-02 11:41 . 2010-09-02 11:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Opera
    2010-09-02 11:37 . 2010-09-02 11:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\ActiveSMART
    2010-09-01 12:26 . 2010-09-01 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-08-28 18:18 . 2010-08-28 18:18 -------- d-----w- C:\FOUND.000

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-30 10:41 . 2010-08-30 10:41 16 ----a-w- c:\documents and settings\NetworkService\Application Data\hngmfc.dat
    2010-06-30 12:31 . 1979-12-31 21:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 1979-12-31 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 1979-12-31 21:00 1851904 ------w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 1979-12-31 21:00 354304 ------w- c:\windows\system32\drivers\srv.sys
    2009-08-14 10:33 . 2009-08-14 10:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-12 20:05 . 2009-09-12 20:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-12 20:06 . 2009-09-12 20:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-09-12 20:06 . 2009-09-12 20:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-12 20:07 . 2009-09-12 20:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-12 20:06 . 2009-09-12 20:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-12 20:06 . 2009-09-12 20:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-12 20:06 . 2009-09-12 20:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-12 20:06 . 2009-09-12 20:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2009-09-12 20:06 . 2009-09-12 20:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    .

    ------- Sigcheck -------

    [-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    [-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
    [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    [-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    [-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll
    [-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
    [-] 2009-02-09 . 01095FEBF33BEEA00C2A0730B9B3EC28 . 399360 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
    [-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\rpcss.dll
    [7] 2008-04-13 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
    [-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
    [-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll

    [-] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
    [-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
    [7] 2008-04-13 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe

    [-] 2008-07-07 19:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll
    [-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
    [-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
    [-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
    [-] 2008-07-07 19:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
    [-] 2008-07-07 19:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
    [7] 2008-04-13 23:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
    [-] 2005-07-26 03:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll

    [-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
    [-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
    [7] 2008-04-13 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll
    [-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
    [-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
    [-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
    [-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\mswsock.dll
    [-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
    [7] 2008-04-13 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll

    [-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\MsPMSNSv.dll
    [-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\dllcache\mspmsnsv.dll
    [-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
    [7] 2004-08-04 02:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mobile Partner"="d:\program files\Mobile Partner\Mobile Partner.exe" [2008-01-29 110592]
    "SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
    "ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-15 2893824]
    "COMODO Firewall Pro"="d:\program files\Palomuuri\Comodo\Firewall\cfp.exe" [2010-04-15 1655552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-09-04 09:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 01:08 35696 ----a-w- d:\program files\Adobe\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
    2009-09-12 20:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epm-dm]
    2005-06-01 11:17 192512 ----a-w- c:\acer\ePM\epm-dm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    2005-06-29 14:26 352256 ----a-w- c:\program files\acer\eRecovery\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
    2009-07-09 09:34 199264 ----a-w- c:\program files\F-Secure Internet Security\Common\FSM32.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
    2009-07-09 09:32 2349664 ----a-w- c:\program files\F-Secure Internet Security\FSGUI\tnbutil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2005-01-23 07:31 126976 ------w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2005-01-23 07:36 155648 ------w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 02:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
    2005-07-25 10:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
    2005-06-06 08:52 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
    2005-07-25 07:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
    2005-05-31 11:45 356352 ----a-w- c:\program files\F-Secure Internet Security\FSGUI\ispnews.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
    2002-08-30 12:02 94208 ----a-w- c:\program files\Launch Manager\Powerkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2007-04-16 12:28 577536 ----a-w- c:\windows\soundman.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 01:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2005-02-04 08:11 708698 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2005-02-04 08:12 102490 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
    2005-07-25 10:34 81920 ----a-w- c:\program files\Launch Manager\WButton.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "d:\\Program Files\\Opera\\opera.exe"=
    "d:\\Program Files\\BitTorrent\\bittorrent.exe"=

    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-04-15 87056]
    S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-04-15 24208]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.fi/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
    Trusted Zone: microsoft.com\www.update
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\k8adl0js.default\
    FF - component: c:\program files\F-Secure Internet Security\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: d:\program files\Adobe\Reader\browser\nppdf32.dll
    FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
    FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
    FF - plugin: d:\program files\Picasa3\npPicasa3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-avgnt - d:\program files\Avira\AntiVir Desktop\avgnt.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-16 23:35
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3845734143-1002380211-3227636783-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:77,3d,25,f7,65,81,ed,6d,17,1b,13,58,01,7e,b0,9a,38,5a,c5,21,64,f5,71,
    be,03,7d,f8,f4,10,20,ed,21,b5,d0,5c,70,e1,e5,65,03,e3,76,0f,d4,a3,31,4a,08,\
    "??"=hex:50,7c,a2,1e,10,75,48,ba,d8,91,db,8e,f1,c0,17,b8
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(628)
    c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL

    - - - - - - - > 'explorer.exe'(3748)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\locator.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-16 23:41:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-16 20:41
    ComboFix2.txt 2010-09-14 10:06

    Pre-Run: 1 597 210 624 bytes free
    Post-Run: 1 917 353 984 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

    - - End Of File - - 50CE9099760BEEF9EC98E60B3516E694
     
    Last edited: 17.09.2010
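The Sigcheck block in the log above lists, for each protected system file, the MD5 and size of the live copy in system32\ beside the copies in dllcache\, ServicePackFiles\ and the hotfix backup folders. The check a reader of such a log wants is whether the live file and its dllcache twin still agree. The script below is an added example, not ComboFix's code and not something posted in the thread: it parses those lines and reports MATCH, MISMATCH or NO-PAIR per file. The sample input reuses lines from the log above; the two example_patched.dll lines are constructed with made-up hashes so that the mismatch branch is exercised.

```python
r"""Consistency check over the '------- Sigcheck -------' block of a ComboFix log.

Added example, not ComboFix's own code and not posted in the thread. Each
Sigcheck line reads '[flag] date [time] . MD5 . size . . [version] . . path'.
On Windows XP the protected copy of a system file sits in system32\dllcache\,
so a live file in system32\ (or system32\drivers\) whose MD5 differs from its
dllcache twin was altered after the last update that refreshed both copies.
"""
import re
from collections import defaultdict

SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; anything else in the text is ignored."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()   # Windows paths compare case-insensitively
        entries.append(e)
    return entries


def _role(path):
    """Live system file, its dllcache copy, or one of the backup folders."""
    if "\\system32\\dllcache\\" in path:
        return "dllcache"
    if "\\system32\\drivers\\" in path or re.search(r"\\system32\\[^\\]+$", path):
        return "live"
    return "other"   # $hf_mig$, $NtServicePackUninstall$, ServicePackFiles, ...


def compare_live_vs_dllcache(entries):
    """Map file name -> 'MATCH' | 'MISMATCH' | 'NO-PAIR' (one copy absent from the log)."""
    by_name = defaultdict(dict)
    for e in entries:
        role = _role(e["path"])
        if role != "other":
            by_name[e["path"].rsplit("\\", 1)[-1]][role] = e
    verdicts = {}
    for name, copies in sorted(by_name.items()):
        live, cache = copies.get("live"), copies.get("dllcache")
        if live is None or cache is None:
            verdicts[name] = "NO-PAIR"
        elif (live["md5"], live["size"]) == (cache["md5"], cache["size"]):
            verdicts[name] = "MATCH"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


# Lines copied from the Sigcheck block above, plus two CONSTRUCTED lines
# (example_patched.dll, made-up hashes) to show what a mismatch looks like.
SAMPLE = r"""
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 19:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\MsPMSNSv.dll
[-] 2005-01-28 10:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2010-01-01 . 00112233445566778899AABBCCDDEEFF . 1000 . . [0.0.0.0] . . c:\windows\system32\example_patched.dll
[-] 2010-01-01 . FFEEDDCCBBAA99887766554433221100 . 1000 . . [0.0.0.0] . . c:\windows\system32\dllcache\example_patched.dll
"""

if __name__ == "__main__":
    for name, verdict in compare_live_vs_dllcache(parse_sigcheck(SAMPLE)).items():
        print(f"{verdict:8} {name}")
```

Run over the full Sigcheck block above, every live/dllcache pair in this log comes out MATCH (tcpip.sys, rpcss.dll, services.exe, es.dll, kernel32.dll, mswsock.dll, MsPMSNSv.dll): whatever ComboFix's "[-]" mark says about a line, the live file and its protected copy agree with each other here. A MISMATCH is the line worth chasing, since that is what a patched system binary looks like.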
  20. kalminen

    kalminen Regular member

    Joined:
    04.05.2007
    Messages:
    3,915
    Thanks:
    0
    Points:
    46
    You're right!!!
    That drag-and-drop instruction didn't include this =>

    * Close/disable all antivirus and anti-malware removal programs so that they don't interfere with the ComboFix run.

    -------------------------------------------------

    Now those nasties didn't show up in the log!!!

    -----------------------------------------------------

    Let's hope for the best:

    Download GMER and save it to your desktop:
    * Extract it to the desktop and double-click the file GMER.exe
    * Click the Rootkit tab and then click Scan.
    * Do not tick the "Show All" box during the scan!
    * When the scan is finished, click Copy.
    * This copies the log to the clipboard (you can save the log to a text file just in case).
    * Then paste the log into your thread.
    * Plus a new HJT log.
    :)
     
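The GMER log that Axu83 posts in reply (next post) lists hooks of three kinds: SSDT entries, inline JMP patches in kernel code, and inline JMP patches inside user-mode processes. Most lines carry the owning module and GMER's own description of it (cmdguard.sys and guard32.dll described as COMODO, fsdfw.sys as F-Secure); ten SSDT entries carry only a handler address and no module. The script below is an added example, not GMER's code and not something posted in the thread: it parses those lines, counts hooks per owning module, and clusters the unattributed handler addresses so that the reader can tell one unnamed driver from several. The sample input is a subset of lines from that GMER log.

```python
"""Triage of a GMER rootkit-scan log: which module owns each hook?

Added example, not part of GMER and not posted in the thread. It parses the
'SSDT', 'Kernel code sections' and 'User code sections' blocks, counts hooks
per owning module together with GMER's description of that module, and
collects the SSDT hooks GMER could not attribute for clustering by address.
"""
import re
from collections import Counter

# 'SSDT <module path> (<description>) <ZwFunc> [0x<handler>]'
SSDT_ATTR = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# 'SSDT <handler> <ZwFunc>': GMER found no loaded module covering the handler address
SSDT_RAW = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")
# '<section> <image!func | process[pid] dll!func> <addr> <n> Bytes JMP <target> <module> [(<description>)]'
INLINE_JMP = re.compile(
    r"^(?P<section>\S+)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?$")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_gmer(text):
    report = {
        "ssdt_by_module": Counter(),    # module -> SSDT entries it owns
        "inline_by_module": Counter(),  # module -> inline JMP patches it owns
        "module_desc": {},              # module -> description GMER printed for it
        "unattributed_ssdt": [],        # (ZwFunc, handler address) with no owner
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_ATTR.match(line)
        if m:
            mod = _basename(m["module"])
            report["ssdt_by_module"][mod] += 1
            report["module_desc"][mod] = m["desc"]
            continue
        m = SSDT_RAW.match(line)
        if m:
            report["unattributed_ssdt"].append((m["func"], int(m["addr"], 16)))
            continue
        m = INLINE_JMP.match(line)
        if m:   # headers and split-JMP continuations ('+ 3 ... 2 Bytes [..]') fall through unmatched
            mod = _basename(m["module"])
            report["inline_by_module"][mod] += 1
            if m["desc"]:
                report["module_desc"][mod] = m["desc"]
    return report


def cluster_addresses(addresses, max_gap=0x1000):
    """Group addresses into runs whose neighbours lie at most max_gap apart.
    Returns [(lowest, highest, count), ...]: many handlers packed into a few
    dozen bytes are stubs of one driver, not several independent hooks."""
    clusters = []
    for addr in sorted(addresses):
        if clusters and addr - clusters[-1][1] <= max_gap:
            lo, _, n = clusters[-1]
            clusters[-1] = (lo, addr, n + 1)
        else:
            clusters.append((addr, addr, 1))
    return clusters


# Subset of lines copied from the GMER log posted in the thread.
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xA6EE0C8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xA6EE08A0]
SSDT BA7AD29E ZwCreateKey
SSDT BA7AD294 ZwCreateThread
SSDT BA7AD2A3 ZwDeleteKey
SSDT BA7AD2AD ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xA6EE1D24]
SSDT BA7AD2B2 ZwLoadKey
SSDT BA7AD280 ZwOpenProcess
SSDT BA7AD285 ZwOpenThread
SSDT BA7AD2BC ZwReplaceKey
SSDT BA7AD2B7 ZwRestoreKey
SSDT BA7AD2A8 ZwSetValueKey
PAGE ntkrnlpa.exe!IoCreateDevice 8056AB48 5 Bytes JMP B9E02FFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend B9E22986 5 Bytes JMP B9E0458C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[552] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[552] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00452480 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
"""

if __name__ == "__main__":
    rep = triage_gmer(SAMPLE_GMER)
    for kind in ("ssdt_by_module", "inline_by_module"):
        for mod, n in rep[kind].items():
            print(f"{kind:17} {n:3d} -> {mod}  [{rep['module_desc'].get(mod, 'no description')}]")
    for lo, hi, n in cluster_addresses(a for _, a in rep["unattributed_ssdt"]):
        print(f"unattributed SSDT: {n} handlers within 0x{lo:08X}-0x{hi:08X}; "
              "map that range to a loaded driver before calling it a rootkit")
```

On this log the ten unattributed handlers fall within 0x3C bytes of one another (0xBA7AD280 to 0xBA7AD2BC), the footprint of one small stub table in a single driver that GMER did not name, not ten independent hooks. The next step is to match that range against the loaded-driver list rather than to treat it as a rootkit on its own; the attributed hooks all resolve to the firewall and antivirus drivers named in the log.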
  21. Axu83

    Axu83 Member

    Joined:
    19.11.2003
    Messages:
    30
    Thanks:
    0
    Points:
    16
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-17 13:57:33
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\awrcqkog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xA6EE0C8C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xA6EE03C4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xA6EE08A0]
    SSDT BA7AD29E ZwCreateKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xA6EE0080]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xA6EE2084]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xA6EE0E72]
    SSDT BA7AD294 ZwCreateThread
    SSDT BA7AD2A3 ZwDeleteKey
    SSDT BA7AD2AD ZwDeleteValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xA6EDFB02]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xA6EE1D24]
    SSDT BA7AD2B2 ZwLoadKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xA6EE0AB0]
    SSDT BA7AD280 ZwOpenProcess
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xA6EE0744]
    SSDT BA7AD285 ZwOpenThread
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xA6EE17F2]
    SSDT BA7AD2BC ZwReplaceKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xA6EE0196]
    SSDT BA7AD2B7 ZwRestoreKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xA6EE1AE6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xA6EE1EC4]
    SSDT BA7AD2A8 ZwSetValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xA6EE05D2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xA6EE0638]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateProcess [0xA6EDFF4A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xA6EDFE18]

    Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!IoCreateDevice 8056AB48 5 Bytes JMP B9E02FFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENPNP NDIS.SYS!NdisRegisterProtocol B9E1217F 5 Bytes JMP B9E02E0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENPNP NDIS.SYS!NdisOpenAdapter B9E12399 5 Bytes JMP B9E03394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENPNP NDIS.SYS!NdisCloseAdapter B9E1C642 5 Bytes JMP B9E02F18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENPNP NDIS.SYS!NdisDeregisterProtocol B9E1C821 5 Bytes JMP B9E031B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDSP NDIS.SYS!NdisReturnPackets B9E1F810 5 Bytes JMP B9E03C0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDSP NDIS.SYS!NdisRequest B9E1F97B 5 Bytes JMP B9E035AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDSP NDIS.SYS!NdisSend B9E22986 5 Bytes JMP B9E0458C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDSP NDIS.SYS!NdisSendPackets B9E229A3 5 Bytes JMP B9E0465E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDSP NDIS.SYS!NdisTransferData B9E229BE 5 Bytes JMP B9E03D0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDCO NDIS.SYS!NdisCoCreateVc B9E29186 5 Bytes JMP B9E02E76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDCO NDIS.SYS!NdisCoDeleteVc B9E2A557 5 Bytes JMP B9E02EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
    PAGENDCO NDIS.SYS!NdisCoSendPackets B9E2AAF1 5 Bytes JMP B9E04376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\locator.exe[236] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\locator.exe[236] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\locator.exe[236] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[252] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00452480 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 004524E0 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00452370 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 004522C0 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00452440 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00452300 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 004523B0 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00452330 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004523F0 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text D:\Program Files\Mobile Partner\Mobile Partner.exe[260] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00452280 D:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\WINDOWS\system32\wdfmgr.exe[364] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\wdfmgr.exe[364] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\wdfmgr.exe[364] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[416] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\winlogon.exe[552] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[552] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\services.exe[596] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[596] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\lsass.exe[608] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[608] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[764] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[860] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[1012] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1012] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\System32\svchost.exe[1048] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[1048] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[1260] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1260] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[1284] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1284] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\Explorer.EXE[1296] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[1296] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\spoolsv.exe[1364] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1364] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1400] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[1448] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1448] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00675060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00674F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00674960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00674AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00671860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00671230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 006713C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [75, 88] {JNZ 0xffffffffffffff8a}
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00674C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 006716D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe[1568] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00671550 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe[1648] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\System32\svchost.exe[2044] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2044] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\System32\svchost.exe[2100] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\svchost.exe[2100] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\dllhost.exe[2264] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\dllhost.exe[2264] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\System32\alg.exe[2364] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\System32\alg.exe[2364] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Admin\Desktop\gmer.exe[2764] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B9E38710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9E38770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E38990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B9E38950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B9E38950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9E38770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B9E38710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E38990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E38990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B9E38950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B9E38770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B9E38710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B9E38950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B9E38990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B9E38710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9E38770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B9E38710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9E38770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B9E38950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E38990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B9E38950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9E38770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B9E38710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

    Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

    Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

    Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4C 0xC1 0x00 0x92 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0xA3 0xFC 0x3E ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4D 0x3A 0xAB 0x5D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x96 0x47 0xC5 0x35 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4C 0xC1 0x00 0x92 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0xA3 0xFC 0x3E ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4D 0x3A 0xAB 0x5D ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x96 0x47 0xC5 0x35 ...

    ---- EOF - GMER 1.0.15 ----

    END


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:58:40, on 17.9.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe
    D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Program Files\Mobile Partner\Mobile Partner.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Palomuuri\Comodo\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-3845734143-1002380211-3227636783-1005\..\Run: [Mobile Partner] "D:\Program Files\Mobile Partner\Mobile Partner.exe" (User '?')
    O4 - HKUS\S-1-5-21-3845734143-1002380211-3227636783-1005\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1257426773234
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
    O17 - HKLM\System\CS1\Services\Tcpip\..\{117DD082-98E2-4B81-806F-972E32D209DC}: NameServer = 62.241.198.245 62.241.198.246
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Palomuuri\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    --
    End of file - 6193 bytes

    Good if it's clean!
     
