
TaskManager.Hijack won't go away. HJT log

Thread in the Viruses and malware - HijackThis logs section. Started by Jead, 03.12.2008.

  1. Hujo

    Hujo Guest

    Create an uninstall list:
    • Open HijackThis
    • Click the "Configure" option at the bottom right
    • Click "Misc Tools"
    • Click the box that says "Uninstall Manager"
    • Click the "Save list" option
    • Copy and paste that list from Notepad into your thread
     
  3. Jead

    Jead Member

    Joined: 03.12.2008
    Posts: 28
    Thanks: 0
    Points: 11
    Ad-Aware
    Adobe Download Manager 2.2 (Poista ainoastaan)
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop 7.0
    Adobe Reader 7.0.8 - Suomi
    Aim For The Top! Gunbuster Screensaver
    AOL Instant Messenger
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    AVG 8.0
    Beyond Divinity V1.0
    BitComet 0.90
    Canon MP150
    CCleaner (remove only)
    Combined Community Codec Pack 2008-09-21 16:18
    Corel Painter IX
    Diablo II
    DivX Content Uploader
    DivX Web Player
    EasyCleaner
    EPSON-tulostinohjelma
    ESPR265_270 Käyttöopas
    Fallout
    Fish Passion v.2.0
    Grand Theft Auto
    Haali Media Splitter
    HijackThis 2.0.2
    HolicUSA
    Ink
    iTunes
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    JTablet
    Lame ACM MP3 Codec
    LG Media Center
    Logitech MouseWare 9.80
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Matroska Pack
    Matroska Pack - Lazy Man's MKV 0.9.9
    Microsoft .NET Framework 2.0
    Microsoft Visual C++ 2005 Redistributable
    mIRC
    Mozilla Firefox (0.8.)
    MPlugin
    Nokia Connectivity Cable Driver
    OpenOffice.org 2.3
    Outcast
    Panda ActiveScan 2.0
    Pen Tablet
    procreate(TM) Painter Classic(TM)
    Project64 1.6
    Päivitys Windows XP:lle (KB898461)
    Päivitys Windows XP:lle (KB910437)
    QuickTime
    RagnarokOnline Patch
    Shadow Warrior v1.2
    Star Wars®: Knights of the Old Republic (TM)
    Starcraft
    Station Launcher
    Suojauspäivitys Windows Media Player 8:lle (KB911565)
    Suojauspäivitys Windows Media Player 8:lle (KB917734)
    Suojauspäivitys Windows Media Playerille (KB911564)
    Suojauspäivitys Windows XP:lle (KB890046)
    Suojauspäivitys Windows XP:lle (KB893756)
    Suojauspäivitys Windows XP:lle (KB896358)
    Suojauspäivitys Windows XP:lle (KB896422)
    Suojauspäivitys Windows XP:lle (KB896423)
    Suojauspäivitys Windows XP:lle (KB896424)
    Suojauspäivitys Windows XP:lle (KB896428)
    Suojauspäivitys Windows XP:lle (KB899587)
    Suojauspäivitys Windows XP:lle (KB899589)
    Suojauspäivitys Windows XP:lle (KB899591)
    Suojauspäivitys Windows XP:lle (KB900725)
    Suojauspäivitys Windows XP:lle (KB901017)
    Suojauspäivitys Windows XP:lle (KB901214)
    Suojauspäivitys Windows XP:lle (KB902400)
    Suojauspäivitys Windows XP:lle (KB904706)
    Suojauspäivitys Windows XP:lle (KB905414)
    Suojauspäivitys Windows XP:lle (KB905749)
    Suojauspäivitys Windows XP:lle (KB908519)
    Suojauspäivitys Windows XP:lle (KB908531)
    Suojauspäivitys Windows XP:lle (KB911280)
    Suojauspäivitys Windows XP:lle (KB911562)
    Suojauspäivitys Windows XP:lle (KB911927)
    Suojauspäivitys Windows XP:lle (KB912919)
    Suojauspäivitys Windows XP:lle (KB913433)
    Suojauspäivitys Windows XP:lle (KB913446)
    Suojauspäivitys Windows XP:lle (KB913580)
    Suojauspäivitys Windows XP:lle (KB914388)
    Suojauspäivitys Windows XP:lle (KB914389)
    Suojauspäivitys Windows XP:lle (KB917159)
    Suojauspäivitys Windows XP:lle (KB917344)
    Suojauspäivitys Windows XP:lle (KB917953)
    Ventrilo Client
    VeohTV BETA
    Viewpoint Media Player
    Winamp
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
    Xfire (remove only)
    Xvid 1.1.3 final uninstall
     
  4. Hujo

    Hujo Guest

    Remove these via Add or Remove Programs:

    Panda ActiveScan 2.0
    Java(TM) 6 Update 7


    Check whether these folders exist and delete them:

    c:\program files\F-Secure
    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    =============

    Type into the Run box:

    Combofix /u

    press OK

    ============

    Empty the Malwarebytes' Anti-Malware quarantine and the Recycle Bin

    ===========

    Download OTMoveIt and save it to your desktop.

    Double-click OTMoveIt.exe.
    Click CleanUp!.
    Choose Yes when asked "Begin cleanup Process?".
    If asked whether the computer may be restarted, choose Yes. OTMoveIt removes itself when it is finished; if it does not, remove it yourself.

    NOTE: If your firewall or another security program warns that OTMoveIt is trying to access the internet, allow it.

    ===========

    Get a newer version of Firefox onto the machine

    http://www.mozilla.fi/
     
    Last edited by a moderator: 05.12.2008
  5. Jead

    Jead Member

    All of the above done. Combofix is gone and MoveIt removed itself. No effect, though. This is slowly starting to look hopeless. But if you somehow manage to solve this, I'll send you beer money via PayPal or something :D

    Log from after the last step

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:22:33, on 5.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    E:\Program Files\adaware\aawservice.exe
    C:\WINDOWS\system32\drivers\SYSMON.EXE
    E:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\Logi_MwX.Exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    E:\Program Files\javaa\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\drivers\explore.exe
    E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    E:\Program Files\javaa\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\explore.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [explore.exe] C:\WINDOWS\system32\drivers\explore.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
    O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

    --
    End of file - 6284 bytes
     
  6. Hujo

    Hujo Guest

  7. Jead

    Jead Member

    There is a scan log too, but it is insanely long, so for now I'll just post this. I can upload it somewhere if it is of any help.

    File C:\WINDOWS\system32\drivers\explore.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\All Users\Tiedostot\pamela\_aleste.exe infected by "Worm.Python.Lesta.a" Virus. Action Taken: File Deleted.
    File C:\f8h3l5y5t8l1.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002296.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
    File C:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002297.exe infected by "Worm.Python.Lesta.a" Virus. Action Taken: File Deleted.
    File C:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002298.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
    File C:\vncviewer.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.j. No Action Taken.
    File E:\PELIT\dosbox\c\nEGGEI\pno0001.exe infected by "Trojan.Win32.Pakes.yf" Virus. Action Taken: File Deleted.
    File E:\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File E:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002299.exe infected by "Trojan.Win32.Pakes.yf" Virus. Action Taken: File Deleted.
     
  8. Hujo

    Hujo Guest

    Post the whole insanely long list in full :D
     
  9. Jead

    Jead Member

  10. Hujo

    Hujo Guest

    4 of them were deleted
    then 4 were renamed
    a couple had nothing done to them
    SmitfraudFix: nothing was done to this one, and nothing needs to be

    ===============

    1. Click Start > right-click My Computer
    2. Choose Properties
    3. Choose the System Restore tab
    4. Tick the box ¤ Turn off System Restore on all drives
    5. Click Apply
    6. Click OK
    7. Shut down and restart
    8. Untick the box ¤ Turn off System Restore on all drives
    9. Apply and OK

    ==============

    Scan a new HJT log

     
  11. Jead

    Jead Member

    I installed ZoneAlarm on the machine, since the Windows firewall does not work and I still have to put that machine online whenever those programs need updating.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:50:52, on 6.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.exe
    E:\Program Files\adaware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    E:\Program Files\javaa\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    E:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\Logi_MwX.Exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    E:\Program Files\javaa\bin\jusched.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\drivers\SYSMON.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    E:\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SYSMON.EXE
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
    O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6460 bytes
     
    Last edited: 06.12.2008
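As an added, defender-side example (not code from HijackThis, ComboFix or any poster in this thread), the Python below parses HJT log lines and flags the three indicators that stand out in the two logs above: the F2 Shell= value that launches a second program alongside Explorer.exe, O4 autostarts and running processes whose .exe sits in system32\drivers, and the O7 policy that disables the Registry Editor. Comparing the 5.12 and 6.12 logs also shows the Shell= hook moving from explore.exe to SYSMON.EXE after explore.exe was renamed; the sample lines are copied from those two logs.

```python
"""Flag the persistence indicators visible in the HijackThis (HJT) logs in this thread.

Added example; not part of HijackThis, ComboFix or any post here. Heuristics:
  * F2 - REG:system.ini Shell= that starts anything besides Explorer.exe
  * O4 - Run entries (and running processes) whose .exe lives under
         system32\\drivers, a folder meant for .sys drivers, not programs
  * O7 - a policy entry that disables the Registry Editor
"""
import re
from dataclasses import dataclass

# Constructed samples: the relevant lines copied from the logs of 5.12 and 6.12.2008.
LOG_5_DEC = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drivers\SYSMON.EXE
C:\WINDOWS\system32\drivers\explore.exe

F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\explore.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [explore.exe] C:\WINDOWS\system32\drivers\explore.exe
O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

LOG_6_DEC = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drivers\SYSMON.EXE

F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SYSMON.EXE
O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# A .exe under system32\drivers; HJT prints Windows paths with backslashes.
DRIVERS_EXE = re.compile(r'\\system32\\drivers\\[^\\\s"]+\.exe\b', re.IGNORECASE)
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_REGEDIT = re.compile(r"^O7 - .*\bDisableRegedit=1\b")


@dataclass(frozen=True)
class Finding:
    section: str  # "F2", "O4", "O7" or "process"
    reason: str
    line: str


def shell_extras(log_text: str) -> list[str]:
    """Every program the Shell= value starts in addition to Explorer.exe."""
    extras = []
    for line in log_text.splitlines():
        m = F2_SHELL.match(line.strip())
        if m:
            extras += [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
    return extras


def running_processes(log_text: str) -> list[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def analyze(log_text: str) -> list[Finding]:
    """Run all heuristics over one HJT log and return the suspicious entries."""
    findings = []
    for proc in running_processes(log_text):
        if DRIVERS_EXE.search(proc):
            findings.append(Finding("process", "program running from the drivers folder", proc))
    for raw in log_text.splitlines():
        line = raw.strip()
        if F2_SHELL.match(line):
            for extra in shell_extras(line):
                findings.append(Finding("F2", "Shell= starts an extra program: " + extra, line))
        elif (m := O4_LINE.match(line)) and DRIVERS_EXE.search(m.group("cmd")):
            findings.append(Finding("O4", "autostart from the drivers folder: " + m.group("name"), line))
        elif O7_REGEDIT.match(line):
            findings.append(Finding("O7", "Registry Editor disabled by policy", line))
    return findings


def persistence_moved(before: str, after: str) -> tuple[set[str], set[str]]:
    """Shell= extras that disappeared and that appeared between two logs of one machine."""
    b, a = set(shell_extras(before)), set(shell_extras(after))
    return b - a, a - b


if __name__ == "__main__":
    for f in analyze(LOG_5_DEC):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    gone, new = persistence_moved(LOG_5_DEC, LOG_6_DEC)
    # explore.exe was renamed by the scanner; the Shell= hook simply moved to SYSMON.EXE
    print("Shell= hijack removed:", sorted(gone), "added:", sorted(new))
```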
  12. Hujo

    Hujo Guest

    Get that back onto the machine and scan a log with it

    1. Download Combofix.exe to your desktop from one of these links:
    Combofix1
    Combofix2

    2. Double-click the Combofix.exe file and follow the instructions.
    3. When the tool is finished, it produces a log. Post this log in your thread.
    Note! Do not click around in the ComboFix window while it is running. This may cause the program to hang.


     
  13. Jead

    Jead Member

    It stops halfway through. It is deleting folders:
    H

    Kohdetta %Windr%/system32/drivers/SYSMON.exe ei löydy.

    Catchme.cfexe
    Asema A ei ole valmiina, Aseman luukku voi olla avoinna. Tarkista asema a ja varmista että levyke on asemassa ja että aseman luukku on suljettuna.

    |Peruuta||Yritä Uudelleen||Jatka->| whichever of those you pick, it takes 5 seconds and the error hits again. Now I'm a bit stuck on what to do, since I don't even have an A: drive

    //EDIT apparently the problem appears when the USB stick I use to carry those files between this machine and the infected one is plugged in. I removed it and ComboFix worked.
     
    Last edited: 06.12.2008
  14. Jead

    Jead Member

    ComboFix 08-12-05.06 - Jarezed 2008-12-06 20:30:43.9 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.422 [GMT 2:00]
    Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Microsoft\backup.ftp
    .
    ---- Previous Run -------
    .
    c:\windows\system32\Microsoft\backup.ftp
    H:\autorun.inf
    h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213
    h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Desktop.ini
    h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Rege.exe
    h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Regme.exe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-06 to 2008-12-06 )))))))))))))))))
    .

    2008-12-06 17:26 . 2008-12-06 20:41 210,976 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-06 17:26 . 2008-12-06 20:37 4,376 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2008-12-06 17:16 . 2008-12-06 20:40 353,247 --a------ c:\windows\system32\vsconfig.xml
    2008-12-06 17:14 . 2008-12-06 20:41 <KANSIO> d-------- c:\windows\Internet Logs
    2008-12-06 15:49 . 2008-12-06 15:49 0 --a------ C:\23990098.$$$
    2008-12-06 12:37 . 2008-12-06 12:37 0 --a------ C:\v5t6q1h2q2.exe
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
    2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
    2008-12-05 23:18 . 2008-12-05 23:17 171,520 -r-hs---- c:\windows\system32\drivers\SYSMON.EXE
    2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-04 12:27 . 2008-12-01 00:14 171,520 --a------ c:\windows\system32\drivers\explore.exe.mwt
    2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
    2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
    2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
    2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
    2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
    2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
    2008-12-03 00:35 . 2008-12-03 01:22 171,520 --a------ C:\f8h3l5y5t8l1.exe.mwt
    2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
    2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
    2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
    2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
    2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-06 18:39 42,496 ----a-w c:\windows\system32\ftp.exe
    2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
    2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
    2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
    2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
    2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
    2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-24 08:12 56 --sh--r c:\windows\system32\241FD2F4A6.sys
    2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
    "EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
    "SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
    "SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [2008-12-05 171520]
    "ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

    c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
    Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
    R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
    FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
    FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-06 20:39:10
    Windows 5.1.2600 Service Pack 2 NTFS

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- Prosesseihin ladatut DLLt ---------------------

    - - - - - - - > 'winlogon.exe'(668)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Muut prosessit ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ZoneLabs\vsmon.exe
    e:\program files\adaware\aawservice.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    e:\program files\javaa\bin\jqs.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\wdfmgr.exe
    c:\progra~1\AVG\AVG8\avgam.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    .
    **************************************************************************
    .
    Valmistumisajankohta: 2008-12-06 20:43:48 - kone käynnistettiin uudelleen [Jarezed]
    ComboFix-quarantined-files.txt 2008-12-06 18:43:34

    Ennen ajoa: 1,466,040,320 tavua vapaana
    Ajon jälkeen: 1,466,023,936 tavua vapaana

  15. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote there:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as below.
    [image]

    Restart the computer when prompted and post the contents of the combofix.txt file here.
     
    Last edited by a moderator: 07.12.2008
  16. Jead

    Jead Member

    Unbelievable but true: the problem disappeared again. I am now praying that it does not come back.

    ComboFix 08-12-05.06 - Jarezed 2008-12-06 22:11:31.10 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.417 [GMT 2:00]
    Running from: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
    Command switches used :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\system32\241FD2F4A6.sys
    c:\windows\system32\drivers\SYSMON.EXE
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\23990098.$$$\
    c:\f8h3l5y5t8l1.exe.mwt\
    c:\v5t6q1h2q2.exe\
    c:\windows\system32\241FD2F4A6.sys
    c:\windows\system32\drivers\SYSMON.EXE
    c:\windows\system32\Microsoft\backup.ftp

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
    .

    2008-12-06 22:09 . 2008-12-06 22:09 <KANSIO> d-------- C:\32788R22FWJFW
    2008-12-06 17:26 . 2008-12-06 22:18 335,904 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-06 17:26 . 2008-12-06 20:46 5,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2008-12-06 17:16 . 2008-12-06 20:49 353,247 --a------ c:\windows\system32\vsconfig.xml
    2008-12-06 17:14 . 2008-12-06 20:52 <KANSIO> d-------- c:\windows\Internet Logs
    2008-12-06 15:49 . 2008-12-06 15:49 0 --a------ C:\23990098.$$$
    2008-12-06 12:37 . 2008-12-06 12:37 0 --a------ C:\v5t6q1h2q2.exe
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
    2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
    2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-04 12:27 . 2008-12-01 00:14 171,520 --a------ c:\windows\system32\drivers\explore.exe.mwt
    2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
    2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
    2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
    2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
    2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
    2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
    2008-12-03 00:35 . 2008-12-03 01:22 171,520 --a------ C:\f8h3l5y5t8l1.exe.mwt
    2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
    2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
    2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
    2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
    2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-06 18:48 42,496 ----a-w c:\windows\system32\ftp.exe
    2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
    2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
    2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
    2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
    2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
    2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-06 18:48:49 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-06 18:49:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
    "EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
    "SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
    "ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

    c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
    Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
    R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SYSMON.EXE - c:\windows\system32\drivers\SYSMON.EXE


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
    FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
    FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-06 22:17:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2008-12-06 22:20:47
    ComboFix-quarantined-files.txt 2008-12-06 20:20:40
    ComboFix2.txt 2008-12-06 18:44:06

    Pre-Run: 1 453 051 904 tavua vapaana
    Post-Run: 1,425,285,120 tavua vapaana

    Last edited: 06.12.2008
  17. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote box there:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as below.
    [image]

    Restart the computer when prompted and post the contents of the combofix.txt file here.
     
    Last edited by a moderator: 06.12.2008
  18. Jead

    Jead Member

    It did not ask me to restart :(

    ComboFix 08-12-05.06 - Jarezed 2008-12-06 22:55:17.11 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.393 [GMT 2:00]
    Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
    * Uusi palautuspiste luotu

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

    FILE ::
    C:\23990098.$$$
    C:\v5t6q1h2q2.exe
    c:\windows\system32\drivers\explore.exe.mwt
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\23990098.$$$
    C:\v5t6q1h2q2.exe
    c:\windows\system32\drivers\explore.exe.mwt

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-06 to 2008-12-06 )))))))))))))))))
    .

    2008-12-06 17:26 . 2008-12-06 23:01 407,584 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-06 17:26 . 2008-12-06 20:46 5,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2008-12-06 17:16 . 2008-12-06 20:49 353,247 --a------ c:\windows\system32\vsconfig.xml
    2008-12-06 17:14 . 2008-12-06 20:52 <KANSIO> d-------- c:\windows\Internet Logs
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
    2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
    2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
    2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
    2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
    2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
    2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
    2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
    2008-12-03 00:35 . 2008-12-03 01:22 171,520 --a------ C:\f8h3l5y5t8l1.exe.mwt
    2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
    2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
    2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
    2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
    2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-06 18:48 42,496 ----a-w c:\windows\system32\ftp.exe
    2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
    2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
    2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
    2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
    2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
    2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-06 18:48:49 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-06 18:49:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
    "EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
    "SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
    "ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

    c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
    Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
    R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
    FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
    FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-06 23:00:50
    Windows 5.1.2600 Service Pack 2 NTFS

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- Prosesseihin ladatut DLLt ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    .
    Valmistumisajankohta: 2008-12-06 23:03:44
    ComboFix-quarantined-files.txt 2008-12-06 21:03:37
    ComboFix2.txt 2008-12-06 20:20:56
    ComboFix3.txt 2008-12-06 18:44:06

    Ennen ajoa: 1 410 768 896 tavua vapaana
    Ajon jälkeen: 1,388,277,760 tavua vapaana

    192
     
  19. Hujo

    Hujo Guest

    Open Notepad and copy/paste the contents of the quote box into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [IMG]

    Restart the computer when prompted and post the contents of the combofix.txt file here.

    ============

    Shut down and start up again,
    then run a new HJT scan and post the fresh log.
     
  20. Jead

    Jead Member

    Joined:
    03.12.2008
    Messages:
    28
    Thanks:
    0
    Points:
    11
    ComboFix 08-12-05.06 - Jarezed 2008-12-06 23:20:59.12 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.378 [GMT 2:00]
    Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
    * Uusi palautuspiste luotu

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

    FILE ::
    C:\f8h3l5y5t8l1.exe.mwt
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\f8h3l5y5t8l1.exe.mwt
    c:\windows\system32\Microsoft\backup.ftp

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-06 to 2008-12-06 )))))))))))))))))
    .

    2008-12-06 23:17 . 2008-12-05 23:17 171,520 -r-hs---- c:\windows\system32\drivers\SYSMON.EXE
    2008-12-06 17:26 . 2008-12-06 23:27 477,216 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-06 17:26 . 2008-12-06 20:46 5,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2008-12-06 17:16 . 2008-12-06 20:49 353,247 --a------ c:\windows\system32\vsconfig.xml
    2008-12-06 17:14 . 2008-12-06 20:52 <KANSIO> d-------- c:\windows\Internet Logs
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
    2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
    2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
    2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
    2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
    2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
    2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
    2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
    2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
    2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
    2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
    2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
    2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
    2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
    2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
    2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
    2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-06 21:17 42,496 ----a-w c:\windows\system32\ftp.exe
    2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
    2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
    2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
    2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
    2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
    2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
    2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-06 18:48:49 18,409 ----a-w c:\windows\system32\tablet.dat
    + 2008-12-06 18:49:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
    "EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
    "SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
    "ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [2008-12-05 171520]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

    c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
    Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="Explorer.exe %windir%\\system32\\drivers\\SYSMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
    R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    .
    ------- Täydentävä tarkistus -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
    FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
    FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
    FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-06 23:26:17
    Windows 5.1.2600 Service Pack 2 NTFS

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- Prosesseihin ladatut DLLt ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    .
    Valmistumisajankohta: 2008-12-06 23:29:09
    ComboFix-quarantined-files.txt 2008-12-06 21:29:02
    ComboFix2.txt 2008-12-06 21:03:49
    ComboFix3.txt 2008-12-06 20:20:56
    ComboFix4.txt 2008-12-06 18:44:06

    Ennen ajoa: 1 374 420 992 tavua vapaana
    Ajon jälkeen: 1,360,867,328 tavua vapaana

    199

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:36:02, on 6.12.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    E:\Program Files\adaware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    E:\Program Files\javaa\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    E:\hijack\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\Logi_MwX.Exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    E:\Program Files\javaa\bin\jusched.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\system32\drivers\SYSMON.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6295 bytes
     
  21. Hujo

    Hujo Guest

    c:\windows\system32\drivers\SYSMON.EXE
    What program are you using when this gets created on the machine again?
    Is that USB stick clean? Have you checked it with an antivirus program?


    Open Notepad and copy/paste the contents of the quote into it:

    Save it as CFScript.txt

    Then drag CFScript onto ComboFix.exe as shown below.
    [IMG]

    Restart the computer when prompted and post the contents of the combofix.txt file here.

     
