
Trojans came and went - computer still messed up

Thread in the Viruses and malware - HijackThis logs section. Started by bonfire81 on 19.02.2009.

  1. bonfire81

    bonfire81 Member

    Joined:
    19.02.2009
    Posts:
    23
    Thanks:
    0
    Points:
    11
    Once again, ComboFix never asked me to press anything (1 and Enter) at any point, so I did not do so. Here is the log:

    ComboFix 09-02-18.01 - Järjestelmänvalvoja 2009-02-22 9:30:09.3 - NTFSx86
    Sijainti: c:\documents and settings\Järjestelmänvalvoja\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\documents and settings\Järjestelmänvalvoja\Työpöytä\CFScript.txt

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

    FILE ::
    c:\windows\jrcahkys.exe
    c:\windows\system32\36.tmp
    c:\windows\system32\7F.tmp
    c:\windows\system32\80.tmp
    c:\windows\system32\82.tmp
    c:\windows\system32\84.tmp
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\36.tmp
    c:\windows\system32\7F.tmp
    c:\windows\system32\80.tmp
    c:\windows\system32\82.tmp
    c:\windows\system32\84.tmp

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-01-22 to 2009-02-22 )))))))))))))))))
    .

    2009-02-21 14:53 . 2009-02-21 14:53 <KANSIO> d-------- C:\Downloads
    2009-02-21 14:53 . 2009-02-21 14:53 <KANSIO> d-------- C:\Bases
    2009-02-21 14:46 . 2009-02-21 14:47 <KANSIO> d-------- C:\Kaspersky
    2009-02-20 16:42 . 2009-02-22 09:32 262,176 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-02-20 16:42 . 2009-02-21 18:40 3,548 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-02-20 16:40 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2009-02-20 16:39 . 2009-02-20 16:40 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2009-02-20 16:39 . 2009-02-20 16:39 <KANSIO> d-------- c:\program files\Zone Labs
    2009-02-20 16:39 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2009-02-20 09:47 . 2009-02-20 09:47 579,072 --a--c--- c:\windows\system32\dllcache\user32.dll
    2009-02-20 08:51 . 2009-02-20 08:51 <KANSIO> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-20 08:51 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-20 08:51 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-19 10:40 . 2009-02-19 10:40 <KANSIO> d-------- c:\program files\Sygate
    2009-02-19 10:40 . 2009-02-19 10:40 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-02-18 18:20 . 2009-02-19 08:38 <KANSIO> d-------- c:\program files\SUPERAntiSpyware
    2009-02-18 18:20 . 2009-02-19 08:38 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\SUPERAntiSpyware.com
    2009-02-18 18:20 . 2009-02-18 18:20 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-18 16:04 . 2009-02-18 16:04 <KANSIO> d-------- C:\lexmark
    2009-02-17 20:50 . 2009-02-17 20:50 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2009-02-17 20:50 . 2009-02-20 16:41 353,361 --a------ c:\windows\system32\vsconfig.xml
    2009-02-17 20:50 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2009-02-17 20:50 . 2009-02-20 16:41 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2009-02-17 20:48 . 2009-02-21 11:38 <KANSIO> d-------- c:\windows\Internet Logs
    2009-02-17 19:38 . 2009-02-17 19:38 137,760 --a------ c:\windows\system32\drivers\ethdrmld.sys
    2009-02-17 19:28 . 2009-02-17 19:28 <KANSIO> d-------- C:\rsit
    2009-02-17 18:40 . 2009-02-17 18:40 <KANSIO> d-------- c:\program files\Alwil Software
    2009-02-17 18:40 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-02-17 18:40 . 2003-03-18 21:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
    2009-02-17 18:40 . 2003-02-21 05:42 348,160 --a------ c:\windows\system32\MSVCR71.dll
    2009-02-17 16:11 . 2009-02-17 16:11 <KANSIO> d-------- c:\program files\CCleaner
    2009-02-17 15:25 . 2009-02-17 15:25 <KANSIO> d-------- c:\windows\ERUNT
    2009-02-17 15:11 . 2009-02-17 15:11 <KANSIO> d-------- c:\program files\Trend Micro
    2009-02-17 13:52 . 2009-02-17 13:52 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Malwarebytes
    2009-02-17 13:52 . 2009-02-17 13:52 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-17 13:28 . 2009-02-20 17:59 67 --a------ c:\windows\wininit.ini
    2009-02-17 13:07 . 2009-02-17 13:07 128 --a------ c:\windows\adobe.bat
    2009-02-17 09:57 . 2009-02-17 09:57 <KANSIO> d-------- c:\program files\Common Files\Webroot Shared
    2009-02-17 09:39 . 2009-02-17 09:39 44 --a------ c:\windows\system32\Partizan.RRI
    2009-02-17 09:30 . 2009-02-17 09:30 <KANSIO> d-------- c:\windows\RestoreSafeDeleted
    2009-02-17 09:16 . 2009-02-17 09:16 <KANSIO> d-------- c:\program files\Greatis
    2009-02-17 09:16 . 2009-02-17 09:16 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Regrun
    2009-02-17 09:16 . 2009-02-17 09:34 <KANSIO> d-------- C:\backreg
    2009-02-17 09:16 . 2003-09-06 15:55 57,556 --a------ c:\windows\guard.bmp
    2009-02-16 20:13 . 2009-02-17 09:47 <KANSIO> d-------- c:\program files\Webroot
    2009-02-16 20:13 . 2009-02-17 09:47 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Webroot
    2009-02-16 20:12 . 2004-04-28 22:51 61,440 --a------ c:\windows\Unwash5.exe
    2009-02-16 19:36 . 2009-02-16 19:48 137,408 --a------ c:\windows\system32\drivers\ETHXFUYA.del
    2009-02-16 19:36 . 2009-02-17 13:04 67,072 ---h----- c:\windows\system32\secupdat.dat
    2009-02-16 19:36 . 2009-02-16 19:48 47,104 --a------ c:\windows\system32\READER_S.del
    2009-02-16 19:18 . 2009-02-16 19:18 <KANSIO> d-------- c:\program files\Lexmark_HostCD
    2009-02-16 19:18 . 2009-02-16 19:18 <KANSIO> d-------- c:\program files\Lexmark
    2009-02-16 19:18 . 2009-02-06 09:07 20,152 --a------ c:\windows\system32\LMabpmui.chm
    2009-02-16 19:18 . 2009-02-16 19:18 5,267 --a------ c:\windows\system32\LexFiles.ulf
    2009-02-16 19:18 . 2008-01-15 11:31 1,976 --a------ c:\windows\system32\LMab.loc
    2009-02-16 18:52 . 2009-02-16 18:52 <KANSIO> d-------- c:\windows\SHELLNEW(2)
    2009-02-16 18:38 . 2009-02-17 10:02 <KANSIO> d-------- C:\MSOCache(2)
    2009-02-16 18:38 . 2009-02-17 10:02 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-14 10:39 . 2009-02-14 10:39 <KANSIO> dr-h----- c:\documents and settings\Järjestelmänvalvoja\Application Data\SecuROM
    2009-02-14 10:39 . 2009-02-16 18:09 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Bioshock
    2009-02-14 10:38 . 2009-02-14 10:38 107,888 --a------ c:\windows\system32\CmdLineExt.dll
    2009-02-14 10:27 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\program files\ifolor
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ifolor
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\ifolor
    2009-02-13 19:28 . 2009-02-13 19:28 <KANSIO> d-------- c:\program files\URUSoft
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\MONOGRAM AMR SplitterDecoder
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\DScaler5
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\CD Audio Reader Filter
    2009-02-13 19:24 . 2009-02-18 18:46 <KANSIO> d-------- c:\program files\AC3Filter
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\SHOUTcast Source
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\RealMedia
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\OpenSource Flash Video Splitter
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\Haali
    2009-02-13 19:22 . 2009-02-13 19:22 <KANSIO> d-------- c:\program files\ffdshow
    2009-02-13 19:22 . 2009-02-13 19:22 <KANSIO> d-------- c:\program files\DSP-worx
    2009-02-13 19:22 . 2008-12-17 19:22 57,344 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-13 19:22 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-13 19:21 . 2009-02-13 19:21 <KANSIO> d-------- c:\program files\DirectVobSub
    2009-02-13 19:20 . 2009-02-13 19:21 <KANSIO> d-------- c:\program files\Zoom Player
    2009-02-13 19:20 . 2009-02-13 19:40 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Zoom Player
    2009-02-13 18:22 . 2009-02-13 18:22 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\program files\Common Files\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\program files\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
    2009-02-13 18:06 . 2009-02-18 16:42 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\skypePM
    2009-02-13 18:06 . 2009-02-13 18:06 56 --ah----- c:\windows\system32\ezsidmv.dat
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> dr------- c:\program files\Skype
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> d-------- c:\program files\Common Files\Skype
    2009-02-13 18:03 . 2009-02-18 18:35 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Skype
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-02-13 15:31 . 2009-02-13 15:31 <KANSIO> d-------- c:\program files\Common Files\Adobe
    2009-02-13 15:29 . 2009-02-13 21:00 <KANSIO> d-------- c:\program files\NOS
    2009-02-13 15:29 . 2009-02-13 21:01 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\NOS
    2009-02-12 19:20 . 2003-03-16 00:15 110,592 --a------ c:\windows\unvise32.exe
    2009-02-12 19:17 . 2009-02-18 17:04 <KANSIO> d-------- C:\Pelit
    2009-02-12 19:14 . 2009-02-12 19:14 <KANSIO> d-------- c:\program files\DAEMON Tools
    2009-02-12 19:12 . 2009-02-12 19:14 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
    2009-02-12 19:03 . 2009-02-12 19:03 664,064 --a------ c:\windows\system32\drivers\sptd.sys
    2009-02-12 19:03 . 2009-02-12 19:03 96,384 --a------ c:\windows\system32\drivers\SPTD4525.del
    2009-02-12 09:30 . 2009-02-18 18:31 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\BitTorrent
    2009-02-12 09:29 . 2009-02-12 10:17 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\DNA
    2009-02-11 19:07 . 2008-04-13 20:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2009-02-11 19:07 . 2008-04-13 20:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
    2009-02-11 12:48 . 2009-02-20 18:55 <KANSIO> d-------- C:\ati
    2009-02-11 12:21 . 2009-02-11 12:21 0 --a------ c:\windows\nsreg.dat
    2009-02-11 12:11 . 2009-02-11 12:11 33,408 --a------ c:\windows\system32\drivers\FSBTS.del
    2009-02-11 12:05 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-02-11 12:05 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-02-11 11:06 . 2009-02-11 11:06 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ATI
    2009-02-11 11:05 . 2009-02-11 11:05 <KANSIO> d-------- c:\program files\My Company Name
    2009-02-11 11:05 . 2009-02-11 11:05 0 --a------ c:\windows\ativpsrm.bin
    2009-02-11 11:01 . 2009-02-11 11:01 <KANSIO> d-------- c:\program files\Common Files\ATI Technologies
    2009-02-11 10:59 . 2008-07-02 21:38 89,600 --a------ c:\windows\system32\drivers\AtiHdmi.sys
    2009-02-11 10:59 . 2008-07-31 04:36 14,696 -ra------ c:\windows\atiogl.xml
    2009-02-11 10:33 . 2009-02-17 20:23 <KANSIO> d-------- c:\program files\F-Secure
    2009-02-11 10:33 . 2009-02-11 10:33 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\fssg
    2009-02-11 10:33 . 2009-02-17 20:21 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\F-Secure
    2009-02-11 10:32 . 2009-02-11 10:33 <KANSIO> d-------- C:\fsavcs8
    2009-02-11 10:30 . 2009-02-11 10:30 <KANSIO> d-------- c:\program files\MadOnion.com
    2009-02-11 10:27 . 2008-04-14 17:46 14,720 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-02-11 10:27 . 2008-04-14 17:46 14,720 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2009-02-02 10:50 . 2009-02-18 18:26 94,208 --a------ c:\windows\DUMP4c2c.tmp
    2009-02-02 10:50 . 2009-02-18 21:04 94,208 --a------ c:\windows\DUMP4b41.tmp
    2009-02-02 10:50 . 2009-02-18 18:37 94,208 --a------ c:\windows\DUMP496c.tmp

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-21 07:03 879,947 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2009-02-11 09:01 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-02 08:50 --------- d-----w c:\program files\microsoft frontpage
    2009-02-02 08:50 --------- d-----w c:\program files\Analog Devices
    2009-02-02 08:35 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-31 03:14 466,944 ----a-w c:\windows\system32\softcoin.dll
    2008-12-31 03:14 344,064 ----a-w c:\windows\system32\gencoin.dll
    2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll
    .

    ------- Sigcheck -------

    2004-09-14 15:12 31744 c0a39b3d710e9dd2bb6c369f980d82ac c:\windows\$NtServicePackUninstall$\svchost.exe
    2008-04-14 18:12 31232 05d083bc572ed94235ea20a7d29ff734 c:\windows\ServicePackFiles\i386\svchost.exe
    2008-04-14 18:12 31232 093dfa46932a8d4e8f0a123e0187ce6d c:\windows\system32\svchost.exe

    2008-04-14 18:12 1051136 46e58cae384a6eafe4e0b6b23f910154 c:\windows\explorer.exe
    2007-06-13 15:10 1051136 4fed6a21f1509f1ba9c54b91f093a0b9 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 15:22 1050624 eae86f1b134b9752b9a752d59244a8ea c:\windows\$NtServicePackUninstall$\explorer.exe
    2004-09-14 15:12 1050112 cd9d0e56f74a6da9b81f2c2854474876 c:\windows\$NtUninstallKB938828$\explorer.exe
    2008-04-14 18:12 1051648 e09b88ccb72d2f43dbb0644f49367b04 c:\windows\ServicePackFiles\i386\explorer.exe

    2004-09-14 15:12 32768 9b43e5f441500a95b2abfd69d7feedfa c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2008-04-14 18:12 32768 1e3b7d716f2f755739f6ae914fb8392a c:\windows\ServicePackFiles\i386\ctfmon.exe
    2008-04-14 18:12 32256 081a9a4f70c023758717c7575c523bad c:\windows\system32\ctfmon.exe

    2005-06-11 02:17 75264 beadaff85c162c82eda22ddb73d4073c c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-11 01:53 74752 c7f7e74ecaed0705d72e99b335874e12 c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2004-09-14 15:12 74752 90a3bc3e4f9361a6e8c12667c5aa0210 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2008-04-14 18:12 74752 5b430e0f5a8d1f673241b7b230634c9f c:\windows\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 18:12 74752 2d5a7e7d5c25fbdb2eda7fd67968695b c:\windows\system32\spoolsv.exe

    2004-09-14 15:12 41984 e79f1e6bd4d7cdb9fd706f4a0870c3b3 c:\windows\$NtServicePackUninstall$\userinit.exe
    2008-04-14 18:12 43520 d07173764c118dd46a05081edf8d35cf c:\windows\ServicePackFiles\i386\userinit.exe
    2008-04-14 18:12 43520 3a40a91ca77533380562681126148637 c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-02-20_ 9.33.19,03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-10-20 18:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    + 2005-10-20 18:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    - 2008-08-07 13:27:04 184,320 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
    + 2008-08-07 13:27:04 183,808 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
    - 2009-02-17 13:31:34 2,203,648 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
    + 2009-02-20 07:46:10 2,736,128 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
    - 2009-02-17 13:31:34 36,864 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2009-02-20 07:46:10 36,864 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    - 2000-08-31 06:00:00 179,200 ----a-w c:\windows\SWREG.exe
    + 2000-08-31 06:00:00 179,712 ----a-w c:\windows\SWREG.exe
    + 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe
    + 2009-02-05 21:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr
    - 2009-02-20 06:46:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-02-20 06:46:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
    + 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
    - 2009-02-20 06:46:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-05 21:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
    + 2009-02-05 21:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
    + 2009-02-05 21:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
    + 2009-02-05 21:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
    + 2009-02-05 21:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
    + 2009-02-05 21:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys
    + 2009-02-05 21:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys
    + 2007-07-19 13:10:28 127,768 ----a-w c:\windows\system32\drivers\klif.sys
    + 2007-09-06 14:13:58 796,048 ----a-w c:\windows\system32\libeay32_0.9.6l.dll
    + 2007-09-06 14:14:04 83,432 ----a-w c:\windows\system32\vsdata.dll
    + 2007-09-06 14:14:28 395,080 ----a-w c:\windows\system32\vsdatant.sys
    + 2007-09-06 14:14:04 157,160 ----a-w c:\windows\system32\vsinit.dll
    + 2007-09-06 14:14:04 103,912 ----a-w c:\windows\system32\vsmonapi.dll
    + 2007-09-06 14:14:04 275,944 ----a-w c:\windows\system32\vspubapi.dll
    + 2007-09-06 14:14:04 71,144 ----a-w c:\windows\system32\vsregexp.dll
    + 2007-09-06 14:14:06 472,552 ----a-w c:\windows\system32\vsutil.dll
    + 2007-09-06 14:14:06 46,568 ----a-w c:\windows\system32\vswmi.dll
    + 2007-09-06 14:14:06 99,816 ----a-w c:\windows\system32\vsxml.dll
    + 2007-09-06 14:14:06 83,432 ----a-w c:\windows\system32\zlcomm.dll
    + 2007-09-06 14:14:08 71,144 ----a-w c:\windows\system32\zlcommdb.dll
    + 2007-09-06 14:13:56 370,208 ----a-w c:\windows\system32\ZoneLabs\av.dll
    + 2007-05-30 22:03:30 65,248 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\aphish.dat
    + 2006-06-30 12:47:36 21,568 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\avcmhk4.dll
    + 2007-05-30 22:03:30 1,628 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\pdmkl.dat
    + 2007-05-30 22:03:16 77,824 ----a-w c:\windows\system32\ZoneLabs\avsys\CKAHComm.dll
    + 2007-05-30 22:03:16 110,592 ----a-w c:\windows\system32\ZoneLabs\avsys\CKAHrule.dll
    + 2007-05-30 22:03:16 331,776 ----a-w c:\windows\system32\ZoneLabs\avsys\CKAHUM.dll
    + 2007-05-30 22:03:16 38,400 ----a-w c:\windows\system32\ZoneLabs\avsys\FSSync.dll
    + 2007-07-19 13:10:32 110,360 ----a-w c:\windows\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
    + 2007-07-19 13:10:32 186,128 ----a-w c:\windows\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
    + 2007-05-30 22:03:48 110,360 ----a-w c:\windows\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
    + 2007-07-19 13:10:28 127,768 ----a-w c:\windows\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
    + 2007-05-30 22:03:50 65,536 ----a-w c:\windows\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
    + 2006-09-19 21:12:14 208,960 ----a-w c:\windows\system32\ZoneLabs\avsys\inv.dll
    + 2007-08-24 17:31:48 274,432 ----a-w c:\windows\system32\ZoneLabs\avsys\kave.dll
    + 2006-12-19 16:13:52 1,093,632 ----a-w c:\windows\system32\ZoneLabs\avsys\libeay32.dll
    + 2007-05-30 22:03:20 548,864 ----a-w c:\windows\system32\ZoneLabs\avsys\msvcp80.dll
    + 2007-05-30 22:03:20 626,688 ----a-w c:\windows\system32\ZoneLabs\avsys\msvcr80.dll
    + 2007-05-30 22:03:18 184,320 ----a-w c:\windows\system32\ZoneLabs\avsys\prloader.dll
    + 2007-05-30 22:03:22 90,112 ----a-w c:\windows\system32\ZoneLabs\avsys\prremote.dll
    + 2007-08-24 17:31:48 155,648 ----a-w c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
    + 2006-12-19 16:13:52 200,704 ----a-w c:\windows\system32\ZoneLabs\avsys\ssleay32.dll
    + 2007-09-06 14:13:56 99,816 ----a-w c:\windows\system32\ZoneLabs\camupd.dll
    + 2004-01-30 10:35:08 813,568 ----a-w c:\windows\system32\ZoneLabs\dbghelp.dll
    + 2007-09-06 14:13:58 128,480 ----a-w c:\windows\system32\ZoneLabs\fbl.dll
    + 2007-09-06 14:13:58 38,376 ----a-w c:\windows\system32\ZoneLabs\featuremap.dll
    + 2007-09-06 14:13:58 321,016 ----a-w c:\windows\system32\ZoneLabs\imsecure.dll
    + 2007-09-06 14:14:30 288,144 ----a-w c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
    + 2007-09-06 14:14:30 152,976 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
    + 2007-08-15 13:45:42 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
    + 2007-08-15 13:45:44 787,936 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
    + 2007-09-06 14:14:00 173,544 ----a-w c:\windows\system32\ZoneLabs\scheduler.dll
    + 2007-01-11 09:12:08 2,432,259 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
    + 2007-08-15 13:45:44 1,500,640 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
    + 2007-06-11 10:44:10 50,416 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
    + 2007-09-06 14:14:02 456,168 ----a-w c:\windows\system32\ZoneLabs\ssleay32.dll
    + 2006-09-04 18:59:14 503,875 ----a-w c:\windows\system32\ZoneLabs\upd_core.dll
    + 2007-08-01 04:30:04 833,248 ----a-w c:\windows\system32\ZoneLabs\updating.dll
    + 2007-09-06 14:14:18 149,032 ----a-w c:\windows\system32\ZoneLabs\updclient.exe
    + 2007-01-11 15:31:06 286,787 ----a-w c:\windows\system32\ZoneLabs\updtrsdk.dll
    + 2007-09-06 14:14:04 108,008 ----a-w c:\windows\system32\ZoneLabs\vsavpro.dll
    + 2007-09-06 14:14:04 79,336 ----a-w c:\windows\system32\ZoneLabs\vsdb.dll
    + 2007-09-06 14:14:18 75,304 ----a-w c:\windows\system32\ZoneLabs\vsmon.exe
    + 2007-09-06 14:14:04 2,024,936 ----a-w c:\windows\system32\ZoneLabs\vsmondll.dll
    + 2007-09-06 14:14:06 1,345,000 ----a-w c:\windows\system32\ZoneLabs\vsruledb.dll
    + 2007-09-06 14:14:06 239,080 ----a-w c:\windows\system32\ZoneLabs\vsvault.dll
    + 2007-01-11 09:12:08 2,432,259 ----a-w c:\windows\system32\ZoneLabs\zlasdbup.dat
    + 2007-09-06 14:14:08 177,640 ----a-w c:\windows\system32\ZoneLabs\zlparser.dll
    + 2007-09-06 14:14:08 79,344 ----a-w c:\windows\system32\ZoneLabs\zlquarantine.dll
    + 2007-09-06 14:14:08 382,440 ----a-w c:\windows\system32\ZoneLabs\zlsre.dll
    + 2007-09-06 14:14:08 120,296 ----a-w c:\windows\system32\ZoneLabs\zlupdate.dll
    .
    -- Snapshot nollattu tähän hetkeen --
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 32256]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1712640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 163840]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-13 151552]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 184320]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 155648]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "High Definition Audio -ominaisuussivun pikakuvake"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 32256]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;avast! Self Protection; [x]
    R1 ethdrmld;ethdrmld;c:\windows\system32\drivers\ethdrmld.sys [2009-02-17 137760]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
    R3 hqkbogne;hqkbogne; [x]
    R3 vahcxasd;vahcxasd; [x]
    R3 yobdrdda;yobdrdda; [x]
    S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600]


    --- Muut muistissa olevat ajurit/palvelut ---

    *Deregistered* - Aavmker4
    *Deregistered* - aswMon2
    *Deregistered* - aswUpdSv
    *Deregistered* - audstub
    *Deregistered* - Beep
    *Deregistered* - Cdfs
    *Deregistered* - CryptSvc
    *Deregistered* - dmio
    *Deregistered* - dmload
    *Deregistered* - Fastfat
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - Fips
    *Deregistered* - FltMgr
    *Deregistered* - Ftdisk
    *Deregistered* - IntelIde
    *Deregistered* - KLIF
    *Deregistered* - KSecDD
    *Deregistered* - mnmdd
    *Deregistered* - MountMgr
    *Deregistered* - Msfs
    *Deregistered* - mssmbios
    *Deregistered* - Mup
    *Deregistered* - NdisTapi
    *Deregistered* - Npfs
    *Deregistered* - Ntfs
    *Deregistered* - Null
    *Deregistered* - PartMgr
    *Deregistered* - ParVdm
    *Deregistered* - RasAcd
    *Deregistered* - RasMan
    *Deregistered* - Rdbss
    *Deregistered* - RDPCDD
    *Deregistered* - rdpdr
    *Deregistered* - RpcSs
    *Deregistered* - SoundMAX Agent Service (default)
    *Deregistered* - sr
    *Deregistered* - srescan
    *Deregistered* - srservice
    *Deregistered* - swenum
    *Deregistered* - TapiSrv
    *Deregistered* - TermDD
    *Deregistered* - TermService
    *Deregistered* - Update
    *Deregistered* - W32Time
    *Deregistered* - VgaSave
    *Deregistered* - winmgmt
    *Deregistered* - VolSnap
    *Deregistered* - wuauserv
    .
    - - - - POISTETUT JÄMÄRIVIT - - - -

    Notify-AtiExtEvent - (no file)


    .
    ------- Täydentävä tarkistus -------
    .
    FF - ProfilePath - c:\documents and settings\Järjestelmänvalvoja\Application Data\Mozilla\Firefox\Profiles\fajdbc2j.default\
    FF - prefs.js: browser.startup.homepage - google.fi
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-22 09:32:23
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------

    [HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:74,3e,89,ba,9f,60,41,5b,91,dc,80,e1,ea,7f,f3,76,c1,ae,57,d7,08,7e,47,
    de,67,2a,1e,5b,a1,35,09,0c,33,cc,33,a7,da,f6,d8,e3,d1,16,08,8a,27,2d,40,3f,\
    "??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\�•€|ÿÿÿÿ"•€|þ»Ów*]
    "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"
    .
    Valmistumisajankohta: 2009-02-22 9:33:45
    ComboFix-quarantined-files.txt 2009-02-22 07:33:41
    ComboFix2.txt 2009-02-20 13:39:54
    ComboFix3.txt 2009-02-20 07:33:59

    Ennen ajoa: 52 357 709 824 tavua vapaana
    Ajon jälkeen: 52,345,528,320 tavua vapaana

    393 --- E O F --- 2009-02-12 07:09:45
     
  3. Hujo

    Hujo Guest

    Run a scan and post a new HJT log.
     
  4. bonfire81

    bonfire81 Member

    Joined:
    19.02.2009
    Posts:
    23
    Thanks:
    0
    Points:
    11
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:58:28, on 22.2.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-21-3993185670-2011734097-2445771630-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-3993185670-2011734097-2445771630-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1233556276562
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233556617562
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4327 bytes
     
  5. Hujo

    Hujo Guest

    Now copy and paste the contents of the quote below into an empty Notepad document
    Start button > Accessories > Notepad

    Save it as CFScript.txt on the desktop.

    Then drag CFScript onto ComboFix.exe as shown below.

    [IMG]

    Post the resulting log here.

    Shut down and restart the computer.

    ===============

    Download CCleaner from here
    CCleaner v 2.14.750.- Standard Build, do NOT install the Yahoo toolbar!
    During installation, clear the check mark next to "install Yahoo! toolbar".
    After installation, open CCleaner.
    Select Options from the column on the left.
    Select Settings from the adjacent column.
    Under Language, select Suomi (Finnish).

    Cleaner
    Select Puhdistaja (Cleaner) from the column on the left.
    Press Tutki (Analyze) at the bottom.
    CCleaner now analyzes what can be removed (temp files, cookies, etc.).
    When the analysis is finished, press Aja CCleaner (Run Cleaner).
    CCleaner now removes the temp files, cookies, etc. that it found.

    Fixing registry errors
    Select Rekisteri (Registry) from the column on the left.
    Press Etsi rekisterin virheitä (Scan for Issues) at the bottom.
    When the scan is finished and you are sure you want to fix the entries that are checked, press Korjaa valitut rekisterin virheet (Fix selected issues).
    You will be asked "do you want to back up changes to the registry"; press Kyllä (Yes). Save the backup to, for example, the "My Documents" folder.
    In the new window that opens, click Korjaa kaikki valitut virheet (Fix All Selected Issues).
    You will get one more confirmation prompt; press Ok.
    When the errors have been fixed, press Sulje (Close).
    You can now close CCleaner by pressing the red X at the top right.

     
  6. bonfire81

    bonfire81 Member

    ComboFix 09-02-18.01 - Järjestelmänvalvoja 2009-02-22 13:17:01.4 - NTFSx86
    Sijainti: c:\documents and settings\Järjestelmänvalvoja\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\documents and settings\Järjestelmänvalvoja\Työpöytä\CFScript.txt

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-01-22 to 2009-02-22 )))))))))))))))))
    .

    2009-02-21 14:53 . 2009-02-21 14:53 <KANSIO> d-------- C:\Downloads
    2009-02-21 14:53 . 2009-02-21 14:53 <KANSIO> d-------- C:\Bases
    2009-02-21 14:46 . 2009-02-21 14:47 <KANSIO> d-------- C:\Kaspersky
    2009-02-20 16:42 . 2009-02-22 13:19 337,952 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-02-20 16:42 . 2009-02-22 13:02 4,460 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-02-20 16:40 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2009-02-20 16:39 . 2009-02-20 16:40 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2009-02-20 16:39 . 2009-02-20 16:39 <KANSIO> d-------- c:\program files\Zone Labs
    2009-02-20 16:39 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2009-02-20 09:47 . 2009-02-20 09:47 579,072 --a--c--- c:\windows\system32\dllcache\user32.dll
    2009-02-20 08:51 . 2009-02-20 08:51 <KANSIO> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-20 08:51 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-20 08:51 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-19 10:40 . 2009-02-19 10:40 <KANSIO> d-------- c:\program files\Sygate
    2009-02-19 10:40 . 2009-02-19 10:40 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-02-18 18:20 . 2009-02-19 08:38 <KANSIO> d-------- c:\program files\SUPERAntiSpyware
    2009-02-18 18:20 . 2009-02-19 08:38 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\SUPERAntiSpyware.com
    2009-02-18 18:20 . 2009-02-18 18:20 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-18 16:04 . 2009-02-18 16:04 <KANSIO> d-------- C:\lexmark
    2009-02-17 20:50 . 2009-02-17 20:50 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2009-02-17 20:50 . 2009-02-20 16:41 353,361 --a------ c:\windows\system32\vsconfig.xml
    2009-02-17 20:50 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2009-02-17 20:50 . 2009-02-20 16:41 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2009-02-17 20:48 . 2009-02-21 11:38 <KANSIO> d-------- c:\windows\Internet Logs
    2009-02-17 19:38 . 2009-02-17 19:38 137,760 --a------ c:\windows\system32\drivers\ethdrmld.sys
    2009-02-17 19:28 . 2009-02-17 19:28 <KANSIO> d-------- C:\rsit
    2009-02-17 18:40 . 2009-02-17 18:40 <KANSIO> d-------- c:\program files\Alwil Software
    2009-02-17 18:40 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-02-17 18:40 . 2003-03-18 21:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
    2009-02-17 18:40 . 2003-02-21 05:42 348,160 --a------ c:\windows\system32\MSVCR71.dll
    2009-02-17 16:11 . 2009-02-17 16:11 <KANSIO> d-------- c:\program files\CCleaner
    2009-02-17 15:25 . 2009-02-17 15:25 <KANSIO> d-------- c:\windows\ERUNT
    2009-02-17 15:11 . 2009-02-17 15:11 <KANSIO> d-------- c:\program files\Trend Micro
    2009-02-17 13:52 . 2009-02-17 13:52 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Malwarebytes
    2009-02-17 13:52 . 2009-02-17 13:52 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-17 13:28 . 2009-02-20 17:59 67 --a------ c:\windows\wininit.ini
    2009-02-17 13:07 . 2009-02-17 13:07 128 --a------ c:\windows\adobe.bat
    2009-02-17 09:57 . 2009-02-17 09:57 <KANSIO> d-------- c:\program files\Common Files\Webroot Shared
    2009-02-17 09:39 . 2009-02-17 09:39 44 --a------ c:\windows\system32\Partizan.RRI
    2009-02-17 09:30 . 2009-02-17 09:30 <KANSIO> d-------- c:\windows\RestoreSafeDeleted
    2009-02-17 09:16 . 2009-02-17 09:16 <KANSIO> d-------- c:\program files\Greatis
    2009-02-17 09:16 . 2009-02-17 09:16 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Regrun
    2009-02-17 09:16 . 2009-02-17 09:34 <KANSIO> d-------- C:\backreg
    2009-02-17 09:16 . 2003-09-06 15:55 57,556 --a------ c:\windows\guard.bmp
    2009-02-16 20:13 . 2009-02-17 09:47 <KANSIO> d-------- c:\program files\Webroot
    2009-02-16 20:13 . 2009-02-17 09:47 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Webroot
    2009-02-16 20:12 . 2004-04-28 22:51 61,440 --a------ c:\windows\Unwash5.exe
    2009-02-16 19:36 . 2009-02-16 19:48 137,408 --a------ c:\windows\system32\drivers\ETHXFUYA.del
    2009-02-16 19:36 . 2009-02-17 13:04 67,072 ---h----- c:\windows\system32\secupdat.dat
    2009-02-16 19:36 . 2009-02-16 19:48 47,104 --a------ c:\windows\system32\READER_S.del
    2009-02-16 19:18 . 2009-02-16 19:18 <KANSIO> d-------- c:\program files\Lexmark_HostCD
    2009-02-16 19:18 . 2009-02-16 19:18 <KANSIO> d-------- c:\program files\Lexmark
    2009-02-16 19:18 . 2009-02-06 09:07 20,152 --a------ c:\windows\system32\LMabpmui.chm
    2009-02-16 19:18 . 2009-02-16 19:18 5,267 --a------ c:\windows\system32\LexFiles.ulf
    2009-02-16 19:18 . 2008-01-15 11:31 1,976 --a------ c:\windows\system32\LMab.loc
    2009-02-16 18:52 . 2009-02-16 18:52 <KANSIO> d-------- c:\windows\SHELLNEW(2)
    2009-02-16 18:38 . 2009-02-17 10:02 <KANSIO> d-------- C:\MSOCache(2)
    2009-02-16 18:38 . 2009-02-17 10:02 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-14 10:39 . 2009-02-14 10:39 <KANSIO> dr-h----- c:\documents and settings\Järjestelmänvalvoja\Application Data\SecuROM
    2009-02-14 10:39 . 2009-02-16 18:09 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Bioshock
    2009-02-14 10:38 . 2009-02-14 10:38 107,888 --a------ c:\windows\system32\CmdLineExt.dll
    2009-02-14 10:27 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\program files\ifolor
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ifolor
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\ifolor
    2009-02-13 19:28 . 2009-02-13 19:28 <KANSIO> d-------- c:\program files\URUSoft
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\MONOGRAM AMR SplitterDecoder
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\DScaler5
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\CD Audio Reader Filter
    2009-02-13 19:24 . 2009-02-18 18:46 <KANSIO> d-------- c:\program files\AC3Filter
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\SHOUTcast Source
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\RealMedia
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\OpenSource Flash Video Splitter
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\Haali
    2009-02-13 19:22 . 2009-02-13 19:22 <KANSIO> d-------- c:\program files\ffdshow
    2009-02-13 19:22 . 2009-02-13 19:22 <KANSIO> d-------- c:\program files\DSP-worx
    2009-02-13 19:22 . 2008-12-17 19:22 57,344 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-13 19:22 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-13 19:21 . 2009-02-13 19:21 <KANSIO> d-------- c:\program files\DirectVobSub
    2009-02-13 19:20 . 2009-02-13 19:21 <KANSIO> d-------- c:\program files\Zoom Player
    2009-02-13 19:20 . 2009-02-13 19:40 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Zoom Player
    2009-02-13 18:22 . 2009-02-13 18:22 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\program files\Common Files\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\program files\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
    2009-02-13 18:06 . 2009-02-18 16:42 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\skypePM
    2009-02-13 18:06 . 2009-02-13 18:06 56 --ah----- c:\windows\system32\ezsidmv.dat
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> dr------- c:\program files\Skype
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> d-------- c:\program files\Common Files\Skype
    2009-02-13 18:03 . 2009-02-18 18:35 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Skype
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-02-13 15:31 . 2009-02-13 15:31 <KANSIO> d-------- c:\program files\Common Files\Adobe
    2009-02-13 15:29 . 2009-02-13 21:00 <KANSIO> d-------- c:\program files\NOS
    2009-02-13 15:29 . 2009-02-13 21:01 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\NOS
    2009-02-12 19:20 . 2003-03-16 00:15 110,592 --a------ c:\windows\unvise32.exe
    2009-02-12 19:17 . 2009-02-18 17:04 <KANSIO> d-------- C:\Pelit
    2009-02-12 19:14 . 2009-02-12 19:14 <KANSIO> d-------- c:\program files\DAEMON Tools
    2009-02-12 19:12 . 2009-02-12 19:14 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
    2009-02-12 19:03 . 2009-02-12 19:03 664,064 --a------ c:\windows\system32\drivers\sptd.sys
    2009-02-12 19:03 . 2009-02-12 19:03 96,384 --a------ c:\windows\system32\drivers\SPTD4525.del
    2009-02-12 09:30 . 2009-02-18 18:31 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\BitTorrent
    2009-02-12 09:29 . 2009-02-12 10:17 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\DNA
    2009-02-11 19:07 . 2008-04-13 20:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2009-02-11 19:07 . 2008-04-13 20:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
    2009-02-11 12:48 . 2009-02-20 18:55 <KANSIO> d-------- C:\ati
    2009-02-11 12:21 . 2009-02-11 12:21 0 --a------ c:\windows\nsreg.dat
    2009-02-11 12:11 . 2009-02-11 12:11 33,408 --a------ c:\windows\system32\drivers\FSBTS.del
    2009-02-11 12:05 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-02-11 12:05 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-02-11 11:06 . 2009-02-11 11:06 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ATI
    2009-02-11 11:05 . 2009-02-11 11:05 <KANSIO> d-------- c:\program files\My Company Name
    2009-02-11 11:05 . 2009-02-11 11:05 0 --a------ c:\windows\ativpsrm.bin
    2009-02-11 11:01 . 2009-02-11 11:01 <KANSIO> d-------- c:\program files\Common Files\ATI Technologies
    2009-02-11 10:59 . 2008-07-02 21:38 89,600 --a------ c:\windows\system32\drivers\AtiHdmi.sys
    2009-02-11 10:59 . 2008-07-31 04:36 14,696 -ra------ c:\windows\atiogl.xml
    2009-02-11 10:33 . 2009-02-17 20:23 <KANSIO> d-------- c:\program files\F-Secure
    2009-02-11 10:33 . 2009-02-11 10:33 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\fssg
    2009-02-11 10:33 . 2009-02-17 20:21 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\F-Secure
    2009-02-11 10:32 . 2009-02-11 10:33 <KANSIO> d-------- C:\fsavcs8
    2009-02-11 10:30 . 2009-02-11 10:30 <KANSIO> d-------- c:\program files\MadOnion.com
    2009-02-11 10:27 . 2008-04-14 17:46 14,720 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-02-11 10:27 . 2008-04-14 17:46 14,720 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2009-02-02 10:50 . 2009-02-18 18:26 94,208 --a------ c:\windows\DUMP4c2c.tmp
    2009-02-02 10:50 . 2009-02-18 21:04 94,208 --a------ c:\windows\DUMP4b41.tmp
    2009-02-02 10:50 . 2009-02-18 18:37 94,208 --a------ c:\windows\DUMP496c.tmp

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-21 07:03 879,947 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2009-02-11 09:01 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-02 08:50 --------- d-----w c:\program files\microsoft frontpage
    2009-02-02 08:50 --------- d-----w c:\program files\Analog Devices
    2009-02-02 08:35 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-31 03:14 466,944 ----a-w c:\windows\system32\softcoin.dll
    2008-12-31 03:14 344,064 ----a-w c:\windows\system32\gencoin.dll
    2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll
    .

    ------- Sigcheck -------

    2004-09-14 15:12 31744 c0a39b3d710e9dd2bb6c369f980d82ac c:\windows\$NtServicePackUninstall$\svchost.exe
    2008-04-14 18:12 31232 05d083bc572ed94235ea20a7d29ff734 c:\windows\ServicePackFiles\i386\svchost.exe
    2008-04-14 18:12 31232 093dfa46932a8d4e8f0a123e0187ce6d c:\windows\system32\svchost.exe

    2008-04-14 18:12 1051136 46e58cae384a6eafe4e0b6b23f910154 c:\windows\explorer.exe
    2007-06-13 15:10 1051136 4fed6a21f1509f1ba9c54b91f093a0b9 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 15:22 1050624 eae86f1b134b9752b9a752d59244a8ea c:\windows\$NtServicePackUninstall$\explorer.exe
    2004-09-14 15:12 1050112 cd9d0e56f74a6da9b81f2c2854474876 c:\windows\$NtUninstallKB938828$\explorer.exe
    2008-04-14 18:12 1051648 e09b88ccb72d2f43dbb0644f49367b04 c:\windows\ServicePackFiles\i386\explorer.exe

    2004-09-14 15:12 32768 9b43e5f441500a95b2abfd69d7feedfa c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2008-04-14 18:12 32768 1e3b7d716f2f755739f6ae914fb8392a c:\windows\ServicePackFiles\i386\ctfmon.exe
    2008-04-14 18:12 32256 081a9a4f70c023758717c7575c523bad c:\windows\system32\ctfmon.exe

    2005-06-11 02:17 75264 beadaff85c162c82eda22ddb73d4073c c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-11 01:53 74752 c7f7e74ecaed0705d72e99b335874e12 c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2004-09-14 15:12 74752 90a3bc3e4f9361a6e8c12667c5aa0210 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2008-04-14 18:12 74752 5b430e0f5a8d1f673241b7b230634c9f c:\windows\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 18:12 74752 2d5a7e7d5c25fbdb2eda7fd67968695b c:\windows\system32\spoolsv.exe

    2004-09-14 15:12 41984 e79f1e6bd4d7cdb9fd706f4a0870c3b3 c:\windows\$NtServicePackUninstall$\userinit.exe
    2008-04-14 18:12 43520 d07173764c118dd46a05081edf8d35cf c:\windows\ServicePackFiles\i386\userinit.exe
    2008-04-14 18:12 43520 3a40a91ca77533380562681126148637 c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((( SnapShot_2009-02-22_ 9.32.59,10 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-10-20 18:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    + 2005-10-20 18:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    - 2000-08-31 06:00:00 179,712 ----a-w c:\windows\SWREG.exe
    + 2000-08-31 06:00:00 179,200 ----a-w c:\windows\SWREG.exe
    - 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-02-22 11:11:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
    + 2009-02-22 11:11:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
    - 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-22 11:11:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 32256]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1712640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 163840]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-13 151552]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 184320]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 155648]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "High Definition Audio -ominaisuussivun pikakuvake"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 32256]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;avast! Self Protection; [x]
    R1 ethdrmld;ethdrmld;c:\windows\system32\drivers\ethdrmld.sys [2009-02-17 137760]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
    R3 hqkbogne;hqkbogne; [x]
    R3 vahcxasd;vahcxasd; [x]
    R3 yobdrdda;yobdrdda; [x]
    S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600]


    --- Muut muistissa olevat ajurit/palvelut ---

    *Deregistered* - Aavmker4
    *Deregistered* - aswMon2
    *Deregistered* - aswUpdSv
    *Deregistered* - audstub
    *Deregistered* - Beep
    *Deregistered* - Cdfs
    *Deregistered* - CryptSvc
    *Deregistered* - dmio
    *Deregistered* - dmload
    *Deregistered* - Fastfat
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - Fips
    *Deregistered* - FltMgr
    *Deregistered* - Ftdisk
    *Deregistered* - IntelIde
    *Deregistered* - KLIF
    *Deregistered* - KSecDD
    *Deregistered* - mnmdd
    *Deregistered* - MountMgr
    *Deregistered* - Msfs
    *Deregistered* - mssmbios
    *Deregistered* - Mup
    *Deregistered* - NdisTapi
    *Deregistered* - Npfs
    *Deregistered* - Ntfs
    *Deregistered* - Null
    *Deregistered* - PartMgr
    *Deregistered* - ParVdm
    *Deregistered* - RasAcd
    *Deregistered* - RasMan
    *Deregistered* - Rdbss
    *Deregistered* - RDPCDD
    *Deregistered* - rdpdr
    *Deregistered* - RpcSs
    *Deregistered* - SoundMAX Agent Service (default)
    *Deregistered* - sr
    *Deregistered* - srescan
    *Deregistered* - srservice
    *Deregistered* - swenum
    *Deregistered* - TapiSrv
    *Deregistered* - TermDD
    *Deregistered* - TermService
    *Deregistered* - Update
    *Deregistered* - W32Time
    *Deregistered* - VgaSave
    *Deregistered* - winmgmt
    *Deregistered* - VolSnap
    *Deregistered* - wuauserv
    .
    .
    ------- Täydentävä tarkistus -------
    .
    FF - ProfilePath - c:\documents and settings\Järjestelmänvalvoja\Application Data\Mozilla\Firefox\Profiles\fajdbc2j.default\
    FF - prefs.js: browser.startup.homepage - google.fi
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-22 13:19:15
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------

    [HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:74,3e,89,ba,9f,60,41,5b,91,dc,80,e1,ea,7f,f3,76,c1,ae,57,d7,08,7e,47,
    de,67,2a,1e,5b,a1,35,09,0c,33,cc,33,a7,da,f6,d8,e3,d1,16,08,8a,27,2d,40,3f,\
    "??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\�•€|ÿÿÿÿ"•€|þ»Ów*]
    "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"
    .
    Valmistumisajankohta: 2009-02-22 13:20:39
    ComboFix-quarantined-files.txt 2009-02-22 11:20:36
    ComboFix2.txt 2009-02-22 07:33:47
    ComboFix3.txt 2009-02-20 13:39:54
    ComboFix4.txt 2009-02-20 07:33:59

    Ennen ajoa: 52 267 483 136 tavua vapaana
    Ajon jälkeen: 52,251,783,168 tavua vapaana

    296 --- E O F --- 2009-02-12 07:09:45
     
  7. Hujo

    Hujo Guest

    Well, that didn't have the desired effect.

    Now copy and paste the contents of the quote below into an empty Notepad document
    Start button > Accessories > Notepad

    Save it as CFScript.txt on the desktop.

    Save as type: All files

    Then drag CFScript onto ComboFix.exe as shown below.

    [IMG]

    Post the resulting log here.

    Shut down and restart the computer.
     
    Last edited by a moderator: 22.02.2009
  8. bonfire81

    bonfire81 Member

    ComboFix 09-02-18.01 - Järjestelmänvalvoja 2009-02-22 14:35:47.5 - NTFSx86
    Sijainti: c:\documents and settings\Järjestelmänvalvoja\Työpöytä\ComboFix.exe
    Käytetyt komentorivivalitsimet :: c:\documents and settings\Järjestelmänvalvoja\Työpöytä\CFScript.txt

    VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\F-Secure
    c:\documents and settings\All Users\Application Data\F-Secure\Daas2\acl\fsc_revoke_hq.acl
    c:\documents and settings\All Users\Application Data\F-Secure\Daas2\acl\fsc_root.acl
    c:\documents and settings\All Users\Application Data\F-Secure\Daas2\cert\fsc (revoke hq).crl
    c:\documents and settings\All Users\Application Data\F-Secure\logs\DAAS2\DAAS2INS.LOG
    c:\documents and settings\All Users\Application Data\F-Secure\logs\DAAS2\Daas2Uni.LOG
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSFW\action.log
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSFW\alertlog.dat
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log
    c:\documents and settings\All Users\Application Data\F-Secure\logs\FSMA\fsma_old.log
    c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\ORSPINST.LOG
    c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\OrspUnin.LOG
    c:\program files\F-Secure
    c:\program files\F-Secure\Anti-Virus\dbbackup\fsgkhs\fm4av.dll
    c:\program files\F-Secure\Anti-Virus\dbbackup\fsgkhs\fpinor.dll
    c:\program files\F-Secure\Anti-Virus\dbbackup\fsgkhs\fsepx32.dll
    c:\program files\F-Secure\Anti-Virus\dbbackup\fsgkhs\fsgk32.exe
    c:\program files\F-Secure\Anti-Virus\dbbackup\fsgkhs\fssm32.exe
    c:\program files\F-Secure\Anti-Virus\dbbackup\fsgkhs\fsuss.dll
    c:\program files\F-Secure\Anti-Virus\deleteme_pwr.log
    c:\program files\F-Secure\Anti-Virus\fa_gem.log
    c:\program files\F-Secure\Anti-Virus\fa_peg.log
    c:\program files\F-Secure\Anti-Virus\fsbts.sys
    c:\program files\F-Secure\Anti-Virus\FSGK32ST.del
    c:\program files\F-Secure\Anti-Virus\fsgk32st_update.log
    c:\program files\F-Secure\Anti-Virus\upd_fsgk.sys
    c:\program files\F-Secure\Anti-Virus\upd_fsgk_x64.sys
    c:\program files\F-Secure\common\daas2_cdsa.cr
    c:\program files\Sygate
    c:\program files\Sygate\SPF\debug.log

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-01-22 to 2009-02-22 )))))))))))))))))
    .

    2009-02-21 14:53 . 2009-02-21 14:53 <KANSIO> d-------- C:\Downloads
    2009-02-21 14:53 . 2009-02-21 14:53 <KANSIO> d-------- C:\Bases
    2009-02-21 14:46 . 2009-02-21 14:47 <KANSIO> d-------- C:\Kaspersky
    2009-02-20 16:42 . 2009-02-22 14:38 403,488 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-02-20 16:42 . 2009-02-22 13:50 5,228 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-02-20 16:40 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
    2009-02-20 16:39 . 2009-02-20 16:40 <KANSIO> d-------- c:\windows\system32\ZoneLabs
    2009-02-20 16:39 . 2009-02-20 16:39 <KANSIO> d-------- c:\program files\Zone Labs
    2009-02-20 16:39 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
    2009-02-20 09:47 . 2009-02-20 09:47 579,072 --a--c--- c:\windows\system32\dllcache\user32.dll
    2009-02-20 08:51 . 2009-02-20 08:51 <KANSIO> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-20 08:51 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-20 08:51 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-19 10:40 . 2009-02-19 10:40 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-02-18 18:20 . 2009-02-19 08:38 <KANSIO> d-------- c:\program files\SUPERAntiSpyware
    2009-02-18 18:20 . 2009-02-19 08:38 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\SUPERAntiSpyware.com
    2009-02-18 18:20 . 2009-02-18 18:20 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-18 16:04 . 2009-02-18 16:04 <KANSIO> d-------- C:\lexmark
    2009-02-17 20:50 . 2009-02-17 20:50 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
    2009-02-17 20:50 . 2009-02-20 16:41 353,361 --a------ c:\windows\system32\vsconfig.xml
    2009-02-17 20:50 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
    2009-02-17 20:50 . 2009-02-20 16:41 4,212 ---h----- c:\windows\system32\zllictbl.dat
    2009-02-17 20:48 . 2009-02-21 11:38 <KANSIO> d-------- c:\windows\Internet Logs
    2009-02-17 19:38 . 2009-02-17 19:38 137,760 --a------ c:\windows\system32\drivers\ethdrmld.sys
    2009-02-17 19:28 . 2009-02-17 19:28 <KANSIO> d-------- C:\rsit
    2009-02-17 18:40 . 2009-02-17 18:40 <KANSIO> d-------- c:\program files\Alwil Software
    2009-02-17 18:40 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-02-17 18:40 . 2003-03-18 21:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
    2009-02-17 18:40 . 2003-02-21 05:42 348,160 --a------ c:\windows\system32\MSVCR71.dll
    2009-02-17 16:11 . 2009-02-17 16:11 <KANSIO> d-------- c:\program files\CCleaner
    2009-02-17 15:25 . 2009-02-17 15:25 <KANSIO> d-------- c:\windows\ERUNT
    2009-02-17 15:11 . 2009-02-17 15:11 <KANSIO> d-------- c:\program files\Trend Micro
    2009-02-17 13:52 . 2009-02-17 13:52 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Malwarebytes
    2009-02-17 13:52 . 2009-02-17 13:52 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-17 13:28 . 2009-02-20 17:59 67 --a------ c:\windows\wininit.ini
    2009-02-17 13:07 . 2009-02-17 13:07 128 --a------ c:\windows\adobe.bat
    2009-02-17 09:57 . 2009-02-17 09:57 <KANSIO> d-------- c:\program files\Common Files\Webroot Shared
    2009-02-17 09:39 . 2009-02-17 09:39 44 --a------ c:\windows\system32\Partizan.RRI
    2009-02-17 09:30 . 2009-02-17 09:30 <KANSIO> d-------- c:\windows\RestoreSafeDeleted
    2009-02-17 09:16 . 2009-02-17 09:16 <KANSIO> d-------- c:\program files\Greatis
    2009-02-17 09:16 . 2009-02-17 09:16 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Regrun
    2009-02-17 09:16 . 2009-02-17 09:34 <KANSIO> d-------- C:\backreg
    2009-02-17 09:16 . 2003-09-06 15:55 57,556 --a------ c:\windows\guard.bmp
    2009-02-16 20:13 . 2009-02-17 09:47 <KANSIO> d-------- c:\program files\Webroot
    2009-02-16 20:13 . 2009-02-17 09:47 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Webroot
    2009-02-16 20:12 . 2004-04-28 22:51 61,440 --a------ c:\windows\Unwash5.exe
    2009-02-16 19:36 . 2009-02-16 19:48 137,408 --a------ c:\windows\system32\drivers\ETHXFUYA.del
    2009-02-16 19:36 . 2009-02-17 13:04 67,072 ---h----- c:\windows\system32\secupdat.dat
    2009-02-16 19:36 . 2009-02-16 19:48 47,104 --a------ c:\windows\system32\READER_S.del
    2009-02-16 19:18 . 2009-02-16 19:18 <KANSIO> d-------- c:\program files\Lexmark_HostCD
    2009-02-16 19:18 . 2009-02-16 19:18 <KANSIO> d-------- c:\program files\Lexmark
    2009-02-16 19:18 . 2009-02-06 09:07 20,152 --a------ c:\windows\system32\LMabpmui.chm
    2009-02-16 19:18 . 2009-02-16 19:18 5,267 --a------ c:\windows\system32\LexFiles.ulf
    2009-02-16 19:18 . 2008-01-15 11:31 1,976 --a------ c:\windows\system32\LMab.loc
    2009-02-16 18:52 . 2009-02-16 18:52 <KANSIO> d-------- c:\windows\SHELLNEW(2)
    2009-02-16 18:38 . 2009-02-17 10:02 <KANSIO> d-------- C:\MSOCache(2)
    2009-02-16 18:38 . 2009-02-17 10:02 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-14 10:39 . 2009-02-14 10:39 <KANSIO> dr-h----- c:\documents and settings\Järjestelmänvalvoja\Application Data\SecuROM
    2009-02-14 10:39 . 2009-02-16 18:09 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Bioshock
    2009-02-14 10:38 . 2009-02-14 10:38 107,888 --a------ c:\windows\system32\CmdLineExt.dll
    2009-02-14 10:27 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\program files\ifolor
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ifolor
    2009-02-14 08:29 . 2009-02-14 08:29 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\ifolor
    2009-02-13 19:28 . 2009-02-13 19:28 <KANSIO> d-------- c:\program files\URUSoft
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\MONOGRAM AMR SplitterDecoder
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\DScaler5
    2009-02-13 19:24 . 2009-02-13 19:24 <KANSIO> d-------- c:\program files\CD Audio Reader Filter
    2009-02-13 19:24 . 2009-02-18 18:46 <KANSIO> d-------- c:\program files\AC3Filter
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\SHOUTcast Source
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\RealMedia
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\OpenSource Flash Video Splitter
    2009-02-13 19:23 . 2009-02-13 19:23 <KANSIO> d-------- c:\program files\Haali
    2009-02-13 19:22 . 2009-02-13 19:22 <KANSIO> d-------- c:\program files\ffdshow
    2009-02-13 19:22 . 2009-02-13 19:22 <KANSIO> d-------- c:\program files\DSP-worx
    2009-02-13 19:22 . 2008-12-17 19:22 57,344 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-13 19:22 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-13 19:21 . 2009-02-13 19:21 <KANSIO> d-------- c:\program files\DirectVobSub
    2009-02-13 19:20 . 2009-02-13 19:21 <KANSIO> d-------- c:\program files\Zoom Player
    2009-02-13 19:20 . 2009-02-13 19:40 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Zoom Player
    2009-02-13 18:22 . 2009-02-13 18:22 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\program files\Common Files\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\program files\ACD Systems
    2009-02-13 18:21 . 2009-02-13 18:21 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
    2009-02-13 18:06 . 2009-02-18 16:42 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\skypePM
    2009-02-13 18:06 . 2009-02-13 18:06 56 --ah----- c:\windows\system32\ezsidmv.dat
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> dr------- c:\program files\Skype
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> d-------- c:\program files\Common Files\Skype
    2009-02-13 18:03 . 2009-02-18 18:35 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\Skype
    2009-02-13 18:03 . 2009-02-13 18:03 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-02-13 15:31 . 2009-02-13 15:31 <KANSIO> d-------- c:\program files\Common Files\Adobe
    2009-02-13 15:29 . 2009-02-13 21:00 <KANSIO> d-------- c:\program files\NOS
    2009-02-13 15:29 . 2009-02-13 21:01 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\NOS
    2009-02-12 19:20 . 2003-03-16 00:15 110,592 --a------ c:\windows\unvise32.exe
    2009-02-12 19:17 . 2009-02-18 17:04 <KANSIO> d-------- C:\Pelit
    2009-02-12 19:14 . 2009-02-12 19:14 <KANSIO> d-------- c:\program files\DAEMON Tools
    2009-02-12 19:12 . 2009-02-12 19:14 223,128 --a------ c:\windows\system32\drivers\dtscsi.sys
    2009-02-12 19:03 . 2009-02-12 19:03 664,064 --a------ c:\windows\system32\drivers\sptd.sys
    2009-02-12 19:03 . 2009-02-12 19:03 96,384 --a------ c:\windows\system32\drivers\SPTD4525.del
    2009-02-12 09:30 . 2009-02-18 18:31 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\BitTorrent
    2009-02-12 09:29 . 2009-02-12 10:17 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\DNA
    2009-02-11 19:07 . 2008-04-13 20:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2009-02-11 19:07 . 2008-04-13 20:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
    2009-02-11 12:48 . 2009-02-20 18:55 <KANSIO> d-------- C:\ati
    2009-02-11 12:21 . 2009-02-11 12:21 0 --a------ c:\windows\nsreg.dat
    2009-02-11 12:11 . 2009-02-11 12:11 33,408 --a------ c:\windows\system32\drivers\FSBTS.del
    2009-02-11 12:05 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-02-11 12:05 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-02-11 11:06 . 2009-02-11 11:06 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Application Data\ATI
    2009-02-11 11:05 . 2009-02-11 11:05 <KANSIO> d-------- c:\program files\My Company Name
    2009-02-11 11:05 . 2009-02-11 11:05 0 --a------ c:\windows\ativpsrm.bin
    2009-02-11 11:01 . 2009-02-11 11:01 <KANSIO> d-------- c:\program files\Common Files\ATI Technologies
    2009-02-11 10:59 . 2008-07-02 21:38 89,600 --a------ c:\windows\system32\drivers\AtiHdmi.sys
    2009-02-11 10:59 . 2008-07-31 04:36 14,696 -ra------ c:\windows\atiogl.xml
    2009-02-11 10:33 . 2009-02-11 10:33 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\fssg
    2009-02-11 10:32 . 2009-02-11 10:33 <KANSIO> d-------- C:\fsavcs8
    2009-02-11 10:30 . 2009-02-11 10:30 <KANSIO> d-------- c:\program files\MadOnion.com
    2009-02-11 10:27 . 2008-04-14 17:46 14,720 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-02-11 10:27 . 2008-04-14 17:46 14,720 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2009-02-02 10:50 . 2009-02-18 18:26 94,208 --a------ c:\windows\DUMP4c2c.tmp
    2009-02-02 10:50 . 2009-02-18 21:04 94,208 --a------ c:\windows\DUMP4b41.tmp
    2009-02-02 10:50 . 2009-02-18 18:37 94,208 --a------ c:\windows\DUMP496c.tmp
    2009-02-02 10:50 . 2009-02-18 16:49 94,208 --a------ c:\windows\DUMP47e6.tmp
    2009-02-02 10:50 . 2009-02-17 15:32 90,112 --a------ c:\windows\DUMP43b0.tmp
    2009-02-02 10:50 . 2009-02-17 15:27 90,112 --a------ c:\windows\DUMP4333.tmp

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-21 07:03 879,947 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2009-02-11 09:01 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-02 08:50 --------- d-----w c:\program files\microsoft frontpage
    2009-02-02 08:50 --------- d-----w c:\program files\Analog Devices
    2009-02-02 08:35 --------- d-----w c:\program files\Common Files\InstallShield
    2008-12-31 03:14 466,944 ----a-w c:\windows\system32\softcoin.dll
    2008-12-31 03:14 344,064 ----a-w c:\windows\system32\gencoin.dll
    2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll
    .

    ------- Sigcheck -------

    2004-09-14 15:12 31744 c0a39b3d710e9dd2bb6c369f980d82ac c:\windows\$NtServicePackUninstall$\svchost.exe
    2008-04-14 18:12 31232 05d083bc572ed94235ea20a7d29ff734 c:\windows\ServicePackFiles\i386\svchost.exe
    2008-04-14 18:12 31232 093dfa46932a8d4e8f0a123e0187ce6d c:\windows\system32\svchost.exe

    2008-04-14 18:12 1051136 46e58cae384a6eafe4e0b6b23f910154 c:\windows\explorer.exe
    2007-06-13 15:10 1051136 4fed6a21f1509f1ba9c54b91f093a0b9 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 15:22 1050624 eae86f1b134b9752b9a752d59244a8ea c:\windows\$NtServicePackUninstall$\explorer.exe
    2004-09-14 15:12 1050112 cd9d0e56f74a6da9b81f2c2854474876 c:\windows\$NtUninstallKB938828$\explorer.exe
    2008-04-14 18:12 1051648 e09b88ccb72d2f43dbb0644f49367b04 c:\windows\ServicePackFiles\i386\explorer.exe

    2004-09-14 15:12 32768 9b43e5f441500a95b2abfd69d7feedfa c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2008-04-14 18:12 32768 1e3b7d716f2f755739f6ae914fb8392a c:\windows\ServicePackFiles\i386\ctfmon.exe
    2008-04-14 18:12 32256 081a9a4f70c023758717c7575c523bad c:\windows\system32\ctfmon.exe

    2005-06-11 02:17 75264 beadaff85c162c82eda22ddb73d4073c c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-11 01:53 74752 c7f7e74ecaed0705d72e99b335874e12 c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2004-09-14 15:12 74752 90a3bc3e4f9361a6e8c12667c5aa0210 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2008-04-14 18:12 74752 5b430e0f5a8d1f673241b7b230634c9f c:\windows\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 18:12 74752 2d5a7e7d5c25fbdb2eda7fd67968695b c:\windows\system32\spoolsv.exe

    2004-09-14 15:12 41984 e79f1e6bd4d7cdb9fd706f4a0870c3b3 c:\windows\$NtServicePackUninstall$\userinit.exe
    2008-04-14 18:12 43520 d07173764c118dd46a05081edf8d35cf c:\windows\ServicePackFiles\i386\userinit.exe
    2008-04-14 18:12 43520 3a40a91ca77533380562681126148637 c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((( SnapShot_2009-02-22_ 9.32.59,10 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-10-20 18:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    + 2005-10-20 18:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    - 2000-08-31 06:00:00 48,640 ----a-w c:\windows\NIRCMD.exe
    + 2000-08-31 06:00:00 49,152 ----a-w c:\windows\NIRCMD.exe
    - 2000-08-31 06:00:00 179,712 ----a-w c:\windows\SWREG.exe
    + 2000-08-31 06:00:00 179,200 ----a-w c:\windows\SWREG.exe
    - 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-02-22 12:32:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
    + 2009-02-22 12:32:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
    - 2009-02-22 07:24:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-22 12:32:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 32256]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1712640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 163840]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-13 151552]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 184320]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 155648]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "High Definition Audio -ominaisuussivun pikakuvake"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 32256]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;avast! Self Protection; [x]
    R1 ethdrmld;ethdrmld;c:\windows\system32\drivers\ethdrmld.sys [2009-02-17 137760]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
    R3 hqkbogne;hqkbogne; [x]
    R3 vahcxasd;vahcxasd; [x]
    R3 yobdrdda;yobdrdda; [x]
    S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-02 89600]


    --- Muut muistissa olevat ajurit/palvelut ---

    *Deregistered* - Aavmker4
    *Deregistered* - aswMon2
    *Deregistered* - aswUpdSv
    *Deregistered* - audstub
    *Deregistered* - Beep
    *Deregistered* - Cdfs
    *Deregistered* - CryptSvc
    *Deregistered* - dmio
    *Deregistered* - dmload
    *Deregistered* - Fastfat
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - Fips
    *Deregistered* - FltMgr
    *Deregistered* - Ftdisk
    *Deregistered* - IntelIde
    *Deregistered* - KLIF
    *Deregistered* - KSecDD
    *Deregistered* - mnmdd
    *Deregistered* - MountMgr
    *Deregistered* - Msfs
    *Deregistered* - mssmbios
    *Deregistered* - Mup
    *Deregistered* - NdisTapi
    *Deregistered* - Npfs
    *Deregistered* - Ntfs
    *Deregistered* - Null
    *Deregistered* - PartMgr
    *Deregistered* - ParVdm
    *Deregistered* - RasAcd
    *Deregistered* - RasMan
    *Deregistered* - Rdbss
    *Deregistered* - RDPCDD
    *Deregistered* - rdpdr
    *Deregistered* - RpcSs
    *Deregistered* - SoundMAX Agent Service (default)
    *Deregistered* - sr
    *Deregistered* - srescan
    *Deregistered* - srservice
    *Deregistered* - swenum
    *Deregistered* - TapiSrv
    *Deregistered* - TermDD
    *Deregistered* - TermService
    *Deregistered* - Update
    *Deregistered* - W32Time
    *Deregistered* - VgaSave
    *Deregistered* - winmgmt
    *Deregistered* - VolSnap
    *Deregistered* - wuauserv
    .
    .
    ------- Täydentävä tarkistus -------
    .
    FF - ProfilePath - c:\documents and settings\Järjestelmänvalvoja\Application Data\Mozilla\Firefox\Profiles\fajdbc2j.default\
    FF - prefs.js: browser.startup.homepage - google.fi
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-22 14:38:10
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    tarkistaa piilotettuja prosesseja ...

    tarkistaa piilotettuja käynnistysarvoja ...

    tarkistaa piilotettuja tiedostoja ...

    tarkistus on valmis
    piilotetut tiedostot: 0

    **************************************************************************
    .
    --------------------- LUKITUT REKISTERIAVAIMET ---------------------

    [HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:74,3e,89,ba,9f,60,41,5b,91,dc,80,e1,ea,7f,f3,76,c1,ae,57,d7,08,7e,47,
    de,67,2a,1e,5b,a1,35,09,0c,33,cc,33,a7,da,f6,d8,e3,d1,16,08,8a,27,2d,40,3f,\
    "??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\�•€|ÿÿÿÿ"•€|þ»Ów*]
    "b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"
    .
    Valmistumisajankohta: 2009-02-22 14:39:34
    ComboFix-quarantined-files.txt 2009-02-22 12:39:31
    ComboFix2.txt 2009-02-22 11:20:41
    ComboFix3.txt 2009-02-22 07:33:47
    ComboFix4.txt 2009-02-20 13:39:54
    ComboFix5.txt 2009-02-22 12:34:18

    Ennen ajoa: 52 259 733 504 tavua vapaana
    Ajon jälkeen: 52,242,444,288 tavua vapaana

    332 --- E O F --- 2009-02-12 07:09:45
     
  9. Hujo

    Hujo Guest

    Scan a new HJT log

    ========

    How is the computer working?
    Is it still messed up?
     
    Last edited by a moderator: 23.02.2009
  10. bonfire81

    bonfire81 Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:25:27, on 23.2.2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-21-3993185670-2011734097-2445771630-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-3993185670-2011734097-2445771630-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1233556276562
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233556617562
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4464 bytes


    ---------------------------------------------------------------------------


    - installing the graphics card drivers fails; an error message appears at the point when InstallShield tries to start

    - ZoneAlarm cannot be opened, and F-Secure again shows up as the default protection in the Security Center, even though it is no longer on the computer

    - I cannot get onto the network; nothing shows up under Network Connections and I cannot create a new connection

    So the computer is still pretty much non-functional.
     
  11. bonfire81

    bonfire81 Member

    Avast keeps complaining during scans about a virus, win32: junkpoly, in the files A0008566.exe and A0008568.exe.
     
  12. Hujo

    Hujo Guest

    Cleaner

    Select Cleaner from the column on the left
    Click Analyze at the bottom
    CCleaner now analyzes what can be removed (temp files, cookies, etc.).
    When the analysis is finished, click Run CCleaner
    CCleaner now removes the temp files, cookies, etc. that it found.

    Fixing registry issues

    Select Registry from the column on the left
    Click Scan for registry issues at the bottom
    When the scan is finished and you are sure that you want to fix the entries that are ticked, click Fix selected registry issues
    You will be asked "do you want to back up the changes to the registry"; click Yes
    Save the backup to, for example, the "My Documents" folder.
    In the new window that opens, click Fix all selected issues
    You will get one more confirmation prompt; click OK
    When the issues have been fixed, click Close
    You can now close CCleaner by clicking the red cross at the top right

    ===============

    1. Click Start > right-click My Computer
    2. Select Properties
    3. Select the System Restore tab
    4. Tick ¤ Turn off System Restore on all drives
    5. Click Apply
    6. Click OK
    7. Shut down and start up again
    8. Remove the tick from ¤ Turn off System Restore on all drives
    9. Apply and OK

    ==============

    Type into the Run box

    ComboFix /u

    Click OK

    =========

    Download OTMoveIt and save it to your desktop.

    Double-click OTMoveIt.exe.
    Click CleanUp!.
    Select Yes when asked "Begin cleanup Process?".
    If you are asked whether the computer may be restarted, select Yes. OTMoveIt removes itself when it is done; if it does not, delete it yourself.

    NOTE: If your firewall or some other security program warns that OTMoveIt is trying to access the internet, allow it.
     
  13. bonfire81

    bonfire81 Member

    I ran that program and restarted the computer when the program asked for it. The program also removed itself after the reboot.

    This made no difference to how the computer works.
     
  14. Hujo

    Hujo Guest

    Run that eScan
     
  15. bonfire81

    bonfire81 Member

    Extracting eScan succeeds, but after that the message appears again: "eScan Antivirus Toolkit Utility - Some of MWAV.EXE infected by virus!!! Try again..."
     
  16. Hujo

    Hujo Guest

    What is claiming that?

    ==============

    Update SUPERAntiSpyware and run a full scan
     
  17. bonfire81

    bonfire81 Member

    When I try to install SUPERAntiSpyware, Windows Installer reports that it cannot be used and that Windows safe mode or a faulty installation of Windows Installer may be preventing its use.
     
  18. Hujo

    Hujo Guest

    A repair installation of the operating system.
     
  19. bonfire81

    bonfire81 Member

    Yep, I'll have to do that repair installation.

    By the way, is there any information about the message "win32: junkpoly [Cryp]"? Somewhere it was suggested that this is an erroneous report by Avast. Why does Avast report this virus in almost every scan? On the other hand, some English-language site had instructions for removing it: run a scan with, for example, Avast and Anti-Malware while System Restore is disabled. I tried that too, but the message came back the next day.
     
  20. Hujo

    Hujo Guest

    Well, there is some pretty grim reading about that one too.

    But what is more of a nuisance here this time is that programs don't work,
    they just throw errors, and also that exe infection.
    It would probably be best to reinstall the whole machine.


     
  21. bonfire81

    bonfire81 Member

    Thanks to Hujo for the instructions and the effort. I learned something new myself and got to know a few new programs along the way. I reinstalled XP and now the computer is up and running again.

    It may be that the problems originally came from an external hard drive, on which two viruses are found. F-Secure cannot remove these viruses, and the folders cannot be deleted either, because the viruses are located in "system volume information". The viruses are:

    virus.win32.virut.ce
    packed.win32.krap.b

    Is there any way to clean it other than formatting the external drive?
     
