"New" MSN virus - HJT log

Thread in the Viruses and malware - HijackThis logs section. Thread started by jsss 19.06.2008.

  1. jsss

    jsss Member (Joined: 19.06.2008, Messages: 30, Thanks: 0, Points: 16)

    Hi,

    a couple of weeks ago the missus managed to get that newer MSN virus, the one that spreads with a Finnish-language message, onto my laptop. The symptoms were certain websites not working, reinstalling MSN Messenger not working, occasional notifications from Norman about a virus placed in quarantine, general slowness of the machine, etc.

    I deleted the zips disguised as .jpg files that the virus dropped on the C: drive, and Norman, Avast, AVG, AdAware and SDFix have all been run on the machine. The last one seemed to have the most effect - but the result is still an error message about a non-working/missing .dll application at every boot, plus occasional Norman notifications about a Virtumondo virus placed in quarantine.

    The HijackThis log looks like this:

    I also just ran RegSeeker, which removed some registry entries.

    Thanks for any help.

    -J


    EDIT: The OS is XP with SP2.
     
    Last edited: 19.06.2008
  3. yaht

    yaht Regular member (Joined: 07.12.2005, Messages: 2,261, Thanks: 0, Points: 46)

    1. Download Combofix.exe to your desktop from either of these links:
    Combofix.exe
    Combofix.exe

    Open Notepad and copy/paste the contents of the Quote: box into it:

    Save it as CFScript (ComboFix actually recognises it even if the file extension isn't .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Don't click)

    [image]

    Note! Don't click around in the ComboFix window while it is running. This may cause the program to hang.
    Restart the computer if asked to, and post the contents of the combofix.txt file here.

    Close your browser and other programs for the duration of the fix. (not the antivirus)
    Start HijackThis, run Scan, tick the following entries listed in red and remove them. (Fix checked)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {7F0DC01B-D52A-4393-A2F5-C7E5267AE814} - (no file)
    O4 - HKLM\..\Run: [Windows svchost] service.exe
    O4 - HKLM\..\Run: [BMd3c5c1cd] Rundll32.exe "C:\WINDOWS\system32\brhacohv.dll",s

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, right before posting)
    * The (C:\ComboFix.txt) report

    You could remove WhatPulse if you didn't install it yourself.
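As an added illustration of what the helper's HijackThis instructions above check for (my code, not something from the thread, HijackThis or ComboFix), a small Python triage script: it parses O2/O4 lines of an HJT log, flags the kinds of entries yaht asked the poster to fix (orphaned BHOs, a Run value borrowing a Windows process name that launches a bare file, and a Vundo-style Rundll32 entry loading a randomly named DLL), and diffs a before/after log to confirm they are gone. The sample lines are constructed from those quoted in the thread; the heuristics are my own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis (HJT) logs: flag suspicious O2/O4 entries and
confirm they disappeared from a later log. Added example, not tool code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows process names that malware borrows for its Run value name so
# the entry looks legitimate at a glance (heuristic list, an assumption).
SYSTEM_PROCESS_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services", "smss")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# Vundo/Virtumonde-style entry as it appears in this thread: value name "BM" +
# 8 hex digits, launching Rundll32.exe on an 8-letter DLL under system32.
VUNDO_VALUE_RE = re.compile(r"^BM[0-9a-f]{8}$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

# Constructed sample: the four entries yaht told the poster to fix, plus three
# benign entries from the posted log, in the form an HJT scan prints them.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F0DC01B-D52A-4393-A2F5-C7E5267AE814} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [BMd3c5c1cd] Rundll32.exe "C:\WINDOWS\system32\brhacohv.dll",s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed "after the fix" log: the same scan with the flagged lines removed.
AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""


@dataclass
class Finding:
    line: str
    reason: str


def _command_target(cmd: str) -> str:
    """Return the executable part of an O4 command (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT O2/O4 line; returns a Finding, or None when it looks benign."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("file") == "(no file)":
            return Finding(line, "orphaned BHO: CLSID registered but no DLL on disk")
        return None
    m = O4_RE.match(line)
    if not m:
        return None
    value, cmd = m.group("value"), m.group("cmd")
    target = _command_target(cmd)
    r = RUNDLL_RE.match(cmd)
    if r:
        dll = r.group("dll").rsplit("\\", 1)[-1]
        # Either the BM+hex value name or an 8-letter DLL name is enough to flag.
        if VUNDO_VALUE_RE.match(value) or re.fullmatch(r"[a-z]{8}\.dll", dll, re.IGNORECASE):
            return Finding(line, f"rundll32 loading randomly named DLL {dll}")
    if any(p in value.lower() for p in SYSTEM_PROCESS_NAMES) and "\\" not in target:
        # A bare file name is resolved via PATH; real system processes are never
        # started this way from a Run value that imitates their name.
        return Finding(line, f"value name mimics a Windows process but runs bare '{target}'")
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def removed_entries(before: str, after: str) -> List[str]:
    """HJT entries present in the earlier log but missing from the later one."""
    after_set = {l.strip() for l in after.splitlines()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in after_set]


def fix_confirmed(before: str, after: str) -> bool:
    """True when every entry flagged in `before` is absent from `after`."""
    removed = set(removed_entries(before, after))
    return all(f.line in removed for f in triage_log(before))


if __name__ == "__main__":
    for f in triage_log(BEFORE_LOG):
        print(f"FIX  {f.reason}\n     {f.line}")
    print("all flagged entries removed:", fix_confirmed(BEFORE_LOG, AFTER_LOG))
```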
     
  4. jsss

    jsss Member (Joined: 19.06.2008, Messages: 30, Thanks: 0, Points: 16)

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:22:32, on 19.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Norman\Npm\bin\ELOGSVC.EXE
    C:\Norman\Npm\Bin\Zanda.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Norman\Npm\bin\ZLH.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
    C:\Program Files\WhatPulse\WhatPulse.exe
    C:\Norman\Nvc\BIN\NIP.EXE
    C:\Norman\Npf\BIN\npfmsg2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Norman\Npm\bin\NJEEVES.EXE
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Norman\Nvc\bin\cclaw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LaCie Backup] C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background
    O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE

    --
    End of file - 7023 bytes



    ---

    ComboFix report:

    ComboFix 08-06-16.5 - Jussi 2008-06-19 17:11:52.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.352 [GMT 3:00]
    Running from: C:\Documents and Settings\Jussi\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jussi\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\service.exe
    C:\WINDOWS\system32\brhacohv.dll
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-19 to 2008-06-19 )))))))))))))))))
    .

    2008-06-19 15:23 . 2008-06-19 15:23 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-19 15:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-11 16:17 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 16:17 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:29 . 2008-06-04 22:30 <KANSIO> d-------- C:\Program Files\MSN Messenger
    2008-06-04 22:00 . 2008-06-04 22:00 <KANSIO> d-------- C:\Documents and Settings\Vieras\Application Data\Grisoft
    2008-06-04 20:04 . 2008-06-04 20:04 <KANSIO> d-------- C:\Program Files\Alwil Software
    2008-06-02 20:05 . 2008-06-02 20:06 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-30 20:36 . 2008-05-30 20:39 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-30 20:35 . 2008-05-30 20:35 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-30 19:12 . 2008-05-30 19:12 <KANSIO> d-------- C:\Documents and Settings\Jussi\Deer Hunter
    2008-05-30 19:11 . 2008-05-30 19:11 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\Leadertech
    2008-05-30 11:26 . 2008-05-30 17:43 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\gtk-2.0
    2008-05-30 07:01 . 2008-05-30 23:47 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\.purple
    2008-05-30 07:00 . 2008-05-30 17:35 <KANSIO> d-------- C:\Program Files\Pidgin
    2008-05-30 06:59 . 2008-05-30 06:59 <KANSIO> d-------- C:\Program Files\Common Files\GTK
    2008-05-29 22:47 . 2008-05-30 06:30 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-29 22:47 . 2008-05-29 22:48 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
    2008-05-27 20:15 . 2008-05-27 20:15 56,832 -r-hs---- C:\WINDOWS\winudspm.exe
    2008-05-25 23:16 . 2008-05-30 19:06 <KANSIO> d-------- C:\Program Files\Atari

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-19 14:04 5 ----a-w C:\NPF_USER.DAT
    2008-06-19 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2008-06-19 12:05 --------- d-----w C:\Program Files\Java
    2008-06-04 18:00 --------- d-----w C:\Program Files\DAEMON Tools SearchBar
    2008-05-30 17:56 --------- d-----w C:\Program Files\mIRC
    2008-05-30 17:36 --------- d-----w C:\Program Files\Lavasoft
    2008-05-26 15:18 --------- d-----w C:\Documents and Settings\Jussi\Application Data\Azureus
    2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-21 07:02 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-04 12:40 896 ----a-w C:\Documents and Settings\Jussi\Application Data\wklnhst.dat
    .

    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F0DC01B-D52A-4393-A2F5-C7E5267AE814}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
    "LaCie Backup"="C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 11:30 2596864]
    "WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [2006-08-21 20:48 665600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "XPFix"="C:\Program Files\Wireless 802.11g Monitor\XPFix.exe" [2004-08-12 19:51 135168]
    "SMSERIAL"="sm56hlpr.exe" [2005-07-06 04:47 544768 C:\WINDOWS\sm56hlpr.exe]
    "PowerManager"="C:\Program Files\Power Manager\PM.exe" [2005-12-14 11:08 159744]
    "Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 13:58 183352]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 13:48 157592]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-17 18:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 10:05 217088]
    "Windows svchost"="service.exe" []
    "BMd3c5c1cd"="C:\WINDOWS\system32\brhacohv.dll" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]

    C:\Documents and Settings\All Users\K„ynnist„-valikko\Ohjelmat\K„ynnistys\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-17 21:49:48 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-21 18:21:06 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
    "vidc.dvsd"= pdvcodec.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2004-12-06 11:18]
    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R1 TDI_RD;Firewall Engine Type-R;C:\WINDOWS\system32\drivers\tdi_rd.sys [2004-10-13 23:01]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
    R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
    R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]
    R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-03-15 11:48]
    S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 12:11]
    S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]
    S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]
    S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]
    S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]
    S3 StickCap;Digital TV DVB-T USB Stick adapter service;C:\WINDOWS\system32\Drivers\stickcap.sys []
    S3 stickload;Digital TV stick firmware loader service;C:\WINDOWS\system32\DRIVERS\stickload.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Launcher.exe

    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-19 13:00:00 C:\WINDOWS\Tasks\AB033C399068B465.job"
    - c:\docume~1\jussi\applic~1\cashoo~1\settings gpl mags.exe
    "2008-05-30 18:22:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-19 17:14:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-19 17:15:20
    ComboFix-quarantined-files.txt 2008-06-19 14:14:55
    ComboFix2.txt 2008-06-19 14:08:09

    Pre-Run: 22,885,675,008 tavua vapaana
    Post-Run: 22,896,951,296 tavua vapaana

    140 --- E O F --- 2008-06-11 23:16:58
     
  5. yaht

    yaht Regular member (Joined: 07.12.2005, Messages: 2,261, Thanks: 0, Points: 46)

    1. Download Combofix.exe to your desktop from either of these links:
    Combofix.exe
    Combofix.exe

    Open Notepad and copy/paste the contents of the Quote: box into it:

    Save it as CFScript (ComboFix actually recognises it even if the file extension isn't .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Don't click)

    [image]

    Note! Don't click around in the ComboFix window while it is running. This may cause the program to hang.
    Restart the computer if asked to, and post the contents of the combofix.txt file here.

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, right before posting)
    * The (C:\ComboFix.txt) report
     
  6. jsss

    jsss Member (Joined: 19.06.2008, Messages: 30, Thanks: 0, Points: 16)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:47:15, on 19.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Norman\Npm\bin\ELOGSVC.EXE
    C:\Norman\Npm\Bin\Zanda.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Norman\Npm\bin\ZLH.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
    C:\Program Files\WhatPulse\WhatPulse.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Norman\Nvc\BIN\NIP.EXE
    C:\Norman\Npf\BIN\npfmsg2.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Norman\Npm\bin\NJEEVES.EXE
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Norman\Nvc\bin\cclaw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LaCie Backup] C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background
    O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE

    --
    End of file - 7137 bytes


    ---


    ComboFix 08-06-16.5 - Jussi 2008-06-19 17:36:14.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.351 [GMT 3:00]
    Running from: C:\Documents and Settings\Jussi\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jussi\Työpöytä\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-19 to 2008-06-19 )))))))))))))))))
    .

    2008-06-19 15:23 . 2008-06-19 15:23 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-19 15:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-11 16:17 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 16:17 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:29 . 2008-06-04 22:30 <KANSIO> d-------- C:\Program Files\MSN Messenger
    2008-06-04 22:00 . 2008-06-04 22:00 <KANSIO> d-------- C:\Documents and Settings\Vieras\Application Data\Grisoft
    2008-06-04 20:04 . 2008-06-04 20:04 <KANSIO> d-------- C:\Program Files\Alwil Software
    2008-06-02 20:05 . 2008-06-02 20:06 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-30 20:36 . 2008-05-30 20:39 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-30 20:35 . 2008-05-30 20:35 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-30 19:12 . 2008-05-30 19:12 <KANSIO> d-------- C:\Documents and Settings\Jussi\Deer Hunter
    2008-05-30 19:11 . 2008-05-30 19:11 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\Leadertech
    2008-05-30 11:26 . 2008-05-30 17:43 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\gtk-2.0
    2008-05-30 07:01 . 2008-05-30 23:47 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\.purple
    2008-05-30 07:00 . 2008-05-30 17:35 <KANSIO> d-------- C:\Program Files\Pidgin
    2008-05-30 06:59 . 2008-05-30 06:59 <KANSIO> d-------- C:\Program Files\Common Files\GTK
    2008-05-29 22:47 . 2008-05-30 06:30 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-29 22:47 . 2008-05-29 22:48 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
    2008-05-27 20:15 . 2008-05-27 20:15 56,832 -r-hs---- C:\WINDOWS\winudspm.exe
    2008-05-25 23:16 . 2008-05-30 19:06 <KANSIO> d-------- C:\Program Files\Atari

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-19 14:20 5 ----a-w C:\NPF_USER.DAT
    2008-06-19 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2008-06-19 12:05 --------- d-----w C:\Program Files\Java
    2008-06-04 18:00 --------- d-----w C:\Program Files\DAEMON Tools SearchBar
    2008-05-30 17:56 --------- d-----w C:\Program Files\mIRC
    2008-05-30 17:36 --------- d-----w C:\Program Files\Lavasoft
    2008-05-26 15:18 --------- d-----w C:\Documents and Settings\Jussi\Application Data\Azureus
    2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-21 07:02 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-04 12:40 896 ----a-w C:\Documents and Settings\Jussi\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-19_17.07.34.46 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-19 14:00:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 14:19:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 14:19:42 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_734.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
    "LaCie Backup"="C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 11:30 2596864]
    "WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [2006-08-21 20:48 665600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "XPFix"="C:\Program Files\Wireless 802.11g Monitor\XPFix.exe" [2004-08-12 19:51 135168]
    "SMSERIAL"="sm56hlpr.exe" [2005-07-06 04:47 544768 C:\WINDOWS\sm56hlpr.exe]
    "PowerManager"="C:\Program Files\Power Manager\PM.exe" [2005-12-14 11:08 159744]
    "Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 13:58 183352]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 13:48 157592]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-17 18:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 10:05 217088]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]

    C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-17 21:49:48 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-21 18:21:06 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
    "vidc.dvsd"= pdvcodec.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2004-12-06 11:18]
    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R1 TDI_RD;Firewall Engine Type-R;C:\WINDOWS\system32\drivers\tdi_rd.sys [2004-10-13 23:01]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
    R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
    R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]
    R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-03-15 11:48]
    S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 12:11]
    S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]
    S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]
    S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]
    S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]
    S3 StickCap;Digital TV DVB-T USB Stick adapter service;C:\WINDOWS\system32\Drivers\stickcap.sys []
    S3 stickload;Digital TV stick firmware loader service;C:\WINDOWS\system32\DRIVERS\stickload.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Launcher.exe

    *Newly Created Service* - CATCHME
    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-19 13:00:00 C:\WINDOWS\Tasks\AB033C399068B465.job"
    - c:\docume~1\jussi\applic~1\cashoo~1\settings gpl mags.exe
    "2008-05-30 18:22:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-19 17:38:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-19 17:40:16
    ComboFix-quarantined-files.txt 2008-06-19 14:40:05
    ComboFix2.txt 2008-06-19 14:15:21
    ComboFix3.txt 2008-06-19 14:08:09

    Pre-Run: 22,883,516,416 tavua vapaana
    Post-Run: 22,873,280,512 tavua vapaana

    142 --- E O F --- 2008-06-11 23:16:58
     
  7. yaht

  8. jsss

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:17:20, on 19.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LaCie Backup] C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background
    O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE

    --
    End of file - 5374 bytes


    ---


    ComboFix 08-06-16.5 - Jussi 2008-06-19 18:03:52.4 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.724 [GMT 3:00]
    Running from: C:\Documents and Settings\Jussi\Työpöytä\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jussi\Työpöytä\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\winudspm.exe
    .

    (((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\winudspm.exe

    .
    ((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-05-19 to 2008-06-19 )))))))))))))))))
    .

    2008-06-19 15:23 . 2008-06-19 15:23 <KANSIO> d-------- C:\Program Files\Trend Micro
    2008-06-19 15:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-11 16:17 . 2008-04-14 18:52 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 16:17 . 2008-04-14 18:52 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:29 . 2008-06-04 22:30 <KANSIO> d-------- C:\Program Files\MSN Messenger
    2008-06-04 22:00 . 2008-06-04 22:00 <KANSIO> d-------- C:\Documents and Settings\Vieras\Application Data\Grisoft
    2008-06-04 20:04 . 2008-06-04 20:04 <KANSIO> d-------- C:\Program Files\Alwil Software
    2008-06-02 20:05 . 2008-06-02 20:06 <KANSIO> d-------- C:\WINDOWS\ERUNT
    2008-05-30 20:36 . 2008-05-30 20:39 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-30 20:35 . 2008-05-30 20:35 <KANSIO> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-30 19:12 . 2008-05-30 19:12 <KANSIO> d-------- C:\Documents and Settings\Jussi\Deer Hunter
    2008-05-30 19:11 . 2008-05-30 19:11 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\Leadertech
    2008-05-30 11:26 . 2008-05-30 17:43 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\gtk-2.0
    2008-05-30 07:01 . 2008-05-30 23:47 <KANSIO> d-------- C:\Documents and Settings\Jussi\Application Data\.purple
    2008-05-30 07:00 . 2008-05-30 17:35 <KANSIO> d-------- C:\Program Files\Pidgin
    2008-05-30 06:59 . 2008-05-30 06:59 <KANSIO> d-------- C:\Program Files\Common Files\GTK
    2008-05-29 22:47 . 2008-05-30 06:30 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-29 22:47 . 2008-05-29 22:48 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
    2008-05-25 23:16 . 2008-05-30 19:06 <KANSIO> d-------- C:\Program Files\Atari

    .
    (((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-19 14:43 5 ----a-w C:\NPF_USER.DAT
    2008-06-19 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2008-06-19 12:05 --------- d-----w C:\Program Files\Java
    2008-06-04 18:00 --------- d-----w C:\Program Files\DAEMON Tools SearchBar
    2008-05-30 17:56 --------- d-----w C:\Program Files\mIRC
    2008-05-30 17:36 --------- d-----w C:\Program Files\Lavasoft
    2008-05-26 15:18 --------- d-----w C:\Documents and Settings\Jussi\Application Data\Azureus
    2008-05-16 08:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:15 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-29 08:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 08:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 08:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-21 07:02 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-04 12:40 896 ----a-w C:\Documents and Settings\Jussi\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-19_17.07.34.46 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-19 14:00:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 14:59:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    (((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
    "LaCie Backup"="C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" [2006-07-06 11:30 2596864]
    "WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [2006-08-21 20:48 665600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "XPFix"="C:\Program Files\Wireless 802.11g Monitor\XPFix.exe" [2004-08-12 19:51 135168]
    "SMSERIAL"="sm56hlpr.exe" [2005-07-06 04:47 544768 C:\WINDOWS\sm56hlpr.exe]
    "PowerManager"="C:\Program Files\Power Manager\PM.exe" [2005-12-14 11:08 159744]
    "Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 13:58 183352]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 13:48 157592]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-17 18:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 10:05 217088]
    "MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-09-15 15:00 159232]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]

    C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-17 21:49:48 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-21 18:21:06 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
    "vidc.dvsd"= pdvcodec.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2004-12-06 11:18]
    S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    S1 TDI_RD;Firewall Engine Type-R;C:\WINDOWS\system32\drivers\tdi_rd.sys [2004-10-13 23:01]
    S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    S2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
    S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 12:11]
    S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]
    S3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
    S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]
    S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]
    S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-03-15 11:48]
    S3 StickCap;Digital TV DVB-T USB Stick adapter service;C:\WINDOWS\system32\Drivers\stickcap.sys []
    S3 stickload;Digital TV stick firmware loader service;C:\WINDOWS\system32\DRIVERS\stickload.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Launcher.exe

    .
    'Ajoitetut tehtävät'-kansion sisältö
    "2008-06-19 13:00:00 C:\WINDOWS\Tasks\AB033C399068B465.job"
    - c:\docume~1\jussi\applic~1\cashoo~1\settings gpl mags.exe
    "2008-05-30 18:22:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-19 18:07:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-19 18:11:06
    ComboFix-quarantined-files.txt 2008-06-19 15:10:07
    ComboFix2.txt 2008-06-19 14:40:17
    ComboFix3.txt 2008-06-19 14:15:21
    ComboFix4.txt 2008-06-19 14:08:09

    Pre-Run: 23,046,152,192 tavua vapaana
    Post-Run: 23,044,935,680 tavua vapaana

    145 --- E O F --- 2008-06-11 23:16:58
     
  9. yaht

    There, it's gone now :D

    ******************************************
    Type ComboFix.exe /u into the Run box of the Windows Start menu and press OK
    ***************************************************************************


    Download Malwarebytes' Anti-Malware to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, the program will download and install the latest version.
    * Once the program has loaded, select Perform full scan and click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure everything is checked and click Remove Selected.
    * The log will then open in Notepad. Save it somewhere you can find it easily. The log can also be found
    here: C:\Documents and Settings\Käyttäjänimi\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-päiväys.txt
    * Post the contents of the log in your next reply, plus a new HJT log.
     
  10. Hujo


    Two antivirus programs

    avast and Norman: remove one of them


    ===========

    Download NoLop to your desktop from one of the following links...
    Link1
    Link2
    Link3

    1. Close all programs, because this step requires a reboot
    2. Double-click NoLop.exe to run it
    3. Click the "Search and Destroy" button
    <<Your computer will be scanned for infected files>>
    4. When the scan is complete, you will be asked to restart the computer if an infection is found. Click OK
    5. Click the "REBOOT" button.
    6. NoLop should give a message. If it does not, double-click the program and it will finish. Post the contents of C:\NoLop.log along with a new HijackThis log.
    -- If you get the following error, "mscomctl.ocx or one of its dependencies are not correctly registered," download mscomctl.ocx and save it to your system32 directory (usually c:\Windows\system32). Then run the program again.
     
    Last edited by a moderator: 19.06.2008
  11. jsss

    yaht:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:18:14, on 19.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Norman\Npm\bin\ELOGSVC.EXE
    C:\Norman\Npm\Bin\Zanda.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Norman\Npm\bin\ZLH.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
    C:\Program Files\WhatPulse\WhatPulse.exe
    C:\Norman\Npm\bin\NJEEVES.EXE
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\Norman\Nvc\BIN\NIP.EXE
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Norman\Npf\BIN\npfmsg2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Norman\Nvc\bin\cclaw.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LaCie Backup] C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background
    O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE

    --
    End of file - 6182 bytes



    ---



    Malwarebytes' Anti-Malware 1.17
    Tietokantaversio: 869

    19:17:38 19.6.2008
    mbam-log-6-19-2008 (19-17-38).txt

    Tarkistustyyppi: Täysi tarkistus (C:\|)
    Tarkistetut kohteet: 94181
    Kulunut aika: 46 minute(s), 49 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 3
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 1

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.



    Hujo: The links don't seem to work. The first one refuses to save, and the other two don't exist.

    EDIT: It works now. Here are the logs:

    NoLop! Log by Skate_Punk_21

    Fix running from: C:\Program Files\Mozilla Firefox
    [19.6.2008]
    [19:24:18]

    ---Infection Files Found/Removed---
    C:\WINDOWS\tasks\AB033C399068B465.job

    Beginning Removal...
    Rebooting...
    Removing Lop's Leftover Files/Folders...
    Editing Registry...
    **Fix Complete!**

    ---Listing AppData sub directories---

    C:\Documents and Settings\All Users\Application Data\Adobe
    C:\Documents and Settings\All Users\Application Data\Apple Computer
    C:\Documents and Settings\All Users\Application Data\Autodesk
    C:\Documents and Settings\All Users\Application Data\Canonbj
    C:\Documents and Settings\All Users\Application Data\Grisoft
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    C:\Documents and Settings\All Users\Application Data\Logishrd
    C:\Documents and Settings\All Users\Application Data\Logitech
    C:\Documents and Settings\All Users\Application Data\Malwarebytes
    C:\Documents and Settings\All Users\Application Data\Microsoft
    C:\Documents and Settings\All Users\Application Data\Npf
    C:\Documents and Settings\All Users\Application Data\Roam Army Ref Bait
    C:\Documents and Settings\All Users\Application Data\Two Setup Mode Load -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
    C:\Documents and Settings\All Users\Application Data\Windowsliveinstaller
    C:\Documents and Settings\All Users\Application Data\Wlinstaller
    C:\Documents and Settings\Default User\Application Data\Microsoft
    C:\Documents and Settings\Jussi\Application Data\.purple
    C:\Documents and Settings\Jussi\Application Data\Adobe
    C:\Documents and Settings\Jussi\Application Data\Adobeum
    C:\Documents and Settings\Jussi\Application Data\Apple Computer
    C:\Documents and Settings\Jussi\Application Data\Autodesk
    C:\Documents and Settings\Jussi\Application Data\Azureus
    C:\Documents and Settings\Jussi\Application Data\Bsplayer
    C:\Documents and Settings\Jussi\Application Data\Canon
    C:\Documents and Settings\Jussi\Application Data\Dvdcss
    C:\Documents and Settings\Jussi\Application Data\Google
    C:\Documents and Settings\Jussi\Application Data\Gtk-2.0
    C:\Documents and Settings\Jussi\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Jussi\Application Data\Identities
    C:\Documents and Settings\Jussi\Application Data\Installshield
    C:\Documents and Settings\Jussi\Application Data\Lacie
    C:\Documents and Settings\Jussi\Application Data\Leadertech
    C:\Documents and Settings\Jussi\Application Data\Lego Company
    C:\Documents and Settings\Jussi\Application Data\Logitech
    C:\Documents and Settings\Jussi\Application Data\Macromedia
    C:\Documents and Settings\Jussi\Application Data\Malwarebytes
    C:\Documents and Settings\Jussi\Application Data\Microsoft
    C:\Documents and Settings\Jussi\Application Data\Mozilla
    C:\Documents and Settings\Jussi\Application Data\Screenshot Sender
    C:\Documents and Settings\Jussi\Application Data\Sun
    C:\Documents and Settings\Jussi\Application Data\Template
    C:\Documents and Settings\Jussi\Application Data\Vlc
    C:\Documents and Settings\Jussi\Application Data\Whenu
    C:\Documents and Settings\Localservice\Application Data\Microsoft
    C:\Documents and Settings\Networkservice\Application Data\Microsoft
    C:\Documents and Settings\Ursula\Application Data\Mozilla
    C:\Documents and Settings\Vieras\Application Data\Apple Computer
    C:\Documents and Settings\Vieras\Application Data\Grisoft
    C:\Documents and Settings\Vieras\Application Data\Identities
    C:\Documents and Settings\Vieras\Application Data\Macromedia
    C:\Documents and Settings\Vieras\Application Data\Microsoft
    C:\Documents and Settings\Vieras\Application Data\Mozilla



    ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:29:33, on 19.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Norman\Npm\bin\ELOGSVC.EXE
    C:\Norman\Npm\Bin\Zanda.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Norman\Npm\bin\NJEEVES.EXE
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Power Manager\PM.exe
    C:\Norman\Npm\bin\ZLH.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Norman\Nvc\BIN\NIP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Norman\Nvc\bin\cclaw.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Norman\Npf\BIN\npfmsg2.exe
    C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WhatPulse\WhatPulse.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [LaCie Backup] C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background
    O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE

    --
    End of file - 6160 bytes
     
    Last edited: 19.06.2008
  12. Hujo

    Hujo Guest

    All good.
     
  13. jsss

    jsss Member

    Joined:
    19.06.2008
    Messages:
    30
    Thanks:
    0
    Points:
    16
    A thousand thanks, and happy Midsummer! :)
     
