Removing iexplore.exe virus / hijack log




#1
10 November 2008, 18:14
Member

Hey guys,
Um. Every time I start the computer, iexplore.exe (in the task manager) comes up all by itself. I never use Internet Explorer, I use Firefox, but this comes up on its own. It is also using most of my memory. I am also getting a billion pop-ups which I am willing to bet are from this. When I end the process it comes back up 3 or 4 times, then it usually goes away after the 5th time I end it. But that only lasts about 5 min, then it is back. Does anyone know what is going on? I have run virus scans with Ad-Aware, Norton, etc., but they have not found anything.
Additional details:
I have Windows XP
&& Also there are sounds coming from ads. I have tried everything. Thanks in advance ^__^

I am kind of new here. So erm. Can someone tell me how to remove it? In a simple-ish way? =S





Logfile of HijackThis v1.99.1
Scan saved at 6:14:25 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\Lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\System32\Svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\kbd\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\Ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\Svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\0LFlxR4x.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\WINDOWS\system32\efcdbxx.dll (file missing)
O2 - BHO: (no name) - {4715C8BC-0204-06D4-0A62-2E00BBB78BBD} - C:\WINDOWS\system32\izf.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {843B515A-BBC4-4AF2-916D-69E9F7DD8F9D} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: {684a8728-dd11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\WINDOWS\system32\ikwijhuy.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [kbd] C:\HP\kbd\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - HKCU\..\Run: [Ctfmon.exe] C:\WINDOWS\system32\Ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: MusicMatch MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\Office12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: efcdbxx - efcdbxx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PML Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
#2
10 November 2008, 20:23
Moderator Group

Welcome CJ.

Please print these instructions, as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights
  • Double-click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows directory, usually C:\SDFix).
  • Please do not run it yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services or registry entries found, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
----------

Also, please install the new version of HijackThis and post a new log from it in Normal boot mode after SDFix is complete.

Download TrendMicro HijackThis.exe (HJT) to your Desktop.
  • Double-click HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Once installed, HijackThis should open for you.
  • Click on the Do a system scan and save a logfile button
  • HijackThis will scan and then a log will open in Notepad.
  • Copy and paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds is harmless or even required.

#3
11 November 2008, 08:55
Member

SDFix Report


SDFix: Version 1.240
Run by Administrator on Tue 11/11/2008 at 08:39

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\nvcoi\mst.stt - Deleted



Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\sanR24 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 08:47:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hooks ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\Parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\Parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 14 Nov 2007         204 A.SHR --- "C:\BOOT.BAK"
Fri 22 Aug 2008     635,848 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Thu 15 Jul 2004           0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Thu 10 Jan 2008       4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 10 Jan 2008         401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Wed 29 Oct 2008       3,442 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp"

Finished!



------------------------------------------




HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:16 AM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\Lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\System32\Svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\Svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\kbd\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\Ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4715C8BC-0204-06D4-0A62-2E00BBB78BBD} - C:\WINDOWS\system32\izf.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {843B515A-BBC4-4AF2-916D-69E9F7DD8F9D} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: {684a8728-dd11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\WINDOWS\system32\ikwijhuy.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [kbd] C:\HP\kbd\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Ctfmon.exe] C:\WINDOWS\system32\Ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: MusicMatch MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PML Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9268 bytes
#4
11 November 2008, 11:07
Moderator Group

Download Uninstall / Remove Windows Messenger to your Desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger, because they are not the same. Windows Messenger is often the cause of pop-ups.

Unzip the file to your desktop. Open MessengerDisable.exe and tick the bottom box -- Uninstall Windows Messenger -- and click Apply.

Exit out of MessengerDisable, then delete the two files that were placed on the Desktop.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if present)

- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- O2 - BHO: (no name) - {4715C8BC-0204-06D4-0A62-2E00BBB78BBD} - C:\WINDOWS\system32\izf.dll (file missing)
- O2 - BHO: (no name) - {843B515A-BBC4-4AF2-916D-69E9F7DD8F9D} - C:\WINDOWS\system32\vtsqo.dll (file missing)
- O2 - BHO: {684a8728-DD11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\WINDOWS\system32\ikwijhuy.dll (file missing)
- O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------


Note: The following instructions have been created specifically for this user. If you are not this user, do NOT follow these instructions, as they could damage the workings of your system

Go to Start > Run and type notepad.exe, then OK

Copy and paste the text below into Notepad and save it as fixme.reg on your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge it into the registry.

Make sure to let me know whether you get a success message when adding the above registry entry. If you do not get a success message, it did not work.

Delete fixme.reg from your desktop.

----------

Download ComboFix by sUBs from one of the links below. Be sure to save it to your Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Internet browsers (Firefox, Internet Explorer etc.) before running ComboFix.

Temporarily disable your antivirus, and any antispyware real-time protection, before performing a scan. Click the link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.

Windows XP Systems Installing the Recovery Console:

- If you are running Windows XP and do not already have the Recovery Console installed, make sure your Internet connection is active (if possible) and click Yes.
- If for some reason the Internet is not working, click No.
- If you are not running Windows XP, you will not be prompted.
- When prompted to accept the End User License Agreement, click OK.
- Accept the Microsoft EULA (click Yes).
- When it says the RC is installed correctly, click YES to continue scanning for malware.

When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click in the ComboFix window while it is running. This may cause it to stall.

Remember to re-enable your antivirus and antispyware protection once ComboFix is complete.

Also, I would like to know how the computer is running now.
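The checks the helper ticked by hand in this post (registrations whose file is gone, a Run entry that is a bare filename, the same DLL name under more than one hook section, a random-looking executable under system32 in the process list) can be run over a HijackThis log mechanically. The script below is an added example, not part of this thread or of HijackThis itself; the sample log is a constructed excerpt of the first log posted above, and the "random-looking name" check is a heuristic of my own, not a rule the helper stated.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis
component).  It applies the checks the helper in this thread applied by hand:
registrations whose file is gone, Run entries that are bare filenames,
one DLL name appearing in several hook sections, and running processes with
random-looking names under system32 (a heuristic, flagged for review only)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the first HijackThis log in this thread
# (separators normalised, most entries omitted).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1

Running processes:
C:\\WINDOWS\\system32\\Svchost.exe
C:\\WINDOWS\\system32\\0LFlxR4x.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\\WINDOWS\\system32\\efcdbxx.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O20 - Winlogon Notify: efcdbxx - efcdbxx.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R[01]) - (.*)$")
DLL_RE = re.compile(r"([\w~.-]+\.dll)", re.IGNORECASE)
# Heuristic only: eight alphanumerics mixing digits, lower and upper case.
RANDOM_EXE_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8}\.exe$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_entries(text):
    """Return (section, body, raw_line) for every Rn/On entry in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def running_processes(text):
    """Return the paths listed under 'Running processes:' (block ends at a blank line)."""
    procs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_block = True
        elif in_block and not line:
            in_block = False
        elif in_block:
            procs.append(line)
    return procs


def triage(text):
    """Return a list of findings; each is a dict with 'kind' and 'line'."""
    findings = []
    dll_sections = defaultdict(set)   # dll basename -> sections mentioning it
    for section, body, line in parse_entries(text):
        if section in ("O2", "O20"):
            # Registration left behind after its file was removed: tidy-up candidate.
            if body.lower().endswith(MISSING_MARKERS):
                findings.append({"kind": "orphaned-registration", "line": line})
            m = DLL_RE.search(body)
            if m:
                dll_sections[m.group(1).lower()].add(section)
        elif section == "O4":
            # Only the '[name] command' form; a command with no directory part is
            # resolved through the PATH search, so verify it on disk.
            m = re.search(r"\]\s*(.*)$", body)
            if m and "\\" not in m.group(1):
                findings.append({"kind": "bare-run-entry", "line": line})
    for dll, sections in dll_sections.items():
        if len(sections) > 1:
            findings.append({"kind": "dll-in-several-hooks",
                             "line": f"{dll} in {sorted(sections)}"})
    for path in running_processes(text):
        base = path.rsplit("\\", 1)[-1]
        if "system32" in path.lower() and RANDOM_EXE_RE.match(base):
            findings.append({"kind": "random-name-in-system32", "line": path})
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:26} {f['line']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every finding is a review prompt, not a verdict: the ATIModeChange and LTMSG entries in the full log above are bare filenames too and are vendor software, so the file on disk is what decides.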

#5
11 November 2008, 11:55
Member

ComboFix loki


ComboFix 08-11-10.01 - Administrator 2008-11-11 11:39:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.176 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\TSKS~1
C:\Program Files\Common Files\racle~1
C:\Program Files\stem32~1
C:\Program Files\wnsxs~1
C:\windows\BMf3ec611b.txt
c:\windows\system32\0LFlxR4x.exe.a_a
C:\windows\system32\epljwqgq.ini
C:\windows\system32\fj8wNOvc.exe.a_a
C:\windows\system32\icidbcft.ini
C:\windows\system32\iDlo01
C:\windows\system32\jrjvfibu.ini
C:\windows\system32\jryeuaqx.ini
C:\windows\system32\mcrh.tmp
C:\windows\system32\MSINET.oca
C:\windows\system32\mvmqocpc.ini
C:\windows\system32\oqstv.ini
C:\windows\system32\oqstv.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 08:54 . 2008-11-11 08:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-11-11 08:38 . 2008-11-11 08:38 578,560 -----c--- C:\windows\system32\dllcache\user32.dll
2008-11-11 08:29 . 2008-11-11 08:29 <DIR> d-------- C:\windows\ERUNT
2008-11-11 08:23 . 2008-11-11 08:51 <DIR> d-------- C:\sdfix
2008-11-02 09:12 . 2008-11-10 14:10 41,474 -a------ C:\windows\system32\0LFlxR4x.exe_
2008-11-02 09:12 . 2008-11-11 09:12 40,450 -a------ C:\windows\system32\0LFlxR4x.exe
2008-10-31 18:00 . 2008-10-31 18:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-10-31 16:40 . 2008-10-31 16:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-10-31 16:39 . 2008-11-10 17:27 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-29 17:23 . 2008-10-29 17:23 <DIR> d-------- C:\windows\system32\CatRoot_bak
2008-10-29 17:23 . 2008-09-08 03:41 333,824 -----c--- C:\windows\system32\dllcache\Srv.sys
2008-10-29 17:23 . 2008-06-13 04:05 272,128 -----c--- C:\windows\system32\dllcache\bthport.sys
2008-10-29 17:23 . 2008-08-14 03:04 138,496 -----c--- C:\windows\system32\dllcache\afd.sys
2008-10-29 17:22 . 2008-08-14 03:11 2,189,184 -----c--- C:\windows\system32\dllcache\ntoskrnl.exe
2008-10-29 17:22 . 2008-08-14 03:09 2,145,280 -----c--- C:\windows\system32\dllcache\Ntkrnlmp.exe
2008-10-29 17:22 . 2008-08-14 02:33 2,066,048 -----c--- C:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-29 17:22 . 2008-08-14 02:33 2,023,936 -----c--- C:\windows\system32\dllcache\Ntkrpamp.exe
2008-10-29 17:22 . 2008-09-15 05:12 1,846,400 -----c--- C:\windows\system32\dllcache\Win32k.sys
2008-10-29 17:22 . 2008-04-11 12:04 691,712 -----c--- C:\windows\system32\dllcache\Inetcomm.dll
2008-10-29 17:22 . 2008-05-08 07:02 203,136 -----c--- C:\windows\system32\dllcache\rmcast.sys
2008-10-28 18:39 . 2008-10-28 18:39 10 -a------ C:\Windows\Wininit.ini
2008-10-23 14:45 . 2008-10-15 09:34 337,408 -----c--- C:\windows\system32\dllcache\Netapi32.dll
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- C:\windows\system32\scripting
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- C:\windows\system32\FI
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- C:\windows\system32\bits
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- C:\windows\l2schemas
2008-10-15 18:23 . 2007-06-13 03:23 1,033,216 -a------ C:\windows\SET25A.tmp
2008-10-15 18:22 . 2008-08-14 03:09 2,145,280 -a------ C:\windows\system32\ntoskrnl.exe
2008-10-15 16:09 . 2008-10-15 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2008-10-12 17:26 . 2008-10-12 17:25 30,272 -a------ C:\windows\system32\fj8wNOvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 18:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-11-10 22:05 --------- d-----w C:\Program Files\DivX
2008-11-10 22:03 --------- d-----w C:\Program Files\Java
2008-11-10 01:37 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2008-11-10 01:35 --------- d-----w C:\Program Files\Microsoft Works
2008-11-08 02:37 90,112 ----a-w C:\windows\DUMP3a98.tmp
2008-11-08 01:26 30 ----a-w C:\Documents and Settings\Administrator\jagex_runescape_preferences.dat
2008-10-29 22:21 77,824 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\FDIWrapper.dll
2008-10-29 22:21 69,632 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\msxmlwrapper.dll
2008-10-29 22:21 5,632 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\GUI.dll
2008-10-29 22:21 49,152 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\PCHI18N.dll
2008-10-29 22:21 32,768 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\pchapi.dll
2008-10-29 22:21 26,572 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\INV16.dll
2008-10-29 22:21 213,089 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\motive.zip
2008-10-29 22:21 139,264 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\ContentUpdater.exe
2008-10-29 22:21 114,688 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\ZipLib.dll
2008-10-29 22:21 114,688 ----a-w C:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\asst_ui.dll
2008-10-29 22:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-29 22:11 --------- d-----w C:\Program Files\ATI Technologies
2008-10-25 01:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-10-16 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-16 01:06 --------- d-----w C:\Program Files\Google
2008-09-28 22:59 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-22 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-09-22 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\acccore
2008-09-22 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-17 01:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\VSO
2008-09-15 12:12 1,846,400 ----a-w C:\Windows\system32\Win32k.sys
2008-08-26 07:24 826,368 ----a-w C:\windows\system32\Wininet.dll
2008-08-14 09:33 2,023,936 ----a-w C:\windows\system32\ntkrnlpa.exe
2007-12-28 00:53 79,738 ----a-w C:\Documents and Settings\Fonts\broken_ghost.zip
2007-11-23 01:25 81,920 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2007-11-23 01:25 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon.exe"="c:\windows\system32\Ctfmon.exe" [2008-04-13 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-03-08 910336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\Windows\ehome\ehtray.exe" [2004-08-04 50176]
"hpsysdrv"="C:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\Windows\System32\NvCpl.dll,NvStartup" [2003-10-02 118784]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="C:\Windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Real\qttask.exe" [2003-12-17 151597]
"Recguard"="C:\Windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"PCSuiteTrayApplication"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"Cmaudio"="Ati2mdxx.exe" [2001-09-05 C:\WINDOWS\system32\Ati2mdxx.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

C:\Documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-22 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\Services\sharedaccess\Parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates HP\\137903\\Program Files\\BackWeb-137903.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\Outlook.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys [2003-12-10 7040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe Folder.htt 480 480

* Newly Created Service * - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-30 C:\Windows\Tasks\At1.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-11 C:\Windows\Tasks\At10.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 C:\Windows\Tasks\At100.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At101.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At102.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At103.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At104.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At105.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 C:\Windows\Tasks\At106.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 C:\Windows\Tasks\At107.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 C:\Windows\Tasks\At108.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 C:\Windows\Tasks\At109.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 C:\Windows\Tasks\At11.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 C:\Windows\Tasks\At110.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-10 C:\Windows\Tasks\At111.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-10 C:\Windows\Tasks\At112.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-06 C:\Windows\Tasks\At113.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 C:\Windows\Tasks\At114.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 C:\Windows\Tasks\At115.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 C:\Windows\Tasks\At116.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 C:\Windows\Tasks\At117.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At118.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At119.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 C:\Windows\Tasks\At12.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 C:\Windows\Tasks\At120.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 C:\Windows\Tasks\At13.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 C:\Windows\Tasks\At14.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-10 C:\Windows\Tasks\At15.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-10 C:\Windows\Tasks\At16.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-06 C:\Windows\Tasks\At17.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 C:\Windows\Tasks\At18.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-11 C:\Windows\Tasks\At19.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At2.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-11 C:\Windows\Tasks\At20.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 C:\Windows\Tasks\At21.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At22.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At23.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At24.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At3.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At4.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At5.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At6.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-31 C:\Windows\Tasks\At7.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 C:\Windows\Tasks\At8.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-01 C:\Windows\Tasks\At9.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 C:\Windows\Tasks\At97.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At98.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At99.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SWG - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKLM-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - C:\Program Files\HP\(45B6180B-DCAB-4093-8EE8-6164457517F0)\hphupd05.exe
HKLM-Run-AutoTKit - C:\hp\bin\AUTOTKIT.EXE
HKLM-Run-UpdateManager - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
HKLM-Run-ATIPTA - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0rews22y.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0rews22y.default\Extensions\moveplayer@movenetworks.com\Platform\WINNT_x86-MSVC\Plugins\npmnqmp07076007.dll
FF -: plugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\Plugins\npPxPlay.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 11:44:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-11 11:47:43
ComboFix-quarantined-files.txt 2008-11-11 18:46:39

Pre-Run: 89004101632 bytes free
Post-Run: 89081098240 bytes free

272 --- EOF --- 2008-10-30 03:01:59


~
So far iexplore.exe hasn't popped up ^_^
Is there any way to make sure it's gone, though?
&& Is it okay if I delete the things I downloaded?
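As an added example (not code from the forum post, and not part of ComboFix), the following Python script triages the 'Scheduled Tasks' section of a ComboFix log the way a responder reads the log above: it groups the At*.job entries by the executable they launch, so that one binary hiding behind dozens of jobs stands out, and flags targets whose names fit the random eight-character pattern of fj8wNOvc.exe and 0LFlxR4x.exe. The embedded log excerpt is constructed for the example (it reuses the two file names from the thread plus a hypothetical benign NightlyBackup.job); the eight-character rule and the job-count threshold are heuristics chosen here, not ComboFix's own logic.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Added example: not part of the forum post or of ComboFix itself. The
heuristics (eight-character mixed-case names, at.exe-style job fan-out)
are assumptions made for this example.
"""
import re

# Constructed sample modelled on the log format in the thread: the two
# executables are the ones named in the thread, NightlyBackup.job is a
# hypothetical benign entry added so the filter has something to pass.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2008-10-30 C:\Windows\Tasks\At1.job
- C:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 C:\Windows\Tasks\At100.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 C:\Windows\Tasks\At101.job
- C:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 C:\Windows\Tasks\NightlyBackup.job
- C:\Program Files\Example Backup\backup.exe [2008-10-16 01:06]
.
- - - - ORPHANS REMOVED - - - -
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)
AT_JOB_FANOUT = 5  # assumption: this many at.exe jobs on one binary is odd


def parse_tasks(log_text):
    """Return [(job_file, target_path, target_stamp)] for the tasks section."""
    lines = log_text.splitlines()
    start = next((i for i, l in enumerate(lines) if "Scheduled Tasks" in l), None)
    if start is None:
        return []
    entries, pending = [], None
    for raw in lines[start + 1:]:
        line = raw.strip()
        if line == ".":            # ComboFix closes every section with a lone dot
            break
        m = TASK_RE.match(line)
        if m:
            pending = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            entries.append((pending, m.group("target"), m.group("stamp")))
            pending = None
    return entries


def looks_generated(filename):
    """Heuristic: an 8-character stem mixing digits and both letter cases,
    the shape of fj8wNOvc.exe and 0LFlxR4x.exe in the thread. Not proof."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) == 8
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def triage(log_text):
    """Group jobs by target and flag targets that deserve a closer look."""
    groups = {}
    for job, target, _stamp in parse_tasks(log_text):
        _orig, jobs = groups.setdefault(target.lower(), (target, []))
        jobs.append(job.rsplit("\\", 1)[-1])
    findings = []
    for target, jobs in groups.values():
        name = target.rsplit("\\", 1)[-1]
        at_jobs = [j for j in jobs if AT_JOB_RE.match(j)]
        reasons = []
        if looks_generated(name):
            reasons.append("random-looking file name")
            if "\\system32\\" in target.lower():
                reasons.append("dropped into system32")
        if len(at_jobs) >= AT_JOB_FANOUT:
            reasons.append(f"{len(at_jobs)} at.exe-style jobs on one binary")
        if reasons:
            findings.append((target, sorted(jobs), reasons))
    return {"by_target": {t: j for t, j in groups.values()}, "findings": findings}


if __name__ == "__main__":
    for target, jobs, reasons in triage(SAMPLE_LOG)["findings"]:
        print(f"{target}\n  jobs: {', '.join(jobs)}\n  why: {'; '.join(reasons)}")
```

Run it as a script to print the report, or call triage() on the text of a real ComboFix.txt. The same two paths also appear in the 'Files Created' and 'Other Deletions' sections of the log above; correlating those sections is the manual step this script leaves to the reader.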
  #6  
Old 11 November 2008, 12:04
Moderator Group
 
Removing iexplore.exe virus / hijack log

We will do a full clean before we are done. There is still a lot to do, but it will take me a while. Back later.
__________________

  #7  
Old 11 November 2008, 12:19
Member
 
Removing iexplore.exe virus / hijack log

More to do? I thought we were done D:
Quick question, will any of this affect the programs that are installed on the computer?
Alrightie, I have to go for a bit as well xP
  #8  
Old 11 November 2008, 13:07
Member
 
Removing iexplore.exe virus / hijack log

iexplore.exe is still here -;
  #9  
Old 11 November 2008, 16:28
Moderator Group
 
Removing iexplore.exe virus / hijack log

Oh, we are not done. I will let you know when it is over

Note: the following instructions have been created specifically for this user. If you are not this user, do NOT follow these instructions, as they could damage the workings of your system

Delete these files/folders as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C

Code:

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - save the file to the Desktop
6. Drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the screenshot below. Important: Do this step carefully!



ComboFix will begin to run; follow the prompts.
After the reboot (if it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick in the ComboFix window while it is running. This may cause the system to freeze
__________________

  #10  
Old 11 November 2008, 17:36
Member
 
Removing iexplore.exe virus / hijack log

Okay ^__^

Combofix log




ComboFix 08-11-10.01 - Administrator 2008-11-11 17:21:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.153 [GMT -7:00]
Running from: C: \ Documents and Settings \ Administrator \ Desktop \ ComboFix.exe
Command kytkimiä käytetään:: C: \ Documents and Settings \ Administrator \ Desktop \ CFScript.txt
* Luonut uuden palautuspisteen

FILE::
C: \ windows \ SET25A.tmp
c: \ windows \ system32 \0LFlxR4x.exe
c: \ windows \ system32 \0LFlxR4x.exe_
C: \ windows \ system32 \ fj8wNOvc.exe
c: \ windows \ Tasks \ At1.job
C: \ Windows \ Tasks \ At10.job
C: \ Windows \ Tasks \ At100.job
C: \ Windows \ Tasks \ At101.job
C: \ Windows \ Tasks \ At102.job
C: \ Windows \ Tasks \ At103.job
C: \ Windows \ Tasks \ At104.job
C: \ Windows \ Tasks \ At105.job
C: \ Windows \ Tasks \ At106.job
C: \ Windows \ Tasks \ At107.job
C: \ Windows \ Tasks \ At108.job
C: \ Windows \ Tasks \ At109.job
C: \ Windows \ Tasks \ At11.job
C: \ Windows \ Tasks \ At110.job
C: \ Windows \ Tasks \ At111.job
C: \ Windows \ Tasks \ At112.job
C: \ Windows \ Tasks \ At113.job
C: \ Windows \ Tasks \ At114.job
C: \ Windows \ Tasks \ At115.job
C: \ Windows \ Tasks \ At116.job
C: \ Windows \ Tasks \ At117.job
C: \ Windows \ Tasks \ At118.job
C: \ Windows \ Tasks \ At119.job
C: \ Windows \ Tasks \ At12.job
C: \ Windows \ Tasks \ At120.job
C: \ Windows \ Tasks \ At13.job
C: \ Windows \ Tasks \ At14.job
C: \ Windows \ Tasks \ At15.job
C: \ Windows \ Tasks \ At16.job
C: \ Windows \ Tasks \ At17.job
C: \ Windows \ Tasks \ At18.job
C: \ Windows \ Tasks \ At19.job
C: \ Windows \ Tasks \ At2.job
C: \ Windows \ Tasks \ At20.job
C: \ Windows \ Tasks \ At21.job
C: \ Windows \ Tasks \ At22.job
C: \ Windows \ Tasks \ At23.job
C: \ Windows \ Tasks \ At24.job
C: \ Windows \ Tasks \ At3.job
C: \ Windows \ Tasks \ At4.job
C: \ Windows \ Tasks \ At5.job
C: \ Windows \ Tasks \ At6.job
C: \ Windows \ Tasks \ At7.job
C: \ Windows \ Tasks \ At8.job
C: \ Windows \ Tasks \ At9.job
C: \ Windows \ Tasks \ At97.job
C: \ Windows \ Tasks \ At98.job
C: \ Windows \ Tasks \ At99.job
.

((((((((((((((((((((((((((((((((((((((( Muut Poistetut ))))))))) ))))))))))))))))))))))))))))))))))))))))
.

C: \ windows \ SET25A.tmp
c: \ windows \ system32 \0LFlxR4x.exe
c: \ windows \ system32 \0LFlxR4x.exe.a_a
C: \ windows \ system32 \ fj8wNOvc.exe
c: \ windows \ Tasks \ At1.job
C: \ Windows \ Tasks \ At10.job
C: \ Windows \ Tasks \ At100.job
C: \ Windows \ Tasks \ At101.job
C: \ Windows \ Tasks \ At102.job
C: \ Windows \ Tasks \ At103.job
C: \ Windows \ Tasks \ At104.job
C: \ Windows \ Tasks \ At105.job
C: \ Windows \ Tasks \ At106.job
C: \ Windows \ Tasks \ At107.job
C: \ Windows \ Tasks \ At108.job
C: \ Windows \ Tasks \ At109.job
C: \ Windows \ Tasks \ At11.job
C: \ Windows \ Tasks \ At110.job
C: \ Windows \ Tasks \ At111.job
C: \ Windows \ Tasks \ At112.job
C: \ Windows \ Tasks \ At113.job
C: \ Windows \ Tasks \ At114.job
C: \ Windows \ Tasks \ At115.job
C: \ Windows \ Tasks \ At116.job
C: \ Windows \ Tasks \ At117.job
C: \ Windows \ Tasks \ At118.job
C: \ Windows \ Tasks \ At119.job
C: \ Windows \ Tasks \ At12.job
C: \ Windows \ Tasks \ At120.job
C: \ Windows \ Tasks \ At13.job
C: \ Windows \ Tasks \ At14.job
C: \ Windows \ Tasks \ At15.job
C: \ Windows \ Tasks \ At16.job
C: \ Windows \ Tasks \ At17.job
C: \ Windows \ Tasks \ At18.job
C: \ Windows \ Tasks \ At19.job
C: \ Windows \ Tasks \ At2.job
C: \ Windows \ Tasks \ At20.job
C: \ Windows \ Tasks \ At21.job
C: \ Windows \ Tasks \ At22.job
C: \ Windows \ Tasks \ At23.job
C: \ Windows \ Tasks \ At24.job
C: \ Windows \ Tasks \ At3.job
C: \ Windows \ Tasks \ At4.job
C: \ Windows \ Tasks \ At5.job
C: \ Windows \ Tasks \ At6.job
C: \ Windows \ Tasks \ At7.job
C: \ Windows \ Tasks \ At8.job
C: \ Windows \ Tasks \ At9.job
C: \ Windows \ Tasks \ At97.job
C: \ Windows \ Tasks \ At98.job
C: \ Windows \ Tasks \ At99.job

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 ))))))))))) ))))))))))))))))))))
.

2008-11-11 08:54. 2008-11-11 08:54 <KANSIO> d -------- C: \ Program Files \ Trend Micro
2008-11-11 08:38. 2008-11-11 08:38 578.560 - - c --- C: \ windows \ system32 \ dllcache \ user32.dll
2008-11-11 08:29. 2008-11-11 08:29 <KANSIO> d -------- C: \ windows \ ERUNT
2008-11-11 08:23. 2008-11-11 08:51 <KANSIO> d -------- C: \ sdfix
2008-10-31 18:00. 2008-10-31 18:00 <KANSIO> d -------- C: \ Documents and Settings \ NetworkService \ Application Application Data \ Yahoo!:
2008-10-31 16:40. 2008-10-31 16:40 <KANSIO> d -------- C: \ Documents and Settings \ Administrator \ Application Application Data \ Yahoo!:
2008-10-31 16:39. 2008-11-10 17:27 <KANSIO> d -------- C: \ Program Files \ Yahoo!:
2008-10-29 17:23. 2008-10-29 17:23 <KANSIO> d -------- C: \ windows \ system32 \ CatRoot_bak
2008-10-29 17:23. 2008-09-08 03:41 333.824 ----- c --- C: \ windows \ system32 \ dllcache \ Srv.sys
2008-10-29 17:23. 2008-06-13 04:05 272.128 ----- c --- C: \ windows \ system32 \ dllcache \ bthport.sys
2008-10-29 17:23. 2008-08-14 03:04 138.496 ----- c --- C: \ windows \ system32 \ dllcache \ afd.sys
2008-10-29 17:22. 2008-08-14 03:11 2.189.184 ----- c --- C: \ windows \ system32 \ dllcache \ ntoskrnl.exe
2008-10-29 17:22. 2008-08-14 03:09 2.145.280 ----- c --- C: \ windows \ system32 \ dllcache \ Ntkrnlmp.exe
2008-10-29 17:22. 2008-08-14 02:33 2.066.048 ----- c --- C: \ windows \ system32 \ dllcache \ ntkrnlpa.exe
2008-10-29 17:22. 2008-08-14 02:33 2.023.936 ----- c --- C: \ windows \ system32 \ dllcache \ Ntkrpamp.exe
2008-10-29 17:22. 2008-09-15 05:12 1.846.400 ----- c --- C: \ windows \ system32 \ dllcache \ Win32k.sys
2008-10-29 17:22. 2008-04-11 12:04 691.712 ----- c --- C: \ windows \ system32 \ dllcache \ Inetcomm.dll
2008-10-29 17:22. 2008-05-08 07:02 203.136 ----- c --- C: \ windows \ system32 \ dllcache \ rmcast.sys
2008-10-28 18:39. 2008-10-28 18:39 10 - a ------ C: \ Windows \ Wininit.ini
2008-10-23 14:45. 2008-10-15 09:34 337.408 ----- c --- C: \ windows \ system32 \ dllcache \ Netapi32.dll
2008-10-15 18:38. 2008-10-29 15:26 <KANSIO> d -------- C: \ windows \ system32 \ scripting
2008-10-15 18:38. 2008-10-29 15:26 <KANSIO> d -------- C: \ windows \ system32 \ FI
2008-10-15 18:38. 2008-10-29 15:26 <KANSIO> d -------- C: \ windows \ system32 \ bits
2008-10-15 18:38. 2008-10-29 15:26 <KANSIO> d -------- C: \ windows \ l2schemas
2008-10-15 18:23. 2006-09-23 14:12 1.022.976 - a ------ C: \ windows \ system32 \ SETA0B.tmp
2008-10-15 18:22. 2008-08-14 03:09 2.145.280 - a ------ C: \ windows \ system32 \ ntoskrnl.exe
2008-10-15 16:09. 2008-10-15 16:09 <KANSIO> d -------- C: \ Documents and Settings \ Administrator \ Application Application Data \ Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 00:29 --------- d ----- WC: \ Program Files \ Symantec AntiVirus
2008-11-10 22:05 --------- d ----- WC: \ Program Files \ DivX
2008-11-10 22:03 --------- d ----- WC: \ Program Files \ Java
2008-11-10 01:37 --------- d ----- WC: \ Program Files \ Microsoft Plus!: Digital Media Edition
2008-11-10 01:35 --------- d ----- WC: \ Program Files \ Microsoft Works
2008-11-08 02:37 90.112 ---- aw C: \ windows \ DUMP3a98.tmp
2008-11-08 01:26 30 ---- aw C: \ Documents and Settings \ Administrator \ jagex_runescape_preferences. Dat
2008-10-29 22:11 --------- d - h - WC: \ Program Files \ InstallShield Installation Information
2008-10-29 22:11 --------- d ----- WC: \ Program Files \ ATI Technologies
2008-10-25 01:16 --------- d ----- WC: \ Documents and Settings \ Administrator \ Application Application Data \ Move Networks
2008-10-16 22:05 --------- d ----- WC: \ Documents and Settings \ All Users \ Application Application Data \ Viewpoint
2008-10-16 01:06 --------- d ----- WC: \ Program Files \ Google
2008-09-28 22:59 --------- d ----- WC: \ Program Files \ Common Files \ AOL
2008-09-22 21:29 --------- d ----- WC: \ Documents and Settings \ All Users \ Application Application Data \ AOL OCP
2008-09-22 21:29 --------- d ----- WC: \ Documents and Settings \ Administrator \ Application Application Data \ acccore
2008-09-22 21:27 --------- d ----- WC: \ Documents and Settings \ All Users \ Application Application Data \ AOL
2008-09-17 01:24 --------- d ----- WC: \ Documents and Settings \ Administrator \ Application Application Data \ VSO
2007-12-28 00:53 79.738 ---- aw C: \ Documents and Settings \ Fonts \ broken_ghost.zip
2007-11-23 01:25 81.920 ---- aw C: \ Documents and Settings \ Administrator \ Application Data \ ezpinst.exe
2007-11-23 01:25 47.360 ---- aw C: \ Documents and Settings \ Administrator \ Application Data \ pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default merkinnät eivät näy
REGEDIT4

[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "c: \ windows \ system32 \ Ctfmon.exe" [2008-04-13 15360]
"Window Washer" = "C: \ Program Files \ Webroot \ Washer \ wwDisp.exe" [2005-03-08 910336]

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ curr entVersion \ Run]
"ehTray" = "C: \ Windows \ ehome \ ehtray.exe" [2004-08-04 50176]
"hpsysdrv"="C:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\Windows\System32\NvCpl.dll,NvStartup" [2003-10-02 118784]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="C:\Windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Real\qttask.exe" [2003-12-17 151597]
"Recguard"="C:\Windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"PCSuiteTrayApplication"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"Cmaudio"="Ati2mdxx.exe" [2001-09-05 C:\WINDOWS\system32\Ati2mdxx.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

C:\Documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-22 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\Services\sharedaccess\Parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates HP\\137903\\Program Files\\BackWeb-137903.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\Outlook.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 CX88XBAR;Conexant 2388x Crossbar Dual Input c:\windows\system32\drivers\CX88XBARDUAL.sys [2003-12-10 7040]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 17:26:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Updates HP\137903\Program\BackWeb-137903.exe
C:\windows\system32\hpzipm12.exe
.
**************************************************************************
.
Completion time: 2008-11-11 17:34:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 00:34:22
ComboFix2.txt 2008-11-11 18:47:44

Pre-Run: 89064681472 bytes free
Post-Run: 89055629312 bytes free

239 --- EOF --- 2008-10-30 03:01:59
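An added example, not part of the original post and not ComboFix's own code: a small Python triage script for the autostart section of a ComboFix-style log such as the one above. It parses the `"name"="command" [date size]` lines under Run keys, flags value names that share no name stem with the module they actually launch, and reports any Security Center monitoring that has been switched off (`DisableMonitoring=1`). The sample lines are constructed from the log above (a subset, not the full log), and the stem-mismatch heuristic is my own rule for picking entries to look at by hand; legitimate vendor entries such as `HotKeysCmds` -> `NvCpl.dll` trip it too, so a hit is a prompt to check the file, not a verdict.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: a few lines in ComboFix's autostart format,
# modelled on the Run-key and Security Center sections of the log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="C:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\Windows\System32\NvCpl.dll,NvStartup" [2003-10-02 118784]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Real\qttask.exe" [2003-12-17 151597]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"Cmaudio"="Ati2mdxx.exe" [2001-09-05 C:\WINDOWS\system32\Ati2mdxx.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?\s*$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def _norm(s: str) -> str:
    """Lower-case and keep only letters/digits, so 'vptray' matches 'VPTray.exe'."""
    return re.sub(r'[^a-z0-9]', '', s.lower())


def _module_stem(data: str) -> str:
    """Normalised basename (no extension) of the module a Run value loads.
    'C:\\x\\NvCpl.dll,NvStartup' -> 'nvcpl'; 'Ati2mdxx.exe' -> 'ati2mdxx'."""
    module = data.split(',', 1)[0].strip().strip('"')   # drop rundll32-style entry point
    base = module.replace('/', '\\').rsplit('\\', 1)[-1]
    return _norm(base.rsplit('.', 1)[0])


def _keyed_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (current registry key, stripped line) for every non-empty value line."""
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
        elif line:
            yield key, line


def parse_autostarts(text: str) -> List[Dict[str, str]]:
    """One record per "name"="command" line that sits under a ...\\Run key."""
    entries = []
    for key, line in _keyed_lines(text):
        m = VALUE_RE.match(line)
        if m and key.lower().endswith('\\run'):
            entries.append({'key': key, 'name': m.group('name'),
                            'command': m.group('data'),
                            'stem': _module_stem(m.group('data'))})
    return entries


def name_mismatches(entries: List[Dict[str, str]]) -> List[str]:
    """Value names sharing no stem with the module they launch (triage heuristic,
    my own rule: a name like SunJavaUpdateSched pointing at qttask.exe is worth a look)."""
    hits = []
    for e in entries:
        n = _norm(e['name'])
        if e['stem'] and n not in e['stem'] and e['stem'] not in n:
            hits.append(e['name'])
    return hits


def disabled_monitoring(text: str) -> List[str]:
    """Products under Security Center\\Monitoring whose DisableMonitoring value is 1."""
    hits = []
    for key, line in _keyed_lines(text):
        m = DWORD_RE.match(line)
        if (m and m.group('name').lower() == 'disablemonitoring'
                and 'security center\\monitoring\\' in key.lower()
                and int(m.group('hex'), 16) == 1):
            hits.append(key.rsplit('\\', 1)[-1])
    return hits


def triage(text: str) -> Dict[str, object]:
    """Summarise what a reviewer should look at first in the autostart section."""
    entries = parse_autostarts(text)
    return {'autostarts': len(entries),
            'name_mismatches': name_mismatches(entries),
            'monitoring_disabled': disabled_monitoring(text)}


if __name__ == '__main__':
    for k, v in triage(SAMPLE_LOG).items():
        print(f'{k}: {v}')
```

Run against the constructed sample it reports three name mismatches (`HotKeysCmds`, `SunJavaUpdateSched`, `Cmaudio`) and one product with Security Center monitoring disabled (`SymantecAntiVirus`). The mismatch list is deliberately noisy: the point is to shorten the list of files a helper has to verify, not to decide for them.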

Copyright © 2006 - 2009 Computer Juice.