
Can't install AVG (setup closes), browser closes when certain text appears on a page

Posted 1/28/2009 2:05 PM
#71743
veiwaus Member

Date Joined Nov 2016
Total Posts: 6
Hello.

I had an infection last autumn which I managed to remove manually, following another person's removal thread at some anti-malware forum.
I got my machine up and fully running, except for a few small but pretty annoying things:
When I try to run the setup for AVG, the setup closes in less than a second. It happened with some other setup programs as well, but I can't remember which.
Also, my web browser (Mozilla Firefox) closes when certain text appears on a page. I managed to get around this by using Google Translate to view some pages about the manual removal during my initial removal process. I know some words that cause this, but won't write them here, because I'm not sure if I will ever see this page again!
Also I have noticed that the files "autorun.inf" and "m.exe" appear on my portable USB flash drive and microSD memory card. When I try to delete them, the files are instantly cloned. I luckily got them removed once from the USB flash drive when I was using another computer with AVG already installed, which removed them. But they came back again when I inserted the flash drive into my computer.

I downloaded the fix programs package and ran the first 3, but the HijackThis install wouldn't start. It closes just like the AVG install.

Here are the logs:

I had both the USB flash drive and the memory card reader plugged in while running the scans.

*************************

Malwarebytes' Anti-Malware 1.33
Tietokantaversio: 1701
Windows 5.1.2600 Service Pack 2

28.1.2009 15:22:42
mbam-log-2009-01-28 (15-22-32).txt

Tarkistustyyppi: Täysi tarkistus (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|O:\|P:\|)
Tarkistetut kohteet: 146137
Kulunut aika: 1 hour(s), 15 minute(s), 27 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 13
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 1
Saastuneita tiedostoja: 3

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
HKEY_CLASSES_ROOT\ddsme.kl (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{52cde0e4-d73b-11dd-9b90-fcc056d89593} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{624f9012-d73b-11dd-95af-61c156d89593} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\ddsme.kl.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\orb.ta (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\orb.ta.1 (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ada8c222-95d2-47b5-950b-aebc0a508839} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> No action taken.

Saastuneita tiedostoja:
C:\WINDOWS\system32\vumer.dll (Trojan.BHO) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> No action taken.

***************************

^
I did delete all files that were listed...


***************************

ComboFix 09-01-21.04 - KerDaNauer 2009-01-28 15:25:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.2046.1576 [GMT 2:00]
Sijainti: c:\documents and settings\KerDaNauer\Työpöytä\FIX\ComboFix.exe
FW: ZoneAlarm Firewall *enabled*
* Uusi palautuspiste luotu
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\log.udt
L:\autorun.inf
O:\autorun.inf

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-12-28 to 2009-01-28 )))))))))))))))))
.

2009-01-28 10:45 . 2009-01-28 10:45 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 10:45 . 2009-01-28 10:45 d-------- c:\documents and settings\KerDaNauer\Application Data\Malwarebytes
2009-01-28 10:45 . 2009-01-28 10:45 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 10:45 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 10:45 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 10:36 . 2009-01-28 10:44 d-------- c:\program files\CCleaner
2009-01-27 20:18 . 2009-01-27 20:22 d-------- c:\program files\Windows Live Safety Center
2009-01-27 19:52 . 2009-01-27 20:04 d-------- c:\program files\EsetOnlineScanner
2009-01-27 19:27 . 2009-01-27 19:27 d-------- C:\fsaua.data
2009-01-24 17:53 . 2009-01-24 17:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-24 17:53 . 2009-01-24 17:53 1,409 --a------ c:\windows\QTFont.for
2009-01-24 11:28 . 2009-01-24 11:42 5,115,511 --a------ C:\kauhea2.jpg
2009-01-24 11:27 . 2009-01-24 11:39 5,298,318 --a------ C:\kauhea.jpg
2009-01-22 16:47 . 2003-12-31 10:20 94,208 --a------ c:\windows\system32\DS232.dll
2009-01-11 13:40 . 2009-01-11 13:40 0 --a------ C:\tmp___
2009-01-06 01:20 . 2009-01-06 01:20 768 --a------ c:\windows\system32\d3d8caps.dat
2009-01-02 19:57 . 2009-01-02 19:57 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 13:28 24,987,680 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-28 08:46 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\OpenOffice.org2
2009-01-28 08:41 --------- d-----w c:\program files\MPEG-AVI 2 GIF 1
2009-01-28 08:40 --------- d-----w c:\program files\ASMT
2009-01-28 08:00 301,052 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-27 17:39 --------- d-----w c:\program files\mIRC
2009-01-26 20:27 --------- d-----w c:\program files\DVBViewer
2009-01-24 10:46 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\gtk-2.0
2009-01-18 11:14 --------- d-----w c:\program files\schism
2009-01-17 08:49 11,796,265 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-15 21:03 --------- d-----w c:\program files\FlashFXP
2009-01-10 01:10 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\Audacity
2009-01-02 18:44 --------- d-----w c:\program files\Winamp
2009-01-02 17:57 --------- d-----w c:\program files\Java
2008-12-12 01:02 32,768 ----a-w c:\windows\system32\drivers\ati2psxx.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 09:57 --------- d-----w c:\program files\trend micro
2008-12-07 07:58 119,808 ----a-w C:\VundoFix.exe
2008-12-06 16:28 170 ----a-w C:\ComboFix.txt.bat
2008-12-06 13:01 14,336 ----a-w c:\windows\system32\svchost.exe
2008-12-06 12:06 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2008-12-06 12:06 --------- d-----w c:\program files\Common Files\Adobe
2008-12-06 11:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 11:18 --------- d-----w c:\program files\Lavasoft
2008-12-06 11:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_ 9.52.31.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-03 10:01:04 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP2QFE\strmdll.dll
+ 2008-10-03 10:03:58 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3GDR\strmdll.dll
+ 2008-10-03 09:50:35 247,326 ----a-w c:\windows\$hf_mig$\KB954600\SP3QFE\strmdll.dll
+ 2007-11-30 12:39:27 17,272 ----a-w c:\windows\$hf_mig$\KB954600\spmsg.dll
+ 2007-11-30 12:39:27 232,824 ----a-w c:\windows\$hf_mig$\KB954600\spuninst.exe
+ 2007-11-30 12:39:27 26,488 ----a-w c:\windows\$hf_mig$\KB954600\update\spcustom.dll
+ 2007-11-30 12:39:27 757,112 ----a-w c:\windows\$hf_mig$\KB954600\update\update.exe
+ 2007-11-30 12:39:28 392,056 ----a-w c:\windows\$hf_mig$\KB954600\update\updspapi.dll
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:27 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:27 232,824 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:27 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:27 757,112 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:28 392,056 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:52:09 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:38:22 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:44:16 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:03:23 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:03:24 232,824 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:03:23 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:39:53 757,112 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:40:02 392,056 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2008-10-16 10:23:47 1,024,000 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\browseui.dll
+ 2008-10-16 10:23:42 151,552 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\cdfview.dll
+ 2008-10-16 10:23:43 1,055,232 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\danim.dll
+ 2008-10-16 10:23:43 357,888 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\dxtmsft.dll
+ 2008-10-16 10:23:43 205,312 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\dxtrans.dll
+ 2008-10-16 10:23:43 55,808 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\extmgr.dll
+ 2008-10-15 14:18:21 18,432 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\iedw.exe
+ 2008-10-16 10:23:44 251,392 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\iepeers.dll
+ 2008-10-16 10:23:44 96,256 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\inseng.dll
+ 2008-10-16 10:23:46 16,384 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\jsproxy.dll
+ 2008-10-16 10:23:49 3,088,384 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\mshtml.dll
+ 2008-10-16 10:23:46 449,024 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\mshtmled.dll
+ 2008-10-16 10:23:44 146,432 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\msrating.dll
+ 2008-10-16 10:23:44 532,480 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\mstime.dll
+ 2008-10-16 10:23:44 39,424 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\pngfilt.dll
+ 2008-10-16 10:23:45 1,498,624 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\shdocvw.dll
+ 2008-10-16 10:23:47 474,112 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\shlwapi.dll
+ 2008-10-15 18:05:26 357,888 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\spru040b.dll
+ 2008-10-16 10:23:47 619,520 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\urlmon.dll
+ 2008-10-16 10:23:46 667,648 ----a-w c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
+ 2008-10-16 01:01:58 3,088,896 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
+ 2008-10-16 01:01:57 1,498,624 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\shdocvw.dll
+ 2008-10-16 01:01:57 619,008 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\urlmon.dll
+ 2008-10-16 01:01:57 666,112 ----a-w c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
+ 2008-10-16 04:35:32 3,088,896 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
+ 2008-10-16 01:05:30 1,498,624 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\shdocvw.dll
+ 2008-10-16 01:05:30 619,520 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\urlmon.dll
+ 2008-10-16 01:05:30 667,136 ----a-w c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
+ 2007-11-30 12:39:27 17,272 ----a-w c:\windows\$hf_mig$\KB958215\spmsg.dll
+ 2007-11-30 12:39:27 232,824 ----a-w c:\windows\$hf_mig$\KB958215\spuninst.exe
+ 2007-11-30 12:39:27 26,488 ----a-w c:\windows\$hf_mig$\KB958215\update\spcustom.dll
+ 2007-11-30 11:19:03 757,112 ----a-w c:\windows\$hf_mig$\KB958215\update\update.exe
+ 2008-07-09 07:40:02 392,056 ----a-w c:\windows\$hf_mig$\KB958215\update\updspapi.dll
+ 2008-12-12 17:29:52 3,088,384 ----a-w c:\windows\$hf_mig$\KB960714\SP2QFE\mshtml.dll
+ 2008-12-12 17:03:17 3,088,896 ----a-w c:\windows\$hf_mig$\KB960714\SP3GDR\mshtml.dll
+ 2008-12-12 17:15:32 3,088,896 ----a-w c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
+ 2007-11-30 12:39:27 17,272 ----a-w c:\windows\$hf_mig$\KB960714\spmsg.dll
+ 2007-11-30 12:39:27 232,824 ----a-w c:\windows\$hf_mig$\KB960714\spuninst.exe
+ 2007-11-30 12:39:27 26,488 ----a-w c:\windows\$hf_mig$\KB960714\update\spcustom.dll
+ 2008-07-09 07:39:53 757,112 ----a-w c:\windows\$hf_mig$\KB960714\update\update.exe
+ 2007-11-30 12:39:28 392,056 ----a-w c:\windows\$hf_mig$\KB960714\update\updspapi.dll
+ 2005-01-28 11:44:28 96,768 -c----w c:\windows\$NtUninstallKB952069_WM9$\logagent.exe
+ 2007-07-27 05:28:28 232,824 -c----w c:\windows\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe
+ 2007-07-27 07:41:48 382,840 -c----w c:\windows\$NtUninstallKB952069_WM9$\spuninst\updspapi.dll
+ 2005-01-28 11:44:28 1,027,072 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmnetmgr.dll
+ 2006-12-07 05:29:34 2,374,472 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmvcore.dll
+ 2007-11-30 12:39:27 232,824 -c----w c:\windows\$NtUninstallKB954600$\spuninst\spuninst.exe
+ 2007-11-30 12:39:28 392,056 -c----w c:\windows\$NtUninstallKB954600$\spuninst\updspapi.dll
+ 2006-08-24 11:19:40 246,814 -c----w c:\windows\$NtUninstallKB954600$\strmdll.dll
+ 2007-11-30 12:39:27 232,824 -c----w c:\windows\$NtUninstallKB955839$\spuninst\spuninst.exe
+ 2007-11-30 12:39:28 392,056 -c----w c:\windows\$NtUninstallKB955839$\spuninst\updspapi.dll
+ 2008-07-14 11:09:18 62,976 -c----w c:\windows\$NtUninstallKB955839$\tzchange.exe
+ 2008-02-20 06:51:32 282,624 -c----w c:\windows\$NtUninstallKB956802$\gdi32.dll
+ 2008-07-08 13:03:24 232,824 -c----w c:\windows\$NtUninstallKB956802$\spuninst\spuninst.exe
+ 2008-07-09 07:40:02 392,056 -c----w c:\windows\$NtUninstallKB956802$\spuninst\updspapi.dll
+ 2008-08-20 05:37:27 1,023,488 -c----w c:\windows\$NtUninstallKB958215$\browseui.dll
+ 2008-08-20 05:37:18 151,552 -c----w c:\windows\$NtUninstallKB958215$\cdfview.dll
+ 2008-08-20 05:37:19 1,055,232 -c----w c:\windows\$NtUninstallKB958215$\danim.dll
+ 2008-08-20 05:37:20 357,888 -c----w c:\windows\$NtUninstallKB958215$\dxtmsft.dll
+ 2008-08-20 05:37:20 205,312 -c----w c:\windows\$NtUninstallKB958215$\dxtrans.dll
+ 2008-08-20 05:37:20 55,808 -c----w c:\windows\$NtUninstallKB958215$\extmgr.dll
+ 2008-08-19 09:30:39 18,432 -c----w c:\windows\$NtUninstallKB958215$\iedw.exe
+ 2008-08-20 05:37:20 250,880 -c----w c:\windows\$NtUninstallKB958215$\iepeers.dll
+ 2008-08-20 05:37:20 96,256 -c----w c:\windows\$NtUninstallKB958215$\inseng.dll
+ 2008-08-20 05:37:25 16,384 -c----w c:\windows\$NtUninstallKB958215$\jsproxy.dll
+ 2008-08-20 05:37:30 3,081,216 -c----w c:\windows\$NtUninstallKB958215$\mshtml.dll
+ 2008-08-20 05:37:25 449,024 -c----w c:\windows\$NtUninstallKB958215$\mshtmled.dll
+ 2008-08-20 05:37:21 146,432 -c----w c:\windows\$NtUninstallKB958215$\msrating.dll
+ 2008-08-20 05:37:21 532,480 -c----w c:\windows\$NtUninstallKB958215$\mstime.dll
+ 2008-08-20 05:37:21 39,424 -c----w c:\windows\$NtUninstallKB958215$\pngfilt.dll
+ 2008-08-20 05:37:23 1,494,016 -c----w c:\windows\$NtUninstallKB958215$\shdocvw.dll
+ 2008-08-20 05:37:26 474,112 -c----w c:\windows\$NtUninstallKB958215$\shlwapi.dll
+ 2007-11-30 12:39:27 232,824 -c----w c:\windows\$NtUninstallKB958215$\spuninst\spuninst.exe
+ 2008-07-09 07:40:02 392,056 -c----w c:\windows\$NtUninstallKB958215$\spuninst\updspapi.dll
+ 2008-08-20 05:37:27 616,448 -c----w c:\windows\$NtUninstallKB958215$\urlmon.dll
+ 2008-08-20 05:37:24 659,456 -c----w c:\windows\$NtUninstallKB958215$\wininet.dll
+ 2008-08-19 09:51:37 357,888 -c----w c:\windows\$NtUninstallKB958215$\xpsp3res.dll
+ 2008-10-16 10:38:47 3,080,704 -c----w c:\windows\$NtUninstallKB960714$\mshtml.dll
+ 2007-11-30 12:39:27 232,824 -c----w c:\windows\$NtUninstallKB960714$\spuninst\spuninst.exe
+ 2007-11-30 12:39:28 392,056 -c----w c:\windows\$NtUninstallKB960714$\spuninst\updspapi.dll
+ 2008-12-07 08:41:54 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2008-12-07 08:41:54 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2008-12-07 08:41:55 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2008-12-07 08:41:57 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 13:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 13:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-12-07 08:41:58 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2008-12-07 08:41:55 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 13:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-02-27 13:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-01-09 13:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-02-27 13:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 14:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 13:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-01-09 13:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2008-10-28 14:25:00 453,512 ----a-w c:\windows\Downloaded Program Files\wlscBase.dll
- 2000-08-31 06:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 06:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-08-20 05:37:27 1,023,488 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:38:46 1,023,488 ----a-w c:\windows\system32\browseui.dll
- 2008-08-20 05:37:18 151,552 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:38:43 151,552 ----a-w c:\windows\system32\cdfview.dll
- 2008-12-06 18:36:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-07 08:34:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-06 18:36:01 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
+ 2008-12-07 08:34:42 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\index.dat
+ 2008-12-07 08:34:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Sivuhistoria\History.IE5\MSHist012008120720081208\index.dat
- 2008-12-06 18:36:01 311,296 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 08:34:42 65,536 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-20 05:37:19 1,055,232 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:38:43 1,055,232 ----a-w c:\windows\system32\danim.dll
- 2008-12-06 13:31:11 313,871 ----a-w c:\windows\system32\ddbaecafdf.dll
+ 2006-05-18 01:27:58 313,871 ------w c:\windows\system32\ddbaecafdf.dll
- 2008-08-20 05:37:27 1,023,488 ----a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:38:46 1,023,488 -c--a-w c:\windows\system32\dllcache\browseui.dll
- 2008-08-20 05:37:18 151,552 ----a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:38:43 151,552 -c--a-w c:\windows\system32\dllcache\cdfview.dll
- 2008-08-20 05:37:19 1,055,232 ----a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:38:43 1,055,232 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2008-08-20 05:37:20 357,888 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:38:43 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-20 05:37:20 205,312 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:38:43 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-20 05:37:20 55,808 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:38:43 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-02-20 06:51:32 282,624 ----a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:00:00 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-19 09:30:39 18,432 ----a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2008-08-20 05:37:20 250,880 ----a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:38:43 250,880 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2008-08-20 05:37:20 96,256 ----a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:38:43 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2008-08-20 05:37:25 16,384 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:38:45 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2005-01-28 11:44:28 96,768 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-10 03:52:04 96,768 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:37:30 3,081,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:36:26 3,081,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:37:25 449,024 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:38:45 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-20 05:37:21 146,432 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:38:43 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-20 05:37:21 532,480 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:38:44 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-20 05:37:21 39,424 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:38:44 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-20 05:37:23 1,494,016 ----a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:38:44 1,494,016 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2008-08-20 05:37:26 474,112 ----a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:38:45 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2006-08-24 11:19:40 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:17:02 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:37:27 616,448 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:38:46 616,448 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:37:24 659,456 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:38:45 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2005-01-28 11:44:28 1,027,072 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-10 04:28:36 1,028,096 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-12-07 05:29:34 2,374,472 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-10 05:07:24 2,376,760 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-20 05:37:20 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:38:43 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-20 05:37:20 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:38:43 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-20 05:37:20 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:38:43 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-02-20 06:51:32 282,624 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:00:00 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2008-08-20 05:37:20 250,880 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:38:43 250,880 ----a-w c:\windows\system32\iepeers.dll
- 2008-08-20 05:37:20 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:38:43 96,256 ----a-w c:\windows\system32\inseng.dll
- 2008-06-09 22:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-02 17:57:07 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-09 22:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-02 17:57:07 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-09 23:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-02 17:57:07 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-08-20 05:37:25 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:38:45 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2007-07-27 12:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 12:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-05 17:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 10:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
- 2005-01-28 11:44:28 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-10 03:52:04 96,768 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:37:30 3,081,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:36:26 3,081,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-20 05:37:25 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:38:45 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-20 05:37:21 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:38:43 146,432 ----a-w c:\windows\system32\msrating.dll
- 2008-08-20 05:37:21 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:38:44 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-02-11 07:39:26 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2008-02-11 07:39:18 237,568 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-08 11:53:46 110,592 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-05 06:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
- 2008-08-20 05:37:21 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:38:44 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2008-08-20 05:37:23 1,494,016 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:38:44 1,494,016 ----a-w c:\windows\system32\shdocvw.dll
- 2008-08-20 05:37:26 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:38:45 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2008-07-08 13:03:23 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:27 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-08-24 11:19:40 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:17:02 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-07-14 11:09:18 62,976 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ----a-w c:\windows\system32\tzchange.exe
+ 2004-12-07 08:11:34 258,352 ----a-w c:\windows\system32\unicows.dll
- 2008-08-20 05:37:27 616,448 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:38:46 616,448 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:37:24 659,456 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:38:45 659,456 ----a-w c:\windows\system32\wininet.dll
- 2005-01-28 11:44:28 1,027,072 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-10 04:28:36 1,028,096 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-12-07 05:29:34 2,374,472 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-10 05:07:24 2,376,760 ----a-w c:\windows\system32\WMVCore.dll
- 2008-08-19 09:51:37 357,888 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 18:05:26 357,888 ----a-w c:\windows\system32\xpsp3res.dll
+ 2009-01-28 08:05:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1c8.dat
.
-- Snapshot nollattu tähän hetkeen --
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-15 15360]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
"JulaPan"="JulaPan.Exe" [2005-07-05 c:\windows\system32\JulaPan.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-02 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-09-19 3907328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

c:\documents and settings\KerDaNauer\Käynnistä-valikko\Ohjelmat\Käynnistys\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-03-16 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddbaecafdf]
2006-05-18 03:27 313871 c:\windows\system32\ddbaecafdf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sibrpu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XVID"= xvid.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2psxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2007-03-22 46080]
R3 JULA_01;Service for Juli@ 1;c:\windows\system32\drivers\JulaWdm.sys [2007-03-22 22880]
R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);c:\windows\system32\drivers\Jula.sys [2007-03-22 29472]
R4 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2008-09-19 1262336]
R4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2008-09-19 343296]
R4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-07-18 157000]
S0 ati2psxx;ati2psxx;c:\windows\system32\drivers\ati2psxx.sys [2008-12-06 32768]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-08-11 77312]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2007-06-08 1888]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2008-10-21 5533]
S4 cdenable;cdenable;c:\windows\system32\Drivers\cdenable.sys --> c:\windows\system32\Drivers\cdenable.sys [?]
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.dnainternet.fi/
FF - ProfilePath - c:\documents and settings\KerDaNauer\Application Data\Mozilla\Firefox\Profiles\zpi1g8iq.default\
FF - prefs.js: browser.search.selectedEngine - Ilmainen Sanakirja
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-01-28 15:28:34
Windows 5.1.2600 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...


c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys 36864 bytes executable
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir 36864 bytes executable

tarkistus on valmis
piilotetut tiedostot: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f16ccc987a73d99c3cab8d86438d296]
"ImagePath"="system32\0f16ccc987a73d99c3cab8d86438d296.sys"
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\DefaultIcon]
@DACL=(02 0000)
@SACL=
@="%1"

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shellex]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- Prosesseihin ladatut DLLt ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\ddbaecafdf.dll
.
Valmistumisajankohta: 2009-01-28 15:29:54
ComboFix-quarantined-files.txt 2009-01-28 13:29:52
ComboFix2.txt 2008-12-07 08:23:31

Ennen ajoa: 3 043 561 472 tavua vapaana
Ajon jälkeen: 3,167,547,392 tavua vapaana

428 --- E O F --- 2009-01-14 07:35:35


*********************************************


So there they are.
Any info on how to remove some stuff and proceed to running HijackThis would be hugely appreciated.
My final aim is to get AVG installed and running, to start tracking malware on my own.

-VW
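As an added example (not code from this thread, from ComboFix or from its author), a small Python triage script that pulls out of a ComboFix/catchme log the same kinds of entries a helper acts on in a CFScript: Winlogon Notify packages with hex-only names, any AppInit_DLLs value, catchme's hidden executables, and services named with a 32-character hex string. The sample log is constructed from the lines posted above, and the hex-only-name heuristic is my own assumption, not a ComboFix rule.

```python
"""Triage helper for ComboFix / catchme logs (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modeled on the log lines posted in this thread. Raw string,
# so the backslashes are literal; the Finnish catchme headings are kept on purpose
# because a log from a localised Windows install will contain them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddbaecafdf]
2006-05-18 03:27 313871 c:\windows\system32\ddbaecafdf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 15:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sibrpu.dll

tarkistaa piilotettuja tiedostoja ...

c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys 36864 bytes executable
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir 36864 bytes executable

tarkistus on valmis
piilotetut tiedostot: 2

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f16ccc987a73d99c3cab8d86438d296]
"ImagePath"="system32\0f16ccc987a73d99c3cab8d86438d296.sys"
"""

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.I)
NOTIFY_DLL = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+(\S.*\.dll)$", re.I)
APPINIT = re.compile(r'^"AppInit_DLLs"=(.+)$', re.I)
HIDDEN_FILE = re.compile(r"^(\S.*?)\s+\d+ bytes executable$", re.I)
HEX_SERVICE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([0-9a-f]{32})\]$", re.I)

HEX_CHARS = set("0123456789abcdef")


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    reason: str


def looks_machine_generated(name: str) -> bool:
    """Heuristic (my own assumption, not ComboFix's): the persistence names in this
    thread (ddbaecafdf, fabbeabbbdfcfcbfa, 0f16ccc9...) are built from hex characters
    only, which vendor names such as 'avgrsstarter' practically never are."""
    stem = name.lower().split(".")[0]
    return len(stem) >= 8 and set(stem) <= HEX_CHARS


def next_nonblank(lines: List[str], start: int) -> str:
    """Return the first non-empty line at or after index `start` (stripped)."""
    for line in lines[start:]:
        if line.strip():
            return line.strip()
    return ""


def triage_combofix(text: str) -> List[Finding]:
    """Walk the log once and collect the persistence points a helper would act on."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for idx, raw in enumerate(lines):
        line = raw.strip()
        m = NOTIFY_KEY.match(line)
        if m:
            # The DLL backing a Winlogon Notify package is listed on the following line.
            dll = NOTIFY_DLL.match(next_nonblank(lines, idx + 1))
            if dll and looks_machine_generated(m.group(1)):
                findings.append(Finding(
                    "winlogon-notify", dll.group(1),
                    f"Notify package '{m.group(1)}' has a hex-only name and is loaded by winlogon.exe"))
            continue
        m = APPINIT.match(line)
        if m:
            # ComboFix omits empty/default values, so any AppInit_DLLs line is non-default.
            findings.append(Finding(
                "appinit-dlls", m.group(1).strip(),
                "AppInit_DLLs is loaded into every process that loads user32.dll"))
            continue
        m = HIDDEN_FILE.match(line)
        if m:
            findings.append(Finding(
                "hidden-file", m.group(1),
                "catchme found an executable hidden from the Win32 API"))
            continue
        m = HEX_SERVICE.match(line)
        if m:
            findings.append(Finding(
                "service", m.group(1),
                "service named with a 32-character hex string (matches the hidden .sys)"))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"[{f.category}] {f.value}: {f.reason}")
```

Running the block prints the five findings from the constructed sample; the AVG Notify package (avgrsstarter) is correctly left alone.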
Posted 1/29/2009 4:43 AM
#71755

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello :smile:





Open notepad and copy/paste the text in the quotebox below into it:




Quote:

Killall::

Snapshot::

File::
c:\windows\system32\ddbaecafdf.dll
C:\tmp___

Folder::
C:\tmp___

Hosts::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddbaecafdf]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f16ccc987a73d99c3cab8d86438d296]
"ImagePath"=-

Save this as:
CFScript



https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post a fresh ComboFix log.


Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 1/29/2009 7:11 AM
#71758

veiwaus Member

Date Joined Nov 2016
Total Posts: 6
Thank you for your reply!


Firstly, there were some improvements after the initial Malwarebytes and ComboFix scans. I was allowed to browse my USB flash drive, which I was unable to before. There still exists m.exe though...

Sorry, I didn't notice that my logs were in Finnish... Will try to choose the language with more thought next time!



By the way, when trying to upgrade to SP3 via Windows Update, it goes all the way to 98% or so, and then fails. All security patches are updated fine. Maybe it has something to do with this?



Here is the ComboFix log after CFScript:



ComboFix 09-01-21.04 - KerDaNauer 2009-01-29 8:53:53.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.2046.1653 [GMT 2:00]
Sijainti: c:\documents and settings\KerDaNauer\Työpöytä\FIX\ComboFix.exe
Käytetyt komentorivivalitsimet :: c:\documents and settings\KerDaNauer\Työpöytä\FIX\CFScript.txt
FW: ZoneAlarm Firewall *enabled*
* Uusi palautuspiste luotu

FILE ::
C:\tmp___
c:\windows\system32\ddbaecafdf.dll
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\tmp___
c:\windows\system32\ddbaecafdf.dll

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-12-28 to 2009-01-29 )))))))))))))))))
.

2009-01-28 10:45 . 2009-01-28 10:45 <KANSIO> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 10:45 . 2009-01-28 10:45 <KANSIO> d-------- c:\documents and settings\KerDaNauer\Application Data\Malwarebytes
2009-01-28 10:45 . 2009-01-28 10:45 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 10:45 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 10:45 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 10:36 . 2009-01-28 10:44 <KANSIO> d-------- c:\program files\CCleaner
2009-01-27 20:18 . 2009-01-27 20:22 <KANSIO> d-------- c:\program files\Windows Live Safety Center
2009-01-27 19:52 . 2009-01-27 20:04 <KANSIO> d-------- c:\program files\EsetOnlineScanner
2009-01-27 19:27 . 2009-01-27 19:27 <KANSIO> d-------- C:\fsaua.data
2009-01-24 17:53 . 2009-01-24 17:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-24 17:53 . 2009-01-24 17:53 1,409 --a------ c:\windows\QTFont.for
2009-01-24 11:28 . 2009-01-24 11:42 5,115,511 --a------ C:\kauhea2.jpg
2009-01-24 11:27 . 2009-01-24 11:39 5,298,318 --a------ C:\kauhea.jpg
2009-01-22 16:47 . 2003-12-31 10:20 94,208 --a------ c:\windows\system32\DS232.dll
2009-01-06 01:20 . 2009-01-06 01:20 768 --a------ c:\windows\system32\d3d8caps.dat
2009-01-02 19:57 . 2009-01-02 19:57 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 06:58 25,194,528 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-29 06:58 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\OpenOffice.org2
2009-01-29 06:56 304,556 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-28 21:39 --------- d-----w c:\program files\trend micro
2009-01-28 18:23 --------- d-----w c:\program files\DVBViewer
2009-01-28 08:41 --------- d-----w c:\program files\MPEG-AVI 2 GIF 1
2009-01-28 08:40 --------- d-----w c:\program files\ASMT
2009-01-27 17:39 --------- d-----w c:\program files\mIRC
2009-01-24 10:46 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\gtk-2.0
2009-01-18 11:14 --------- d-----w c:\program files\schism
2009-01-15 21:03 --------- d-----w c:\program files\FlashFXP
2009-01-10 01:10 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\Audacity
2009-01-02 18:44 --------- d-----w c:\program files\Winamp
2009-01-02 17:57 --------- d-----w c:\program files\Java
2008-12-12 01:02 32,768 ----a-w c:\windows\system32\drivers\ati2psxx.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 10:04 --------- d-----w c:\program files\Sonic Foundry
2008-12-07 07:58 119,808 ----a-w C:\VundoFix.exe
2008-12-06 16:28 170 ----a-w C:\ComboFix.txt.bat
2008-12-06 12:06 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2008-12-06 12:06 --------- d-----w c:\program files\Common Files\Adobe
2008-12-06 11:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 11:18 --------- d-----w c:\program files\Lavasoft
2008-12-06 11:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-15 15360]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
"JulaPan"="JulaPan.Exe" [2005-07-05 c:\windows\system32\JulaPan.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-02 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-09-19 3907328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

c:\documents and settings\KerDaNauer\Käynnistä-valikko\Ohjelmat\Käynnistys\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-03-16 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XVID"= xvid.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2psxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2007-03-22 46080]
R3 JULA_01;Service for Juli@ 1;c:\windows\system32\drivers\JulaWdm.sys [2007-03-22 22880]
R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);c:\windows\system32\drivers\Jula.sys [2007-03-22 29472]
R4 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2008-09-19 1262336]
R4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2008-09-19 343296]
R4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-07-18 157000]
S0 ati2psxx;ati2psxx;c:\windows\system32\drivers\ati2psxx.sys [2008-12-06 32768]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-08-11 77312]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2007-06-08 1888]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2008-10-21 5533]
S4 cdenable;cdenable;c:\windows\system32\Drivers\cdenable.sys --> c:\windows\system32\Drivers\cdenable.sys [?]
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.dnainternet.fi/
FF - ProfilePath - c:\documents and settings\KerDaNauer\Application Data\Mozilla\Firefox\Profiles\zpi1g8iq.default\
FF - prefs.js: browser.search.selectedEngine - Ilmainen Sanakirja
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-01-29 08:57:47
Windows 5.1.2600 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...


c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys 36864 bytes executable
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir 36864 bytes executable

tarkistus on valmis
piilotetut tiedostot: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f16ccc987a73d99c3cab8d86438d296]
"ImagePath"="system32\0f16ccc987a73d99c3cab8d86438d296.sys"
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\DefaultIcon]
@DACL=(02 0000)
@SACL=
@="%1"

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shellex]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
------------------------ Muut prosessit ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\windows\system32\mgabg.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Valmistumisajankohta: 2009-01-29 9:00:51 - kone käynnistettiin uudelleen
ComboFix-quarantined-files.txt 2009-01-29 07:00:48
ComboFix2.txt 2009-01-28 13:29:56
ComboFix3.txt 2008-12-07 08:23:31

Ennen ajoa: 3 131 543 552 tavua vapaana
Ajon jälkeen: 3,111,370,752 tavua vapaana

178 --- E O F --- 2009-01-14 07:35:35
Posted 1/29/2009 12:33 PM
#71768

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.


  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder... it will help protect your drives from future infection.

Then download and scan your flash drive with "ClamWin Portable Antivirus".


Let me know how things go.







Posted 1/29/2009 3:15 PM
#71771

veiwaus Member

Date Joined Nov 2016
Total Posts: 6
Whee, that wasn't too hard!



AVG is now installed, updated and fully running. I did a full scan and a couple more threats were found and removed. AVG also got rid of the m.exe on both the flash drive and the microSD card.

How can I ever be thankful enough for this non-profit, voluntary support that was given?

If I ever encounter any such problems I don't need to consider twice which place to turn to.
Posted 1/29/2009 6:37 PM
#71776

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
That's good news :smilewinkgrin:





Now your computer problems are solved, it is time for the clean-up procedure. Download this file and save it on desktop as FIX_removal.exe

https://www.ctrlaltdel.dk/FIX_removal.exe

Double click FIX_removal.exe and follow the instructions - this will remove the programs that you have used during the cleaning process. Once the program is finished, reboot your computer to finalise the clean-up procedure.



I also suggest you read Tony Klein's article:

So how did I get infected in the first place.





If you have any comments or questions, feel free to post back




Posted 3/17/2009 11:44 AM
#72970

veiwaus Member

Date Joined Nov 2016
Total Posts: 6
First I apologise for annoying you a little bit more, but

... the problem came back!

I encountered some minor problems after the previous fix. Every time I booted my system, AVG reported a new threat, with an option to heal it. I remember it had something to do with explorer.exe, but I'm not sure what. Otherwise my system was fine, so I didn't pay much attention to it.
Until today, when things got worse: after a reboot I noticed that the AVG system tray icon was missing, as well as the threat report.
And what was worst, AVG wouldn't start at all and I couldn't browse this thread without my browser instantly closing itself.

I downloaded the fix programs package again and ran the first steps: CCleaner, Anti-Malware and ComboFix. HijackThis wouldn't start.
While running ComboFix it reported that AVG was still running. I tried closing avg*.exe from the system tray without much success. Either I got some kind of message that the program couldn't be closed, or the same .exe reappeared a few seconds after closing it.
So I decided to run ComboFix anyway...

I really wish someone would help me with this problem!
Here are the Anti-Malware and ComboFix logs:


---------------------------------------


Malwarebytes' Anti-Malware 1.34
Database version: 1857
Windows 5.1.2600 Service Pack 2

17.3.2009 12:55:15
mbam-log-2009-03-17 (12-55-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 178165
Time elapsed: 57 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ddsme.kl (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{52cde0e4-d73b-11dd-9b90-fcc056d89593} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{624f9012-d73b-11dd-95af-61c156d89593} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\ddsme.kl.1 (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vumer.dll (Trojan.BHO) -> No action taken.

------------------------------------------


--------------------------------------------

ComboFix 09-03-15.01 - KerDaNauer 2009-03-17 13:13:41.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.2046.1606 [GMT 2:00]
Sijainti: c:\documents and settings\KerDaNauer\Työpöytä\FIX\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Uusi palautuspiste luotu
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_004383_.tmp.dll
c:\windows\system32\_004384_.tmp.dll
c:\windows\system32\_004385_.tmp.dll
c:\windows\system32\_004386_.tmp.dll
c:\windows\system32\_004392_.tmp.dll
c:\windows\system32\_004393_.tmp.dll
c:\windows\system32\_004394_.tmp.dll
c:\windows\system32\_004395_.tmp.dll
c:\windows\system32\_004396_.tmp.dll
c:\windows\system32\_004397_.tmp.dll
c:\windows\system32\_004398_.tmp.dll
c:\windows\system32\_004399_.tmp.dll
c:\windows\system32\_004400_.tmp.dll
c:\windows\system32\_004401_.tmp.dll
c:\windows\system32\_004402_.tmp.dll
c:\windows\system32\_004403_.tmp.dll
c:\windows\system32\_004404_.tmp.dll
c:\windows\system32\_004405_.tmp.dll
c:\windows\system32\_004406_.tmp.dll
c:\windows\system32\_004407_.tmp.dll
c:\windows\system32\_004408_.tmp.dll
c:\windows\system32\_004409_.tmp.dll
c:\windows\system32\_004410_.tmp.dll
c:\windows\system32\_004411_.tmp.dll
c:\windows\system32\_004412_.tmp.dll
c:\windows\system32\_004415_.tmp.dll
c:\windows\system32\_004416_.tmp.dll
c:\windows\system32\_004417_.tmp.dll
c:\windows\system32\_004418_.tmp.dll
c:\windows\system32\_004419_.tmp.dll
c:\windows\system32\_004421_.tmp.dll
c:\windows\system32\_004422_.tmp.dll
c:\windows\system32\_004423_.tmp.dll
c:\windows\system32\_004424_.tmp.dll
c:\windows\system32\_004425_.tmp.dll
c:\windows\system32\_004426_.tmp.dll
c:\windows\system32\_004427_.tmp.dll
c:\windows\system32\_004430_.tmp.dll
c:\windows\system32\_004431_.tmp.dll
c:\windows\system32\_004432_.tmp.dll
c:\windows\system32\_004433_.tmp.dll
c:\windows\system32\_004434_.tmp.dll
c:\windows\system32\_004435_.tmp.dll
c:\windows\system32\_004436_.tmp.dll
c:\windows\system32\_004438_.tmp.dll
c:\windows\system32\_004439_.tmp.dll
c:\windows\system32\_004440_.tmp.dll
c:\windows\system32\_004441_.tmp.dll
c:\windows\system32\_004442_.tmp.dll
c:\windows\system32\_004443_.tmp.dll
c:\windows\system32\_004444_.tmp.dll
c:\windows\system32\_004445_.tmp.dll
c:\windows\system32\_004446_.tmp.dll
c:\windows\system32\_004447_.tmp.dll
c:\windows\system32\_004449_.tmp.dll
c:\windows\system32\_004450_.tmp.dll
c:\windows\system32\_004452_.tmp.dll
c:\windows\system32\_004454_.tmp.dll
c:\windows\system32\_004455_.tmp.dll
c:\windows\system32\_004456_.tmp.dll
c:\windows\system32\_004457_.tmp.dll
c:\windows\system32\_004459_.tmp.dll
c:\windows\system32\_004460_.tmp.dll
c:\windows\system32\_004461_.tmp.dll
c:\windows\system32\_004462_.tmp.dll
c:\windows\system32\_004464_.tmp.dll
c:\windows\system32\_004465_.tmp.dll
c:\windows\system32\_004466_.tmp.dll
c:\windows\system32\_004467_.tmp.dll
c:\windows\system32\_004468_.tmp.dll
c:\windows\system32\_004469_.tmp.dll
c:\windows\system32\_004470_.tmp.dll
c:\windows\system32\_004472_.tmp.dll
c:\windows\system32\_004474_.tmp.dll
c:\windows\system32\_004475_.tmp.dll
c:\windows\system32\_004476_.tmp.dll
c:\windows\system32\_004477_.tmp.dll
c:\windows\system32\_004478_.tmp.dll
c:\windows\system32\_004483_.tmp.dll
c:\windows\system32\_004485_.tmp.dll
c:\windows\system32\_004488_.tmp.dll
c:\windows\system32\_004490_.tmp.dll
c:\windows\system32\_004491_.tmp.dll
c:\windows\system32\_004492_.tmp.dll
c:\windows\system32\_004493_.tmp.dll
c:\windows\system32\_004496_.tmp.dll
c:\windows\system32\_004497_.tmp.dll
c:\windows\system32\_004498_.tmp.dll
c:\windows\system32\_004499_.tmp.dll
c:\windows\system32\_004500_.tmp.dll
c:\windows\system32\_004505_.tmp.dll
c:\windows\system32\_004507_.tmp.dll

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-02-17 to 2009-03-17 )))))))))))))))))
.

2009-03-17 11:41 . 2009-03-17 11:41 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-17 11:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 11:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-17 11:17 . 2009-03-17 11:17 d-------- c:\program files\AFMG
2009-03-17 11:16 . 2009-03-17 11:16 d-------- c:\documents and settings\All Users\Application Data\AFMG
2009-03-17 09:23 . 2009-03-17 09:23 184,848 --a------ c:\windows\3828736E1AE7F9CD6622E6C9592DB2AF.exe
2009-03-12 15:18 . 2009-03-12 15:18 454,656 --a------ c:\windows\putty.exe
2009-03-07 10:15 . 2009-03-07 10:15 d-------- c:\program files\CRON-O-METER
2009-03-07 10:15 . 2009-03-07 10:16 d-------- c:\documents and settings\KerDaNauer\Application Data\cronometer
2009-02-21 00:18 . 2009-02-21 00:18 d-------- c:\documents and settings\KerDaNauer\Application Data\STOIK
2009-02-21 00:18 . 2009-02-21 00:18 d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 00:17 . 2009-02-21 00:17 d-------- c:\program files\STOIK Imaging
2009-02-21 00:17 . 2009-02-21 00:17 d-------- c:\program files\Common Files\ST System Shared
2009-02-17 12:15 . 2009-02-17 12:15 d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-17 12:14 . 2009-02-17 12:14 d-------- c:\program files\NCH Software
2009-02-17 12:14 . 2009-02-17 12:14 d-------- c:\documents and settings\KerDaNauer\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 11:19 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\OpenOffice.org2
2009-03-17 09:19 --------- d-----w c:\program files\mIRC
2009-03-17 09:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-16 14:13 --------- d-----w c:\program files\DVBViewer
2009-03-11 05:57 --------- d-----w c:\program files\Winamp
2009-03-07 15:01 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\gtk-2.0
2009-03-01 11:49 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\Audacity
2009-02-27 13:19 --------- d-----w c:\program files\FlashFXP
2009-02-23 20:11 --------- d-----w c:\program files\schism
2009-02-20 22:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 18:28 --------- d-----w c:\program files\ESX_Wave_Organizer_v0.1.8
2009-02-05 13:37 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\vlc
2009-02-05 13:35 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\dvdcss
2009-02-05 13:31 --------- d-----w c:\program files\VideoLAN
2009-01-29 22:49 --------- d-----w c:\program files\Windows Resource Kits
2009-01-29 13:20 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 13:20 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-29 13:20 --------- d-----w c:\program files\AVG
2009-01-29 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-29 12:42 --------- d-----w c:\program files\ClamWinPortable
2009-01-29 12:39 12,564,505 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-28 21:39 --------- d-----w c:\program files\trend micro
2009-01-28 08:45 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\Malwarebytes
2009-01-28 08:45 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 08:44 --------- d-----w c:\program files\CCleaner
2009-01-28 08:41 --------- d-----w c:\program files\MPEG-AVI 2 GIF 1
2009-01-28 08:40 --------- d-----w c:\program files\ASMT
2009-01-27 18:22 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-27 18:04 --------- d-----w c:\program files\EsetOnlineScanner
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-15 15360]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"JulaPan"="JulaPan.Exe" [2005-07-05 c:\windows\system32\JulaPan.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-02 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-09-19 3907328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

c:\documents and settings\KerDaNauer\Käynnistä-valikko\Ohjelmat\Käynnistys\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-03-16 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fabbeabbbdfcfcbfa]
2006-05-07 05:17 312847 c:\windows\system32\fabbeabbbdfcfcbfa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 15:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XVID"= xvid.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2psxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-29 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2008-09-19 1262336]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2008-09-19 343296]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-07-18 157000]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2007-03-22 46080]
R3 JULA_01;Service for Juli@ 1;c:\windows\system32\drivers\JulaWdm.sys [2007-03-22 22880]
R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);c:\windows\system32\drivers\Jula.sys [2007-03-22 29472]
S0 ati2psxx;ati2psxx;c:\windows\system32\Drivers\ati2psxx.sys --> c:\windows\system32\Drivers\ati2psxx.sys [?]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-08-11 77312]
S2 cdenable;cdenable;c:\windows\system32\Drivers\cdenable.sys --> c:\windows\system32\Drivers\cdenable.sys [?]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2007-06-08 1888]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2008-10-21 5533]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dnainternet.fi/
FF - ProfilePath - c:\documents and settings\KerDaNauer\Application Data\Mozilla\Firefox\Profiles\zpi1g8iq.default\
FF - prefs.js: browser.search.selectedEngine - Ilmainen Sanakirja
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-03-17 13:18:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys 36864 bytes executable
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir 36864 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f16ccc987a73d99c3cab8d86438d296]
"ImagePath"="system32\0f16ccc987a73d99c3cab8d86438d296.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\DefaultIcon]
@DACL=(02 0000)
@SACL=
@="%1"

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shellex]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\fabbeabbbdfcfcbfa.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mgabg.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-03-17 13:22:10 - machine was rebooted [KerDaNauer]
ComboFix-quarantined-files.txt 2009-03-17 11:22:06

Pre-Run: 1,416,851,456 bytes free
Post-Run: 1,317,519,360 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4,5
285 --- E O F --- 2009-03-17 01:01:59


----------------------------------------------
Posted 3/17/2009 1:29 PM
#72984

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

Snapshot::

File::
c:\windows\system32\fabbeabbbdfcfcbfa.dll
c:\windows\system32\Drivers\ati2psxx.sys
c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir

Driver::
ati2psxx

Hosts::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fabbeabbbdfcfcbfa]

Save this as:
CFScript



https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post a fresh ComboFix log.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.
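Added example, not part of the thread and not the helper's or ComboFix's own code: the CFScript above was built from three things in the log (a Winlogon Notify DLL with a random-looking name loaded into winlogon.exe, a boot-start driver whose image ComboFix could not read and which also registers itself under SafeBoot\Minimal, and two files catchme found hidden from the Win32 API). The Python below applies those heuristics to a sample constructed in the log's own format (the entries are the ones quoted in this thread) and renders the hits in CFScript syntax. The regexes, the hex-only-name rule and the grouping by file stem are this example's assumptions; the output is a review list, not something to drag onto ComboFix unread, because a CFScript deletes what it names.

```python
import re

# Constructed sample in the format of the ComboFix log posted in this thread:
# Winlogon Notify keys, a SafeBoot\Minimal key, service lines and the
# catchme "hidden files" lines.  Entries are the ones quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fabbeabbbdfcfcbfa]
2006-05-07 05:17 312847 c:\windows\system32\fabbeabbbdfcfcbfa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 15:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2psxx.sys]
@="Driver"

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
S0 ati2psxx;ati2psxx;c:\windows\system32\Drivers\ati2psxx.sys --> c:\windows\system32\Drivers\ati2psxx.sys [?]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-08-11 77312]

c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys 36864 bytes executable
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir 36864 bytes executable
"""

# Line shapes as they appear in the posted log (assumed from that output).
NOTIFY_KEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\[^\]]+)\]$", re.I)
SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\([^\]]+)\]$", re.I)
# "R1 name;description;path [date size]"  or  "S0 name;name;path --> path [?]"
SERVICE_LINE = re.compile(
    r"^[RS]([0-4]) ([^;]+);[^;]*;(.+?)(?: --> .+?)? \[(\?|\d{4}-\d{2}-\d{2} \d+)\]$")
HIDDEN_FILE = re.compile(r"^(\S+) \d+ bytes executable$")
# A file name made only of hex digits, 16 or more of them (an MD5 is 32), is not
# how vendors name drivers; this is the example's own heuristic, not ComboFix's.
HEX_NAME = re.compile(r"^[0-9a-f]{16,}$")


def stem(path):
    """Lower-case file name without directory or last extension: 'c:\\x\\b.sys' -> 'b'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return {stem: {"reasons": [...], "files": set, "drivers": set, "keys": set}}
    for every entry that trips at least one heuristic; clean entries are absent."""
    items = {}

    def item(key):
        return items.setdefault(key, {"reasons": [], "files": set(), "drivers": set(), "keys": set()})

    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line)
        if m and i + 1 < len(lines):
            dll = lines[i + 1].split(" ", 3)[-1]          # next line: "date time size path"
            if HEX_NAME.match(stem(dll)):
                it = item(stem(dll))
                it["reasons"].append("Winlogon Notify DLL (loaded into winlogon.exe) with a hex-only name")
                it["files"].add(dll)
                it["keys"].add(m.group(1))
            continue
        m = SAFEBOOT_KEY.match(line)
        if m:
            item(stem(m.group(1)))["reasons"].append("registered under SafeBoot\\Minimal, so it loads in Safe Mode too")
            continue
        m = SERVICE_LINE.match(line)
        if m:
            start, name, path, stamp = m.groups()
            if stamp == "?":                              # ComboFix could not read the image
                it = item(stem(path))
                it["reasons"].append(f"start-type {start} driver whose image could not be read [?]")
                it["drivers"].add(name)
                it["files"].add(path)
            continue
        m = HIDDEN_FILE.match(line)
        if m:
            path = m.group(1)
            # "_name.sys_.vir" is the quarantine copy of "name.sys": fold both onto one stem.
            it = item(stem(path).strip("_").split(".")[0])
            it["reasons"].append("hidden from the Win32 API (catchme)")
            it["files"].add(path)
    return items


def render_cfscript(items):
    """Render the hits in the CFScript syntax used in this thread: File:: deletes files,
    Driver:: removes a driver service, and [-key] under Registry:: deletes a key."""
    files = sorted(f for it in items.values() for f in it["files"])
    drivers = sorted(d for it in items.values() for d in it["drivers"])
    keys = sorted(k for it in items.values() for k in it["keys"])
    block = ["Killall::", "", "File::", *files, "", "Driver::", *drivers,
             "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(block) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for name, it in sorted(hits.items()):
        print(name, "->", "; ".join(it["reasons"]))
    print(render_cfscript(hits))
```

On the sample the three flagged stems are fabbeabbbdfcfcbfa, ati2psxx and 0f16ccc987a73d99c3cab8d86438d296, and the rendered script matches the one the helper posted; AVG's Notify DLL and the viasraid driver are not flagged. The name check is only a cheap first cut: before acting on a hit you would still want the file's hash and signer, which the log does not carry.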


Posted 3/17/2009 2:16 PM
#72986

veiwaus Member

Date Joined Nov 2016
Total Posts: 6
Thanks!

I can now see AVG back in system tray.

Here's the fresh Combofix log:

-----------------------------------

ComboFix 09-03-15.01 - KerDaNauer 2009-03-17 16:03:01.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.2046.1593 [GMT 2:00]
Running from: c:\documents and settings\KerDaNauer\Työpöytä\FIX\ComboFix.exe
Command switches used :: c:\documents and settings\KerDaNauer\Työpöytä\FIX\CFScript
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir
c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys
c:\windows\system32\Drivers\ati2psxx.sys
c:\windows\system32\fabbeabbbdfcfcbfa.dll
.

(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fabbeabbbdfcfcbfa.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI2PSXX
-------\Service_ati2psxx


((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))
.

2009-03-17 11:41 . 2009-03-17 11:41 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-17 11:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 11:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-17 11:17 . 2009-03-17 11:17 d-------- c:\program files\AFMG
2009-03-17 11:16 . 2009-03-17 11:16 d-------- c:\documents and settings\All Users\Application Data\AFMG
2009-03-17 09:23 . 2009-03-17 09:23 184,848 --a------ c:\windows\3828736E1AE7F9CD6622E6C9592DB2AF.exe
2009-03-12 15:18 . 2009-03-12 15:18 454,656 --a------ c:\windows\putty.exe
2009-03-07 10:15 . 2009-03-07 10:15 d-------- c:\program files\CRON-O-METER
2009-03-07 10:15 . 2009-03-07 10:16 d-------- c:\documents and settings\KerDaNauer\Application Data\cronometer
2009-02-21 00:18 . 2009-02-21 00:18 d-------- c:\documents and settings\KerDaNauer\Application Data\STOIK
2009-02-21 00:18 . 2009-02-21 00:18 d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 00:17 . 2009-02-21 00:17 d-------- c:\program files\STOIK Imaging
2009-02-21 00:17 . 2009-02-21 00:17 d-------- c:\program files\Common Files\ST System Shared
2009-02-17 12:15 . 2009-02-17 12:15 d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-17 12:14 . 2009-02-17 12:14 d-------- c:\program files\NCH Software
2009-02-17 12:14 . 2009-02-17 12:14 d-------- c:\documents and settings\KerDaNauer\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 14:08 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\OpenOffice.org2
2009-03-17 09:19 --------- d-----w c:\program files\mIRC
2009-03-17 09:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-16 14:13 --------- d-----w c:\program files\DVBViewer
2009-03-11 05:57 --------- d-----w c:\program files\Winamp
2009-03-07 15:01 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\gtk-2.0
2009-03-01 11:49 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\Audacity
2009-02-27 13:19 --------- d-----w c:\program files\FlashFXP
2009-02-23 20:11 --------- d-----w c:\program files\schism
2009-02-20 22:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 18:28 --------- d-----w c:\program files\ESX_Wave_Organizer_v0.1.8
2009-02-05 13:37 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\vlc
2009-02-05 13:35 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\dvdcss
2009-02-05 13:31 --------- d-----w c:\program files\VideoLAN
2009-01-29 22:49 --------- d-----w c:\program files\Windows Resource Kits
2009-01-29 13:20 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 13:20 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-29 13:20 --------- d-----w c:\program files\AVG
2009-01-29 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-29 12:42 --------- d-----w c:\program files\ClamWinPortable
2009-01-28 21:39 --------- d-----w c:\program files\trend micro
2009-01-28 08:45 --------- d-----w c:\documents and settings\KerDaNauer\Application Data\Malwarebytes
2009-01-28 08:45 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 08:44 --------- d-----w c:\program files\CCleaner
2009-01-28 08:41 --------- d-----w c:\program files\MPEG-AVI 2 GIF 1
2009-01-28 08:40 --------- d-----w c:\program files\ASMT
2009-01-27 18:22 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-27 18:04 --------- d-----w c:\program files\EsetOnlineScanner
.

(((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-15 15360]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"JulaPan"="JulaPan.Exe" [2005-07-05 c:\windows\system32\JulaPan.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-02 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-09-19 3907328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-15 15360]

c:\documents and settings\KerDaNauer\Käynnistä-valikko\Ohjelmat\Käynnistys\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-03-16 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 15:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XVID"= xvid.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-29 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2008-09-19 1262336]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2008-09-19 343296]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-07-18 157000]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2007-03-22 46080]
R3 JULA_01;Service for Juli@ 1;c:\windows\system32\drivers\JulaWdm.sys [2007-03-22 22880]
R3 JULA_AA;Service for Juli@ Audio Driver (EWDM);c:\windows\system32\drivers\Jula.sys [2007-03-22 29472]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-08-11 77312]
S2 cdenable;cdenable;c:\windows\system32\Drivers\cdenable.sys --> c:\windows\system32\Drivers\cdenable.sys [?]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2007-06-08 1888]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2008-10-21 5533]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-ati2psxx.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dnainternet.fi/
FF - ProfilePath - c:\documents and settings\KerDaNauer\Application Data\Mozilla\Firefox\Profiles\zpi1g8iq.default\
FF - prefs.js: browser.search.selectedEngine - Ilmainen Sanakirja
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-03-17 16:07:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\0f16ccc987a73d99c3cab8d86438d296.sys 36864 bytes executable
c:\windows\system32\_0f16ccc987a73d99c3cab8d86438d296.sys_.vir 36864 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f16ccc987a73d99c3cab8d86438d296]
"ImagePath"="system32\0f16ccc987a73d99c3cab8d86438d296.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\DefaultIcon]
@DACL=(02 0000)
@SACL=
@="%1"

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shellex]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\windows\system32\mgabg.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-03-17 16:11:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 14:11:07
ComboFix2.txt 2009-03-17 11:22:12

Pre-Run: 1,268,330,496 bytes free
Post-Run: 1,245,143,040 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4,5
195 --- E O F --- 2009-03-17 01:01:59

-------------------------------------------------
Posted 3/18/2009 6:40 AM
#72993

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
How are things running now ?



Posted 3/19/2009 10:58 AM
#73002

veiwaus Member

Date Joined Nov 2016
Total Posts: 6
Thank you for another thousand times.

Everything seems perfectly fine, I think I got rid of the threat alert which appeared each time when rebooting too!

If I ever encounter any more problems I surely know where to get help!
Posted 3/19/2009 1:19 PM
#73003

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
That's good news :smile:

  • We will now clear your existing system restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And resets System Restore again.

I also suggest you read Tony Klein's article:
So how did I get infected in the first place.


