Damn! My computer is very infected by spyware. I scanned my computer with SUPERAntiSpyware. It found 7 trojan downloaders, some adware and tracking cookies, and Unclassified.Oreans32
ComboFix 08-02-21 - Antti 2008-02-21 20:33:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.556 [GMT 2:00]
Running from: C:\Documents and Settings\Antti.PERHEKONE\Työpöytä\ComboFix.exe
- Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MWHTMLMU.DLL
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\1.bin\MYPOPSWT.DLL
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\myBar\Cache[u]0[/u]1137F77.bin
C:\Program Files\MyWay\myBar\Cache[u]0[/u]11383EB.bin
C:\Program Files\MyWay\myBar\Cache[u]0[/u]1138D13.bin
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\Cache[u]0[/u]113213A
C:\Program Files\MyWay\SrchAstt\Cache\files.ini
C:\Program Files\MyWay\SrchAstt\Settings\prevcfg.htm
----- BITS: Possible infected sites -----
hxxp://au.downlo
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-01-21 to 2008-02-21 )))))))))))))))))
.
2008-02-21 15:27 . 2008-02-21 15:29 226 --a------ C:\Gunner3.ini
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\soundtrack
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\rock
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\reggae
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\newage
2008-02-20 16:17 . 2008-02-20 16:21 d-------- C:\Documents and Settings\Antti\misc
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\jazz
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\folk
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\data
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\country
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\classical
2008-02-20 16:17 . 2008-02-20 16:17 d-------- C:\Documents and Settings\Antti\blues
2008-02-20 16:09 . 2008-02-20 16:31 d-------- C:\Documents and Settings\Antti\Status
2008-02-16 16:07 . 2008-02-16 16:07 d-------- C:\Program Files\Common Files\Motion Playground Inc
2008-02-16 14:51 . 2008-02-16 14:51 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-13 16:48 . 2008-02-15 20:06 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-11 21:22 . 2008-02-11 21:22 d-------- C:\Program Files\Niels Bauer Software Design
2008-02-10 13:40 . 2008-02-10 13:40 d-------- C:\Sierra
2008-02-09 23:11 . 2008-02-09 23:11 d-------- C:\Documents and Settings\Antti.PERHEKONE\Application Data\GRETECH
2008-02-09 22:35 . 2008-02-09 22:35 d-------- C:\Program Files\GRETECH
2008-02-09 21:37 . 2008-02-09 21:47 5,382 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-09 21:05 . 2008-02-09 21:47 72,074 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-02-09 21:04 . 2008-02-09 21:46 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-02-09 20:53 . 2008-02-09 21:36 d-------- C:\WINDOWS\BricoPacks
2008-02-08 16:52 . 2008-02-08 16:52 335,872 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll
2008-02-07 09:06 . 2008-02-07 09:06 d-------- C:\Program Files\eidos Interactive
2008-02-06 11:20 . 2008-02-06 11:20 d-------- C:\Program Files\3DO
2008-02-06 10:39 . 2008-02-06 10:39 d-------- C:\Documents and Settings\All Users\Application Data\Chat Republic Games
2008-02-05 21:29 . 2008-02-05 21:29 31,361 --a------ C:\WINDOWS\3DSTATE_logo.jpg
2008-02-05 21:09 . 2008-02-07 12:55 d-------- C:\Program Files\StarportGE
2008-02-05 21:08 . 2008-02-18 21:57 d-------- C:\Program Files\My Worst Day WW2
2008-02-05 16:19 . 2008-02-05 16:19 d-------- C:\Program Files\Infogrames
2008-01-31 19:15 . 2008-01-31 19:21 d-------- C:\Documents and Settings\pommi tommi\Application Data\Mount&Blade
2008-01-30 13:21 . 2008-01-30 13:21 d-------- C:\Program Files\D-Tools
2008-01-30 13:21 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-01-30 13:21 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-01-28 22:13 . 2008-01-28 22:16 d-------- C:\Documents and Settings\Antti.PERHEKONE\Application Data\Mount&Blade
2008-01-27 16:28 . 2008-02-21 20:59 5,042,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-27 16:28 . 2008-02-21 16:16 59,852 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-27 16:20 . 2008-01-27 16:20 d-------- C:\Program Files\ZoneAlarmSB
2008-01-27 16:17 . 2008-01-27 16:17 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-27 16:17 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-27 16:17 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-27 16:17 . 2008-01-27 16:20 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-27 16:16 . 2008-01-27 16:16 d-------- C:\Program Files\Zone Labs
2008-01-27 16:15 . 2008-02-21 20:53 d-------- C:\WINDOWS\Internet Logs
2008-01-21 14:02 . 2008-02-09 17:39 84,729 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 13:30 4,120 ----a-w C:\Documents and Settings\Antti.PERHEKONE\Application Data\wklnhst.dat
2008-02-20 18:07 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\LimeWire
2008-02-17 18:45 24,008 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\wklnhst.dat
2008-02-17 17:28 --------- d-----w C:\Program Files\ExtraFilm Kotona
2008-02-16 12:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 20:53 168,960 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-15 20:53 1,619,456 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-15 17:05 --------- d-----w C:\Program Files\Mount&Blade
2008-02-14 18:08 1,613,312 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-14 09:00 1,481 ---ha-w C:\Documents and Settings\SALME NEUVONEN\hpothb07.dat
2008-02-11 20:34 273,920 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-11 20:34 1,590,784 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-10 11:45 --------- d-----w C:\Program Files\Sierra On-Line
2008-02-10 09:26 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\uTorrent
2008-02-09 19:05 219,136 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-02-09 18:58 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\MSN6
2008-02-08 11:47 --------- d-----w C:\Program Files\ProPilkki2
2008-02-08 06:12 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\LimeWire
2008-02-06 13:23 --------- d-----w C:\Program Files\KotiMikron Hakemisto
2008-02-06 10:55 499,200 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-06 08:55 --------- d-----w C:\Program Files\CoolBasic
2008-02-06 08:53 --------- d-----w C:\Program Files\Jollygood Games
2008-02-06 08:52 --------- d-----w C:\Program Files\Beamer
2008-02-06 06:56 1,469,440 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 11:08 --------- d-----w C:\Program Files\Jets'n'Guns Demo
2008-01-29 13:08 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\wsInspector
2008-01-28 14:21 --------- d-----w C:\Program Files\Deadhunt Demo
2008-01-26 17:42 --------- d-----w C:\Program Files\EA Games
2008-01-26 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 10:59 --------- d-----w C:\Documents and Settings\SALME NEUVONEN\Application Data\wsInspector
2008-01-25 19:43 --------- d-----w C:\Program Files\LEGO Media
2008-01-21 10:57 --------- d-----w C:\Program Files\eMule
2008-01-19 21:16 --------- d-----w C:\Program Files\LimeWire
2008-01-18 21:24 --------- d-----w C:\Program Files\Paint.NET
2008-01-18 16:34 --------- d-----w C:\Program Files\Microsoft Games
2008-01-18 11:41 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\InterVideo
2008-01-17 16:47 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\LEGO Media
2008-01-17 16:43 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\eMule
2008-01-17 14:31 --------- d-----w C:\Documents and Settings\SALME NEUVONEN\Application Data\Grisoft
2008-01-17 12:13 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\LEGO Media
2008-01-17 11:59 720,896 -c--a-w C:\WINDOWS\iun6002.exe
2008-01-17 11:37 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\Grisoft
2008-01-16 18:58 --------- d-----w C:\Documents and Settings\Pekka\Application Data\Grisoft
2008-01-16 15:09 --------- d-----w C:\Program Files\Freeciv-2.1.0-gtk2
2008-01-16 14:28 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\Grisoft
2008-01-16 11:29 --------- d-----w C:\Program Files\EndlessOnline
2008-01-14 05:22 --------- d-----w C:\Program Files\AGEIA Technologies
2008-01-13 18:31 --------- d-----w C:\Program Files\XMoto
2008-01-13 13:35 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-13 08:01 --------- d-----w C:\Program Files\Elävät Kirjat
2008-01-13 06:47 162 ----a-w C:\Documents and Settings\Pekka\Application Data\wklnhst.dat
2008-01-11 18:06 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\Microsoft Games
2008-01-11 11:01 --------- d-----w C:\Program Files\TuxPaint
2008-01-08 20:48 --------- d-----w C:\Program Files\Eraser
2008-01-08 12:57 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\Skype
2008-01-06 15:10 --------- d-----w C:\Program Files\Google
2008-01-06 14:32 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\AdobeUM
2008-01-06 13:57 0 ----a-w C:\Documents and Settings\pommi tommi\Application Data\wklnhst.dat
2008-01-05 11:57 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-04 12:20 --------- d-----w C:\Documents and Settings\Pekka\Application Data\Hewlett-Packard
2008-01-04 12:19 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-03 16:28 110,648 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\GDIPFONTCACHEV1.DAT
2008-01-02 13:14 --------- d-----w C:\Program Files\Elma
2008-01-02 12:27 --------- d-----w C:\Program Files\Skype
2008-01-02 12:27 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-02 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-01 19:37 110,648 ----a-w C:\Documents and Settings\Antti.PERHEKONE\Application Data\GDIPFONTCACHEV1.DAT
2007-12-31 12:50 19,456 ----a-w C:\WINDOWS\system32\drivers\cryskmuh.dat
2007-12-30 10:32 --------- d-----w C:\Program Files\Nstorm
2007-12-22 10:31 --------- d-----w C:\Program Files\Everest Poker
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-22 13:40 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2007-11-22 13:40 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2007-11-22 13:40 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2007-11-21 11:21 40,731 ----a-w C:\WINDOWS\system32\superiorads-uninst.exe
2007-09-16 10:49 22 ----a-w C:\Program Files\Uusi WinRAR ZIP-arkisto.zip
2006-11-23 14:08 8,704 --sha-w C:\Program Files\Thumbs.db
2006-02-21 18:57 348 ----a-w C:\Program Files\HitListe.dat
2006-01-13 12:57 3,418 ----a-w C:\Program Files\INSTALL.LOG
2004-12-17 15:35 2,755 ----a-w C:\Program Files\Uninst.isu
2004-12-01 11:50 524,300 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\position.bin
2004-10-22 15:54 561 ---ha-w C:\Documents and Settings\SALME NEUVONEN\Application Data\hpothb07.dat
2004-10-01 12:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-09-27 09:24 18,762 ----a-w C:\Program Files\gametext.txt
2002-10-29 19:31 589,824 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\book.bin
1998-03-19 10:58 8,962 ----a-w C:\Program Files\Terning.wav
1998-03-03 09:29 176 ----a-w C:\Program Files\Pop.wav
1998-03-03 09:29 1,078 ----a-w C:\Program Files\Face03.ico
1997-02-12 21:17 19,426 -c----w C:\Program Files\Applaus.wav
1995-01-01 00:51 44 ----a-w C:\Program Files\Track14.cda
.
------- Sigcheck -------
"C:\WINDOWS\explorer.exe"
----a-w 975,872 2007-06-13 13:22:06 C:\WINDOWS\explorer.exe
----a-w 1,033,728 2007-06-13 13:10:34 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w 1,004,544 2002-09-16 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
-c----w 1,032,704 2004-09-14 13:12:04 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
----a-w 975,872 2007-06-13 13:22:06 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
-c----w 1,033,728 2007-06-13 13:22:06 C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Huom Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A60DCFC-6B26-427E-9B62-86A38966BBF9}]
2004-09-14 15:11 84992 --a------ C:\WINDOWS\system32\cryptsv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 16:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{C11483F7-D7D8-4804-98D8-6055470BB989}
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-27 16:20 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 20:16 68856]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2006-07-31 13:33 36864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 15:12 15360]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-04-16 11:56 131072]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wizard"=""
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-07-01 12:02 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-07-01 11:58 118784]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 02:11 50688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 12:01 1397760]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"ExtraFilmHemmaAgent"="C:\Program Files\ExtraFilm Kotona\Agent.exe" [2004-05-21 13:16 290816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 15:12 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
C:\Documents and Settings\SALME NEUVONEN\Käynnistä-valikko\Ohjelmat\Käynnistys
Uusi InterActual Skin.iti [2007-04-17 15:44:03 0]
C:\Documents and Settings\Antti.PERHEKONE\Käynnistä-valikko\Ohjelmat\Käynnistys
PowerReg Scheduler V3.exe [2007-09-19 17:51:39 225280]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 09:43:14 155648]
C:\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-05 17:47:46 113664]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 21:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"
R0 wblhobme;wblhobme;C:\WINDOWS\system32\drivers\cryskmuh.dat
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-10-05 14:33]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2005-09-05 13:10]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 13:45]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Antti\LOCALS~1\Temp\iMSPCLOj.sys
S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Program Files\Webcam\Webcam123\dogsvc.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3796bfba-7cd2-11dc-b68e-003005673e3a}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-02-14 12:20:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1199449175.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-02-21 18:26:00 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-21 12:20:00 C:\WINDOWS\Tasks\WebReg 20080214142048.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exeQ/TaskName 20080214142048 /N
.
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 20:58:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
.
Completion time: 2008-02-21 21:01:46
ComboFix-quarantined-files.txt 2008-02-21 19:01:39
.
2008-02-15 18:06:02 --- E O F ---
That ComboFix log is 2 months old. Please delete ComboFix.exe from your desktop and download a new one. Please follow the instructions. A new HJT log will also be required after you run ComboFix.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

- Please, never rename ComboFix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
- If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
- Double-click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Sorry! My bad. Here is my latest ComboFix log.
ComboFix 08-04-24.1 - Antti 2008-04-25 17:45:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.602 [GMT 3:00]
Running from: C:\Documents and Settings\Antti.PERHEKONE\Työpöytä\Lataukset\ComboFix.exe
- Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Antti.PERHEKONE\Application Data\urlredir.cfg
C:\Documents and Settings\pommi tommi\Application Data\urlredir.cfg
C:\WINDOWS\system32\el32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_XPROTECTOR
-------\Service_XPROTECTOR
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-03-25 to 2008-04-25 )))))))))))))))))
.
2008-04-25 15:55 . 2008-04-25 15:55 d-------- C:\Program Files\Windows Live
2008-04-25 15:55 . 2008-04-25 16:03 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-25 15:54 . 2008-04-25 15:54 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-23 16:56 . 2008-04-24 18:38 d-------- C:\Program Files\DC++
2008-04-22 19:10 . 2008-04-22 19:12 d-------- C:\Program Files\Defcon
2008-04-22 16:59 . 2008-04-24 15:59 d-------- C:\Program Files\eMule
2008-04-21 19:51 . 2008-04-21 19:51 d-------- C:\Program Files\kiihdytys
2008-04-19 12:01 . 2008-04-19 12:20 d-------- C:\Documents and Settings\Antti.PERHEKONE\Application Data\gtk-2.0
2008-04-19 12:00 . 2008-04-19 12:00 d-------- C:\Documents and Settings\Antti.PERHEKONE\.thumbnails
2008-04-19 11:56 . 2008-04-19 22:47 d-------- C:\Documents and Settings\Antti.PERHEKONE\.gimp-2.4
2008-04-19 11:50 . 2008-04-19 11:50 d-------- C:\Program Files\GIMP-2.0
2008-04-18 17:09 . 2008-04-18 17:09 d-------- C:\Program Files\M&BMapEditor
2008-04-14 16:02 . 2008-04-14 16:03 d-------- C:\58cf48308acbc95a35
2008-04-10 22:30 . 2008-04-10 22:30 d-------- C:\Harry Potter and The Chamber of the secret
2008-04-10 19:18 . 2007-08-24 19:45 101,120 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-04-10 19:18 . 2007-08-24 19:45 24,448 -ra------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2008-04-10 19:17 . 2008-04-10 19:19 d-------- C:\Program Files\Mobile Partner
2008-04-10 17:24 . 2008-04-10 17:24 d-------- C:\GENIUS
2008-04-10 17:24 . 2008-04-10 17:24 65 --a------ C:\WINDOWS\GENIUS.INI
2008-04-10 16:43 . 2008-04-10 16:43 1,126 --a------ C:\Documents and Settings\Antti.PERHEKONE\Application Data\filterclsid.dat
2008-03-31 20:56 . 2008-03-31 20:56 d-------- C:\Program Files\Frets on Fire
2008-03-30 23:25 . 2008-03-30 23:28 d-------- C:\Documents and Settings\Antti.PERHEKONE\Application Data\fretsonfire
2008-03-26 15:43 . 2008-04-11 17:06 d-------- C:\WINDOWS\.mpr_file_store_32
2008-03-25 16:12 . 2008-03-25 16:12 d-------- C:\Program Files\Running with scissors
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 15:13 13,776,928 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-25 14:56 162,404 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-25 14:24 5,356 ----a-w C:\Documents and Settings\Antti.PERHEKONE\Application Data\wklnhst.dat
2008-04-24 19:26 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-24 19:05 --------- d-----w C:\Program Files\Fish Tycoon
2008-04-23 13:42 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\LimeWire
2008-04-20 17:16 --------- d-----w C:\Program Files\Rockstar Games
2008-04-20 17:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 14:16 --------- d-----w C:\Program Files\Mount&Blade
2008-04-18 12:59 --------- d-----w C:\Program Files\Paint.NET
2008-04-17 07:33 24,624 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\wklnhst.dat
2008-04-11 08:03 88,502 -c--a-w C:\WINDOWS\E220AutoRunLog.tmp
2008-04-09 12:06 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\Ahead
2008-04-08 17:45 --------- d-----w C:\Program Files\Diablo
2008-04-08 08:05 --------- d-----w C:\Program Files\ExtraFilm Kotona
2008-03-23 13:47 --------- d-----w C:\Program Files\Empire Chess
2008-03-21 10:49 --------- d-----w C:\Program Files\Pure Motion
2008-03-20 14:49 --------- d-----w C:\Program Files\LEGO Island
2008-03-17 18:09 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2008-03-17 16:46 --------- d-----w C:\Program Files\Warcraft III
2008-03-17 14:25 --------- d-----w C:\Program Files\Bejeweled 2 Deluxe
2008-03-14 11:49 --------- d-----w C:\Documents and Settings\Pekka\Application Data\InterVideo
2008-03-13 12:41 1,382,282 ----a-w C:\Program Files\gta_mod_installer_v5.0_beta.zip
2008-03-13 12:39 --------- d-----w C:\Program Files\Lemonade Tycoon 2
2008-03-12 11:06 --------- d-----w C:\Documents and Settings\Antti.PERHEKONE\Application Data\wsInspector
2008-03-07 15:38 --------- d-----w C:\Program Files\Everest Poker
2008-03-06 08:14 --------- d-----w C:\Program Files\Raptisoft
2008-03-04 12:07 --------- d-----w C:\Program Files\Winamp
2008-02-29 16:31 --------- d-----w C:\Program Files\IObit
2008-02-29 11:15 --------- d-----w C:\Documents and Settings\pommi tommi\Application Data\LimeWire
2008-02-28 20:11 --------- d-----w C:\Program Files\Ant War
2008-02-28 20:00 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-28 20:00 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-28 18:16 148 ----a-w C:\Documents and Settings\pommi tommi\Application Data\wklnhst.dat
2008-02-28 13:50 --------- d-----w C:\Program Files\MP3 Player Utilities
2008-02-28 13:17 --------- d-----w C:\Program Files\Ski Jump International
2008-02-28 08:56 446 ----a-w C:\Documents and Settings\Pekka\Application Data\wklnhst.dat
2008-02-26 14:38 --------- d-----w C:\Program Files\Zone.com Deluxe Games
2008-02-26 13:06 --------- d-----w C:\Program Files\Injoy Games
2008-02-14 09:00 1,481 ---ha-w C:\Documents and Settings\SALME NEUVONEN\hpothb07.dat
2008-02-09 19:47 72,074 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-02-09 19:47 5,382 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-01-03 16:28 110,648 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\GDIPFONTCACHEV1.DAT
2008-01-01 19:37 110,648 ----a-w C:\Documents and Settings\Antti.PERHEKONE\Application Data\GDIPFONTCACHEV1.DAT
2007-09-16 10:49 22 ----a-w C:\Program Files\Uusi WinRAR ZIP-arkisto.zip
2006-11-23 14:08 8,704 --sha-w C:\Program Files\Thumbs.db
2006-02-21 18:57 348 ----a-w C:\Program Files\HitListe.dat
2006-01-13 12:57 3,418 ----a-w C:\Program Files\INSTALL.LOG
2005-12-07 23:59 1,572,307 ----a-w C:\Program Files\war3.exe
2004-12-17 15:35 2,755 ----a-w C:\Program Files\Uninst.isu
2004-12-01 11:50 524,300 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\position.bin
2004-10-22 15:54 561 ---ha-w C:\Documents and Settings\SALME NEUVONEN\Application Data\hpothb07.dat
2004-10-01 12:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-09-27 09:24 18,762 ----a-w C:\Program Files\gametext.txt
2002-10-29 19:31 589,824 ----a-w C:\Documents and Settings\SALME NEUVONEN\Application Data\book.bin
1998-03-19 10:58 8,962 ----a-w C:\Program Files\Terning.wav
1998-03-03 09:29 176 ----a-w C:\Program Files\Pop.wav
1998-03-03 09:29 1,078 ----a-w C:\Program Files\Face03.ico
1997-02-12 21:17 19,426 -c----w C:\Program Files\Applaus.wav
1995-01-01 00:51 44 ----a-w C:\Program Files\Track14.cda
.
------- Sigcheck -------
2007-06-13 16:22 975872 bfb589091060c9e3c5e6f55c6881ed78 C:\WINDOWS\explorer.exe
2007-06-13 16:10 1033728 fb53c3b1e17f62e8fcb07caaf4c4272e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-09-16 15:00 1004544 d6c6bfea41800fd67d3c08f73478065e C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-09-14 16:12 1032704 43c0b3d357f319875a51bc111f393147 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 16:22 975872 bfb589091060c9e3c5e6f55c6881ed78 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 16:22 1033728 0f88a5b1ca666754c4c62ad3db4730ef C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Huom Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 17:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-01-27 17:20 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-27 17:20 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-14 16:12 15360]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-04-16 12:56 131072]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-07-01 13:02 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-07-01 12:58 118784]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 03:11 50688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 13:01 1397760]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2008-01-16 01:54 37376]
"ExtraFilmHemmaAgent"="C:\Program Files\ExtraFilm Kotona\Agent.exe" [2004-05-21 14:16 290816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-14 16:12 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 00:18 443968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe"=
"C:\Program Files\eMule\emule.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 20:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 20:35]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2003-04-18 14:45]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Antti\LOCALS~1\Temp\iMSPCLOj.sys
S3 zlportio;zlportio;C:\Documents and Settings\Antti.PERHEKONE\Työpöytä\Lataukset\ultrastardx-101a-lite\zlportio.sys
S4 Webcam Corp. Service Starter;Webcam Corp. Service Starter;C:\Program Files\Webcam\Webcam123\dogsvc.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{006565cf-06cf-11dd-94df-003005673e3a}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09d81075-06e9-11dd-94e2-003005673e3a}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3796bfba-7cd2-11dc-b68e-003005673e3a}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe
.
'Ajoitetut tehtävät'-kansion sisältö
"2008-04-25 11:20:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1199449175.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-29 10:37:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1204193333.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-10 09:03:28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1204273610.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-25 14:26:00 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
Thank you! That trojan is now deleted from my computer. There is no cryptsv.dll and no drivers/crychmuh or something like that. Thank you very much. You are the best!!!
This is looking pretty good. There is a directory that is strange. Do you recognize this?
C:\Program Files\kiihdytys
Please post a new HJT log
Thanks
That is a game. Yes, I recognize it. It's not strange.
Thank you, there were no hits for it on Google.
You can clean up the tools you used.

- Click the Start button, then Run, copy and paste the following line into the box and click OK:
  ComboFix /u

- Create a new restore point
  You must be logged on to an administrator account.
  Go to Start - All Programs - Accessories - System Tools - System Restore.
  Click Create a restore point, and then click Next.
  In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

- Remove old restore points
  Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.