
GMER detects rootkit-like behaviour



Here is the log:

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit quick scan 2011-06-24 11:29:49

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 rev.

Running: gy1cgbwr.exe; Driver: C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\pxtdqpow.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA4DD3BF2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA4DD3A5D]

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xA5F4D8A0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

Here are the rest of the logs...

attach.zip ark.zip

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Käyttäjä at 11:37:03 on 2011-06-24

Microsoft Windows XP Professional 5.1.2600.3.1252.358.1033.18.2047.1549 [GMT 3:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

SP: Spy Sweeper *Disabled/Outdated* {00000000-E9D0-004F-D859-4D0000000000}

SP: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}

SP: Spyware Doctor *Disabled/Updated* {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}

SP: Spy Sweeper *Enabled/Updated* {00000000-0000-0000-0000-000000000000}

SP: Webroot Spy Sweeper *Disabled/Updated* {00000000-E9D0-004F-D859-4D0001000000}

FW: Outpost Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Secunia\PSI\sua.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\HDD Health\HDDHealth.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\Käyttäjä\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.fi/

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

uRun: [HDDHealth] c:\program files\hdd health\HDDHealth.exe -wl

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice

mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Lataa FDM:llä - file://c:\program files\free download manager\dllink.htm

IE: Lataa kaikki FDM:llä - file://c:\program files\free download manager\dlall.htm

IE: Lataus valittu FDM:n toimesta - file://c:\program files\free download manager\dlselected.htm

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231841782203

TCP: DhcpNameServer = 193.229.0.40 193.229.0.42

TCP: Interfaces\{F867CC7D-BCCC-4E76-852A-7393F0237997} : DhcpNameServer = 193.229.0.40 193.229.0.42

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\käyttäjä\application data\mozilla\firefox\profiles\hm63qxli.default\

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-2 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-2 307928]

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011-6-2 704384]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2011-6-2 1195008]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-2 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-2 42184]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-6-2 31128]

R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-6-2 257432]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S3 aswArKrn;aswArKrn;\??\c:\docume~1\kyttj~1\locals~1\temp\aswarkrn.sys --> c:\docume~1\kyttj~1\locals~1\temp\aswArKrn.sys [?]

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]

S3 BCASPROT;Advanced System Protector;\??\c:\program files\systweak\advanced system protector\sasprot32.sys --> c:\program files\systweak\advanced system protector\sasprot32.sys [?]

S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\kprocwatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-6-24 35816]

S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2011-6-3 53248]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-31 93360]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S4 CXZTK;CXZTK;c:\docume~1\kyttj~1\locals~1\temp\cxztk.exe --> c:\docume~1\kyttj~1\locals~1\temp\CXZTK.exe [?]

S4 HZOCWYSUYO;HZOCWYSUYO;c:\docume~1\kyttj~1\locals~1\temp\hzocwysuyo.exe --> c:\docume~1\kyttj~1\locals~1\temp\HZOCWYSUYO.exe [?]

S4 JQBG;JQBG;c:\docume~1\kyttj~1\locals~1\temp\jqbg.exe --> c:\docume~1\kyttj~1\locals~1\temp\JQBG.exe [?]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]

.

=============== File Associations ===============

.

JSEFile="c:\program files\scriptrap\scriptrap.exe" "%1" %*

.

=============== Created Last 30 ================

.

2011-06-24 08:28:33 -------- d--h--r- c:\documents and settings\käyttäjä\Recent

2011-06-24 07:47:42 39192 ----a-w- c:\windows\system32\Partizan.exe

2011-06-24 07:47:42 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys

2011-06-24 07:46:34 -------- d-----w- c:\program files\Greatis

2011-06-23 19:50:21 -------- d-----w- c:\program files\SpeedFan

2011-06-23 13:19:02 -------- d-----w- C:\Downloads

2011-06-23 13:13:16 -------- d-----w- c:\documents and settings\käyttäjä\application data\Free Download Manager

2011-06-23 13:13:03 -------- d-----w- c:\documents and settings\all users\application data\FreeDownloadManager.ORG

2011-06-23 13:13:02 -------- d-----w- c:\program files\Free Download Manager

2011-06-23 06:04:20 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-06-23 06:04:20 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-06-23 06:02:27 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-06-23 06:02:26 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-06-23 06:02:26 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-06-23 06:02:25 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-06-23 06:02:25 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-06-23 06:02:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-06-23 02:46:15 -------- d-----w- c:\windows\Standalone System Sweeper

2011-06-22 11:31:35 -------- d-----w- c:\program files\EMCO

2011-06-21 16:21:01 -------- d-----w- c:\documents and settings\käyttäjä\application data\f-secure

2011-06-21 13:55:40 -------- d-----w- c:\program files\Gore

2011-06-21 13:35:36 -------- d-----w- C:\PScanner Backup

2011-06-21 11:01:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-21 11:01:26 -------- d-----w- c:\program files\Ask.com

2011-06-21 11:00:13 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-21 10:37:08 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2011-06-19 12:00:31 -------- d-----w- C:\tiedostot

2011-06-16 15:12:50 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-04 09:56:20 -------- d-----w- c:\documents and settings\käyttäjä\application data\SUPERAntiSpyware.com

2011-06-03 18:04:19 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys

2011-06-03 18:00:58 -------- d-----w- c:\program files\Safer Networking

2011-06-02 16:44:59 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys

2011-06-02 16:44:27 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys

2011-06-02 16:43:42 31128 ----a-w- c:\windows\system32\drivers\afw.sys

2011-06-02 16:43:37 -------- d-----w- c:\program files\Agnitum

2011-06-02 11:39:13 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-06-02 11:38:28 40112 ----a-w- c:\windows\avastSS.scr

2011-06-02 11:37:47 -------- d-----w- c:\program files\AVAST Software

2011-06-02 11:37:47 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-06-02 11:05:37 -------- d-----w- c:\documents and settings\käyttäjä\application data\Auslogics

.

==================== Find3M ====================

.

2011-06-24 07:46:53 2 --shatr- c:\windows\winstart.bat

2011-06-21 10:58:17 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-02 06:20:30 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 00:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 00:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 00:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 00:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 00:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 00:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A8DDAB8]

3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000006e[0x8A8DF348]

5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8A8D4940]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user != kernel MBR !!!

.

============= FINISH: 11:40:48,00 ===============


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hello, I have changed some security programs on my computer since I posted the last logs. I now have AntiVir, ZoneAlarm and the MBAM trial. When I started ComboFix it said that the Spy Sweeper real-time shield was on, even though I don't have Spy Sweeper installed on my computer; I had it installed but uninstalled it. I still ran ComboFix.

Here are the logs...

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6957

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27.6.2011 13:26:27

mbam-log-2011-06-27 (13-26-27).txt

Scan type: Quick scan

Objects scanned: 144011

Time elapsed: 8 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Käyttäjä at 14:18:57 on 2011-06-27

Microsoft Windows XP Professional 5.1.2600.3.1252.358.1033.18.2047.1288 [GMT 3:00]

.

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

SP: Spy Sweeper *Disabled/Outdated* {00000000-E9D0-004F-D859-4D0000000000}

SP: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}

SP: Spyware Doctor *Disabled/Updated* {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}

SP: Spy Sweeper *Enabled/Updated* {00000000-0000-0000-0000-000000000000}

SP: Webroot Spy Sweeper *Disabled/Updated* {00000000-E9D0-004F-D859-4D0001000000}

FW: ZoneAlarm Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Secunia\PSI\sua.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.fi/

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

uRun: [spyShelter] c:\program files\spyshelter personal free\SpyShelter.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Lataa FDM:llä - file://c:\program files\free download manager\dllink.htm

IE: Lataa kaikki FDM:llä - file://c:\program files\free download manager\dlall.htm

IE: Lataus valittu FDM:n toimesta - file://c:\program files\free download manager\dlselected.htm

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231841782203

TCP: DhcpNameServer = 193.229.0.40 193.229.0.42

TCP: Interfaces\{F867CC7D-BCCC-4E76-852A-7393F0237997} : DhcpNameServer = 193.229.0.40 193.229.0.42

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\käyttäjä\application data\mozilla\firefox\profiles\hm63qxli.default\

FF - prefs.js: browser.startup.homepage - www.saunalahti.fi

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-26 11608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 Spyshelter;Spyshelter;c:\program files\spyshelter personal free\SpyShelter.sys [2011-6-27 158192]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-6-26 532224]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-26 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-26 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-26 61960]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-26 366640]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-26 22712]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\kprocwatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2011-6-24 35816]

S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2011-6-3 53248]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-31 93360]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]

.

=============== File Associations ===============

.

JSEFile="c:\program files\scriptrap\scriptrap.exe" "%1" %*

.

=============== Created Last 30 ================

.

2011-06-27 07:35:55 28672 ----a-w- c:\windows\system32\SpyShelterShellExt.dll

2011-06-27 07:35:53 1740800 ----a-w- c:\windows\system32\Osklauncher.exe

2011-06-27 07:35:52 54784 ----a-w- c:\windows\system32\inject_logon_dll.dll

2011-06-27 07:35:51 -------- d-----w- c:\program files\SpyShelter Personal Free

2011-06-27 07:35:51 -------- d-----w- c:\documents and settings\käyttäjä\application data\SpyShelter

2011-06-26 18:06:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-26 18:05:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 15:05:41 -------- d-----w- c:\documents and settings\käyttäjä\application data\Avira

2011-06-26 14:56:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-06-26 14:56:50 -------- d-----w- c:\windows\system32\ZoneLabs

2011-06-26 14:56:45 -------- d-----w- c:\program files\Zone Labs

2011-06-26 14:48:33 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-26 14:48:32 -------- d-----w- c:\program files\Avira

2011-06-26 14:48:32 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-06-26 09:09:37 -------- d-----w- C:\acr_logs

2011-06-25 16:54:11 -------- d-----w- c:\program files\Webroot

2011-06-25 14:47:05 98816 ----a-w- c:\windows\sed.exe

2011-06-25 14:47:05 518144 ----a-w- c:\windows\SWREG.exe

2011-06-25 14:47:05 256512 ----a-w- c:\windows\PEV.exe

2011-06-25 14:47:05 208896 ----a-w- c:\windows\MBR.exe

2011-06-24 14:50:11 388096 ----a-r- c:\documents and settings\käyttäjä\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-06-24 07:47:42 39192 ----a-w- c:\windows\system32\Partizan.exe

2011-06-24 07:47:42 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys

2011-06-24 07:46:34 -------- d-----w- c:\program files\Greatis

2011-06-23 19:50:21 -------- d-----w- c:\program files\SpeedFan

2011-06-23 13:19:02 -------- d-----w- C:\Downloads

2011-06-23 13:13:16 -------- d-----w- c:\documents and settings\käyttäjä\application data\Free Download Manager

2011-06-23 13:13:03 -------- d-----w- c:\documents and settings\all users\application data\FreeDownloadManager.ORG

2011-06-23 13:13:02 -------- d-----w- c:\program files\Free Download Manager

2011-06-23 06:04:20 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-06-23 06:04:20 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-06-23 06:02:27 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-06-23 06:02:26 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-06-23 06:02:26 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-06-23 06:02:25 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-06-23 06:02:25 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-06-23 06:02:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-06-23 02:46:15 -------- d-----w- c:\windows\Standalone System Sweeper

2011-06-22 06:58:27 -------- d-----w- c:\documents and settings\käyttäjä\local settings\application data\AskToolbar

2011-06-21 16:21:01 -------- d-----w- c:\documents and settings\käyttäjä\application data\f-secure

2011-06-21 11:01:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-21 11:01:26 -------- d-----w- c:\program files\Ask.com

2011-06-21 11:00:13 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-21 10:46:48 -------- d-----w- c:\documents and settings\käyttäjä\local settings\application data\Secunia PSI

2011-06-16 15:12:50 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-04 09:56:20 -------- d-----w- c:\documents and settings\käyttäjä\application data\SUPERAntiSpyware.com

2011-06-03 18:04:19 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys

2011-06-03 18:00:58 -------- d-----w- c:\program files\Safer Networking

2011-06-02 11:05:37 -------- d-----w- c:\documents and settings\käyttäjä\application data\Auslogics

.

==================== Find3M ====================

.

2011-06-24 07:46:53 2 --shatr- c:\windows\winstart.bat

2011-06-21 10:58:17 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-02 06:20:30 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 00:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 00:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 00:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 00:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 00:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 00:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 14:21:22,31 ===============

attach.zip


Here's the ComboFix log...

ComboFix 11-06-26.02 - Käyttäjä 27.06.2011 13:52:14.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.358.1033.18.2047.1385 [GMT 3:00]

Sijainti: c:\documents and settings\Käyttäjä\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

SP: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}

SP: Spy Sweeper *Disabled/Outdated* {00000000-E9D0-004F-D859-4D0000000000}

SP: Spy Sweeper *Enabled/Updated* {00000000-0000-0000-0000-000000000000}

SP: Spyware Doctor *Disabled/Updated* {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}

SP: Webroot Spy Sweeper *Disabled/Updated* {00000000-E9D0-004F-D859-4D0001000000}

.

.

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2011-05-27 to 2011-06-27 )))))))))))))))))

.

.

2011-06-27 07:35 . 2011-05-03 19:04 28672 ----a-w- c:\windows\system32\SpyShelterShellExt.dll

2011-06-27 07:35 . 2010-04-21 09:57 1740800 ----a-w- c:\windows\system32\Osklauncher.exe

2011-06-27 07:35 . 2009-06-24 12:34 54784 ----a-w- c:\windows\system32\inject_logon_dll.dll

2011-06-27 07:35 . 2011-06-27 07:36 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\SpyShelter

2011-06-27 07:35 . 2011-06-27 07:35 -------- d-----w- c:\program files\SpyShelter Personal Free

2011-06-26 18:06 . 2011-05-29 06:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-26 18:05 . 2011-05-29 06:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 15:05 . 2011-06-26 15:05 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\Avira

2011-06-26 14:57 . 2011-03-17 22:24 69120 ----a-w- c:\windows\system32\zlcomm.dll

2011-06-26 14:57 . 2011-03-17 22:24 104448 ----a-w- c:\windows\system32\zlcommdb.dll

2011-06-26 14:56 . 2011-03-17 22:24 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-06-26 14:56 . 2011-06-26 14:57 -------- d-----w- c:\windows\system32\ZoneLabs

2011-06-26 14:56 . 2011-06-26 14:56 -------- d-----w- c:\program files\Zone Labs

2011-06-26 14:48 . 2011-06-17 09:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-26 14:48 . 2011-06-17 09:37 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-26 14:48 . 2010-06-17 12:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-26 14:48 . 2010-06-17 12:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-26 14:48 . 2011-06-26 14:48 -------- d-----w- c:\program files\Avira

2011-06-26 14:48 . 2011-06-26 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-26 09:09 . 2011-06-26 09:10 -------- d-----w- C:\acr_logs

2011-06-25 16:54 . 2011-06-25 16:54 -------- d-----w- c:\program files\Webroot

2011-06-24 14:50 . 2011-06-24 14:50 388096 ----a-r- c:\documents and settings\Käyttäjä\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-06-24 07:47 . 2011-06-24 07:47 39192 ----a-w- c:\windows\system32\Partizan.exe

2011-06-24 07:47 . 2011-06-24 07:47 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys

2011-06-24 07:46 . 2011-06-24 07:46 -------- d-----w- c:\program files\Greatis

2011-06-23 19:50 . 2011-06-25 17:38 -------- d-----w- c:\program files\SpeedFan

2011-06-23 13:19 . 2011-06-24 17:34 -------- d-----w- C:\Downloads

2011-06-23 13:13 . 2011-06-24 12:16 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\Free Download Manager

2011-06-23 13:13 . 2011-06-23 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG

2011-06-23 13:13 . 2011-06-23 13:13 -------- d-----w- c:\program files\Free Download Manager

2011-06-23 06:04 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-06-23 06:04 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-06-23 06:02 . 2011-06-16 04:38 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-06-23 06:02 . 2011-06-16 04:38 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-06-23 06:02 . 2011-06-16 04:38 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-06-23 06:02 . 2011-06-16 04:38 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-06-23 06:02 . 2011-06-16 04:38 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-06-23 06:02 . 2011-06-16 04:38 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-06-23 02:46 . 2011-06-23 02:46 -------- d-----w- c:\windows\Standalone System Sweeper

2011-06-22 06:58 . 2011-06-26 09:40 -------- d-----w- c:\documents and settings\Käyttäjä\Local Settings\Application Data\AskToolbar

2011-06-21 16:21 . 2011-06-21 16:21 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\f-secure

2011-06-21 11:01 . 2011-06-21 11:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-21 11:01 . 2011-06-24 14:03 -------- d-----w- c:\program files\Ask.com

2011-06-21 11:01 . 2011-06-21 11:01 -------- d-----w- c:\program files\Common Files\Java

2011-06-21 11:00 . 2011-06-21 10:58 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-21 10:57 . 2011-06-21 10:57 -------- d-----w- c:\program files\Java

2011-06-21 10:46 . 2011-06-21 10:46 -------- d-----w- c:\documents and settings\Käyttäjä\Local Settings\Application Data\Secunia PSI

2011-06-16 15:12 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-04 09:56 . 2011-06-04 09:56 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\SUPERAntiSpyware.com

2011-06-03 18:04 . 2011-06-25 11:50 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys

2011-06-03 18:00 . 2011-06-03 18:00 -------- d-----w- c:\program files\Safer Networking

2011-06-03 17:39 . 2011-06-03 17:39 -------- d-----w- c:\program files\7-Zip

2011-06-02 11:05 . 2011-06-02 11:05 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\Auslogics

.

.

.

(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-24 07:46 . 2009-10-24 12:50 2 --shatr- c:\windows\winstart.bat

2011-06-21 10:58 . 2010-04-30 08:28 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-02 06:20 . 2010-04-28 14:08 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-05-02 15:31 . 2009-01-09 07:32 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys

1998-12-09 00:53 . 1998-12-09 00:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 00:53 . 1998-12-09 00:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 00:53 . 1998-12-09 00:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 00:53 . 1998-12-09 00:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 00:53 . 1998-12-09 00:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 00:53 . 1998-12-09 00:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

2011-06-16 04:38 . 2011-06-23 06:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-05-17 10:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpyShelter"="c:\program files\SpyShelter Personal Free\SpyShelter.exe" [2011-05-30 2565616]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-17 1043968]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Käyttäjä\\My Documents\\Lataukset\\utorrent.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2010 21:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10.5.2010 21:41 67656]

R1 Spyshelter;Spyshelter;c:\program files\SpyShelter Personal Free\SpyShelter.sys [27.6.2011 10:35 158192]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26.6.2011 17:48 136360]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [26.6.2011 21:06 366640]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19.4.2011 9:44 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19.4.2011 9:44 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [26.6.2011 21:05 22712]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1.9.2010 11:30 15544]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\KProcWatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [24.6.2011 10:47 35816]

S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [3.6.2011 21:04 53248]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [31.10.2009 12:24 93360]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4.8.2004 15:00 14336]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe --> c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [?]

.

--- Muut muistissa olevat ajurit/palvelut ---

.

*NewlyCreated* - SPYSHELTER

*Deregistered* - XueTr

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

getPlusHelper REG_MULTI_SZ getPlusHelper

.

'Ajoitetut tehtävät'-kansion sisältö

.

2011-06-27 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2011-04-21 14:24]

.

2011-06-27 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 10:29]

.

.

------- Täydentävä tarkistus -------

.

uStart Page = hxxp://www.google.fi/

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Lataa FDM:llä - file://c:\program files\Free Download Manager\dllink.htm

IE: Lataa kaikki FDM:llä - file://c:\program files\Free Download Manager\dlall.htm

IE: Lataus valittu FDM:n toimesta - file://c:\program files\Free Download Manager\dlselected.htm

TCP: DhcpNameServer = 193.229.0.40 193.229.0.42

FF - ProfilePath - c:\documents and settings\Käyttäjä\Application Data\Mozilla\Firefox\Profiles\hm63qxli.default\

FF - prefs.js: browser.startup.homepage - www.saunalahti.fi

.

.

------- Tiedostokytkennät -------

.

JSEFile="c:\program files\ScripTrap\scriptrap.exe" "%1" %*

.

- - - - POISTETUT JÄMÄRIVIT - - - -

.

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-27 14:04

Windows 5.1.2600 Service Pack 3 NTFS

.

tarkistaa piilotettuja prosesseja ...

.

tarkistaa piilotettuja käynnistysarvoja ...

.

tarkistaa piilotettuja tiedostoja ...

.

tarkistus on valmis

piilotetut tiedostot: 0

.

**************************************************************************

.

--------------------- Prosesseihin ladatut DLLt ---------------------

.

- - - - - - - > 'winlogon.exe'(608)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(16948)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Valmistumisajankohta: 2011-06-27 14:13:50

ComboFix-quarantined-files.txt 2011-06-27 11:13

.

Ennen ajoa: 142 852 087 808 bytes free

Ajon jälkeen: 142 842 613 760 bytes free

.

- - End Of File - - BABFA02AAD6E0A7DB34D2A21CDE98DB9


  • Staff

Hi,

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis and/or Ask Toolbar to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

SecCenter::
SP: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


Here is the new combofix log... Sorry this took some time...

ComboFix 11-07-21.02 - Käyttäjä 21.07.2011 14:08:59.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.358.1033.18.2047.1552 [GMT 3:00]

Sijainti: c:\combofix\ComboFix.exe

Käytetyt komentorivivalitsimet :: c:\documents and settings\Kõyttõjõ\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

SP: Spy Sweeper *Disabled/Outdated* {00000000-E9D0-004F-D859-4D0000000000}

SP: Spy Sweeper *Enabled/Updated* {00000000-0000-0000-0000-000000000000}

SP: Spyware Doctor *Disabled/Updated* {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}

SP: Webroot Spy Sweeper *Disabled/Updated* {00000000-E9D0-004F-D859-4D0001000000}

.

.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\isRS-000.tmp

c:\windows\regedit.com

c:\windows\system32\taskmgr.com

.

.

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2011-06-21 to 2011-07-21 )))))))))))))))))

.

.

2011-06-28 16:32 . 2011-06-28 16:32 3584 ----a-r- c:\documents and settings\Käyttäjä\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2011-06-28 16:32 . 2011-06-28 16:32 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-06-28 16:08 . 2011-06-28 16:08 -------- d-----w- c:\windows\ShellNew

2011-06-28 15:38 . 2011-06-28 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2011-06-28 11:25 . 2011-06-28 11:25 -------- d-----w- c:\windows\Internet Logs

2011-06-27 17:52 . 2011-06-27 17:52 -------- d-----w- c:\program files\HD Tune

2011-06-27 17:17 . 2011-06-27 17:17 -------- d-----w- c:\program files\SecurityXploded

2011-06-27 12:30 . 2011-06-27 12:30 -------- d---a-w- c:\windows\VDLL.DLL

2011-06-27 12:30 . 2011-06-27 12:30 -------- d---a-w- c:\windows\system32\runouce.exe

2011-06-27 12:30 . 2011-06-27 12:30 -------- d---a-w- c:\windows\rundll16.exe

2011-06-27 12:30 . 2011-06-27 12:30 -------- d---a-w- c:\windows\RUNDL132.EXE

2011-06-27 12:30 . 2011-06-27 12:30 -------- d---a-w- c:\windows\logo1_.exe

2011-06-27 12:30 . 2011-06-27 12:30 -------- d---a-w- c:\windows\logo_1.exe

2011-06-27 12:21 . 2011-06-27 12:21 34048 ----a-w- c:\windows\system32\eEmpty.exe

2011-06-27 12:21 . 2011-06-27 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MicroWorld

2011-06-26 18:06 . 2011-07-06 16:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-26 18:05 . 2011-07-06 16:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 15:05 . 2011-06-26 15:05 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\Avira

2011-06-26 14:48 . 2011-06-29 07:52 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-26 14:48 . 2011-06-29 07:52 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-26 14:48 . 2010-06-17 12:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-26 14:48 . 2010-06-17 12:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-26 14:48 . 2011-06-26 14:48 -------- d-----w- c:\program files\Avira

2011-06-26 14:48 . 2011-06-26 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-26 09:09 . 2011-06-26 09:10 -------- d-----w- C:\acr_logs

2011-06-25 16:54 . 2011-06-25 16:54 -------- d-----w- c:\program files\Webroot

2011-06-24 14:50 . 2011-06-24 14:50 388096 ----a-r- c:\documents and settings\Käyttäjä\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-06-24 07:47 . 2011-06-24 07:47 39192 ----a-w- c:\windows\system32\Partizan.exe

2011-06-24 07:47 . 2011-06-24 07:47 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys

2011-06-24 07:46 . 2011-06-24 07:46 -------- d-----w- c:\program files\Greatis

2011-06-23 19:50 . 2011-06-28 15:39 -------- d-----w- c:\program files\SpeedFan

2011-06-23 13:19 . 2011-06-24 17:34 -------- d-----w- C:\Downloads

2011-06-23 13:13 . 2011-06-24 12:16 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\Free Download Manager

2011-06-23 13:13 . 2011-06-23 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG

2011-06-23 13:13 . 2011-06-23 13:13 -------- d-----w- c:\program files\Free Download Manager

2011-06-23 06:04 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-06-23 06:04 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-06-23 06:02 . 2011-06-16 04:38 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-06-23 06:02 . 2011-06-16 04:38 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-06-23 06:02 . 2011-06-16 04:38 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-06-23 06:02 . 2011-06-16 04:38 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-06-23 06:02 . 2011-06-16 04:38 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-06-23 06:02 . 2011-06-16 04:38 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-06-23 02:46 . 2011-06-23 02:46 -------- d-----w- c:\windows\Standalone System Sweeper

2011-06-21 16:21 . 2011-06-21 16:21 -------- d-----w- c:\documents and settings\Käyttäjä\Application Data\f-secure

.

.

.

(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-25 11:50 . 2011-06-03 18:04 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys

2011-06-24 07:46 . 2009-10-24 12:50 2 --shatr- c:\windows\winstart.bat

2011-06-21 11:03 . 2011-06-21 11:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-21 10:58 . 2011-06-21 11:00 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-21 10:58 . 2010-04-30 08:28 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-06-02 06:20 . 2010-04-28 14:08 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-05-02 15:31 . 2009-01-09 07:32 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:23 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 11:07 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-04-26 11:07 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-16 04:38 . 2011-06-23 06:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 3251800]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Käyttäjä\\My Documents\\Lataukset\\utorrent.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2010 21:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10.5.2010 21:41 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26.6.2011 17:48 136360]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [26.6.2011 21:06 366640]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19.4.2011 9:44 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19.4.2011 9:44 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [26.6.2011 21:05 22712]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Käyttäjä\My Documents\Lataukset\SASKUTIL.SYS --> c:\documents and settings\Käyttäjä\My Documents\Lataukset\SASKUTIL.SYS [?]

S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\KProcWatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [26.6.2011 21:06 41272]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [24.6.2011 10:47 35816]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1.9.2010 11:30 15544]

S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [3.6.2011 21:04 53248]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [31.10.2009 12:24 93360]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4.8.2004 15:00 14336]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe --> c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

getPlusHelper REG_MULTI_SZ getPlusHelper

.

'Ajoitetut tehtävät'-kansion sisältö

.

2011-07-21 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2011-04-21 14:24]

.

.

------- Täydentävä tarkistus -------

.

uStart Page = hxxp://www.google.fi/

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Lataa FDM:llä - file://c:\program files\Free Download Manager\dllink.htm

IE: Lataa kaikki FDM:llä - file://c:\program files\Free Download Manager\dlall.htm

IE: Lataus valittu FDM:n toimesta - file://c:\program files\Free Download Manager\dlselected.htm

LSP: c:\program files\Ashampoo\Ashampoo FireWall\spi.dll

TCP: DhcpNameServer = 193.229.0.40 193.229.0.42

FF - ProfilePath - c:\documents and settings\Käyttäjä\Application Data\Mozilla\Firefox\Profiles\hm63qxli.default\

FF - prefs.js: browser.startup.homepage - www.saunalahti.fi

.

- - - - POISTETUT JÄMÄRIVIT - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-21 14:23

Windows 5.1.2600 Service Pack 3 NTFS

.

tarkistaa piilotettuja prosesseja ...

.

tarkistaa piilotettuja käynnistysarvoja ...

.

tarkistaa piilotettuja tiedostoja ...

.

tarkistus on valmis

piilotetut tiedostot: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ASFWHide]

"ImagePath"="\??\c:\docume~1\KYTTJ~1\LOCALS~1\Temp\ASFWHide"

.

--------------------- Prosesseihin ladatut DLLt ---------------------

.

- - - - - - - > 'winlogon.exe'(516)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(572)

c:\program files\Ashampoo\Ashampoo FireWall\spi.dll

.

Valmistumisajankohta: 2011-07-21 14:30:31

ComboFix-quarantined-files.txt 2011-07-21 11:30

.

Ennen ajoa: 141 167 058 944 bytes free

Ajon jälkeen: 141 162 930 176 bytes free

.

- - End Of File - - 8DF8F9AB911C40EEDD484A9927B3BE8D


Here is the HijackThis log and the ADS Spy log...

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 20:45:21, on 21.7.2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Lataa FDM:llä - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: Lataa kaikki FDM:llä - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Lataus valittu FDM:n toimesta - file://C:\Program Files\Free Download Manager\dlselected.htm

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231841782203

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe

O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe

--

End of file - 6313 bytes

C:\Documents and Settings\All Users\Application Data\TEMP : 0D786AE3 (120 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : 430C6D84 (102 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : 5C321E34 (95 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : 7E95B6FD (118 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : A8ADE5D8 (115 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : C31F31E6 (100 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : CB0AACC9 (150 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (125 bytes)

C:\Documents and Settings\All Users\Application Data\TEMP : FA5F15C4 (114 bytes)

This is what I don't understand, because I only have AntiVir and Ashampoo Firewall installed...

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

SP: Spy Sweeper *Disabled/Outdated* {00000000-E9D0-004F-D859-4D0000000000}

SP: Spy Sweeper *Enabled/Updated* {00000000-0000-0000-0000-000000000000}

SP: Spyware Doctor *Disabled/Updated* {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}

SP: Webroot Spy Sweeper *Disabled/Updated* {00000000-E9D0-004F-D859-4D0001000000}


  • Staff

Hi,

Don't worry about that.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • 2 weeks later...
Guest BlairWitch

Hello, I am posting from my other account now.

Sorry that this has taken some time. Here are the logs. Digital Defender antivirus said it quarantined some worm when running the Security Check; however, the program continued to run. I guess it's a false positive.

Here is the eset online scanner log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=dca263f79153d74fbc3f4b0a7063bb41

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-04 12:53:33

# local_time=2011-08-04 03:53:33 (+0200, FLE Daylight Time)

# country="Finland"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 1182682 1182682 0 0

# compatibility_mode=1024 16777215 100 0 1122009 1122009 0 0

# compatibility_mode=2304 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 196 196 0 0

# compatibility_mode=9217 16777214 75 70 1106838 12057432 0 0

# scanned=40477

# found=0

# cleaned=0

# scan_time=9495

Here is the Security Check log:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

Error creating install.txt after 3 tries! Trying alternate method...

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

NoVirusThanks Anti-Rootkit (Free Edition) v1.1

digital-defender Antivirus

ZoneAlarm

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 26

Adobe Flash Player 10.3.181.26

Mozilla Firefox (x86 fi..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

digital-defender Antivirus AVScanningService.exe

digital-defender Antivirus AVAssistant.exe

digital-defender Antivirus AVTray.exe

Zone Labs ZoneAlarm zlclient.exe

``````````End of Log````````````

At the moment there are no visible problems on this computer, but there are the four bad sectors and the overheating hard disk; otherwise this computer is working quite well, except that the startup takes some time.


  • Staff

Hi,

Why do you have 2 accounts??

Check your heat sink and fans for dust and carefully clean accordingly. Run chkdsk /r and see if the bad sectors can be recovered.

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
