MSN Messenger virus + hjt log

Thread in the Viruses and malware - HijackThis logs section. Thread opened by mfn72os 02.06.2008.

  1. mfn72os

    mfn72os Member

    Joined: 28.08.2007
    Messages: 20
    Thanks: 0
    Points: 11

    So some virus apparently came in through Messenger.
    Here's the hjt log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:41:18, on 2.6.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\CyberLink\PowerCinema\PCMService.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\service.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Jones\Desktop\cureit.exe
    C:\DOCUME~1\Jones\LOCALS~1\Temp\RarSFX2\_start.exe
    C:\DOCUME~1\Jones\LOCALS~1\Temp\RarSFX2\setup.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Windows svchost] service.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: BetOnBet Poker - {2B936D2B-EDD7-405f-9057-3685BE897E62} - C:\Microgaming\Poker\betonbetMPP\MPPoker.exe
    O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
    O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Microgaming\Poker\nordicbetMPP\MPPoker.exe
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 5186 bytes

    and also the ComboFix log:
    ComboFix 08-06-01.6 - Jones 2008-06-02 18:47:37.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1423 [GMT 3:00]
    Running from: C:\Documents and Settings\Jones\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Ninni\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\WINDOWS\service.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
    .

    2008-06-02 15:22 . 2008-06-02 15:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-06-01 23:30 . 2008-06-01 23:31 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{46AC75EC-A524-4206-8FDF-9982CD2514B5}
    2008-05-20 23:03 . 2008-05-20 23:03 <DIR> d-------- C:\Program Files\Ubisoft
    2008-05-17 21:43 . 2008-05-17 21:43 <DIR> d-------- C:\Documents and Settings\Jones\Application Data\AdobeUM
    2008-05-17 15:16 . 2008-06-02 18:41 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-05-15 20:24 . 2008-06-02 14:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Program Files\AVG
    2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-05-15 20:24 . 2008-05-15 20:24 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-05-15 20:24 . 2008-05-15 20:24 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-05-15 20:24 . 2008-05-15 20:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-05-14 07:56 . 2008-05-14 07:59 94,208 --a------ C:\WINDOWS\ScUnin.exe
    2008-05-14 07:56 . 2008-05-14 07:59 54,606 --a------ C:\WINDOWS\scunin.dat
    2008-05-14 07:56 . 2008-05-14 07:59 967 --a------ C:\WINDOWS\ScUnin.pif
    2008-05-11 23:38 . 2008-05-11 23:38 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2008-05-11 23:35 . 2008-05-11 23:35 36 ---h----- C:\WINDOWS\system32\swk.ini
    2008-05-10 09:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-05-10 09:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-05-10 09:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-05-09 14:40 . 2008-05-09 14:41 <DIR> d-------- C:\Program Files\Windows Live
    2008-05-09 14:40 . 2008-05-09 14:40 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-09 14:40 . 2008-05-09 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-09 14:14 . 2008-05-09 14:14 <DIR> d-------- C:\Poker

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-02 12:35 --------- d-----w C:\Documents and Settings\Jones\Application Data\Xfire
    2008-06-02 08:04 --------- d-----w C:\Documents and Settings\Jones\Application Data\Skype
    2008-05-31 04:20 --------- d-----w C:\Documents and Settings\Jones\Application Data\skypePM
    2008-05-30 16:20 --------- d-----w C:\Documents and Settings\Jones\Application Data\Microgaming
    2008-05-26 18:59 --------- d-----w C:\Program Files\PeerGuardian2
    2008-05-22 18:59 --------- d-----w C:\Documents and Settings\Jones\Application Data\teamspeak2
    2008-05-20 20:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-05-17 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-13 08:32 --------- d-----w C:\Program Files\Winamp
    2008-05-05 16:21 --------- d-----w C:\Program Files\Opera
    2008-04-23 16:51 --------- d-----w C:\Program Files\StepMania
    2008-04-02 16:35 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
    2008-04-02 16:35 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
    2008-04-02 16:35 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-26 13:09 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2008-03-26 13:09 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-01-17 17:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-08-28 20:02 396,288 ----a-w C:\Documents and Settings\Jones\scanner.exe
    2007-08-28 20:02 396,288 ----a-w C:\Documents and Settings\Jones\Jones.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-22 15:06 167368]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "Power2GoExpress"="" []
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-12 16:20 21686568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 09:46 208896]
    "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 09:46 69632]
    "SoundMan"="SOUNDMAN.EXE" [2004-12-22 12:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
    "ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
    "PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-11-03 16:53 81920]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-23 00:45 1115728]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-15 20:24 1177368]
    "Windows svchost"="service.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13544:TCP"= 13544:TCP:BitComet 13544 TCP
    "13544:UDP"= 13544:UDP:BitComet 13544 UDP

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-15 20:24]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-15 20:24]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-15 20:24]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-15 20:24]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-02 18:48:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\antiwpa.dll
    .
    Completion time: 2008-06-02 18:49:40
    ComboFix-quarantined-files.txt 2008-06-02 15:49:31
    ComboFix2.txt 2007-08-30 12:00:33

    Pre-Run: 46,564,659,200 bytes free
    Post-Run: 46,569,758,720 bytes free

    132 --- E O F --- 2008-05-16 20:50:34
     
    Last edited: 02.06.2008
  3. kalminen

    kalminen Regular member

    Joined: 04.05.2007
    Messages: 3,915
    Thanks: 0
    Points: 46

    That's already a good start !!!

    Close the browser and other programs for the duration of the fix. (not the antivirus)
    Start HijackThis, click Scan, tick the following entries listed in red and remove them (Fix checked).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Windows svchost] service.exe

    -----------------------------------------------------

    Download Malwarebytes' Anti-Malware to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are selected: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, and then click Finish.
    * If an update is found, the program downloads and installs the latest version.
    * Once the program has loaded, select Perform full scan and click Scan.
    * When the scan is finished, click OK and then Show Results to see the results.
    * Make sure everything is checked and click Remove Selected.
    * After this the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found
    here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

    * Post the contents of the log in your next message + a new hjt log.
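As an added example (not part of the thread, not HijackThis code), a small Python triage pass over the O2/O4 lines of the log above, using the two heuristics behind kalminen's picks: an O2 BHO whose DLL is "(no file)", and an O4 Run entry whose label borrows a Windows system-process name while launching a different file. Bare file names such as nwiz.exe are only noted, because the search path decides which file actually runs; the SYSTEM_PROCESS_NAMES set and the severity labels are my own choices.

```python
import re

# Core Windows process names that malware likes to borrow for Run-key labels
# (the entry in the log above calls itself "Windows svchost" but runs service.exe).
SYSTEM_PROCESS_NAMES = {"svchost", "services", "lsass", "winlogon", "csrss", "smss", "explorer"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample: a handful of O2/O4 lines copied from the HijackThis log in this thread.
SAMPLE_HJT = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r'O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background',
    r"O4 - HKLM\..\Run: [Windows svchost] service.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

def target_file(cmd):
    """Executable named by a Run-key command: the quoted path, or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage(lines):
    """Return [(severity, hjt_line, reason)]; 'fix' = tick in HijackThis, 'note' = verify by hand."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(("fix", line, "orphaned BHO: CLSID still registered but its DLL is gone"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        target = target_file(m.group("cmd"))
        exe = target.rsplit("\\", 1)[-1].lower()          # file name without directory
        stem = exe.rsplit(".", 1)[0]                       # file name without extension
        mimicked = set(re.findall(r"[a-z]+", m.group("label").lower())) & SYSTEM_PROCESS_NAMES
        if mimicked and stem not in SYSTEM_PROCESS_NAMES:
            findings.append(("fix", line, f"label imitates Windows {'/'.join(sorted(mimicked))} but runs {exe}"))
        elif "\\" not in target:
            findings.append(("note", line, f"{exe} is launched by name only; check which file the search path resolves"))
    return findings

def fix_lines(lines):
    """Just the lines an analyst would tick and 'Fix checked' in HijackThis."""
    return [line for sev, line, _ in triage(lines) if sev == "fix"]

if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_HJT):
        print(f"[{sev}] {line}\n       {reason}")
```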