It's that same "Oletko tässä" ("Are you here?") virus again. I followed the instructions I found in other threads. Now, if someone could tell me what extra stuff is still in there and what I should do next. Many thanks.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:31, on 29.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\cbXOgDvs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP-leikekirja - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart -valitse - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1208030386671
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: cbXOgDvs - C:\WINDOWS\SYSTEM32\cbXOgDvs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8229 bytes

ComboFix log

ComboFix 08-05-28.1 - Senja 2008-05-29 0:44:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1035.18.203 [GMT 3:00]
Running from: C:\Documents and Settings\Senja\Työpöytä\ComboFix.exe
Command switches used :: C:\Documents and Settings\Senja\Työpöytä\CFScript.txt
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\winudspm.exe
.

((((((((((((((((((((((((((((((((((((((   Muut poistot   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Senja\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\dhxtbsor.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\qsBLkUvw.ini
C:\WINDOWS\system32\qsBLkUvw.ini2
C:\WINDOWS\system32\rosbtxhd.dll
C:\WINDOWS\system32\wvUkLBsq.dll
C:\WINDOWS\winudspm.exe

.
(((((   Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-04-28 to 2008-05-28   )))))))))))))))))
.

2008-05-29 00:31 . 2008-05-29 00:31   57,344   --a------   C:\WINDOWS\system32\nnnkHaXr.dll
2008-05-29 00:11 . 2008-05-29 00:11   57,344   --a------   C:\WINDOWS\system32\fccccBSj.dll
2008-05-29 00:02 . 2008-05-29 00:02   <KANSIO>   d--------   C:\Program Files\Trend Micro
2008-05-28 23:50 . 2008-05-28 23:50   57,344   --a------   C:\WINDOWS\system32\wvUmmKAt.dll
2008-05-28 23:40 . 2008-05-28 23:40   57,344   --a------   C:\WINDOWS\system32\ssqOFXqP.dll
2008-05-28 23:24 . 2008-05-28 23:24   57,344   --a------   C:\WINDOWS\system32\ssqPgDVm.dll
2008-05-28 21:12 . 2008-05-28 21:12   57,344   --a------   C:\WINDOWS\system32\cbXOgDvs.dll
2008-05-28 21:11 . 2008-05-28 22:35   40,960   --a------   C:\dci.exe
2008-05-28 16:52 . 2004-09-14 16:11   159,232   --a------   C:\WINDOWS\system32\ptpusd.dll
2008-05-28 16:52 . 2001-10-05 16:31   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2008-05-27 22:48 . 2008-05-28 00:59   <KANSIO>   d--------   C:\Program Files\DC++
2008-05-24 19:42 . 2008-05-24 21:08   <KANSIO>   d--------   C:\Documents and Settings\Senja\Application Data\Skype
2008-05-11 20:23 . 2008-05-11 20:23   <KANSIO>   d--------   C:\Program Files\Webteh
2008-05-11 20:23 . 2008-05-11 20:23   <KANSIO>   d--------   C:\Documents and Settings\Senja\Application Data\BSplayer Pro
2008-05-11 20:23 . 2008-05-11 21:45   <KANSIO>   d--------   C:\Documents and Settings\Senja\Application Data\BSplayer
2008-05-06 22:52 . 2008-05-06 22:52   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-05-06 22:52 . 2008-05-06 22:52   1,409   --a------   C:\WINDOWS\QTFont.for
2008-05-02 17:18 . 2008-05-02 17:18   <KANSIO>   d--------   C:\Program Files\Bullfrog
2008-05-02 17:17 . 1996-11-05 16:13   299,008   --a------   C:\WINDOWS\uninst.exe
2008-05-02 17:16 . 2008-05-02 17:16   <KANSIO>   d--------   C:\Documents and Settings\Senja\WINDOWS

.
((((((((((((((((((((((((((((((((((((   Find3M-raportti   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 18:13   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg7
2008-05-28 18:11   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\AVG7
2008-05-28 12:26   ---------   d-----w   C:\Program Files\Mozilla Thunderbird
2008-05-23 07:56   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\uTorrent
2008-05-23 07:26   87,056   ----a-w   C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-23 07:26   24,208   ----a-w   C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-23 07:26   143,104   ----a-w   C:\WINDOWS\system32\guard32.dll
2008-04-25 16:21   360,064   ----a-w   C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-04-25 10:28   ---------   d-----w   C:\Program Files\BitComet
2008-04-25 10:25   ---------   d-----w   C:\Program Files\uTorrent
2008-04-16 11:58   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\Winamp
2008-04-13 16:12   ---------   d-----w   C:\Program Files\DOSBox-0.72
2008-04-13 13:44   ---------   d-----w   C:\Program Files\MSXML 4.0
2008-04-13 13:16   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\HPAppData
2008-04-13 12:16   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-13 12:14   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-13 12:10   ---------   d-----w   C:\Program Files\HP
2008-04-13 12:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-13 12:08   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\HP
2008-04-13 12:05   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-13 12:04   ---------   d-----w   C:\Program Files\Common Files\HP
2008-04-13 12:03   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-04-13 12:03   ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2008-04-13 10:46   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\DAEMON Tools
2008-04-13 10:36   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\Talkback
2008-04-13 10:32   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\Thunderbird
2008-04-13 10:26   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-13 10:26   ---------   d-----w   C:\Program Files\PSCS2
2008-04-13 10:25   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-04-13 10:21   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-04-13 10:09   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2008-04-13 10:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-13 09:59   ---------   d-----w   C:\Program Files\Common Files\Ahead
2008-04-13 09:59   ---------   d-----w   C:\Program Files\Ahead
2008-04-13 09:15   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\Comodo
2008-04-13 09:15   ---------   d-----w   C:\Documents and Settings\Senja\Application Data\ATI
2008-04-12 21:18   ---------   d-----w   C:\Program Files\Windows Live
2008-04-12 21:14   ---------   dcsh--w   C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-12 21:02   ---------   d-----w   C:\Program Files\Sun
2008-04-12 21:02   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-12 21:00   ---------   d-----w   C:\Program Files\MSECache
2008-04-12 20:55   ---------   d-----w   C:\Program Files\Winamp
2008-04-12 20:55   ---------   d-----w   C:\Program Files\VideoLAN
2008-04-12 20:52   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-12 20:50   ---------   d-----w   C:\Program Files\CyberLink
2008-04-12 19:49   ---------   d-----w   C:\Program Files\Microsoft.NET
2008-04-12 19:44   717,296   ----a-w   C:\WINDOWS\system32\drivers\sptd.sys
2008-04-12 19:39   ---------   d-----w   C:\Program Files\OpenOffice.org 2.4
2008-04-12 19:27   ---------   d-----w   C:\Program Files\ATI Technologies
2008-04-12 19:04   ---------   d-----w   C:\Program Files\ffdshow
2008-04-12 19:01   ---------   d-----w   C:\Program Files\Intel
2008-04-12 18:57   ---------   d-----w   C:\Program Files\Java
2008-04-12 18:45   ---------   d-----w   C:\Program Files\Analog Devices
2008-04-12 18:13   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 18:13   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 17:44   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-04-12 17:41   ---------   d-----w   C:\Program Files\Skype
2008-04-12 17:41   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Skype
2008-04-12 17:40   ---------   d-----w   C:\Program Files\Real Alternative
2008-04-12 17:39   ---------   d-----w   C:\Program Files\QuickTime Alternative
2008-04-12 17:39   ---------   d-----w   C:\Program Files\Media Player Classic
2008-04-12 17:39   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-12 17:38   ---------   d-----w   C:\Program Files\Picasa2
2008-04-12 17:37   ---------   d-----w   C:\Program Files\Google
2008-04-12 17:37   ---------   d-----w   C:\Program Files\7-Zip
2008-04-12 17:32   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2008-04-12 17:32   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-04-12 17:32   ---------   d-----w   C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-12 17:32   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-12 17:27   ---------   d-----w   C:\Program Files\Common Files\Java
2008-04-12 16:28   ---------   d-----w   C:\Program Files\TW-IA300C ADSL
2008-04-12 16:26   ---------   d-----w   C:\Program Files\Conexant
2008-04-12 16:19   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\comodo
2008-04-12 16:16   ---------   d-----w   C:\Program Files\COMODO
2008-04-12 15:54   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-03-25 04:51   621,344   ----a-w   C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51   166,688   ----a-w   C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09   1,845,504   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-01 13:01   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
.

------- Sigcheck -------

2007-10-30 19:53   360832   64798ecfa43d78c7178375fcdd16d8c8   C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-09-15 15:00   359040   9f4b36614a0fc234525ba224957de55c   C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-25 19:21   360064   d1e0a099360a7ac279d883b057ab58a5   C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-04-25 19:21   360064   d1e0a099360a7ac279d883b057ab58a5   C:\WINDOWS\system32\drivers\TCPIP.SYS
.

((((((((((((((((((((((((((((((   Rekisterin käynnistyskohteet   )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06E12C36-760F-4D92-8509-5E5DBF12C423}]
2008-05-28 21:12   57344   --a------   C:\WINDOWS\system32\cbXOgDvs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 10:20 1575680]
"CnxDslTaskBar"="C:\Program Files\\TW-IA300C ADSL\CnxDslTb.exe" [2003-05-12 14:24 454656]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-20 20:01 579584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34 69632]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-15 15:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-12 20:32 219136]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 04:23 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{06E12C36-760F-4D92-8509-5E5DBF12C423}"= C:\WINDOWS\system32\cbXOgDvs.dll [2008-05-28 21:12 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2006-03-25 22:21 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOgDvs]
cbXOgDvs.dll 2008-05-28 21:12 57344 C:\WINDOWS\system32\cbXOgDvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27253:TCP"= 27253:TCP:BitComet 27253 TCP
"27253:UDP"= 27253:UDP:BitComet 27253 UDP

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 10:26]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 10:26]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R3 CnxTgN;Conexant AccessRunner PCI ADSL LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-05-12 14:02]
R3 CnxTgP;Conexant AccessRunner PCI ADSL LAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgP.sys [2003-05-12 13:56]
R3 CnxTgR;Conexant AccessRunner PCI ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxTgR.sys [2003-05-12 13:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 00:52:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXOgDvs.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TW-IA300C ADSL\CnxDslTb.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-29 0:56:41 - machine was rebooted [Senja]
ComboFix-quarantined-files.txt 2008-05-28 21:56:22

Pre-Run: 22,034,325,504 tavua vapaana
Post-Run: 21,972,086,784 tavua vapaana

231 --- E O F --- 2008-05-28 10:29:57
Let me also add that Windows Updates got switched off and won't turn back on. In the system settings they appear to be on, but the Security Center keeps complaining.
Here is the Malwarebytes log as well.

Malwarebytes' Anti-Malware 1.12
Tietokantaversio: 797

Tarkistustyyppi: Täysi tarkistus (C:\|D:\|)
Tarkistetut kohteet: 116167
Kulunut aika: 42 minute(s), 28 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 4
Saastuneita rekisteriavaimia: 12
Saastuneita rekisteriarvoja: 13
Saastuneita rekisterikohteita: 2
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 18

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
C:\WINDOWS\system32\epdjqdvw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\pmnOIbyV.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\cbXOgDvs.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Unloaded module successfully.

Saastuneita rekisteriavaimia:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3765fe8d-6a77-4479-933f-9aae2816c3da} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3765fe8d-6a77-4479-933f-9aae2816c3da} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxogdvs (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Malware.Tool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Saastuneita rekisteriarvoja:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7075c3b3 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuAdminTools (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuFavorites (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyPics (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyMusic (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Saastuneita rekisterikohteita:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnoibyv -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnoibyv -> Delete on reboot.

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
C:\WINDOWS\system32\epdjqdvw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvdqjdpe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnOIbyV.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\VybIOnmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VybIOnmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXOgDvs.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Senja\Local Settings\Temporary Internet Files\Content.IE5\C9A78PUF\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Senja\Local Settings\Temporary Internet Files\Content.IE5\O1AF05AB\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rosbtxhd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUkLBsq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65E9786E-C59B-4C1D-A6B4-3938FE4B6055}\RP63\A0026738.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65E9786E-C59B-4C1D-A6B4-3938FE4B6055}\RP63\A0026739.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Delete on reboot.
C:\WINDOWS\system32\nnnkHaXr.dll (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqOFXqP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPgDVm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmmKAt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccccBSj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.