HJT loki

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by aggre, Sep 28, 2008.

  1. aggre

    aggre Member

    Joined:
    Jun 1, 2008
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    11
    Yesterday two adware programs were found on the machine. After those, Norman started reporting other viruses as well.

    DesktopMedia.LS It found this twice in different locations.
    SdBot.BRHE Shouldn't be a virus, since it was found in old Mbam quarantines.
    W32/Hupigon.DKVV About this I read that it wouldn't be a real virus either, because it was in FL Studio 8 music files. At least that's what was said online on several occasions. The same virus was found again in System Volume Information, though.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:26:30, on 28.9.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Util1\Norman\Npm\Bin\Zanda.exe
    C:\Util1\Norman\npm\bin\nvoy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    C:\Util1\Norman\nse\bin\NSESVC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Util1\Norman\Nvc\bin\nvcoas.exe
    C:\WINDOWS\Explorer.EXE
    C:\Util1\Norman\Npm\Bin\ZLH.EXE
    C:\Program Files\VDOTool\TBPanel.exe
    C:\Util1\Norman\Nvc\Bin\Nip.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Util1\Norman\Nvc\Bin\cclaw.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Util nero\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\lexpps.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Util1\Norman\nvc\bin\nvcod.exe
    C:\Util1\SeaMonkey\seamonkey.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Util1\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\Util1\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Util1\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RemoteControl] "C:\Util nero\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Util1Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Iina_MozBU.cmd
    O4 - Global Startup: Suorita Nintendo Wi-Fi USB Connector -rekisteröintityökalu.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217944616968
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norman NJeeves - Norman ASA - C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Util1\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Util1\Norman\nse\bin\NSESVC.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Util1\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Util1\Norman\npm\bin\nvoy.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5451 bytes

    Malwarebytes' Anti-Malware 1.14
    Tietokantaversio: 824

    7:21:15 5.6.2008
    mbam-log-6-5-2008 (07-21-15).txt

    Tarkistustyyppi: Täysi tarkistus (F:\|)
    Tarkistetut kohteet: 205222
    Kulunut aika: 1 hour(s), 59 minute(s), 12 second(s)

    Saastuneita muistiprosesseja: 0
    Saastuneita muistimoduuleja: 0
    Saastuneita rekisteriavaimia: 0
    Saastuneita rekisteriarvoja: 0
    Saastuneita rekisterikohteita: 0
    Saastuneita hakemistoja: 0
    Saastuneita tiedostoja: 0

    Saastuneita muistiprosesseja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita muistimoduuleja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriavaimia:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisteriarvoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita rekisterikohteita:
    (Haitallisia kohteita ei löydetty)

    Saastuneita hakemistoja:
    (Haitallisia kohteita ei löydetty)

    Saastuneita tiedostoja:
    (Haitallisia kohteita ei löydetty)
     
  2. Hujo

    Hujo Guest

    If Malwarebytes' Anti-Malware is already on the machine, run its update first and then run a scan.

    ===============

    Download SDFix by AndyManchesta and save it to your desktop.

    Restart your machine into Safe Mode:

    shut down and start up
    during startup, tap the F8 key
    select Safe Mode with the arrow keys
    press Enter and Enter
    select your user account
    press Yes

    On some machines you tap F5 instead of F8.

    - Once in Safe Mode, extract the contents of SDFix.zip (the SDFix folder) to your desktop. A folder named SDFix should appear on the desktop.
    - Open the SDFix folder and double-click the file RunThis.bat to start the program.
    - Press Y to start the script.
    - The tool cleans out the trojan's services and also makes some repairs to the registry. Finally it asks you to restart the machine, "Press any key to Reboot".
    - Press any key and the machine restarts.
    - Startup takes longer than normal because SDFix is cleaning the machine.
    - When the machine has started and the desktop has loaded, SDFix reports that the cleanup is complete, "Finished".
    - Then press any key to close the script and load the desktop shortcuts.
    - Finally, open the SDFix folder (on the desktop) and copy & paste the contents of the file Report.txt into your thread, along with a new HijackThis log.
     
  3. aggre

    aggre Member


    SDFix: Version 1.229
    Run by Ilari on Sun 09/28/2008 at 10:52 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\Documents and Settings\Ilari\Desktop\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found

    Removing Temp Files

    ADS Check :

    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-28 10:59:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"="C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
    "C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
    "C:\\Users\\Ilari\\Videot\\Torrent\\uTorrent.exe"="C:\\Users\\Ilari\\Videot\\Torrent\\uTorrent.exe:*:Disabled:µTorrent"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Disabled:µTorrent"
    "C:\\Util1\\CorelDraw10\\Register\\NAVBrowser.exe"="C:\\Util1\\CorelDraw10\\Register\\NAVBrowser.exe:*:Disabled:NAVBrowser"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Pelit2\\Battlefield 2 Deluxe Edition\\BF2.exe"="C:\\Pelit2\\Battlefield 2 Deluxe Edition\\BF2.exe:*:Enabled:Battlefield 2"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :

    Files with Hidden Attributes :

    Tue 22 Aug 2006 98,304 A..H. --- "C:\Users\Iina\~WRL0002.tmp"
    Sat 3 Sep 2005 67,072 A..H. --- "C:\Users\Ilari\~WRL0002.tmp"
    Tue 22 Aug 2006 98,304 A..H. --- "C:\Vara-Users\Iina\~WRL0002.tmp"
    Sun 15 Jun 2008 25,755,448 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d27c2900aa2705e008389ddae7c985e9\BITEF.tmp"
    Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT3.tmp"
    Thu 27 Feb 1997 21,504 A..H. --- "C:\Util1\CorelDraw10\Draw\Scripts\Misc\scpext.dll"

    Finished!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:52 AM, on 9/28/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Util1\Norman\Npm\Bin\Zanda.exe
    C:\Util1\Norman\npm\bin\nvoy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    C:\Util1\Norman\nse\bin\NSESVC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Util1\Norman\Nvc\bin\nvcoas.exe
    C:\Util1\Norman\Npm\Bin\ZLH.EXE
    C:\Program Files\VDOTool\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Util nero\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Util1\Norman\Nvc\Bin\Nip.exe
    C:\Util1\Norman\Nvc\Bin\cclaw.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Util1\SeaMonkey\seamonkey.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Util1\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\Util1\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Util1\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RemoteControl] "C:\Util nero\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Util1Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Ilari_MozBU.cmd
    O4 - Global Startup: Suorita Nintendo Wi-Fi USB Connector -rekisteröintityökalu.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217944616968
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norman NJeeves - Norman ASA - C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Util1\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Util1\Norman\nse\bin\NSESVC.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Util1\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Util1\Norman\npm\bin\nvoy.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5638 bytes
     
  4. Hujo

    Hujo Guest

    Scan with HJT, tick these, and press Fix checked:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     
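    A small triage script, added here as an example (it is not from the thread or from HijackThis), that flags the structural red flags in a log of the kind posted above: an O2 BHO whose DLL is "(no file)", an O4 Run value that launches a bare executable name with no path, and an O23 service with "Unknown owner". The sample lines are constructed to match the shape of this thread's log, and all function names are the example's own; it does not make the "unneeded startup item" judgement calls (NeroFilterCheck, TkBellExe) that the reply above makes.

```python
"""Flag structural red flags in HijackThis O2/O4/O23 lines (constructed example)."""
import re

# Constructed sample, shaped like the log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Util1\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Util1\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_of(cmd):
    """Return the program a Run value really launches.

    Quoted paths are honoured. For rundll32 the hosted DLL (the part before
    the comma) is what matters, so that is returned instead of rundll32 itself.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower() in ("rundll32.exe", "rundll32"):
        dll = rest.strip().partition(",")[0].strip('"')
        return dll or exe
    return exe


def is_bare_name(exe):
    """True when the value has no drive, no directory and no %VAR% prefix.

    Such a name is resolved by a path search at logon, so the log alone does
    not tell you which file on disk actually runs; it has to be located and
    verified by hand.
    """
    return "\\" not in exe and not re.match(r"^[A-Za-z]:", exe) and not exe.startswith("%")


def triage(log_text):
    """Return (section, key, note) tuples for lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(("O2", m.group("clsid"),
                                 "orphaned BHO: CLSID registered but its DLL is gone; safe to fix"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if is_bare_name(exe):
                findings.append(("O4", m.group("value"),
                                 f"bare executable name {exe!r}: locate the file on disk and verify it"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("O23", m.group("name"),
                             "service binary without a recognised publisher: check its signature"))
    return findings


if __name__ == "__main__":
    for section, key, note in triage(SAMPLE_LOG):
        print(f"{section:<4} {key:<40} {note}")
```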
  5. aggre

    aggre Member

    Done. Was that it, then?
     
  6. Hujo

    Hujo Guest

    Update
    Malwarebytes' Anti-Malware
    and run a full scan after updating.
     
  7. aggre

    aggre Member

    Nothing was found.

    Malwarebytes' Anti-Malware 1.28
    Database version: 1134
    Windows 5.1.2600 Service Pack 3

    28.9.2008 14:01:08
    mbam-log-2008-09-28 (14-01-08).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 312154
    Time elapsed: 1 hour(s), 56 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  8. Hujo

    Hujo Guest

    1. Download Combofix.exe to your desktop from one of these links:
    Combofix1
    Combofix2

    2. Double-click the Combofix.exe file and follow the instructions.
    3. When the tool is finished, it produces a log. Post this log in your thread.
    Note! Do not click in the Combofix window while it is running. This may cause the program to hang.

    =============

    run a new HJT scan and post the log
     
  9. aggre

    aggre Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:30, on 2008-09-28
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Util1\Norman\Npm\Bin\Zanda.exe
    C:\Util1\Norman\npm\bin\nvoy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Util1\Norman\Nvc\bin\nvcoas.exe
    C:\Util1\Norman\Npm\Bin\ZLH.EXE
    C:\Program Files\VDOTool\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Util nero\PowerDVD\PDVDServ.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Util1\Norman\Nvc\Bin\Nip.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Util1\Norman\Nvc\Bin\cclaw.exe
    C:\WINDOWS\explorer.exe
    C:\Util1\SeaMonkey\seamonkey.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Util1\adobe\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\Util1\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RemoteControl] "C:\Util nero\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Util1Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Ilari_MozBU.cmd
    O4 - Global Startup: Suorita Nintendo Wi-Fi USB Connector -rekisteröintityökalu.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217944616968
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norman NJeeves - Norman ASA - C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Util1\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Util1\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Util1\Norman\npm\bin\nvoy.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5385 bytes
     
  10. aggre

    aggre Member

    Ugh, I forgot to grab the CF log. Well, here at least is some quarantine log.

    2008-09-28 11:23:17 7,456 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2008-09-28 11:23:22 1,060 C:\Qoobox\Quarantine\Registry_backups\Legacy_NSESVC.reg.dat
    2008-09-28 11:23:22 2,738 C:\Qoobox\Quarantine\Registry_backups\Service_nsesvc.reg.dat
    2008-09-28 11:23:40 54 C:\Qoobox\Quarantine\catchme.log
    2008-09-28 11:28:11 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
    2008-09-28 11:28:11 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
    2008-09-28 11:28:11 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
    2008-09-28 11:28:13 128 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-WinampAgent.reg.dat
    2008-09-28 11:28:13 167 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Nokia.PCSync.reg.dat
     
  11. Hujo

    Hujo Guest

    post the whole log
     
  12. aggre

    aggre Member

    Where is it found? There was nothing in Qoobox except that, some catchme.log and add-remove programs.txt. Or do I need to run the Combofix scan again?
     
  13. Hujo

    Hujo Guest

    C:\Combofix.txt
     
  14. aggre

    aggre Member

    I also added a new HJT log, just in case.

    ComboFix 08-09-27.03 - Ilari 2008-09-28 14:21:09.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1339 [GMT 3:00]
    Running from: C:\Documents and Settings\Noora\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NSESVC
    -------\Service_nsesvc


    ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
    .

    2008-09-28 10:51 . 2008-09-28 10:51 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
    2008-09-28 10:50 . 2008-09-28 10:51 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-09-28 10:48 . 2008-09-28 10:48 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-28 07:24 . 2008-09-28 07:24 499,568 --a------ C:\Temp\hijackthis_v2.0.2.zip
    2008-09-25 13:57 . 2008-09-25 14:20 <DIR> d-------- C:\Documents and Settings\Ilari\Application Data\Ventrilo
    2008-09-25 13:56 . 2008-09-25 13:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-24 18:20 . 2008-09-24 18:20 <DIR> d-------- C:\Documents and Settings\Noora\Application Data\AdobeUM
    2008-09-23 14:59 . 2008-09-23 14:59 <DIR> d-------- C:\Documents and Settings\Ilari\Contacts
    2008-09-23 14:57 . 2008-09-23 14:58 <DIR> d-------- C:\Program Files\Windows Live
    2008-09-23 14:57 . 2008-09-23 14:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-09-23 14:57 . 2008-09-23 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-09-23 14:56 . 2008-02-03 14:02 2,400,784 --a------ C:\Temp\WLinstaller.exe
    2008-09-23 11:41 . 2008-09-23 11:41 <DIR> d-------- C:\Documents and Settings\Noora\Phone Browser
    2008-09-20 17:25 . 2008-09-20 17:25 <DIR> d-------- C:\Documents and Settings\Iina\Application Data\Corel
    2008-09-20 15:00 . 2005-02-26 08:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
    2008-09-18 19:57 . 2008-09-18 19:57 120,872 --a------ C:\WINDOWS\system32\MSForms.TWD
    2008-09-08 16:06 . 2008-09-28 12:59 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-09-08 14:11 . 2008-09-08 14:11 25 --a------ C:\WINDOWS\cdplayer.ini
    2008-09-08 14:09 . 2008-09-08 14:09 <DIR> d-------- C:\Program Files\Real
    2008-09-08 14:09 . 2008-09-08 14:09 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-09-08 14:09 . 2008-09-08 14:09 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-09-08 14:06 . 2008-09-08 14:06 353,840 --a------ C:\Temp\RealPlayer11GOLD.exe
    2008-09-06 22:15 . 2008-09-06 22:15 <DIR> d-------- C:\WINDOWS\Cache
    2008-09-06 22:14 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
    2008-09-06 22:14 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
    2008-09-06 22:14 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
    2008-09-06 22:14 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
    2008-09-06 22:14 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
    2008-09-06 22:14 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2008-09-06 22:14 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2008-09-06 22:14 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
    2008-09-06 22:13 . 2008-09-06 22:13 <DIR> d-------- C:\WINDOWS\InCD
    2008-09-06 22:13 . 2008-09-06 22:14 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-09-06 22:13 . 2008-09-06 22:14 <DIR> d-------- C:\Program Files\Ahead
    2008-09-06 22:13 . 2004-09-07 13:09 2,146,304 --------- C:\WINDOWS\NuNinst.exe
    2008-09-06 22:13 . 2004-09-07 16:27 91,136 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
    2008-09-06 22:13 . 2004-10-19 09:48 51,969 --------- C:\WINDOWS\NuNinst.cfg
    2008-09-06 22:13 . 2004-09-07 16:27 28,544 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
    2008-09-06 22:13 . 2004-09-07 16:29 5,760 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
    2008-09-06 22:12 . 2008-09-06 22:12 <DIR> d-------- C:\MyWorks
    2008-09-06 22:12 . 2003-12-05 12:46 10,368 --------- C:\WINDOWS\system32\drivers\pfc.sys
    2008-09-06 22:11 . 2008-09-06 22:12 <DIR> d-------- C:\Util nero
    2008-09-06 22:11 . 2008-09-06 22:11 <DIR> d-------- C:\Program Files\CyberLink
    2008-09-06 22:11 . 2008-09-06 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-09-06 22:11 . 2004-03-11 13:27 40,960 --a------ C:\Program Files\Uninstall_CDS.exe
    2008-09-06 22:10 . 2008-09-06 22:10 <DIR> d-------- C:\Util1Nero_yms
    2008-09-06 21:57 . 2008-09-06 21:57 <DIR> d-------- C:\Util1Nokia
    2008-09-06 21:57 . 2008-09-06 21:57 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2008-09-06 21:57 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2008-09-06 21:57 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2008-09-06 21:57 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2008-09-06 21:57 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2008-09-06 21:57 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
    2008-08-29 13:58 . 2008-08-29 13:58 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-08-29 13:56 . 2008-04-11 22:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-29 13:56 . 2008-05-01 17:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-28 11:32 . 2007-09-08 10:14 77,824 --a------ C:\WINDOWS\NameDate.exe
    2008-08-28 11:30 . 2008-08-28 11:30 51,375 --a------ C:\Temp\namedate.zip
    2008-08-28 10:24 . 2008-08-28 10:24 <DIR> d-------- C:\Documents and Settings\Olli\Application Data\Winamp
    2008-08-28 10:03 . 2008-08-29 14:26 72,301 --a------ C:\WINDOWS\system32\perfmonkoti.msc
    2008-08-28 08:30 . 2008-08-28 08:30 <DIR> d-------- C:\Documents and Settings\Olli\Application Data\vlc
    2008-08-28 08:29 . 2008-08-28 08:29 9,501,920 --a------ C:\Temp\vlc-0.8.6i-win32.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-28 08:22 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-26 15:09 137,728 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-09-26 15:09 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-09-25 13:43 --------- d-----w C:\Documents and Settings\Noora\Application Data\Winamp
    2008-09-20 16:06 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-09-09 21:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-09 21:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-06 19:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-06 18:57 --------- d-----w C:\Program Files\Common Files\Nokia
    2008-09-06 18:40 --------- d-----w C:\Program Files\Nokia
    2008-09-02 10:48 19,512 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys
    2008-08-24 09:29 --------- d-----w C:\Documents and Settings\Noora\Application Data\Malwarebytes
    2008-08-06 08:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
    2008-08-02 16:53 113 ----a-w C:\Documents and Settings\Olli\Olli_MozBU_koe.cmd
    2008-07-30 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-07-30 11:45 --------- d-----w C:\Program Files\Yahoo!
    2008-07-30 11:39 --------- d-----w C:\Documents and Settings\Ilari\Application Data\AdobeUM
    2008-07-18 19:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 19:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 19:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 19:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 19:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 19:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 19:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 19:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 19:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 19:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-29 07:54 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Norman ZANDA"="C:\Util1\Norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
    "Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-25 8527872]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-25 81920]
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
    "PCSuiteTrayApplication"="C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
    "RemoteControl"="C:\Util nero\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
    "RTHDCPL"="RTHDCPL.EXE" [2007-03-21 C:\WINDOWS\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
    "Nokia.PCSync"="C:\Util1Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

    C:\Documents and Settings\Iina\Start Menu\Programs\Startup\
    Iina_MozBU.cmd [2008-08-29 498]
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]

    C:\Documents and Settings\Ilari\Start Menu\Programs\Startup\
    Ilari_MozBU.cmd [2008-08-29 501]

    C:\Documents and Settings\Olli\Start Menu\Programs\Startup\
    Olli_MozBU.cmd [2008-08-28 498]

    C:\Documents and Settings\Noora\Start Menu\Programs\Startup\
    Iina_MozBU.cmd [2008-08-29 501]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Suorita Nintendo Wi-Fi USB Connector -rekisteröintityökalu.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2008-06-28 1073152]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "C:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "C:\\Util1\\CorelDraw10\\Register\\NAVBrowser.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Pelit2\\Battlefield 2 Deluxe Edition\\BF2.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R2 Ndiskio;Ndiskio;C:\Util1\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 20448]
    R2 NVOY;Norman's Very Own supplY of resources;C:\Util1\Norman\npm\bin\nvoy.exe [2008-02-07 121912]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 38656]
    R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]
    R3 nvcoas;Norman Virus Control on-access component;C:\Util1\Norman\Nvc\bin\nvcoas.exe [2008-04-30 191544]
    R3 NVCScheduler;Norman Virus Control Scheduler;C:\Util1\Norman\Npm\bin\NVCSCHED.EXE [2007-09-18 154680]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Nokia.PCSync - C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
    HKLM-Run-WinampAgent - C:\Util1\Winamp\winampa.exe


    .
    ------- Supplementary Scan -------
    .
    O15 -: Trusted Zone: *.http
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-28 14:25:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Util1\Norman\Npm\Bin\elogsvc.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Util1\Norman\Npm\Bin\Zanda.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Util1\Norman\Npm\Bin\Njeeves.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\LEXMAR~1\lxbkbmon.exe
    C:\Util1\Norman\nvc\bin\Nip.exe
    C:\Util1\Norman\nvc\bin\CClaw.exe
    C:\ComboFix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-09-28 14:28:32 - machine was rebooted [Ilari]
    ComboFix-quarantined-files.txt 2008-09-28 11:28:29

    Pre-Run: 438 958 325 760 bytes free
    Post-Run: 440,960,569,344 bytes free

    207 --- E O F --- 2008-09-27 18:59:00

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:40:18, on 28.9.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Util1\Norman\Npm\Bin\Zanda.exe
    C:\Util1\Norman\npm\bin\nvoy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Util1\Norman\Nvc\bin\nvcoas.exe
    C:\WINDOWS\Explorer.EXE
    C:\Util1\Norman\Npm\Bin\ZLH.EXE
    C:\Program Files\VDOTool\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Util nero\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\lexpps.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Util1\Norman\Nvc\Bin\Nip.exe
    C:\Util1\Norman\Nvc\Bin\cclaw.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Util1\SeaMonkey\seamonkey.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Util1\adobe\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\Util1\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RemoteControl] "C:\Util nero\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Util1\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Util1\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Util1Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Iina_MozBU.cmd
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Suorita Nintendo Wi-Fi USB Connector -rekisteröintityökalu.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217944616968
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Util1\Norman\Npm\Bin\Elogsvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norman NJeeves - Norman ASA - C:\Util1\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Util1\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Util1\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Util1\Norman\Npm\bin\NVCSCHED.EXE
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Util1\Norman\npm\bin\nvoy.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5898 bytes
     
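    The HijackThis listing above is flat text, and the Run-key lines in particular hide the detail a responder wants first: which file actually gets loaded (the quoted executable, the DLL behind `RUNDLL32.EXE`, an unquoted path with spaces), and which entries name a bare file with no directory or a service with no recorded publisher. The parser below is an added example written for this page, not code from HijackThis, ComboFix or anyone in the thread; the sample lines are constructed from the log above, and `Entry`, `parse_hjt`, `extract_image`, `by_name` and `flagged` are names chosen here.

```python
"""Turn HijackThis v2 log lines into structured autostart records for triage.
Added example for this thread, not code from HijackThis, ComboFix or the
posters; Entry, parse_hjt, extract_image, by_name, flagged are names chosen here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines in the format of the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Util1\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Util1Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: Iina_MozBU.cmd
O4 - Global Startup: Suorita Nintendo Wi-Fi USB Connector -rekisteröintityökalu.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

EXTS = (".exe", ".dll", ".cmd", ".bat", ".scr", ".com", ".lnk")
O4_REG_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
                       r"(?: \(User '(?P<user>[^']*)'\))?$")
O4_DIR_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?)(?: = (?P<cmd>.*))?$")
R_RE = re.compile(r"^(?P<kind>R[0-3]) - (?P<loc>[^,]+),(?P<name>[^=]+?) = (?P<val>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str             # HJT section code: R0, R1, O4, O23
    location: str         # registry key, startup folder, or "Service"
    name: str             # value name, shortcut name, or service name
    command: str          # raw command / value data as logged
    image: Optional[str]  # file that actually gets loaded, when determinable
    note: str = ""        # triage hint derived from the line itself


def _first_path(s: str) -> Optional[str]:
    """Unquoted paths may contain spaces: join tokens until the prefix ends in
    a known executable extension, falling back to the first token."""
    tokens = s.split()
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if cand.lower().endswith(EXTS):
            return cand
    return tokens[0] if tokens else None


def extract_image(cmd: str) -> Optional[str]:
    """Return the file a Run/Startup/Service command actually loads."""
    cmd = cmd.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):                   # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    first = _first_path(cmd)
    if first and first.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        rest = cmd[len(first):].strip()       # rundll32 only hosts a DLL:
        return rest.split(",", 1)[0].strip('"') or None   # report the DLL
    return first


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_DIR_RE.match(line):        # startup-folder item
            cmd = m.group("cmd") or m.group("name")
            entries.append(Entry("O4", m.group("loc"), m.group("name"), cmd, extract_image(cmd)))
        elif m := O4_REG_RE.match(line):      # registry Run value
            loc = m.group("loc") + (f" (User '{m.group('user')}')" if m.group("user") else "")
            img = extract_image(m.group("cmd"))
            note = "" if img is None or "\\" in img else \
                "bare filename: resolved through the search path, not a fixed location"
            entries.append(Entry("O4", loc, m.group("name"), m.group("cmd"), img, note))
        elif m := R_RE.match(line):           # IE start/search page value
            entries.append(Entry(m.group("kind"), m.group("loc"), m.group("name"), m.group("val"), None))
        elif m := O23_RE.match(line):         # service and its binary
            note = "no publisher recorded for service binary" if m.group("owner") == "Unknown owner" else ""
            entries.append(Entry("O23", "Service", m.group("name"), m.group("path"),
                                 extract_image(m.group("path")), note))
    return entries


def by_name(entries: List[Entry], name: str) -> Entry:
    return next(e for e in entries if e.name == name)


def flagged(entries: List[Entry]) -> List[str]:
    """Names of entries that carry a triage note."""
    return [e.name for e in entries if e.note]
```

    Running `parse_hjt(SAMPLE_LOG)` and printing each record's `image` and `note` gives one line per autostart with the resolved file, and `flagged` returns `RTHDCPL` (a bare name with no directory, so Windows finds it through the search path) and `PnkBstrA` (a service whose binary has no publisher in the log). Those notes come only from what the line itself says; they are starting points for checking the file on disk, not verdicts.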
  15. Hujo

    Hujo Guest

    Scan with HJT, tick this line and press Fix checked

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    ================

    This still hasn't been updated

    Malwarebytes' Anti-Malware


    ================

    Download CCleaner from here
    CCleaner v 2.11.636 - Standard Build, DO NOT install the Yahoo toolbar!
    During installation, untick the box "install Yahoo! toolbar".
    After installation, open CCleaner.
    From the left-hand column choose Options.
    From the column next to it choose Settings.
    Under Language choose Suomi.

    Cleaner
    From the left-hand column choose Cleaner.
    At the bottom press Analyze.
    CCleaner now analyzes what can be removed (temp files, cookies etc.).
    When the analysis is done, press Run Cleaner.
    CCleaner now removes the temp files, cookies etc. it found.

    Registry error repair
    From the left-hand column choose Registry.
    At the bottom press Scan for Issues.
    When the scan is done and you are sure you want to fix the lines that are ticked, press Fix selected issues.
    You will be asked "do you want to back up changes to the registry"; press Yes. Save the backup somewhere such as the "My Documents" folder.
    In the new window that opens, click Fix All Selected Issues.
    You will get one more confirmation prompt; press OK.
    When the issues have been fixed, press Close.
    You can now close CCleaner by pressing the red X at the top right.
     
  16. aggre

    aggre Member

    Done. I did update Malwarebytes before the scan, though.
     
  17. Hujo

    Hujo Guest

    That says otherwise
    version: 1134
    it should be over 1200
     
    Last edited by a moderator: Sep 28, 2008
  18. aggre

    aggre Member

    Sorry for the double post, but after running CCleaner almost all backgrounds, images and videos disappeared from many sites. On YouTube, for example, there is nothing but text.
     
  19. aggre

    aggre Member

    Well, now it's at least 1219. Last time I pressed the update button and it appeared to be updating, but apparently it never went through.
     
  20. Hujo

    Hujo Guest

    shut down and restart the computer in between
     
