Messenger virus or what? Getting rid of it anyway.

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by Jumpseri, May 28, 2008.

  1. Jumpseri

    Jumpseri Member

    Joined:
    May 28, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    So I got sloppy and clicked "is this you in *url*" in Messenger without thinking. Now it spams everyone on Messenger whenever Messenger is open.
    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:08:21, on 28.5.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\perfs.exe
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wserving.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FI_FI&c=64&bd=pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FI_FI&c=64&bd=pavilion&pf=laptop
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Automattinen LiveUpdate-ajastustoiminto - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect -palvelu (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center -palvelu (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
    O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

    --
    End of file - 7528 bytes
     
  2. kalminen

    kalminen Regular member

    Joined:
    May 4, 2007
    Messages:
    3,915
    Likes Received:
    0
    Trophy Points:
    46
    There's other junk here too!!!

    ****************
    In this directory:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    With the right mouse button you can rename HijackThis.exe to, say, hoojiitee.exe
    ****************

    1. Download combofix.exe to your desktop from either of these links:
    combofix.exe
    combofix.exe

    Open Notepad and copy/paste the contents of the Quote: box into it:

    Save it as CFScript (ComboFix actually recognizes it even if the file extension isn't .txt).

    Then drag and drop CFScript onto ComboFix.exe as shown below. (Don't click it.)

    [IMG]

    Note! Don't click around in the ComboFix window while it is running. That may cause the program to hang.
    Reboot the machine if asked to, and post the contents of combofix.txt here.

    Close your browser and other programs for the duration of the fix (not the antivirus).
    Start HijackThis, run Scan, tick the entries listed in red below and remove them (Fix checked).

    O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe

    Empty the Recycle Bin and reboot your computer.

    Post the following logs here:
    * A fresh HijackThis log (take it last, just before posting)
    * The ComboFix report (C:\ComboFix.txt)
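The entries kalminen singles out (a bare `winudspm.exe` in a Run key, and in the same log three services with "Unknown owner" in system32 that ComboFix later lists under Drivers/Services as PERFMONS, ROUTING and WSERVING) are the kind of thing a helper spots by eye. The script below is an added example, not code from this thread or from HijackThis/ComboFix: it parses a few HijackThis-style lines (a constructed sample, copied from the two logs in this thread plus some benign entries) and lists the entries a reviewer should look at first. It cleans nothing, and every hit still needs a human decision, since bare-name Run entries such as nwiz.exe are also used by legitimate software.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Heuristics, in order of how often they matter in logs like the one above:
  O23  service with no vendor string ("Unknown owner") running from system32
  O4   Run entry whose command is a bare filename, resolved by PATH search
  O20  Winlogon Notify DLL with a random-looking eight-letter name
  O2   BHO with "(no name)", worse if the DLL name also looks random
"""
import re

# Constructed sample: lines copied from the thread's two logs plus benign ones,
# so the script runs offline without a real log file.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\efcDSmKE.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows UDP Control] winudspm.exe
O20 - Winlogon Notify: efcDSmKE - C:\WINDOWS\SYSTEM32\efcDSmKE.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
"""

# Every HijackThis entry starts with a section tag such as R0, O4 or O23.
HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_line(line):
    """Return (section, body) for a HijackThis entry, or None for other text."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def file_stem(path):
    """'C:\\WINDOWS\\system32\\efcDSmKE.dll' -> 'efcDSmKE'."""
    name = path.strip().rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem):
    """Eight letters in mixed case (efcDSmKE, rqRHaWMC, jkkJyYPi) is a common
    pattern for machine-generated DLL names; a crude but useful signal."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    upper = sum(c.isupper() for c in stem)
    return 3 <= upper <= 5


def triage(log_text):
    """Return a list of (section, line, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        reason = None
        if section == "O4" and "Run:" in body:
            cmd = body.split("] ", 1)[1] if "] " in body else ""
            exe = cmd.strip().strip('"').split()[0] if cmd.strip() else ""
            if exe and "\\" not in exe and "%" not in exe:
                reason = "Run entry with bare filename, resolved by PATH search"
        elif section == "O23":
            if "- Unknown owner -" in body and "\\system32\\" in body.lower():
                reason = "service with no vendor string running from system32"
        elif section == "O20":
            if looks_random(file_stem(body.split(" - ")[-1])):
                reason = "Winlogon Notify DLL with random-looking name"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reason = "BHO without a name"
            if looks_random(file_stem(body.split(" - ")[-1])):
                reason += " and random-looking DLL name"
        if reason:
            findings.append((section, line.strip(), reason))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it as-is to see the six sample hits; point `triage()` at the text of a real log to use it on that instead. The O23 rule is the one with the best signal-to-noise ratio here: vendor-signed services carry a company string, and a nameless service living in system32 under a generic name like "Routing Service" is exactly what the later ComboFix run removed.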
     
  3. Jumpseri

    Jumpseri Member

    Joined:
    May 28, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:34, on 2008-05-28
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\hoojiitee.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FI_FI&c=64&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FI_FI&c=64&bd=pavilion&pf=laptop
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\efcDSmKE.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: efcDSmKE - C:\WINDOWS\SYSTEM32\efcDSmKE.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automattinen LiveUpdate-ajastustoiminto - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect -palvelu (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
    O23 - Service: Norton Protection Center -palvelu (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8966 bytes

    ComboFix:

    ComboFix 08-05-27.4 - Administrator 2008-05-28 23:18:28.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1495 [GMT 3:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\winudspm.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\CMWaHRqr.ini
    C:\WINDOWS\system32\CMWaHRqr.ini2
    C:\WINDOWS\system32\rqRHaWMC.dll
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\Program Files\internet explorer\keygen.exe
    C:\WINDOWS\system32\abtbtbrw.dll
    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\comsa32.sys
    C:\WINDOWS\system32\GLAPILIB.dll
    C:\WINDOWS\system32\opnmKBrP.dll
    C:\WINDOWS\system32\PrBKmnpo.ini
    C:\WINDOWS\system32\PrBKmnpo.ini2
    C:\WINDOWS\system32\WServing.exe
    C:\WINDOWS\winudspm.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFINDING
    -------\Legacy_PERFMONS
    -------\Legacy_ROUTING
    -------\Legacy_WSERVING
    -------\Service_AFinding
    -------\Service_WServing


    ((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
    .

    2008-05-28 22:16 . 2008-05-28 22:16 57,344 --a------ C:\WINDOWS\system32\jkkJyYPi.dll
    2008-05-28 21:53 . 2008-05-28 21:53 <DIR> d-------- C:\Program Files\Alwil Software
    2008-05-28 21:27 . 2008-05-28 21:28 <DIR> d-------- C:\Program Files\Netcom3 Cleaner
    2008-05-28 21:19 . 2008-05-28 21:19 <DIR> d-------- C:\Program Files\ToniArts
    2008-05-28 21:15 . 2008-05-28 21:15 57,344 --a------ C:\WINDOWS\system32\hgGaxutt.dll
    2008-05-28 21:09 . 2008-05-28 21:09 57,344 --a------ C:\WINDOWS\system32\byXppNHW.dll
    2008-05-28 20:51 . 2008-05-28 20:51 57,344 --a------ C:\WINDOWS\system32\efcDSmKE.dll
    2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-28 20:31 . 2008-05-28 20:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-05-28 20:31 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-28 20:31 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-28 20:26 . 2008-05-28 20:26 40,960 --a------ C:\dczi.exe
    2008-05-28 20:24 . 2008-05-28 20:24 <DIR> d-------- C:\Program Files\Miranda IM
    2008-05-28 20:24 . 2008-05-28 20:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Miranda
    2008-05-28 20:19 . 2008-05-28 20:39 57,344 --------- C:\WINDOWS\system32\hgGwVNhF.dll
    2008-05-28 20:15 . 2008-05-28 20:39 57,344 --------- C:\WINDOWS\system32\yayWqPFX.dll
    2008-05-28 20:10 . 2008-05-28 20:10 56,832 --a------ C:\sxy1.com
    2008-05-28 20:05 . 2008-05-28 20:05 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-28 19:48 . 2008-05-28 21:17 <DIR> d-------- C:\MSNCleaner
    2008-05-28 19:16 . 2008-05-28 20:39 57,344 --------- C:\WINDOWS\system32\pmnlihHY.dll
    2008-05-28 19:13 . 2008-05-28 21:54 40,960 --a------ C:\dci.exe
    2008-05-28 19:09 . 2008-05-28 19:09 <DIR> d-------- C:\Program Files\foobar2000
    2008-05-28 19:09 . 2008-05-28 19:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\foobar2000
    2008-05-28 19:00 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-05-28 19:00 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-05-28 19:00 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-05-28 15:01 . 2008-05-28 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
    2008-05-28 14:56 . 2008-05-28 14:56 <DIR> d-------- C:\Program Files\uTorrent
    2008-05-28 14:56 . 2008-05-28 19:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
    2008-05-28 14:53 . 2008-05-28 21:14 <DIR> d-------- C:\Program Files\mIRC
    2008-05-28 14:53 . 2008-05-28 22:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
    2008-05-28 14:48 . 2008-05-28 15:00 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-05-28 14:47 . 2008-05-28 15:00 <DIR> d-------- C:\Program Files\Windows Live
    2008-05-28 14:47 . 2008-05-28 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-05-27 13:00 . 2008-05-27 13:00 <DIR> d-------- C:\Program Files\RMClock
    2008-05-20 17:52 . 2008-05-20 17:52 <DIR> d-------- C:\dx
    2008-05-19 17:41 . 2008-05-19 16:59 <DIR> d-------- C:\Program Files\NeoSmart Technologies
    2008-05-19 17:40 . 2008-05-19 17:40 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-05-19 17:40 . 2008-05-19 17:40 <DIR> d-------- C:\WINDOWS\system32\en
    2008-05-19 17:40 . 2008-05-19 17:40 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-05-19 17:40 . 2008-05-19 17:40 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-05-19 17:36 . 2008-05-19 17:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-05-19 17:23 . 2008-04-14 03:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
    2008-05-19 17:22 . 2008-04-14 03:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
    2008-05-19 17:15 . 2008-05-19 17:15 <DIR> d-------- C:\cpuz
    2008-05-19 17:10 . 2008-05-19 17:10 <DIR> d-------- C:\Program Files\RivaTuner v2.09
    2008-05-19 16:51 . 2008-05-19 16:52 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-05-19 16:51 . 2008-05-19 16:52 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-05-19 16:44 . 2008-05-19 16:44 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
    2008-05-16 00:18 . 2008-05-16 00:18 1,160 --a------ C:\WINDOWS\mozver.dat
    2008-05-16 00:18 . 2008-05-16 00:18 0 --a------ C:\WINDOWS\nsreg.dat
    2008-05-15 23:57 . 2008-05-15 23:57 <DIR> d-------- C:\WINDOWS\Sun
    2008-05-15 22:52 . 2008-05-15 22:52 <DIR> d-------- C:\Program Files\XP Codec Pack
    2008-05-15 22:52 . 2007-08-18 09:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
    2008-05-15 22:42 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\drivers\kswdmcap.ax
    2008-05-15 22:42 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\drivers\kstvtune.ax
    2008-05-15 22:42 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
    2008-05-15 22:42 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\drivers\ksxbar.ax
    2008-05-15 22:42 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\drivers\vidcap.ax
    2008-05-15 22:42 . 2008-04-14 03:12 18,432 --a------ C:\WINDOWS\system32\bdaplgin.ax
    2008-05-15 22:42 . 2008-04-13 21:46 15,232 --a------ C:\WINDOWS\system32\drivers\mpe.sys
    2008-05-15 22:42 . 2008-04-13 21:46 11,776 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
    2008-05-15 22:41 . 2006-05-18 09:01 218,624 --a------ C:\WINDOWS\system32\drivers\bdacap.sys
    2008-05-15 22:41 . 2008-04-13 21:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-05-15 22:41 . 2006-01-06 08:55 11,264 --a------ C:\WINDOWS\system32\drivers\GLKbFilter.sys
    2008-05-15 22:41 . 2006-03-31 03:33 3,729 --a------ C:\WINDOWS\system32\drivers\IRKEYMAP_1.SET
    2008-05-15 07:13 . 2008-05-14 23:15 <DIR> d--hs---- C:\Boot
    2008-05-15 07:13 . 2008-05-14 22:38 443,912 -rahs---- C:\bootmgr
    2008-05-15 07:13 . 2008-05-15 07:13 8,192 -ra-s---- C:\BOOTSECT.BAK
    2008-05-15 04:43 . 2008-05-15 04:43 <DIR> d-------- C:\WINDOWS\system32\Futuremark
    2008-05-15 04:43 . 2008-05-15 04:43 <DIR> d-------- C:\Program Files\Futuremark
    2008-05-15 04:43 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
    2008-05-15 04:43 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
    2008-05-15 04:43 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
    2008-05-15 04:43 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
    2008-05-15 03:01 . 2008-05-15 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-05-15 02:03 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2008-05-14 20:27 . 2008-05-14 20:27 <DIR> d--hs---- C:\$RECYCLE.BIN
    2008-05-14 20:24 . 2007-03-17 14:41 171,136 -rahs---- C:\grldr
    2008-05-14 18:22 . 2008-05-14 18:21 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-05-14 18:22 . 2008-05-14 18:22 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-05-14 18:21 . 2008-05-19 16:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-05-14 18:21 . 2008-05-14 18:21 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-05-14 18:08 . 2008-05-19 17:43 <DIR> d-------- C:\Program Files\EA GAMES
    2008-05-14 18:01 . 2008-05-14 18:05 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
    2008-05-14 18:00 . 2008-05-14 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
    2008-05-14 17:26 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
    2008-05-14 17:26 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
    2008-05-14 17:26 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
    2008-05-14 17:26 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
    2008-05-14 17:26 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
    2008-05-14 17:26 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
    2008-05-14 17:26 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
    2008-05-14 17:21 . 2008-05-14 17:21 <DIR> d-------- C:\Program Files\Electronic Arts
    2008-05-14 17:16 . 2006-03-21 06:23 23,040 --------- C:\WINDOWS\kb913800.exe
    2008-05-14 17:11 . 2006-12-07 07:14 2,330,624 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
    2008-05-14 09:47 . 2008-05-14 09:47 <DIR> d-------- C:\Program Files\WIDCOMM
    2008-05-14 09:46 . 2008-05-28 15:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-05-14 09:45 . 2008-05-14 09:45 1,733 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Pavilion dv9000 (RE380EA#UUW)_YN_0Pavi_QCNF64435DK_E432250DH2_46_I30B9_SQuanta_V65.21_BF.1A_T061025_WXP2_L409_M1023_J80_7AMD_8Turion 64 X2 Technology TL-56_91.81_#061023_N14E44312_(RE380EA#UUW).MRK
    2008-05-14 09:41 . 2008-04-14 03:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-05-14 09:41 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-05-14 09:41 . 2008-04-13 21:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-28 20:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-05-28 18:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-05-28 11:45 --------- d-----w C:\Program Files\SpeedFan
    2008-05-19 13:56 --------- d-----w C:\Program Files\Norton Internet Security
    2008-05-19 13:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-05-19 13:52 --------- d-----w C:\Program Files\Symantec
    2008-05-15 20:15 --------- d-----w C:\Program Files\CONEXANT
    2008-05-14 16:23 --------- d-----w C:\Program Files\Windows XP MUI Pack
    2008-05-14 16:23 --------- d-----w C:\Program Files\Windows Plus
    2008-05-14 16:23 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-05-14 16:22 --------- d-----w C:\Program Files\Synaptics
    2008-05-14 16:22 --------- d-----w C:\Program Files\Sonic
    2008-05-14 16:22 --------- d-----w C:\Program Files\NetWaiting
    2008-05-14 16:22 --------- d-----w C:\Program Files\Microsoft Works
    2008-05-14 16:21 --------- d-----w C:\Program Files\microsoft frontpage
    2008-05-14 16:21 --------- d-----w C:\Program Files\Java
    2008-05-14 16:21 --------- d-----w C:\Program Files\HPQ
    2008-05-14 16:21 --------- d-----w C:\Program Files\HP
    2008-05-14 16:20 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-05-14 16:20 --------- d-----w C:\Program Files\Common Files\TiVo Shared
    2008-05-14 16:20 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-05-14 16:20 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2008-05-14 16:19 --------- d-----w C:\Program Files\Common Files\LightScribe
    2008-05-14 16:19 --------- d-----w C:\Program Files\Common Files\Java
    2008-05-14 16:19 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-05-14 16:19 --------- d-----w C:\Program Files\Common Files\HP
    2008-05-14 16:19 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-14 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-05-14 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
    2008-05-14 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-05-14 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-05-14 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-05-14 16:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-05-02 10:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
    2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
    2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
    2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
    2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
    2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
    2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
    2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
    2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
    2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
    2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
    2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
    2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
    2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
    2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
    2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
    2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
    2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
    2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
    2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
    2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
    2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
    2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
    2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
    2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
    2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
    2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
    2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
    2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
    2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
    2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
    2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
    2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
    2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
    2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
    2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
    2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
    2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
    2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
    2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
    2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
    2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
    2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
    2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
    2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
    2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
    2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
    2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
    2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
    2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
    2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
    2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
    2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
    2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
    2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
    2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
    2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
    2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
    2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
    2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
    2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-28_23.11.16.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-28 20:06:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-28 20:22:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-28 20:22:18 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_248.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06E12C36-760F-4D92-8509-5E5DBF12C423}]
    2008-05-28 20:51 57344 --a------ C:\WINDOWS\system32\efcDSmKE.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 03:12 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "SpyClean"="C:\Program Files\Netcom3 Cleaner\SpyClean.exe" [2008-03-11 22:06 4505600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13:46 13529088]
    "nwiz"="nwiz.exe" [2008-05-02 13:46 1630208 C:\WINDOWS\system32\nwiz.exe]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:15 52840]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 08:01 761946]
    "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55 102400]
    "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 11:33 163840]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 13:46 86016]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 03:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
    "Windows UDP Control"="winudspm.exe" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 03:12 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe [2006-05-12 13:33:22 581693]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{06E12C36-760F-4D92-8509-5E5DBF12C423}"= C:\WINDOWS\system32\efcDSmKE.dll [2008-05-28 20:51 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDSmKE]
    efcDSmKE.dll 2008-05-28 20:51 57344 C:\WINDOWS\system32\efcDSmKE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= ffdshow.ax
    "msacm.ac3filter"= ac3filter.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier -pikakäynnistys.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier -pikakäynnistys.lnk
    backup=C:\WINDOWS\pss\HP Photosmart Premier -pikakäynnistys.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
    --a------ 2006-05-30 16:02 40960 C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    --a------ 2006-05-03 22:58 458752 C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
    --a------ 2005-10-11 10:23 1187840 C:\Windows\SMINST\RecGuard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2006-02-09 09:52 643072 C:\Windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2005-11-10 21:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PnkBstrA"=2 (0x2)
    "LightScribeService"=2 (0x2)
    "IDriverT"=3 (0x3)
    "AFinding"=2 (0x2)
    "AddFiltr"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\system32\\mqsvc.exe"=
    "C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 02:20]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 02:16]
    R2 Automattinen LiveUpdate-ajastustoiminto;Automattinen LiveUpdate-ajastustoiminto;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:58]
    R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 23:39]
    R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 02:49]
    S3 bdacap;%BdaSWCapture.DeviceDesc%;C:\WINDOWS\system32\drivers\bdacap.sys [2006-05-18 09:01]
    S3 GLHIDKBFILTER;GLHIDKBFILTER;C:\WINDOWS\system32\DRIVERS\GLKbFilter.sys [2006-01-06 08:55]
    S3 Netcom3;NetCom3 Service;C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 19:36]

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-16 18:27:31 C:\WINDOWS\Tasks\Norton AntiVirus - Suorita täydellinen järjestelmäntarkistus - Administrator.job"
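    The ComboFix report above can be triaged mechanically. The Python script below is an added example written for this page; it is not part of ComboFix, HijackThis or any post in the thread. It parses the "Reg Loading Points" section and flags the patterns visible in the log: a Run value ComboFix could not resolve to a file on disk (the empty `[]` after winudspm.exe), Security Center notifications and product monitoring switched off, the Windows Firewall standard profile disabled, a DLL under a load point that was written within a few days of the scan, and the same DLL registered as a BHO, a ShellExecuteHook and a Winlogon Notify package at once. The rule names, the "recent" threshold and the sample lines (constructed to mirror the entries above, not copied verbatim) are my own assumptions, and the scan date is passed in as a parameter because the ComboFix header line that carries it is not in this excerpt.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not part of ComboFix, HijackThis or the
original posts.  The rules are heuristics chosen to match the indicators
visible in the posted log.
"""
import re
from datetime import date
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    key: str
    detail: str


# Registry areas where a DLL is loaded into every process or at logon.
PERSISTENCE_KEYS = ("browser helper objects", "shellexecutehooks", "winlogon\\notify")
# Security Center values malware flips so the user never sees "AV is off".
SECURITY_CENTER_FLAGS = ("antivirusdisablenotify", "firewalldisablenotify", "disablemonitoring")
DISABLED_VALUES = ("dword:00000001", "1 (0x1)")

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
_PATH = re.compile(r'([A-Za-z]:\\[^\[\]"]+?\.(?:dll|exe|sys))', re.IGNORECASE)
_STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}")

# Constructed sample modelled on the entries in the log above (assumption, not verbatim).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06E12C36-760F-4D92-8509-5E5DBF12C423}]
2008-05-28 20:51 57344 --a------ C:\WINDOWS\system32\efcDSmKE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 03:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:15 52840]
"Windows UDP Control"="winudspm.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{06E12C36-760F-4D92-8509-5E5DBF12C423}"= C:\WINDOWS\system32\efcDSmKE.dll [2008-05-28 20:51 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDSmKE]
efcDSmKE.dll 2008-05-28 20:51 57344 C:\WINDOWS\system32\efcDSmKE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_sections(text):
    """Split the report into (registry key, [non-empty body lines]) pairs."""
    sections, key, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            if key is not None:
                sections.append((key, body))
            key, body = m.group(1), []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        sections.append((key, body))
    return sections


def triage(text, scan_date, recent_days=3):
    """Return Findings; scan_date is the ISO date from the ComboFix header."""
    scan = date.fromisoformat(scan_date)
    findings = []
    hooks = {}  # lowercased path -> (path as written, {keys that load it})
    for key, body in parse_sections(text):
        lkey = key.lower()
        for line in body:
            vm = _VALUE.match(line)
            name = vm.group(1).lower() if vm else ""
            value = vm.group(2).strip() if vm else ""
            # Rule 1: a Run value whose file ComboFix could not find on disk ("[]").
            if vm and lkey.endswith("\\run") and value.endswith("[]"):
                findings.append(Finding("unresolved_run", key, line))
            # Rule 2: Security Center told to stay quiet about AV/firewall state.
            if vm and "security center" in lkey and name in SECURITY_CENTER_FLAGS \
                    and value.lower() in DISABLED_VALUES:
                findings.append(Finding("security_center_disabled", key, line))
            # Rule 3: Windows Firewall profile switched off.
            if vm and "firewallpolicy" in lkey and name == "enablefirewall" and value.startswith("0"):
                findings.append(Finding("firewall_off", key, line))
            # Rules 4 and 5 apply only to in-process persistence keys.
            if not any(p in lkey for p in PERSISTENCE_KEYS):
                continue
            pm = _PATH.search(line)
            if not pm:
                continue
            path = pm.group(1)
            hooks.setdefault(path.lower(), (path, set()))[1].add(key)
            sm = _STAMP.search(line)
            # Rule 4: the loaded file was written within `recent_days` of the scan.
            if sm and 0 <= (scan - date.fromisoformat(sm.group(1))).days <= recent_days:
                findings.append(Finding("recent_persistence_dll", key, path))
    # Rule 5: one file registered under several load points (BHO + hook + notify).
    for path, keys in hooks.values():
        if len(keys) >= 2:
            findings.append(Finding("multi_hook", " | ".join(sorted(keys)), path))
    return findings


def rule_counts(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "2008-05-28"):
        print(f"{f.rule:26} {f.detail}")
```

    Run it against a saved ComboFix.txt with `triage(open(path).read(), "YYYY-MM-DD")`. The `multi_hook` and `recent_persistence_dll` rules are what single out efcDSmKE.dll here, while the Security Center and firewall values are the sign that the infection has already tampered with the machine's own defences, which is why a log like this is not cleaned by deleting one file.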
     
  4. kalminen

    kalminen Regular member
    Joined: May 4, 2007 | Messages: 3,915 | Likes Received: 0 | Trophy Points: 46
    Go to the Windows Control Panel and open Add / Remove Programs.
    Find and remove the program whose name contains:

    Netcom3


    -----------------------------------------------
    Open Notepad and copy/paste the contents of the Quote: box into it:

    Save it as CFScript (in fact ComboFix recognises it even if the file extension isn't
    .txt).

    Then drag and drop CFScript onto ComboFix.exe as in the picture below. (Don't click)

    Restart the machine if asked, and post the contents of the combofix.txt file here.
    --------------------------------------------------
    Download Malwarebytes' Anti-Malware to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, and then click Finish.
    * If an update is found, the program will download and install the latest version.
    * Once the program has loaded, select Perform full scan and click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure everything is checked and click Remove Selected.
    * After this, the log opens in Notepad. Save it somewhere you can find it easily. The log can also be found
    here: C:\Documents and Settings\<username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-<date>.txt
    * Post the contents of the log in your next reply, plus a new HJT log.
    -----------------------------------------------
    Close your browser and other programs while the fix runs (not the antivirus).
    Start HijackThis, click Scan, tick the following entries listed in red, and remove them (Fix Checked).

    O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\efcDSmKE.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
    O20 - Winlogon Notify: efcDSmKE - C:\WINDOWS\SYSTEM32\efcDSmKE.dll
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe

    Empty the Recycle Bin and restart your computer.

    Post the following logs here:
    * A fresh HijackThis log (taken last, right before posting)
    * The (C:\ComboFix.txt) report
    * Malwarebytes' Anti-Malware\Logs\log-<date>.txt
     
