So apparently some virus came in through Messenger. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:41:18, on 2.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\service.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jones\Desktop\cureit.exe
C:\DOCUME~1\Jones\LOCALS~1\Temp\RarSFX2\_start.exe
C:\DOCUME~1\Jones\LOCALS~1\Temp\RarSFX2\setup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: BetOnBet Poker - {2B936D2B-EDD7-405f-9057-3685BE897E62} - C:\Microgaming\Poker\betonbetMPP\MPPoker.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Microgaming\Poker\nordicbetMPP\MPPoker.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5186 bytes

And in addition the ComboFix log:

ComboFix 08-06-01.6 - Jones 2008-06-02 18:47:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1423 [GMT 3:00]
Running from: C:\Documents and Settings\Jones\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Ninni\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\service.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.
2008-06-02 15:22 . 2008-06-02 15:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-01 23:30 . 2008-06-01 23:31 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{46AC75EC-A524-4206-8FDF-9982CD2514B5}
2008-05-20 23:03 . 2008-05-20 23:03 <DIR> d-------- C:\Program Files\Ubisoft
2008-05-17 21:43 . 2008-05-17 21:43 <DIR> d-------- C:\Documents and Settings\Jones\Application Data\AdobeUM
2008-05-17 15:16 . 2008-06-02 18:41 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-15 20:24 . 2008-06-02 14:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Program Files\AVG
2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-15 20:24 . 2008-05-15 20:24 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-15 20:24 . 2008-05-15 20:24 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-15 20:24 . 2008-05-15 20:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-14 07:56 . 2008-05-14 07:59 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-05-14 07:56 . 2008-05-14 07:59 54,606 --a------ C:\WINDOWS\scunin.dat
2008-05-14 07:56 . 2008-05-14 07:59 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-11 23:38 . 2008-05-11 23:38 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-11 23:35 . 2008-05-11 23:35 36 ---h----- C:\WINDOWS\system32\swk.ini
2008-05-10 09:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-10 09:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-10 09:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-09 14:40 . 2008-05-09 14:41 <DIR> d-------- C:\Program Files\Windows Live
2008-05-09 14:40 . 2008-05-09 14:40 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-09 14:40 . 2008-05-09 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-09 14:14 . 2008-05-09 14:14 <DIR> d-------- C:\Poker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 12:35 --------- d-----w C:\Documents and Settings\Jones\Application Data\Xfire
2008-06-02 08:04 --------- d-----w C:\Documents and Settings\Jones\Application Data\Skype
2008-05-31 04:20 --------- d-----w C:\Documents and Settings\Jones\Application Data\skypePM
2008-05-30 16:20 --------- d-----w C:\Documents and Settings\Jones\Application Data\Microgaming
2008-05-26 18:59 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-22 18:59 --------- d-----w C:\Documents and Settings\Jones\Application Data\teamspeak2
2008-05-20 20:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-13 08:32 --------- d-----w C:\Program Files\Winamp
2008-05-05 16:21 --------- d-----w C:\Program Files\Opera
2008-04-23 16:51 --------- d-----w C:\Program Files\StepMania
2008-04-02 16:35 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-04-02 16:35 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-04-02 16:35 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 13:09 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-03-26 13:09 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-01-17 17:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-08-28 20:02 396,288 ----a-w C:\Documents and Settings\Jones\scanner.exe
2007-08-28 20:02 396,288 ----a-w C:\Documents and Settings\Jones\Jones.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-22 15:06 167368]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Power2GoExpress"="" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-12 16:20 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 09:46 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 09:46 69632]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 12:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-11-03 16:53 81920]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-23 00:45 1115728]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-15 20:24 1177368]
"Windows svchost"="service.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13544:TCP"= 13544:TCP:BitComet 13544 TCP
"13544:UDP"= 13544:UDP:BitComet 13544 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-15 20:24]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-15 20:24]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-15 20:24]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-15 20:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 18:48:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\antiwpa.dll
.
Completion time: 2008-06-02 18:49:40
ComboFix-quarantined-files.txt 2008-06-02 15:49:31
ComboFix2.txt 2007-08-30 12:00:33

Pre-Run: 46,564,659,200 bytes free
Post-Run: 46,569,758,720 bytes free

132 --- E O F --- 2008-05-16 20:50:34
The start already looks good!!!

Close your browser and other programs for the duration of the fix (not the antivirus).

Start HijackThis, click Scan, tick the following entries listed in red and remove them (Fix Checked):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows svchost] service.exe

-----------------------------------------------------

Download Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, make sure the following are selected: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, the program downloads and installs the newest version.
* Once the program has loaded, select Perform full scan and click Scan.
* When the scan is complete, click OK and then Show Results to view the results.
* Make sure everything is checked and click Remove Selected.
* After this a log opens in Notepad. Save it somewhere you can find it easily. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
* Post the contents of the log in your next message + a new HJT log.
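As an added example (not part of this thread), the two entries the helper singles out can be picked out of a HijackThis log mechanically: a BHO whose DLL no longer exists, and a Run key whose name borrows a core Windows process name (here "svchost") while actually launching something else. The sample lines are copied from the log above; the regexes, the `CORE_PROCESSES` set and the heuristics are my own assumptions, not HijackThis logic.

```python
import re
# Sample input: O2/O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Core Windows process names that malware likes to borrow for its Run-key name (my own list).
CORE_PROCESSES = {"svchost", "lsass", "winlogon", "services", "csrss", "smss", "explorer"}

def target_path(cmd):
    """Extract the executable path from a Run-key command (quoted, or the first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def flag_suspicious(log_text):
    """Return (line, reason) pairs for the entries a helper would tell the poster to fix."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O2_RE.match(line)
        if m and m.group("file").lower() == "(no file)":
            findings.append((line, "orphaned BHO: CLSID registered but its DLL is gone"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        borrowed = set(re.split(r"[^a-z0-9]+", m.group("name").lower())) & CORE_PROCESSES
        if not borrowed:
            continue
        proc = borrowed.pop()
        path = target_path(m.group("cmd")).lower()
        folder, _, exe = path.rpartition("\\")
        # The genuine process is system32\<proc>.exe; any other target is masquerading.
        if exe != proc + ".exe" or not folder.endswith("\\system32"):
            findings.append((line, f"Run entry named after {proc}.exe but launches {path}"))
    return findings

if __name__ == "__main__":
    for entry, reason in flag_suspicious(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```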