
SpyFalcon



dollargrin

Through my work e-mail, via the browser, I got SpyFalcon.

The start page in Explorer is hijacked, and an icon in the lower right corner is flashing (alternating between a red crossed-out circle and a wheelchair figure).

As far as I understand, it is SpyFalcon.

What should I do?

 

Thanks for all the help

/Conny

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 16:59:40, on 2006-05-05

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Program\F-secure\backweb\4476822\Program\SERVIC~1.EXE

D:\Program\F-secure\backweb\4476822\program\fsbwsys.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dcomcfg.exe

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

D:\Program\F-secure\backweb\4476822\Program\fspex.exe

D:\Program\F-secure\Common\FSMA32.EXE

D:\Program\F-secure\Common\FSMB32.EXE

D:\Program\F-secure\Common\FCH32.EXE

D:\Program\F-secure\Anti-Virus\fsgk32st.exe

D:\Program\F-secure\Anti-Virus\FSGK32.EXE

D:\Program\F-secure\Common\FAMEH32.EXE

D:\Program\F-secure\Anti-Virus\fsqh.exe

D:\Program\F-secure\Anti-Virus\fssm32.exe

D:\Program\F-secure\Anti-Virus\fsrw.exe

D:\Program\F-secure\FWES\Program\fsdfwd.exe

D:\Program\F-secure\FSPC\fspc.exe

D:\Program\F-secure\Anti-Virus\fsav32.exe

D:\Program\F-secure\Common\FSM32.EXE

D:\Program\F-secure\ANTI-S~1\fsaw.exe

D:\Program\F-secure\FSGUI\fsguidll.exe

D:\Program\Winamp\winamp.exe

C:\DOCUME~1\Peter\LOKALA~1\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpEDF9.tmp

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program\F-secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "D:\Program\F-secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Program\F-secure\FSGUI\FSSW.EXE" /reboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: F-Secure 2006.lnk = D:\Program\F-secure\backweb\4476822\Program\fspex.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Blockera detta popup-fönster - D:\Program\F-secure\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\F-secure\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Program\F-secure\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Program\F-secure\FSPC\fspcmsie.dll

O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\F-secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\F-secure\Anti-Spyware\ieshield.dll

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145100466714

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145101839639

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/Bet365/FlashAX.cab

O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - D:\Program\F-secure\backweb\4476822\Program\SERVIC~1.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program\F-secure\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - D:\Program\F-secure\backweb\4476822\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program\F-secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Program\F-secure\FSPC\fshttps\fshttps.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program\F-secure\Common\FSMA32.EXE

[/log]

 

 


dollargrin

Thanks, here it is:

 

SmitFraudFix v2.40

 

Scan done at 23:21:02,00, 2006-05-05

Run from C:\Documents and Settings\Peter\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\dcomcfg.exe FOUND !

C:\WINDOWS\system32\hp????.tmp FOUND !

C:\WINDOWS\system32\ot.ico FOUND !

C:\WINDOWS\system32\reglogs.dll FOUND !

C:\WINDOWS\system32\simpole.tlb FOUND !

C:\WINDOWS\system32\stdole3.tlb FOUND !

C:\WINDOWS\system32\ts.ico FOUND !

C:\WINDOWS\system32\1024\ FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Peter\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Peter\FAVORI~1

 

C:\DOCUME~1\Peter\FAVORI~1\Antivirus Test Online.url FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{35a88e51-b53d-43e9-b8a7-75d4c31b4676}"="Register LogWare"

 

[HKEY_CLASSES_ROOT\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]

@="C:\WINDOWS\system32\reglogs.dll"

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]

@="C:\WINDOWS\system32\reglogs.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 


 

Start the computer in Safe Mode.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Choose the option Clean = press 2 and Enter.

Then wait until it has finished.

At the question "Registry cleaning - Do you want to clean the registry ?"

answer Yes by pressing Y and Enter.

If wininet.dll is infected you will get the question "Replace infected file ?"

answer Yes by pressing Y and Enter.

If the computer does not restart automatically, start it in normal mode.

 

Then post a new HijackThis log and the C:\rapport.txt log.

 

 


dollargrin

Alright, here are the logs, first HijackThis:

 

--------

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 13:36:34, on 2006-05-06

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Program\F-secure\backweb\4476822\Program\SERVIC~1.EXE

D:\Program\F-secure\Anti-Virus\fsgk32st.exe

D:\Program\F-secure\Anti-Virus\FSGK32.EXE

D:\Program\F-secure\backweb\4476822\program\fsbwsys.exe

D:\Program\F-secure\backweb\4476822\Program\fspex.exe

D:\Program\F-secure\Common\FSMA32.EXE

D:\Program\F-secure\Common\FSMB32.EXE

C:\WINDOWS\System32\svchost.exe

D:\Program\F-secure\Anti-Virus\fssm32.exe

D:\Program\F-secure\Common\FCH32.EXE

C:\WINDOWS\Explorer.EXE

D:\Program\F-secure\Common\FSM32.EXE

D:\Program\F-secure\Common\FAMEH32.EXE

D:\Program\F-secure\Anti-Virus\fsqh.exe

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

D:\Program\Winzip\WZQKPICK.EXE

D:\Program\F-secure\FSPC\fspc.exe

D:\Program\F-secure\Anti-Virus\fsrw.exe

D:\Program\F-secure\FWES\Program\fsdfwd.exe

D:\Program\F-secure\Anti-Virus\fsav32.exe

D:\Program\F-secure\ANTI-S~1\fsaw.exe

D:\Program\F-secure\FSGUI\fsguidll.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Peter\Skrivbord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program\F-secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "D:\Program\F-secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Program\F-secure\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: F-Secure 2006.lnk = D:\Program\F-secure\backweb\4476822\Program\fspex.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program\Winzip\WZQKPICK.EXE

O8 - Extra context menu item: &Blockera detta popup-fönster - D:\Program\F-secure\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\F-secure\FSPC\fspcmsie.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Program\F-secure\FSPC\fspcmsie.dll

O9 - Extra 'Tools' menuitem: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Program\F-secure\FSPC\fspcmsie.dll

O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\F-secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\F-secure\Anti-Spyware\ieshield.dll

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145100466714

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145101839639

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/Bet365/FlashAX.cab

O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - D:\Program\F-secure\backweb\4476822\Program\SERVIC~1.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program\F-secure\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - D:\Program\F-secure\backweb\4476822\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program\F-secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Program\F-secure\FSPC\fshttps\fshttps.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program\F-secure\Common\FSMA32.EXE

[/log]

----------

 

and then rapport.txt:

 

----------

 

SmitFraudFix v2.40

 

Scan done at 13:31:56,42, 2006-05-06

Run from C:\Documents and Settings\Peter\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\system32\dcomcfg.exe Deleted

C:\WINDOWS\system32\hp????.tmp Deleted

C:\WINDOWS\system32\ot.ico Deleted

C:\WINDOWS\system32\reglogs.dll Deleted

C:\WINDOWS\system32\simpole.tlb Deleted

C:\WINDOWS\system32\stdole3.tlb Deleted

C:\WINDOWS\system32\ts.ico Deleted

C:\WINDOWS\system32\1024\ Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

--------

 

/Conny

 

 

 

 

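As an added example (not from the thread, and not part of HijackThis or SmitFraudFix), the script below shows how a responder can triage HijackThis-style log lines mechanically rather than by eye. It parses the "Running processes" paths and the Rxx/Oxx entries, flags the SmitFraud-family indicators visible in the two logs above (a BHO loaded from a .tmp file in system32, file names from the SmitFraudFix "FOUND !" list, and the O10 broken-LSP line), and diffs the before and after logs to show what the cleanup actually removed. The log excerpts embedded in the script are copied from the posts; the rule names and the known-file set are this example's own choices, not a published signature set.

```python
"""Triage of HijackThis 1.99.1 logs for the SmitFraud-family indicators
(SpyFalcon and relatives) seen in this thread.

Added example: not part of the thread, of HijackThis or of SmitFraudFix.
The rule names and the known-file set are this example's own choices.
"""
import re
from dataclasses import dataclass

# Excerpts copied from the two HijackThis logs posted above
# (before and after running SmitFraudFix). Only the relevant lines are kept.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpEDF9.tmp
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program\F-secure\Anti-Virus\fsgk32st.exe
"""

AFTER_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program\F-secure\Anti-Virus\fsgk32st.exe
"""

# File names from the SmitFraudFix "FOUND !" list in the thread; hp????.tmp
# is matched separately because the four characters vary per infection.
SMITFRAUD_FILES = {"dcomcfg.exe", "reglogs.dll", "simpole.tlb",
                   "stdole3.tlb", "ot.ico", "ts.ico"}
HP_TMP_RE = re.compile(r"^hp[0-9a-f]{4}\.tmp$")

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - ")
PROC_RE = re.compile(r"^[A-Za-z]:\\")  # bare path under "Running processes:"
# Drive-letter paths may contain spaces, so stop at the first known extension.
PATH_RE = re.compile(r"""[A-Za-z]:\\[^"']*?\.(?:exe|dll|tmp|tlb|ico)\b""",
                     re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", ... or "proc" for a running-process line
    raw: str


@dataclass(frozen=True)
class Finding:
    rule: str
    entry: str


def parse_log(text: str) -> list[Entry]:
    """Turn a HijackThis log into entries; headers and blank lines are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("section"), line))
        elif PROC_RE.match(line):
            entries.append(Entry("proc", line))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the SmitFraud heuristics visible in this thread's logs."""
    findings: list[Finding] = []

    def flag(rule: str, entry: Entry) -> None:
        f = Finding(rule, entry.raw)
        if f not in findings:
            findings.append(f)

    for e in entries:
        if e.section == "O10":
            # HijackThis reports a broken Winsock LSP chain. It survived the
            # cleanup in the thread, so it needs a manual check, not an auto-fix.
            flag("broken_lsp_manual_check", e)
        for path in PATH_RE.findall(e.raw):
            name = path.rsplit("\\", 1)[-1].lower()
            in_system32 = "\\system32\\" in path.lower()
            if e.section == "O2" and name.endswith(".tmp"):
                # A Browser Helper Object is normally a registered DLL; a .tmp
                # module in system32 is the SpyFalcon BHO seen in the first log.
                flag("bho_from_tmp_file", e)
            if in_system32 and (name in SMITFRAUD_FILES or HP_TMP_RE.match(name)):
                flag("known_smitfraud_file", e)
    return findings


def removed_by_cleanup(before: list[Entry], after: list[Entry]) -> list[str]:
    """Entries present before the cleanup and gone afterwards."""
    still_there = {e.raw for e in after}
    return [e.raw for e in before if e.raw not in still_there]


if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for label, entries in (("before", before), ("after", after)):
        print(f"== {label} ==")
        for f in triage(entries):
            print(f"  [{f.rule}] {f.entry}")
    print("== removed by cleanup ==")
    for raw in removed_by_cleanup(before, after):
        print("  " + raw)
```

Run stand-alone, the script lists the dcomcfg.exe process and the .tmp BHO as findings in the "before" log, only the O10 line in the "after" log, and exactly those two entries as removed by the cleanup. The O10 line is deliberately reported rather than "fixed": it is identical in both logs, so SmitFraudFix did not touch it, and the named DLL should be compared against the installed security suite before any LSP-repair option is used.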

dollargrin

Yes, what a relief!

Thank you so much for the help.

 

May the sun shine on you day and night.

 

Kind regards

Conny Orbetu

 
