
TROJAN.SMALL.FB


Mattias1975


I first ran Ewido and then download.agent.uj showed up, which could not be removed. But I found a program that managed to remove it, or maybe it just renamed it to trojan.small.fb, because that could not be removed with Ewido either. The program is called rmdlagentuj.exe

Anyway, pages I have not chosen keep popping up while I browse. Here is a log file from HijackThis

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 22:03:33, on 2006-11-08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\sm56hlpr.exe

C:\Program\CyberLink\PowerDVD\PDVDServ.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\alg.exe

C:\Documents and Settings\BERKAN\Mina dokument\Mina mottagna filer\spywereprogram\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.sve.chello.se/ssi/welcome/welcome.php?url=home

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer erhållet av chello broadband n.v.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [dmjdf.exe] C:\WINDOWS\system32\dmjdf.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?71a9ad7ab43341c9b4831b80727670c1

O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?71a9ad7ab43341c9b4831b80727670c1

O9 - Extra button: @c:\Program\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF916150-4F67-4359-8AA1-42894ABD14FC}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{F63FA883-FA11-4A73-92AC-C6D5FAA55AA1}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

[/log]

Regards, Mattias

 

 


Download FixWareout from one of these locations and save it, for example, on the Desktop:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

 

Save the file on the Desktop.

 

Close all programs, because the computer will be restarted shortly.

 

Double-click the file you just downloaded to start the FixWareout program.

 

Then press Next, Install, check that Run fixit is ticked, and press Finish.

The fix starts running; follow all the instructions. When you are asked to restart the computer, do so. It is normal for the restart to take longer than usual.

Paste the log file C:\fixwareout\report.txt, which normally opens automatically, and a new HijackThis log in your reply, and write how it went.

 


Hi Cecilia!

I will try it a bit later today. But I realized one thing: when I made the log file I sent, I did not run HijackThis in Safe Mode. Do I have to send a new log file where I have run it in Safe Mode?

 


Okay, good.

I will try what you said, but it will not be until tonight, since I am at work now.

It will be interesting to see if it works.

 

Regards, Mattias

 


Hi Cecilia!

 

I have now run FixWareout. So here come the log files,

first FixWareout.

 

Then I ran Ewido, and trojan.small.fb was gone,

so I have to thank you so much for the help.

 

 

Fixwareout ver 1.003

Last edited 8/11/2006

Post this report in the forums please

 

Reg Entries that were deleted

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8AE0FE5CF717-9B29-C844-3D29-55D72223{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A8AE3030AC10-3C59-CE14-7194-99A3C656{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\skmmd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls...

 

Random Runs removed from HKLM

"dmmks.exe"=-

...

 

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

 

»»»»» Searching by size/names...

C:\WINDOWS\SYSTEM32\DMQOME~1.REN

 

»»»»»

Search five digit cs, dm and jb files.

This WILL/CAN also list Legit Files, Submit them at Virustotal

C:\WINDOWS\SYSTEM32\CSVXY.EXE 51 735 2006-10-10

C:\WINDOWS\SYSTEM32\DMMKS.EXE 61 022 2005-04-07

C:\WINDOWS\SYSTEM32\DMSEL.EXE 61 022 2005-04-07

 

Other suspects.

Directory of C:\WINDOWS\system32

 

»»»»» Misc files.

 

»»»»» Checking for older varients covered by the Rem3 tool.

 

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 17:06:35, on 2006-11-09

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\sm56hlpr.exe

C:\Program\CyberLink\PowerDVD\PDVDServ.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Documents and Settings\BERKAN\Mina dokument\Mina mottagna filer\spywereprogram\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer erhållet av chello broadband n.v.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?71a9ad7ab43341c9b4831b80727670c1

O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?71a9ad7ab43341c9b4831b80727670c1

O9 - Extra button: @c:\Program\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF916150-4F67-4359-8AA1-42894ABD14FC}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{F63FA883-FA11-4A73-92AC-C6D5FAA55AA1}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

[/log]

Regards, Mattias

[post edited 2006-11-09 18:32:51 by Mattias1975]


Go to http://www.virustotal.com/, paste in one of the following file names, press Send and wait until the result is ready (Status becomes Finished). Paste the result (incl. file size) here. Repeat with the next file name.

C:\WINDOWS\SYSTEM32\CSVXY.EXE

C:\WINDOWS\SYSTEM32\DMMKS.EXE

C:\WINDOWS\SYSTEM32\DMSEL.EXE

 

Control Panel - Administrative Tools - Services

Find Norman API-hooking helper in the list, double-click it and set Startup type to Disabled.

 

Scan with HijackThis and tick:

 

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF916150-4F67-4359-8AA1-42894ABD14FC}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{F63FA883-FA11-4A73-92AC-C6D5FAA55AA1}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101

 

Close all other programs.

Press Fix checked.

 

Restart the computer and then post a new HijackThis log.
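As an added example (not from this thread, and not part of HijackThis, FixWareout or any other tool discussed here), the following Python script triages a HijackThis log for the two things Cecilia picks out above: O17 NameServer entries pointing at resolvers outside an expected allowlist, and O4 Run entries that launch the random five-letter cs/dm/jb executables FixWareout searches for. The allowlist ranges and the GUID on the last sample line are constructed for the example; the other sample lines are copied from the logs in this thread.

```python
import re
from ipaddress import ip_address, ip_network

# Resolvers this machine is expected to use. Constructed for the example:
# RFC 1918 ranges (home router) plus a placeholder "ISP resolver" block
# (TEST-NET-2). In practice, fill this from the ISP's published resolvers.
EXPECTED_RESOLVERS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("198.51.100.0/24"),
]

# FixWareout's heuristic from the thread: five-letter names beginning with
# cs, dm or jb (dmjdf.exe, csvxy.exe, dmmks.exe, dmsel.exe).
RANDOM_NAME_RE = re.compile(r"\\(cs|dm|jb)[a-z]{3}\.exe\b", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def unexpected_nameservers(line):
    """Return the resolver addresses on an O17 line that are outside the allowlist."""
    m = O17_RE.match(line.strip())
    if not m:
        return []
    bad = []
    # HijackThis prints the list comma-separated for interface keys and
    # space-separated for the Parameters key, so split on either.
    for tok in re.split(r"[,\s]+", m.group("servers")):
        if not tok:
            continue
        try:
            ip = ip_address(tok)
        except ValueError:
            bad.append(tok)  # not even an address: worth a look
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            bad.append(tok)
    return bad


def suspicious_run_entry(line):
    """True if an O4 Run entry launches a random cs/dm/jb five-letter executable."""
    m = O4_RE.match(line.strip())
    if not m:
        return False
    return RANDOM_NAME_RE.search(m.group("cmd")) is not None


def triage(log_text):
    """Walk a HijackThis log and return (line_no, reason) findings in order."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        bad = unexpected_nameservers(line)
        if bad:
            findings.append((no, "O17 NameServer outside allowlist: " + ", ".join(bad)))
        if suspicious_run_entry(line):
            findings.append((no, "O4 Run entry with random cs/dm/jb name"))
    return findings


# Constructed sample: lines 1-4 are from this thread's logs, line 5 uses a
# placeholder GUID and a router address to show a benign O17 entry.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmjdf.exe] C:\WINDOWS\system32\dmjdf.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F9099E5-FE9E-4158-A7F2-A88053A96BD2}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for no, reason in triage(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```

Anything the script flags still has to be judged against what the machine's ISP actually hands out, as the FixWareout report itself warns that legitimate entries can be listed.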

 


Here comes the first one

 

STATUS: FINISHED
Complete scanning result of "CSVXY.EXE", received in VirusTotal at 11.09.2006, 20:13:29 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.39 11.09.2006 no virus found

Authentium 4.93.8 11.09.2006 could be a corrupted executable file

Avast 4.7.892.0 11.09.2006 no virus found

AVG 386 11.09.2006 no virus found

BitDefender 7.2 11.09.2006 MemScan:Trojan.Downloader.Mohbpork.A

CAT-QuickHeal 8.00 11.09.2006 (Suspicious) - DNAScan

ClamAV devel-20060426 11.09.2006 no virus found

DrWeb 4.33 11.09.2006 Trojan.DnsChange

eTrust-InoculateIT 23.73.50 11.09.2006 no virus found

eTrust-Vet 30.3.3184 11.09.2006 no virus found

Ewido 4.0 11.09.2006 no virus found

Fortinet 2.82.0.0 11.09.2006 Agent.BC!tr.spy

F-Prot 3.16f 11.09.2006 Possibly a new variant of W32/new-malware!Maximus

F-Prot4 4.2.1.29 11.09.2006 W32/new-malware!Maximus

Ikarus 0.2.65.0 11.09.2006 no virus found

Kaspersky 4.0.2.24 11.09.2006 no virus found

McAfee 4892 11.09.2006 Spy-Agent.bc

Microsoft 1.1609 11.09.2006 no virus found

NOD32v2 1860 11.09.2006 a variant of Win32/Small.FB

Norman 5.80.02 11.09.2006 no virus found

Panda 9.0.0.4 11.09.2006 Trj/Ruins.BH

Sophos 4.11.0 11.07.2006 no virus found

TheHacker 6.0.1.116 11.09.2006 no virus found

UNA 1.83 11.09.2006 no virus found

VBA32 3.11.1 11.09.2006 suspected of Trojan-Downloader.Agent.32

VirusBuster 4.3.15:9 11.09.2006 no virus found

 

 

Aditional Information

 

 


The second one

 

STATUS: FINISHED
Complete scanning result of "DMMKS.EXE", received in VirusTotal at 11.09.2006, 20:18:12 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.39 11.09.2006 TR/Dldr.Mohbpork.B.10

Authentium 4.93.8 11.09.2006 could be a corrupted executable file

Avast 4.7.892.0 11.09.2006 no virus found

AVG 386 11.09.2006 no virus found

BitDefender 7.2 11.09.2006 MemScan:Trojan.Downloader.Mohbpork.B

CAT-QuickHeal 8.00 11.09.2006 (Suspicious) - DNAScan

ClamAV devel-20060426 11.09.2006 no virus found

DrWeb 4.33 11.09.2006 Trojan.DnsChange

eTrust-InoculateIT 23.73.50 11.09.2006 no virus found

eTrust-Vet 30.3.3184 11.09.2006 no virus found

Ewido 4.0 11.09.2006 no virus found

Fortinet 2.82.0.0 11.09.2006 suspicious

F-Prot 3.16f 11.09.2006 Possibly a new variant of W32/new-malware!Maximus

F-Prot4 4.2.1.29 11.09.2006 W32/new-malware!Maximus

Ikarus 0.2.65.0 11.09.2006 no virus found

Kaspersky 4.0.2.24 11.09.2006 no virus found

McAfee 4892 11.09.2006 no virus found

Microsoft 1.1609 11.09.2006 no virus found

NOD32v2 1860 11.09.2006 a variant of Win32/Small.FB

Norman 5.80.02 11.09.2006 no virus found

Panda 9.0.0.4 11.09.2006 Trj/Ruins.DA

Sophos 4.11.0 11.07.2006 no virus found

TheHacker 6.0.1.116 11.09.2006 no virus found

UNA 1.83 11.09.2006 no virus found

VBA32 3.11.1 11.09.2006 Trojan.DnsChange

VirusBuster 4.3.15:9 11.09.2006 no virus found

 

 

Aditional Information

File size: 61022 bytes

 

 


And the third one

 

STATUS: FINISHED
Complete scanning result of "DMSEL.EXE", received in VirusTotal at 11.09.2006, 20:21:59 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.39 11.09.2006 TR/Dldr.Mohbpork.B.10

Authentium 4.93.8 11.09.2006 could be a corrupted executable file

Avast 4.7.892.0 11.09.2006 no virus found

AVG 386 11.09.2006 no virus found

BitDefender 7.2 11.09.2006 MemScan:Trojan.Downloader.Mohbpork.B

CAT-QuickHeal 8.00 11.09.2006 (Suspicious) - DNAScan

ClamAV devel-20060426 11.09.2006 no virus found

DrWeb 4.33 11.09.2006 Trojan.DnsChange

eTrust-InoculateIT 23.73.50 11.09.2006 no virus found

eTrust-Vet 30.3.3184 11.09.2006 no virus found

Ewido 4.0 11.09.2006 no virus found

Fortinet 2.82.0.0 11.09.2006 suspicious

F-Prot 3.16f 11.09.2006 Possibly a new variant of W32/new-malware!Maximus

F-Prot4 4.2.1.29 11.09.2006 W32/new-malware!Maximus

Ikarus 0.2.65.0 11.09.2006 no virus found

Kaspersky 4.0.2.24 11.09.2006 no virus found

McAfee 4892 11.09.2006 no virus found

Microsoft 1.1609 11.09.2006 no virus found

NOD32v2 1860 11.09.2006 a variant of Win32/Small.FB

Norman 5.80.02 11.09.2006 no virus found

Panda 9.0.0.4 11.09.2006 Trj/Ruins.DA

Sophos 4.11.0 11.07.2006 no virus found

TheHacker 6.0.1.116 11.09.2006 no virus found

UNA 1.83 11.09.2006 no virus found

VBA32 3.11.1 11.09.2006 Trojan.DnsChange

VirusBuster 4.3.15:9 11.09.2006 no virus found

 

 

Aditional Information

 

 


Hello!

 

So now I have removed the files you mentioned, restarted,

and run HijackThis. Here comes the log file.

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 20:43:26, on 2006-11-09

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Grisoft\AVGFRE~1\avgemc.exe

C:\Program\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\sm56hlpr.exe

C:\Program\CyberLink\PowerDVD\PDVDServ.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\Program\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\BERKAN\Mina dokument\Mina mottagna filer\spywereprogram\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer erhållet av chello broadband n.v.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/229?71a9ad7ab43341c9b4831b80727670c1

O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\Windows Live Toolbar\Components\sv-se\msntabres.dll.mui/230?71a9ad7ab43341c9b4831b80727670c1

O9 - Extra button: @c:\Program\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

[/log]

Regards, Mattias

 


Delete the files:

C:\WINDOWS\SYSTEM32\CSVXY.EXE

C:\WINDOWS\SYSTEM32\DMMKS.EXE

C:\WINDOWS\SYSTEM32\DMSEL.EXE

 

Nothing nasty is visible in the log anymore. How is the computer behaving? Does Ewido find anything?

 


 

So now I have removed the files and run Ewido, which does not find anything.

I have not been online that much yet, but so far I have not ended up on an unwanted page that I did not choose.

So everything looks really good.

 

Thanks so much

 

/Mattias

 


That's good!

 

Here are my usual tips for a safer computer, but of course it is also important to use common sense.

 

Update from Windows Update and run the anti-spyware programs AVG Anti-Spyware (Ewido), Spybot S&D and/or Ad-aware regularly.

http://www.ewido.net/en/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Supplement the antivirus program with a few online scans now and then:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Use a firewall (better than the one built into XP); free ones are available from e.g. ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

If you use Internet Explorer, it may be a good idea to have the programs SpywareBlaster and SpywareGuard, which prevent a lot of nasty programs from being downloaded or run, respectively:

http://www.javacoolsoftware.com

 

Review the security settings in Internet Explorer; there are a lot of tips here:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Also run IE-SpyAd, which puts a whole lot of nasty websites in the Restricted sites zone in Internet Explorer so that they cannot do anything to the computer:

http://www.spywarewarrior.com/uiuc/resource.htm

 

If you switch browsers, only SpywareGuard is needed. Other browsers include, for example, Mozilla Firefox and Opera:

http://www.mozilla.org

http://www.opera.com

 

All free for home users/personal use.

 
