swizzor

[sidartha]

Hej jag har några problem.

1. nod32 varnar och blockerar varje jämn timme och ibland mer för http://bins.dns-look-up/bins/int/upAYB.int win32/trojandownloader.swizzor trojan

 

Jag har testat massa antispy proggram men inget hittar felet verkar det som.

tex

SnD

xoftspy

emco

spyware doctor

 

2. någon codeinjektion sker i explorer.exe som blockeras en gång i minuten av keirofirewall.

Bland annat så sker det något märkligt som inte brukar synas om det nu har med saken att göra men det är att någon fil som heter microsoft.exe körs vi uppstarten.

 

Har in nån ide om problemet är jag glad!

 

[Cecilia]

Vi kan ju se om HijackThis visar något till att börja med:

http://www.thespykiller.co.uk/files/HJTsetup.exe

Installera, kör, skanna och spara loggen (inget annat).

 

I ditt svar bifogar du HijackThis-loggen på detta sätt:

Tryck på LOG-knappen i Besvara-fönstret

Klistra in loggen

Tryck igen på LOG-knappen

 

[sidartha]

[log]

Logfile of HijackThis v1.99.1

Scan saved at 16:57:24, on 2006-12-13

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\atievxx.exe

C:\Program\Iomega\System32\AppServices.exe

C:\Program\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\Java\jre1.5.0_09\bin\jusched.exe

C:\Program\Iomega HotBurn Pro\Autolaunch.exe

C:\Program\DAEMON Tools\daemon.exe

C:\Program\Eset\nod32kui.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\Winamp\winampa.exe

C:\Program\Windows Defender\MSASCui.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS02'>http://g.msn.se/0SESVSE/SAOS02

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se'>http://www.google.se'>http://www.google.se'>http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program\Iomega HotBurn Pro\Autolaunch.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.tangomini.se'>http://www.tangomini.se

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154065635352'>http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154065635352

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab'>http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab'>http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab'>http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab'>http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Iomega App Services - Iomega Corporation - C:\Program\Iomega\System32\AppServices.exe

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

 

Logfile of HijackThis v1.99.1

Scan saved at 16:57:24, on 2006-12-13

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\atievxx.exe

C:\Program\Iomega\System32\AppServices.exe

C:\Program\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\Java\jre1.5.0_09\bin\jusched.exe

C:\Program\Iomega HotBurn Pro\Autolaunch.exe

C:\Program\DAEMON Tools\daemon.exe

C:\Program\Eset\nod32kui.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\Winamp\winampa.exe

C:\Program\Windows Defender\MSASCui.exe

C:\Program\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS02

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program\Iomega HotBurn Pro\Autolaunch.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.tangomini.se

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154065635352

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Iomega App Services - Iomega Corporation - C:\Program\Iomega\System32\AppServices.exe

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

[/log]

 

[sidartha]

OBS problem 2 är redan löst verkar det som för problemet med explorer verkade försvinna sedan jag uppdaterat på windowsupdate.

 

 

[Cecilia]

I vilken fil och mapp hittar Nod32 trojanen?

 

[sidartha]

Inte i någon mapp alls!

Imon i nod 32 stoppar ovan nämnda adress från att ladda ned filen i min dator.

Vad som är problemet verkar vara att något malware som jag inte hittar försöker logga till sidan en gång varje jämn timme.

 

IMON i nod startar en dialog ruta varje jämn timme där den hindrar adress:bins.dns-look-up/bins/int/upAYB.int win32/trojandownloader.swizzor trojan

från att laddas ned och låter mig välja "terminate" eller copy to "quarantine".

Läs nods log nedan

Loggarna är både ifrån amon och imon i nod32

[log]

Time Module Object Name Threat Action User Information

2006-12-11 23:02:00 AMON file C:\DOCUME~1\p\LOKALA~1\Temp\fbb76.exe Win32/TrojanDownloader.Swizzor trojan quarantined - deleted Event occurred on a new file created by the application: c:\program\intern~1\iexplore.exe. The file was moved to quarantine. You may close this window.

 

Time Module Object Name Threat Action User Information

2006-12-11 23:03:01 AMON file C:\Documents and Settings\p\Lokala inställningar\Temporary Internet Files\Content.IE5\7V51Y341\upAYB[9].int Win32/TrojanDownloader.Swizzor trojan quarantined - deleted Event occurred on a new file created by the application: c:\program\intern~1\iexplore.exe. The file was moved to quarantine. You may close this window.

 

Time Module Object Name Threat Action User Information

2006-12-13 18:00:29 IMON file http://bins.dns-look-up.com/bins/int/upAYB.int'>http://bins.dns-look-up.com/bins/int/upAYB.int Win32/TrojanDownloader.Swizzor trojan Connection terminated PRIVAT\p

 

Time Module Object Name Threat Action User Information

2006-12-13 17:00:23 IMON file http://bins.dns-look-up.com/bins/int/upAYB.int Win32/TrojanDownloader.Swizzor trojan Connection terminated PRIVAT\p

[/log]

 

[Cecilia]

Det finns i alla fall två filer nämnda där i loggen.

 

Ladda ner NoLop till Skrivbordet:

http://www.spywareedge.net/nolop/NoLop.exe

Stäng alla program för datorn kommer att startas om.

Dubbelklicka på NoLop för att starta det.

Klicka på Search and Destroy

Om något hittas så kommer det ett meddelande om att starta om datorn, klicka då på OK

Klicka på Reboot

Ett meddelande borde komma upp från NoLop, om inte så dubbelklicka på programmet igen och det kommer att göra det sista.

 

Klistra in C:\NoLop.log

 

I felsäkert läge:

 

Töm mappen C:\DOCUME~1\p\LOKALA~1\Temp, där ~1 står för ett antal godtyckliga tecken.

 

Ta bort tillfälliga internet-filer:

Kontrollpanelen - Internet-alternativ - Ta bort filer - Kryssa i rutan - OK - OK

 

I normalt läge:

Ladda ner ComboFix:

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

Kör den och följ anvisningarna som visas.

 

VIKTIGT! Klicka inte på Combofix-fönstret med musen när den körs annars kan den hänga upp sig.

 

När den är färdig så ska en logg komma upp, klistra in den här

 

Jag tittar på resultatet i morgon.

 

[sidartha]

Här har du loggarna.

[log]

NoLop! Log by Skate_Punk_21

 

Fix running from: C:\Documents and Settings\p\Skrivbord

[2006-12-13]

[19:43:58]

 

---Infection Files Found/Removed---

C:\WINDOWS\tasks\8DEE705E80E6111E.job

 

Beginning Removal...

Rebooting...

Removing Lop's Leftover Files/Folders...

Editing Registry...

**Fix Complete!**

 

---Listing AppData sub directories---

 

C:\Documents and Settings\All Users\Application Data\Adobe

C:\Documents and Settings\All Users\Application Data\Microsoft

C:\Documents and Settings\All Users\Application Data\Microsoft Help

C:\Documents and Settings\All Users\Application Data\Pc Suite

C:\Documents and Settings\All Users\Application Data\Pinnacle

C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory

C:\Documents and Settings\All Users\Application Data\Skype -- EMPTY Directory

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

C:\Documents and Settings\Default User\Application Data\Microsoft

C:\Documents and Settings\Localservice\Application Data\Microsoft

C:\Documents and Settings\Networkservice\Application Data\Microsoft

C:\Documents and Settings\P\Application Data\Adobe

C:\Documents and Settings\P\Application Data\Adobeum -- EMPTY Directory

C:\Documents and Settings\P\Application Data\Azureus

C:\Documents and Settings\P\Application Data\Bitroll

C:\Documents and Settings\P\Application Data\Blaxxun Interactive -- EMPTY Directory

C:\Documents and Settings\P\Application Data\Chessbase

C:\Documents and Settings\P\Application Data\Datalayer

C:\Documents and Settings\P\Application Data\Google -- EMPTY Directory

C:\Documents and Settings\P\Application Data\Grim Else Link

C:\Documents and Settings\P\Application Data\Help -- EMPTY Directory

C:\Documents and Settings\P\Application Data\Icqlite

C:\Documents and Settings\P\Application Data\Identities

C:\Documents and Settings\P\Application Data\Lavasoft -- EMPTY Directory

C:\Documents and Settings\P\Application Data\Leadertech

C:\Documents and Settings\P\Application Data\Limewire

C:\Documents and Settings\P\Application Data\Macromedia

C:\Documents and Settings\P\Application Data\Media Player Classic

C:\Documents and Settings\P\Application Data\Microsoft

C:\Documents and Settings\P\Application Data\Mozilla

C:\Documents and Settings\P\Application Data\Nokia

C:\Documents and Settings\P\Application Data\Openoffice.org1.9.110

C:\Documents and Settings\P\Application Data\Pc Suite

C:\Documents and Settings\P\Application Data\Pc Tools

C:\Documents and Settings\P\Application Data\Real

C:\Documents and Settings\P\Application Data\Skype

C:\Documents and Settings\P\Application Data\Sun

C:\Documents and Settings\P\Application Data\Superantispyware.com -- EMPTY Directory

C:\Documents and Settings\P\Application Data\Vlc

C:\Documents and Settings\P\Application Data\Xnview -- EMPTY Directory

[/log]

[log]

p - 06-12-13 20:52:44,96 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\p\Skrivbord"

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-13 to 2006-12-13 ))))))))))))))))))))))))))))))))))

 

 

2006-12-13 19:48 <KAT> d-------- C:\NoLopBackups

2006-12-13 16:55 <KAT> d-------- C:\Program\Hijackthis

2006-12-13 00:23 <KAT> d-------- C:\Program\Windows Defender

2006-12-12 01:48 <KAT> d-------- C:\WINDOWS\system32\ActiveScan

2006-12-12 00:31 41,888 --a------ C:\WINDOWS\system32\drivers\Oreans.sys

2006-12-11 22:05 <KAT> d-------- C:\Program\XoftSpySE

2006-12-11 02:47 34,308 --a------ C:\WINDOWS\system32\Chip.dll

2006-12-11 02:44 <KAT> d-------- C:\Documents and Settings\p\Application Data\PC Tools

2006-12-11 00:14 <KAT> d-------- C:\WINDOWS\system32\DRM

2006-12-10 22:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2006-12-10 22:31 <KAT> d-------- C:\Documents and Settings\p\.housecall6.6

2006-12-07 03:01 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE

2006-12-07 02:37 <KAT> d-------- C:\Documents and Settings\p\Application Data\SUPERAntiSpyware.com

2006-12-05 03:08 <KAT> d-------- C:\Documents and Settings\p\Application Data\grim else link

2006-12-05 03:06 <KAT> d-------- C:\My Downloads

2006-12-05 03:06 <KAT> d-------- C:\Documents and Settings\p\Application Data\BitRoll

2006-12-04 10:48 80,304 --------- C:\WINDOWS\system\TWAVBX.DLL

2006-12-04 10:48 7,437 --------- C:\WINDOWS\system\TWADST10.EXE

2006-12-04 10:48 6,800 --------- C:\WINDOWS\system\TWACALL.EXE

2006-12-04 10:48 398,416 --------- C:\WINDOWS\system\VBRUN300.DLL

2006-12-04 10:48 38,832 --------- C:\WINDOWS\system\TWARSC01.DLL

2006-12-04 10:48 36,416 --------- C:\WINDOWS\system\TWAOPS01.DLL

2006-12-04 10:48 29,696 --------- C:\WINDOWS\system\WIN32CMI.DLL

2006-12-04 10:48 19,456 --------- C:\WINDOWS\system\TWAVER32.EXE

2006-12-04 10:48 <KAT> d-------- C:\BC31

2006-12-04 10:46 <KAT> d-------- C:\Program\SAOL

2006-12-02 23:07 <KAT> d-------- C:\Program\Fyrad 32

2006-11-27 09:45 60,416 --------- C:\WINDOWS\system32\tzchange.exe

2006-11-18 02:25 <KAT> d-------- C:\Program\Delade filer\PCSuite

2006-11-16 01:46 <KAT> d-------- C:\Documents and Settings\p\Application Data\ChessBase

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-13 01:56 -------- d-------- C:\Documents and Settings\p\Application Data\Azureus

2006-12-12 23:04 -------- d-------- C:\Program\Outlook Express

2006-12-12 23:04 -------- d-------- C:\Program\Delade filer\System

2006-12-12 23:01 -------- d-------- C:\Program\Internet Explorer

2006-12-12 00:33 -------- d-------- C:\Program\Delade filer

2006-12-10 21:33 -------- d-------- C:\Program\ESET

2006-12-07 06:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll

2006-12-07 03:01 -------- d-------- C:\Program\USBToolbox

2006-11-24 01:56 -------- d-------- C:\Program\Mozilla Firefox

2006-11-24 01:45 145408 --a------ C:\WINDOWS\CustoMess_Uninstall.exe

2006-11-24 01:38 -------- d-------- C:\Program\MSN Messenger

2006-11-22 01:45 -------- d-------- C:\Documents and Settings\p\Application Data\LimeWire

2006-11-22 01:44 -------- d-------- C:\Program\LimeWire

2006-11-18 02:44 -------- d-------- C:\Documents and Settings\p\Application Data\Nokia

2006-11-16 01:33 -------- d--h----- C:\Program\InstallShield Installation Information

2006-11-13 03:52 -------- d-------- C:\Program\EMCO Malware Destroyer

2006-11-11 23:22 -------- d-------- C:\Program\ReflexiveArcade

2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2006-11-06 11:35 531568 --a------ C:\WINDOWS\system32\RmActivate_isv.exe

2006-11-06 11:35 523376 --a------ C:\WINDOWS\system32\RmActivate.exe

2006-11-06 11:35 519280 --a------ C:\WINDOWS\system32\SecProc_isv.dll

2006-11-06 11:35 518768 --a------ C:\WINDOWS\system32\SecProc.dll

2006-11-06 11:35 358000 --a------ C:\WINDOWS\system32\RmActivate_ssp.exe

2006-11-06 11:35 354416 --a------ C:\WINDOWS\system32\RmActivate_ssp_isv.exe

2006-11-06 11:35 323696 --a------ C:\WINDOWS\system32\msdrm.dll

2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\SecProc_ssp_isv.dll

2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\SecProc_ssp.dll

2006-11-04 20:03 -------- d-------- C:\Program\Java

2006-11-04 18:43 -------- d-------- C:\Program\Dictionary 2000 4.0

2006-10-31 22:42 -------- d-------- C:\Program\NetMeeting

2006-10-29 06:41 -------- d-------- C:\Program\Winamp

2006-10-27 22:31 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE

2006-10-25 19:39 -------- d-------- C:\Documents and Settings\p\Application Data\DataLayer

2006-10-25 19:26 -------- d-------- C:\Program\DIFX

2006-10-25 19:26 -------- d-------- C:\Documents and Settings\p\Application Data\PC Suite

2006-10-20 02:39 712192 --a------ C:\WINDOWS\system32\sxs.dll

2006-10-17 19:02 -------- d-------- C:\Documents and Settings\p\Application Data\blaxxun interactive

2006-10-13 13:41 65536 --a------ C:\WINDOWS\system32\nwwks.dll

2006-10-13 13:41 64000 --a------ C:\WINDOWS\system32\nwapi32.dll

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-13 11:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys

2006-10-11 17:26 58880 --a------ C:\WINDOWS\system32\pnrpnsp.dll

2006-10-11 17:26 553984 --a------ C:\WINDOWS\system32\p2psvc.dll

2006-10-11 17:26 313344 --a------ C:\WINDOWS\system32\p2pgraph.dll

2006-10-11 17:26 153088 --a------ C:\WINDOWS\system32\p2p.dll

2006-10-11 17:26 116224 --a------ C:\WINDOWS\system32\p2pnetsh.dll

2006-10-11 17:26 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll

2006-10-10 08:54 50688 --a------ C:\WINDOWS\system32\nmwcdcls.dll

2006-10-09 12:55 73216 --a------ C:\WINDOWS\ST6UNST.EXE

2006-10-09 12:55 286720 --------- C:\WINDOWS\Setup1.exe

2006-09-28 15:05 2414360 --a------ C:\WINDOWS\system32\d3dx9_31.dll

2006-09-28 15:05 237848 --a------ C:\WINDOWS\system32\xactengine2_4.dll

2006-09-28 15:04 68888 --a------ C:\WINDOWS\system32\xinput1_3.dll

2006-09-28 15:03 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll

2006-09-20 16:35 571696 --a------ C:\WINDOWS\system32\MATTHAXLegitCheckControlMATTHAX.dll

2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"PcSync"="C:\\Program\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

"msnmsgr"="\"C:\\Program\\MSN Messenger\\msnmsgr.exe\" /background"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"

"SunJavaUpdateSched"="\"C:\\Program\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

"Drag'n'Drop_Autolaunch"="\"C:\\Program\\Iomega HotBurn Pro\\Autolaunch.exe\""

"DAEMON Tools"="\"C:\\Program\\DAEMON Tools\\daemon.exe\" -lang 1033"

"nod32kui"="\"C:\\Program\\Eset\\nod32kui.exe\" /WAITSERVICE"

"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"

"WinampAgent"="C:\\Program\\Winamp\\winampa.exe"

"Windows Defender"="\"C:\\Program\\Windows Defender\\MSASCui.exe\" -hide"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000005

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00, 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,60,03,00,00,e2,02, 00,00,04,00,00,40

"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,60,03,00,00,e2,02, 00,00,01,00,00,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoDriveAutoRun"=dword:ffffffff

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

 

Vill du avbryta kommandofilen

[/log]

 

[sidartha]

Verkar som det fungerade!!

TACK!

 

 

[Cecilia]

C:\Documents and Settings\P\Application Data\Grim Else Link är troligen mappen där otrevligheten har gömt sig, så kolla upp den och ta bort den om du inte hittar bekanta filer i den.

 

Den mappen är skapad 2 minuter efter att mappen Bitroll är skapad,

2006-12-05 03:08 <KAT> d-------- C:\Documents and Settings\p\Application Data\grim else link

2006-12-05 03:06 <KAT> d-------- C:\My Downloads

2006-12-05 03:06 <KAT> d-------- C:\Documents and Settings\p\Application Data\BitRoll

 

BitRoll verkar vara ett olämpligt program som troligen har installerat LOP på datorn enligt dessa sidor:

http://torrentfreak.com/bitroll-bittorrent-client-installs-malware/

http://forums.torrentspy.com/showthread.php?t=37130

Det verkar lämpligt att avinstallera BitRoll och så ta bort ovanstående mapp.

 

Här kommer mina vanliga råd för en säkrare dator, men det är så klart viktigt att man använder sitt förnuft också.

 

Uppdatera från Windows Update och kör antispionprogrammen AVG Anti-Spyware (Ewido), SUPERAntiSpyware, Spybot S&D och/eller Ad-aware regelbundet.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Komplettera antivirusprogrammet med några online-skanningar då och då:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Använd en brandvägg (bättre än den inbyggda i XP), finns gratis från t ex ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

Om man använder Internet Explorer så kan det vara lämpligt att ha programmen SpywareBlaster och SpywareGuard, vilka hindrar en hel del otrevliga program från att laddas ner resp. köras:

http://www.javacoolsoftware.com

 

Se över säkerhetsinställningarna i Internet Explorer, det finns en hel del tips här:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Samt kör IE-SpyAd som lägger en hel massa otrevliga webbplatser i zonen Ej tillförlitliga i Internet Explorer så att de inte kan göra något med datorn:

http://www.spywarewarrior.com/uiuc/resource.htm

 

Om man byter webbläsare så är det bara SpywareGuard som behövs. Andra webbläsare är t ex Mozilla Firefox och Opera:

http://www.mozilla.org

http://www.opera.com

 

Allt gratis för hemanvändare/personligt bruk.

 

[sidartha]

Systemet fungerar bra nu verkar det som!

Jag installerade bitroll men avinstallerade det eftersom det inte verkade fungera sedan glömde jag hela saken.

Så lätt att frestas till att prova massa program till höger och vänster.

 

Jag kör ju keiro firewall skulle zonealarm vara bättre?

 

De flesta av de andra programen har jag.

 

Ska försöka använda de lilla förstånd jag fått till skänks från ovan då!

Tack för din hjälp och din tid!

 

 

[inlägget ändrat 2006-12-15 18:43:14 av sidartha]

[Cecilia]

Jag kör ju keiro firewall skulle zonealarm vara bättre?

Nej

 

Ta bort mappen C:\Documents and Settings\p\Application Data\BitRoll, om du inte redan har gjort det.

 

Man kan få viss kontroll över vad man laddar ner genom att låta skanna filen på http://www.virustotal.com/

 

Tack själv för alla poäng! :)

Lycka till framöver med datorn!