
Manually removing a trojan?


manolo


Hi! I have an old Pentium II with Windows 2000 NT.

My antivirus program from Grisoft warned today that a trojan called PAW.Generic2.SUS had been detected in the program file dmwup, located in the Windows directory SYS32, but it could not remove or repair this program file.

I moved the file to the recycle bin and then emptied it.

After the deletion I ran Grisoft, Adaware and Spybot one after another with the internet disconnected; none of them detected the Generic problem again.

Question: is the trojan now completely gone from the system, or do I have to run some further removal program?

Many thanks in advance. / M

[post edited 2007-02-08 15:09:45 by manolo]


Hi Zipp, and thanks for the reply.

I don't know whether I did it right, but here is what appears to be the log file from the scan:

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 16:05:21, on 2007-02-08

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Winamp\winampa.exe

C:\Program\Grisoft\AVGFRE~1\avgcc.exe

C:\WINNT\system32\internat.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program\iMesh\iMesh5\iMeshBHO.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3F4D537B-8355-49F9-ADD2-6AAA47471F63} - C:\WINNT\system32\ioh.dll (file missing)

O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program\iMeshBar\bar\2b.bin\IMESHBAR.DLL (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program\iMeshBar\bar\2b.bin\IMESHBAR.DLL (file missing)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CreateCD50] "C:\Program\Delade filer\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Monitor TynManager] fqdv.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [dmdnf.exe] C:\WINNT\system32\dmdnf.exe

O4 - HKLM\..\RunServices: [Monitor TynManager] fqdv.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [Monitor TynManager] fqdv.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: Mania Win Restore.lnk = C:\21STCENT\WINMANIA\RESWIN.EXE

O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{199E2AE3-BB3E-4254-9C7A-5FCD4918D37B}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CCS\Services\Tcpip\..\{3FF23F99-AEC2-4067-8D45-0A419906526A}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132

O17 - HKLM\System\CS1\Services\Tcpip\..\{199E2AE3-BB3E-4254-9C7A-5FCD4918D37B}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132

O17 - HKLM\System\CS2\Services\Tcpip\..\{199E2AE3-BB3E-4254-9C7A-5FCD4918D37B}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: IC Login Service (ICLogin) - Unknown owner - C:\Program\IcLogin\iclogin1.2.exe" -service (file missing)

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

[/log]

 


Hi again, this is what the log file for Fixwareout looks like:

 

 

Fixwareout

Last edited 1/30/2007

Post this report in the forums please

...

Prerun check

»»»»» HKLM run and Winlogon System values

C:\WINNT\System32\dmdnf.exe will be moved to C:\WINNT\temp\dmdnf.ren at reboot.

C:\WINNT\System32\csdum.exe will be moved to C:\WINNT\temp\csdum.ren at reboot.

 

»»»»» System restarted

Reg Entries that were deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm"

...

Random Runs removed from HKLM

"dmdnf.exe"=-

...

C:\WINNT\RDT.INI Deleted

 

»»»»» Misc files.

 

»»»»» Checking for older varients.

 

»»»»» Postrun check

»»»»» HKLM run

»»»»» Winlogon System value

"system"=""

»»»»»

 

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

 

This WILL/CAN also list Legit Files, Submit them at Virustotal

Search five digit cs, dm kd and jb files.

»»»»»

»»»»» Current runs

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"CreateCD50"="\"C:\\Program\\Delade filer\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"

"AdaptecDirectCD"="\"C:\\Program\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

"ccApp"="\"C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe\""

"ccRegVfy"="\"C:\\Program\\Delade filer\\Symantec Shared\\ccRegVfy.exe\""

"Monitor TynManager"="fqdv.exe"

"Symantec NetDriver Monitor"="C:\\Program\\SYMNET~1\\SNDMon.exe /Consumer"

"WinampAgent"="C:\\Program\\Winamp\\winampa.exe"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe"

"Monitor TynManager"="fqdv.exe"

"MsnMsgr"="\"C:\\Program\\MSN Messenger\\MsnMsgr.Exe\" /background"

"Skype"="\"C:\\Program\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

 

Hosts file was reset, If you use a custom hosts file please replace it

 

[post edited 2007-02-08 16:38:33 by manolo]


 

Scan with Hijack, check the following lines, close the web browser and click Fix checked.

 

[log]O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program\iMesh\iMesh5\iMeshBHO.dll (file missing)

O2 - BHO: (no name) - {3F4D537B-8355-49F9-ADD2-6AAA47471F63} - C:\WINNT\system32\ioh.dll (file missing)

O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program\iMeshBar\bar\2b.bin\IMESHBAR.DLL (file missing)

O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program\iMeshBar\bar\2b.bin\IMESHBAR.DLL (file missing)

O4 - HKLM\..\Run: [Monitor TynManager] fqdv.exe

O4 - HKLM\..\Run: [dmdnf.exe] C:\WINNT\system32\dmdnf.exe

O4 - HKLM\..\RunServices: [Monitor TynManager] fqdv.exe

O4 - HKCU\..\Run: [Monitor TynManager] fqdv.exe

O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC

O17 - HKLM\System\CCS\Services\Tcpip\..\{199E2AE3-BB3E-4254-9C7A-5FCD4918D37B}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CCS\Services\Tcpip\..\{3FF23F99-AEC2-4067-8D45-0A419906526A}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132

O17 - HKLM\System\CS1\Services\Tcpip\..\{199E2AE3-BB3E-4254-9C7A-5FCD4918D37B}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132

O17 - HKLM\System\CS2\Services\Tcpip\..\{199E2AE3-BB3E-4254-9C7A-5FCD4918D37B}: NameServer = 85.255.114.94,85.255.112.132

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132

 

 

Then delete, if found:

fqdv.exe

Restart the computer, scan a new log and post it here.[/log]

 


Hi again Zipp, I did as you said and removed those files (however, I could NOT find the file

O4 - HKLM\..\Run: [dmdnf.exe] C:\WINNT\system32\dmdnf.exe

even though I checked the screen 3 times with a ruler - does that matter?)

Here is the new HijackThis log after I removed the "nasty" files and restarted the computer:

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 17:57:53, on 2007-02-08

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program\Delade filer\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Winamp\winampa.exe

C:\WINNT\system32\internat.exe

C:\Program\MSN Messenger\MsnMsgr.Exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CreateCD50] "C:\Program\Delade filer\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: Mania Win Restore.lnk = C:\21STCENT\WINMANIA\RESWIN.EXE

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: IC Login Service (ICLogin) - Unknown owner - C:\Program\IcLogin\iclogin1.2.exe" -service (file missing)

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

[/log]

 

 

 

 

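Added example, not part of the original thread: a small Python check that compares two HijackThis logs against the list of entries marked for fixing and reports which are gone, which remain, and which are new. The sample lines are excerpts of the logs posted above; the function and variable names are this example's own.

```python
import re

# A HijackThis entry line is "<section> - <detail>", where section is R0, O4, O17, ...
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Excerpts from the logs posted in this thread (shortened for the example).
BEFORE = r"""
O4 - HKLM\..\Run: [Monitor TynManager] fqdv.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [dmdnf.exe] C:\WINNT\system32\dmdnf.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
"""
AFTER = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
"""
FIX_LIST = r"""
O4 - HKLM\..\Run: [Monitor TynManager] fqdv.exe
O4 - HKLM\..\Run: [dmdnf.exe] C:\WINNT\system32\dmdnf.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.94 85.255.112.132
"""

def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:  # header, process list and blank lines do not match
            entries.add((match.group(1), match.group(2)))
    return entries

def compare(before, after, fix_list):
    """Classify the entries marked for fixing by what the later log shows."""
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(fix_list)
    return {
        "removed": sorted(f & (b - a)),   # was present, gone in the later log
        "still_present": sorted(f & a),   # fix did not take, or entry was restored
        "not_in_before": sorted(f - b),   # fix list names something never logged
        "new_entries": sorted(a - b),     # appeared between the two scans
    }

if __name__ == "__main__":
    for status, items in compare(BEFORE, AFTER, FIX_LIST).items():
        print(status, len(items))
        for section, detail in items:
            print("   ", section, "-", detail)
```

Entries are compared as exact strings, so a line that was wrapped when pasted into a post has to be rejoined before it is fed in.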

A VERY big and sincere thank you for the help, Zipp.

Just so that I understand: can I regard the risk of any remaining trojan or the like as small/non-existent?

Are there any better programs than Grisoft, Adaware or Norton that I should run from now on - or is that routine good enough?

Kind regards, M

 


 

> can I regard the risk of any remaining trojan or the like as small/non-existent? <

There may be something left even if the log is clean.

You can run, for example, the Kaspersky online scan.

> that I should run from now on - or is that routine good enough? <

These are good programs to clean with now and then:

http://www.ewido.net/en/

http://www.superantispyware.com/

 

 

 

 

 
