IST.ISTbar

[BiarneSiösteen]

De senaste dagarna har jag utsatts för en Spyware-attack av ett helt nytt slag. Fruktansvärt tröttsamt eftersom den upprepas med bara någon minuts mellanrum..

 

Har beskrivit det hela på länken nedan...

 

http://www.lakestone.se/istbar/

 

Någon mer som utsatts? Någon ide hur förhindra?

 

[Zipp.]

 

 

Ladda ner HijackThis.exe och scanna datorn med det.

Skicka hit loggen sen så tar vi en titt vad som finns där.

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

[BiarneSiösteen]

Tack för svar. Försöker här...

 

Logfile of HijackThis v1.99.1

Scan saved at 12:24:52, on 2005-03-14

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe

C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program\Iomega\DriveIcons\ImgIcon.exe

C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\hjts\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [Connection Keeper] "C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [DVf1CGvoU] C:\WINDOWS\ewoyw.exe

O4 - HKLM\..\Run: [<°,*ÝeKFlÄ6JÌ¥÷º¼¶ C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\ewoyw.exe

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKCU\..\Run: [iomega Automatic Backup] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - Startup: wkcalrem.LNK = C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw013XXSE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab

O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.telia.com/vspta3.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\Program\Iomega\System32\AppServices.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

 

 

 

 

 

 

[Zipp.]

 

Avinstallera via Kontrollpanelen om det finns

 

Istbar eller ISTsvc

 

Dolda filer synliga

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

O4 - HKLM\..\Run: [DVf1CGvoU] C:\WINDOWS\ewoyw.exe

O4 - HKLM\..\Run: [<°,* ÝeKFlÄ6JÌ¥÷º¼¶ C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\ewoyw.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw013XXSE

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 

 

Starta sen i felsäkert läge sök och ta bort

 

C:\WINDOWS\ewoyw.exe

- ta bort ewoyw.exe

 

C:\Program\ISTsvc\ < mappen

 

Starta normalt och ny Hijack logg

 

 

 

[BiarneSiösteen]

OK. Utfört åtgärdena.

 

Istbar eller ISTsvc fanns ej via Kontrollpanelen.

 

Ej heller mappen

C:\Program\ISTsvc

Här nya loggen:

 

Logfile of HijackThis v1.99.1

Scan saved at 13:13:03, on 2005-03-14

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe

C:\Program\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program\Iomega\DriveIcons\ImgIcon.exe

C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE

C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\hjts\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [Connection Keeper] "C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [iomega Automatic Backup] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - Startup: wkcalrem.LNK = C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab

O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.telia.com/vspta3.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\Program\Iomega\System32\AppServices.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

 

 

 

[Zipp.]

 

Bocka och Fix:sa

 

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

 

Sen är loggen ok.

Blev det bättre eller är problemet kvar?

 

[BiarneSiösteen]

 

Varmt tack för hjälpen !!

 

Vet ej om allt är just eftersom de värsta attackerna kommer omedelbart efter uppkoppling.

 

Ännu ej någon ny dock , sen vi började fixa...

 

Hör av mig.

 

[BiarneSiösteen]

 

Hallå Zipp !

 

Det verkar som din insats gjort susen! Inga nya angrepp än så länge, trots flera nya uppstarter på nätet, och några långa sessioner...

 

Tack än en gång!