Just nu i M3-nätverket
Jump to content

IST.ISTbar


BiarneSiösteen

Recommended Posts

BiarneSiösteen

De senaste dagarna har jag utsatts för en Spyware-attack av ett helt nytt slag. Fruktansvärt tröttsamt eftersom den upprepas med bara någon minuts mellanrum..

 

Har beskrivit det hela på länken nedan...

 

http://www.lakestone.se/istbar/

 

Någon mer som utsatts? Någon ide hur förhindra?

 

Link to comment
Share on other sites

BiarneSiösteen

Tack för svar. Försöker här...

 

Logfile of HijackThis v1.99.1

Scan saved at 12:24:52, on 2005-03-14

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe

C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program\Iomega\DriveIcons\ImgIcon.exe

C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\hjts\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [Connection Keeper] "C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [DVf1CGvoU] C:\WINDOWS\ewoyw.exe

O4 - HKLM\..\Run: [<°,*ÝeKFlÄ6JÌ¥÷º¼¶ C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\ewoyw.exe

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKCU\..\Run: [iomega Automatic Backup] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - Startup: wkcalrem.LNK = C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw013XXSE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab

O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.telia.com/vspta3.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\Program\Iomega\System32\AppServices.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

 

 

 

 

 

 

Link to comment
Share on other sites

 

Avinstallera via Kontrollpanelen om det finns

 

Istbar eller ISTsvc

 

Dolda filer synliga

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

O4 - HKLM\..\Run: [DVf1CGvoU] C:\WINDOWS\ewoyw.exe

O4 - HKLM\..\Run: [<°,* ÝeKFlÄ6JÌ¥÷º¼¶ C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\ewoyw.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw013XXSE

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 

 

Starta sen i felsäkert läge sök och ta bort

 

C:\WINDOWS\ewoyw.exe

- ta bort ewoyw.exe

 

C:\Program\ISTsvc\ < mappen

 

Starta normalt och ny Hijack logg

 

 

 

Link to comment
Share on other sites

BiarneSiösteen

OK. Utfört åtgärdena.

 

Istbar eller ISTsvc fanns ej via Kontrollpanelen.

 

Ej heller mappen

C:\Program\ISTsvc

Här nya loggen:

 

Logfile of HijackThis v1.99.1

Scan saved at 13:13:03, on 2005-03-14

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe

C:\Program\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program\Iomega\DriveIcons\ImgIcon.exe

C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe

C:\Program\Microsoft AntiSpyware\gcasServ.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE

C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE

C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\hjts\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [Connection Keeper] "C:\Program\LennartFranzén\LFConnectionKeeper\lfck.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [iomega Automatic Backup] C:\Program\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - Startup: wkcalrem.LNK = C:\Program\Delade filer\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab

O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.telia.com/vspta3.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\Program\Iomega\System32\AppServices.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe

O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe

O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe

O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe

 

 

 

Link to comment
Share on other sites

 

Bocka och Fix:sa

 

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

 

Sen är loggen ok.

Blev det bättre eller är problemet kvar?

 

Link to comment
Share on other sites

BiarneSiösteen

 

Varmt tack för hjälpen !!

 

Vet ej om allt är just eftersom de värsta attackerna kommer omedelbart efter uppkoppling.

 

Ännu ej någon ny dock , sen vi började fixa...

 

Hör av mig.

 

Link to comment
Share on other sites

BiarneSiösteen

 

Hallå Zipp !

 

Det verkar som din insats gjort susen! Inga nya angrepp än så länge, trots flera nya uppstarter på nätet, och några långa sessioner...

 

Tack än en gång!

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.



×
×
  • Create New...