trojan: downloader.inservice.O

Gå ind her og hent Spybot og Hijackthis.
http://www.spywarefri.dk/vaerktoj.htm
Installer og kør Spybot, opdater online, scan, afhjælp valgte problemer, genstart.
Derefter udpakker og kører du Hijackthis, scan, save log og kopier logfilen herind, så kigger vi på den.
Lad være med at slette noget selv med Hijackthis, det kan skade mere end det gavner.

ok

Ok her er den

Logfile of HijackThis v1.98.2
Scan saved at 16:04:17, on 22-08-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\michael\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Registration-PCTV.lnk = C:\Program Files\Pinnacle\Pinnacle PCTV\ERegister\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

Ikke så meget at komme efter i loggen.

Prøv denne scanner:
http://www.arlet.dk/mwti.htm

Ok

Sun Aug 22 16:17:00 2004 => **********************************************************
Sun Aug 22 16:17:00 2004 => eScan AntiVirus Toolkit Utility.
Sun Aug 22 16:17:00 2004 => Copyright © 2003-2004,  MicroWorld Technologies Inc.
Sun Aug 22 16:17:00 2004 => **********************************************************
Sun Aug 22 16:17:00 2004 => Version 4.4.6
Sun Aug 22 16:17:00 2004 => Log File: C:\DOCUME~1\michael\LOCALS~1\Temp\mwav.log
Sun Aug 22 16:17:00 2004 => Latest Date of files inside MWAV: 09 Aug 2004  12:03:08.
Sun Aug 22 16:17:03 2004 => AV Library Loaded...
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\kavss.exe
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\Getvlist.exe
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\kavss.dll
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\kavssdi.dll
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\kavssi.dll
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\kavvlg.dll
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\msvlclnt.dll
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\ipc.dll
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\main.avi
Sun Aug 22 16:17:03 2004 => Scanning File C:\DOCUME~1\michael\LOCALS~1\Temp\virus.avi
Sun Aug 22 16:17:03 2004 => Virus Database Date: 2004/08/09
Sun Aug 22 16:17:03 2004 => Virus Database Count: 100135
Sun Aug 22 16:17:22 2004 => Generating Virus List... getvlist.exe C:\DOCUME~1\michael\LOCALS~1\Temp\vlist.txt

Er der noget i denne fil

tag lige og tøm din temp mappe:
C:\DOCUME~1\michael\LOCALS~1\Temp

derefter slå din systemgendannelse fra:
http://www.arlet.dk/systemgendannelsen.htm

og lav et fuld scan med avg.
Hvis den finder noget men ikke kan slette den, så noter stien ned og læg herind.

log fra AVG

Results of Complete Test, date and time 22-08-2004 17:29:59 :

Testing C:\$VAULT$.AVG serial 6892-0F9A
Testing C:\Documents and Settings\michael\Local Settings\Temp serial 6892-0F9A
Testing C:\Documents and Settings\michael\Local Settings\Temporary Internet Files serial 6892-0F9A
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\CONTENT.IE5\P89J2LD5\CRACK[1].CD-Image_Broadway_v4.5.zip:\awi.exe Trojan horse Downloader.Inservice.O

Test finished, duration 00:01:22.9 s
704 objects tested, 1 found infected

Åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

så finder du:
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\CONTENT.IE5\P89J2LD5\CRACK[1].CD-Image_Broadway_v4.5.zip:\awi.exe
og sletter den

jeps så er den væk... tror jeg holder mig væk fra den slags en anden gang :-)
lav lige et svar

ok, her er svaret