Microsoft giver trojan ?

det skal lige siges at man skal søge en gang før den er inde,,,

Den trojaner kommer med E-mail http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=4863#33833

nej ikke kun mail,,, prøv det jeg skrev,,,
den kommer ind med deres søge del,,,

Falsk alarm.
Jeg scannede med Spysweeper, gik ind på siden, søgte åbnede et link, scannede med Spysweeper igen.
Intet at bemærke.

Det samme her

ok, ???
men hvordan kommer den så ? bruger jeg spysweeper til at fjerne den med og køre det igennem igen er den væk, men gå jeg så ind på det link kommer den og siger jeg har den igen, og det er kun det link den gør det med,,,,

jeg skal lige ud med hunden, så jeg er lige væk lidt, men jeg kan lige beskrive de filer den siger det omhandler og eks vise dem her ( det er .js filer )

sætter det op om ca 45 minutter,,,

jeg har tømt for alt i min pc og kørt spysweeper igennem og den finder intet, køre jeg så den søge side op er det inde igen, den finder 3 filer som den siger er den trojan, disse 3 filer heder ( utils.js - helppane26.js - hdr35.js )

her ses hvad der står i de filer,,,,

----------------------------------------------------------------------------------------------------------

utils.js

----------------------------------------------------------------------------------------------------------


// Checkquery
// Determines whether form has proper submission criterion
// RETURNS: false if no value given for query param
function CheckMT(objMT, strID,qform)
{
    if (strID == "") {
        window.alert(notextalert);
        SetFocus(objMT);
        return false;
    }else{
        return true;
    }
}   

// SetFocus()
// Given an element, it will set the focus
function SetFocus(objMT)
{
    objMT.focus();
}

// rollover code for Info trans gifs...
//sniffs for ie3 or 4 and delivers the goods :)  image swaps for IE3 on Mac browser only)
//ignores netscape browsers
function toggleInfoGifs(p_obj)
{
    if((navigator.appVersion.charAt(0) >= 3) && (navigator.appName.indexOf("Explorer") > -1)){
        if(p_obj.src.indexOf("/images/infotransOFF.gif") > -1){
            p_obj.src="/images/infoTransON.gif"
        }else{
            p_obj.src="/images/infotransOFF.gif"
        }
    }
}
function newImage(arg) {
    if (document.images) {
        rslt = new Image();
        rslt.src = arg;
        return rslt;
    }
}
function changeImages() { 
    if (document.images ) {
        for (var i=0; i<changeImages.arguments.length; i+=2) {
            document[changeImages.arguments[i]].src = changeImages.arguments[i+1];
        }
    }
}

if( navigator.appVersion.indexOf("4.")>=0) bScreen=true;

// Wrapper function to allow me to modify the variables in the Help call and not have to set global variables to do so
// fWrapHelp( IN v_bSearch, IN v_H_KEY, IN v_L_H_TEXT )
// WHERE
// v_bSearch = boolean value identifying whether this is a search in help or a topic
// v_H_KEY = if v_bSearch is false, then this is a topic, else it is a secret keyword
// v_L_H_TEXT = if v_bSearch is false, then it's ignored, else it is a localized string displayed in UI
function fWrapHelp(v_OptNoResize, v_bSearch, v_H_KEY, v_L_H_TEXT )
{
    //Set each var and then call DoHelp()
    //If a Search in enabled, then we need a KEY and TEXT values, otherwise it's a topic and we just need TOPIC
    var old_H_KEY = H_KEY;
    var old_L_H_TEXT = L_H_TEXT;
    if( v_bSearch.toString().toUpperCase() == "TRUE" )
    {
        bSearch = v_bSearch;
        H_KEY = v_H_KEY;
        if (v_L_H_TEXT != "")
            L_H_TEXT = v_L_H_TEXT;
        bSearch = true;
    } else {
        H_TOPIC = unescape(v_H_KEY);
        bSearch = false;
    }
    if (v_OptNoResize == "off")
    {
        bOptNoResize = 1;
    }
    DoHelp();
    H_KEY = old_H_KEY;
    L_H_TEXT = old_L_H_TEXT;
    bSearch = true;
}

// ChangePage( obj )
// Modifies anchor to include query string
function ChangePage(objAnchor)
{
    var strQuery, intLoc, strPath;
    //Sanity check to be sure the value passed is an object
    if (typeof(objAnchor) == "object")
    {
        var strAnchor = objAnchor.href;
        strPath = window.location.pathname.substring( window.location.pathname.lastIndexOf( '/' ) + 1, window.location.pathname.length );
        //determine if this page has valid controls to pass forward or not
        if( strPath == "contactus.asp" || strPath == "contactusthanks.asp" || strPath == "default.asp" || strPath == "advanced.asp" || strPath == "results.asp" || strPath == "Preference.asp" || strPath== "searchclip.asp" || strPath == "searchclipCode.asp" || strPath == "searchclipTerms.asp" || strPath == "worldwide.asp" || strPath == "category.asp" || strPath == "" )
        {
            if (strAnchor.indexOf("Preference.asp") < 0)
            {
                if (document.STWF){
                    if( typeof(document.STWF.q ) == "object" )
                    {
                        document.STWF.cfg.value = "ADVANCED";
                        document.STWF.submit();
                    }
                } else {
                    self.location = "advanced.asp";
                }
            } else {
                window.top.location.href = strAnchor + "&newURL=" + escape(self.location);
            }
        }
        else
        {
            //write query string to originating anchor
            if(navigator.appVersion.lastIndexOf("MSIE 3.") > -1 || navigator.appVersion.lastIndexOf("WebTV") > -1) // For all MSIE 3.0 versions
            {
                window.top.location.href = objAnchor.href + window.location.search;
            } else {
                if( objAnchor.search.length > 0 ) {
                    //do nothing
                } else {
                    window.top.location.href = objAnchor.href;
                }
            }
        }
    }
}

function main()
{
    if (window.comppopup != null)
        comppopup();
}

function newUrl()
{
    var strID = document.all.item("q").value;
    if(strID == "") {
        window.alert(notextalert);
        SetFocus();
    }else{
        if (strID.indexOf("://") < 1)
            strID = "http://" + strID;
        self.location = strID;
    }
}

function tooltip()
{
    document.all.item("tips").style.display = "";
}

function GoMediaElem( oAnchor, sForm )
{
    var sURL = "redir.aspx?target=" + escape(oAnchor.href) + "&FORM=" + sForm;
    window.location.href = sURL;
    return false;
}

//hide or show element oElm. Also toggle the associated image oImg.
function hideshow(elmId, imgId){
    oElm = document.getElementById(elmId);
    oImg = document.getElementById(imgId);
    if (oElm.style.display == ""){
        oElm.style.display = "none";
        oImg.src = "/static/up.gif"
    } else {
        oElm.style.display = "";
        oImg.src = "/static/down.jpg"
    }
}

function FixHosts()
{
        window.open("/static/fixhosts.exe", "_self");
}


-----------------------------------------------------------------------------------------------------------------

helppane26.js

-----------------------------------------------------------------------------------------------------------------

//helppane.js Version 2.6
var H_URL_BASE='',H_TOPIC='',H_KEY='',L_H_TEXT='',H_FILTER='',H_BRAND='',bSearch=false;
var H_CONFIG='',L_H_APP='',L_CONTACTUS_URL='';
var H_BURL='helppane.htm',H_TARG='',H_VER='2.6';
var h_win,H_OTHER='',bResize=true,bOptNoResize=false;
function DoHelp(iNm) {
    var sQP,W,H,sWD,sc=screen.width,bIE4PC;
    var agent = navigator.userAgent.toLowerCase();
    var app = navigator.appName.toLowerCase();
    var agent_isMac = (agent.indexOf('mac') > -1);
    var agent_isIE = (agent.indexOf("msie")>-1 && parseInt(navigator.appVersion.substring(0,1))>=4);
    var agent_isMSN = false, vi = agent.indexOf('msn '), agent_isMacMSN = false;

    if (vi > -1) {
        agent_isMSN = agent.substring(vi+4);
        agent_isMSN = parseFloat(agent_isMSN.substring(0,agent_isMSN.indexOf(";")));
        agent_isMSN = (agent_isMSN != NaN && agent_isMSN >= 6)
    }
    agent_isMacMSN = agent.indexOf('ppc mac os x') > -1  && agent.indexOf('msn explorer') > -1 ;
        sQP =(H_BURL.indexOf("?")>-1) ? "&":"?";       
    sQP+='H_VER='+H_VER;
    sQP+='&INI='+H_CONFIG;
        if (agent_isMSN && !agent_isMacMSN){
    sQP+='&H_APP='+encodeURIComponent(L_H_APP);   
    sQP+=(bSearch) ? '&SEARCHTERM='+escape(H_KEY)+'&S_TEXT='+encodeURIComponent(L_H_TEXT):'&TOPIC='+H_TOPIC;
        } else {
    sQP+='&H_APP='+escape(L_H_APP);   
    sQP+=(bSearch) ? '&SEARCHTERM='+escape(H_KEY)+'&S_TEXT='+escape(L_H_TEXT):'&TOPIC='+H_TOPIC;
        }
    if (H_BRAND!='') sQP+='&BrandID='+H_BRAND;
    if (H_FILTER!='') sQP+='&Filter='+H_FILTER;
    if (L_CONTACTUS_URL!='') sQP+='&ContactUS='+L_CONTACTUS_URL;
    if (typeof(v1)!="undefined") sQP+='&v1='+escape(v1);
    else sQP+='&v1='+escape(document.location.protocol + "//" + document.location.hostname);
    sQP+='&v2='+escape(document.location.search);
    if (typeof(H_CONFIG) != "undefined" && (self.name == null || self.name == "" || self.name == "msnMain")) self.name = H_CONFIG.substring(0,H_CONFIG.indexOf("."));
    sQP+='&tmt='+escape(window.name);
    if (sc<=800) sQP+="&sp=1";
    if (bOptNoResize) sQP+='&bOptNoResize=1';   
    W=(sc<= 800)?180:230;
    if (agent_isMac && agent_isIE) W=224;
    H=(agent.indexOf("windows")>0 && agent.indexOf("aol")>0) ? screen.availHeight-window.screenTop-22:screen.availHeight//*AOL
    sWD="toolbar=0,status=0,menubar=0,resizable=1,top=0,width="+W;
   
    if (agent_isMSN){
        window.external.showHelpPane(H_URL_BASE+'/frameset.asp'+sQP,W)
    }       
    else if (agent.indexOf('webtv')>0 || agent.indexOf('msn companion')>0){
        top.location.replace(H_URL_BASE+'/frameset.asp'+sQP)
    }
    else if (app.indexOf('netscape')>-1 && navigator.appVersion.indexOf('4.')>-1) {
        var fw;
        if (agent_isMac) {
            sWD+=",height="+(H-38)+",left="+(sc-W-16);fw=30;
        } else {
            sWD+=",height="+(H-30)+",left="+(sc-W-12);fw=12;
        }
        if (!bOptNoResize) top.window.resizeTo(screen.availWidth - W - (window.outerWidth - window.innerWidth)-fw, screen.availHeight - (window.outerHeight-window.innerHeight));
        if (!bOptNoResize) top.window.moveTo(0,0);
        h_win=window.open(H_URL_BASE+'/frameset.asp'+sQP,'_help',sWD);
    }   
    else if (agent.indexOf("opera")>-1) {
        sWD+=",height="+H+",left="+(sc-W - (agent_isMac ? 5 : 0));
        if (!bOptNoResize) window.resizeTo(screen.availWidth - W - (agent_isMac ? 20 : 0), screen.availHeight);
        if (!bOptNoResize) window.moveTo(0,0);
        h_win=window.open(H_URL_BASE+'/frameset.asp'+sQP,'_help',sWD);
    } else if (agent.indexOf("aol")>-1) {
        sWD+=",height="+(H-115);
        window.open(H_URL_BASE+'/frameset.asp'+sQP,'_help',sWD);
    } else if (agent_isIE || agent.indexOf('netscape6')>-1) {
        sWD+=",height="+H+",left="+(sc-W);
        bResize=false;
        bIE4PC = agent.indexOf("msie 4")>0;
        if (H_TARG=='') H_TARG = (bIE4PC)?'_help26':'_help';
        if (iNm != null) H_TARG+=iNm;
        if (bIE4PC) {
            window.open(H_BURL+sQP,H_TARG,sWD);
        }
        else h_win=window.open(H_BURL+sQP,H_TARG,sWD);
        if (h_win && !agent_isMac && app.indexOf("netscape")<0) h_win.opener=self; //*IE5+PC
    } else {
        window.open(H_URL_BASE+'/frameset.asp'+sQP,'_help');   
    }
}

----------------------------------------------------------------------------------------------------------------

hdr35.js

----------------------------------------------------------------------------------------------------------------


function getMSID(){function getMSID(s){var s=document.cookie;var i=s.indexOf("MC1=");var c=s.substring(i+4,s.indexOf(";",i));var m=c.substring(c.indexOf("GUID=")+5);l=m.indexOf("&");if(l>-1)return m.substring(0,l);else return m;}}
function getPartnerId(){var s=document.cookie + ";";var i=s.indexOf("mh=");var p="";if(i>=0)p=s.substring(i+3,s.indexOf(";",i));if(null==p)p="";return p.substring(0,4);}
function logoImg(s){document.write("<img border=\"0\" width=\"118\" height=\"35\" src=\""+s+"/global/c/lg/"+getPartnerId()+"_118x35.gif\" alt=\"go to  MSN.com\" title=\"go to MSN.com\"/>");}

------------------------------------------------------------------------------------------------------------------



jeg ved ikke rigtig hvorfor de kommer eller hvordan, men måske har jeg noget andet inde der har overtaget IE, og hver gang jeg siger jeg skal ind på den søge siger smider mig igennem dens side førest, men jeg ved det som sagt ikke,,,,


The Toastmaster

Så må vi hellere tjekke din PC.
Gå ind her og hent Spybot og Hijackthis.
http://www.spywarefri.dk/vaerktoj.htm
Installer og kør Spybot, opdater online, scan, afhjælp valgte problemer, genstart.
Derefter udpakker og kører du Hijackthis, scan, save log og kopier logfilen herind, så kigger vi på den.
Lad være med at slette noget selv med Hijackthis, det kan skade mere end det gavner.

ok,,,,

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\AVPersonal\AVGUARD.EXE
C:\Programmer\Apache Group\Apache\Apache.exe
C:\Programmer\AVPersonal\AVWUPSRV.EXE
C:\Programmer\Ahead\InCD\InCDsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\Programmer\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Logitech\Video\LogiTray.exe
C:\Programmer\AVPersonal\AVGNT.EXE
C:\Programmer\ICQLite\ICQLite.exe
C:\Programmer\Ahead\InCD\InCD.exe
C:\Programmer\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\LVComsX.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\BHODemon 2\BHODemon.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Logitech\Video\FxSvr2.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\haijack\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programmer\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programmer\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmer\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmer\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programmer\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmer\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Programmer\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programmer\ICQLite\ICQLite.exe -trayboot
O4 - Startup: BHODemon 2.0.lnk = C:\Programmer\BHODemon 2\BHODemon.exe
O4 - Startup: WinMySQLadmin.lnk = C:\FoxServ\mysql\bin\winmysqladmin.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1.62-big/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1E719C1-C47A-45D6-8AC6-8E810AC84E31}: NameServer = 81.19.224.134,81.19.224.67

hopper i seng,,, kigger igen imorgen,,,

Hijackthis loggen er ren, den anden log kunne for min skyld være på kinesisk.

ok,,
mange tak

men du skal have noget for dit arbejde,,,

så jeg giver lige mig selv 1 point da
jeg så kan give dig lidt mere for hjælpen

hov det kan man ikke ? jeg trode jeg kunne sætte de point op hvis der skulle fordeles mellem flere, ?

det kunne de godt tage med.......

Det kan du også, men pyt med det.
Tak for point.*S*