Hjælp til win32 dialer

-- Hent denne fil, og pak den ud til en mappe på skrivebordet:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Dobbeltklik på filen, og lad den pakke sig ud til en mappe i roden af din harddisk (typisk: c:\SDfix)

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Gå så ind i mappen SDFix, som du fik oprettet tidligere. Dobbeltklik på filen RunThis.bat, for at starte værktøjet. Tryk "y" for at bekræfte, at du kører værktøjet på egen risiko. Så vil værktøjet gå i gang med at fjerne trojanservicen, og lave et par reparationer af registreringsdatabasen. På et tidspunkt vil det bede dig om at trykke en taste for at genstarte computeren. Det skal du gøre, hvorefter computeren vil genstarte efter 15 sekunder.

Genstarten vil tage lidt længere end sædvanligt, idet værktøjet skal have tid til at udføre sit arbejde. Når skrivebordet dukker op, vil værktøjet skrive "Finished". Tryk herefter en taste for at indlæse dine skrivebordsikoner igen.

Åben så SDFix-mappen, find filen Report.txt, og kopier indholdet af denne fil herind, sammen med en ny log fra Hijackthis.

Her er filen fra SDFix men virusen er der stadig

Filen:

SDFix: Version 1.63

01-02-2007 - 16:43:02,50

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Windows Messenger

Path:
"C:\WINDOWS\msnmsgr.exe"

Windows Messenger Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


C:\WINDOWS\system32\Microsoft\backup.ftp Found...
C:\WINDOWS\system32\Microsoft\backup.tftp Found...

Checking files:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp

Dummy:
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe

Files copied to SDFix\Backups

Restoring files if backups are found

Final Check:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Dummy:


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

SDFix: Version 1.63

01-02-2007 - 16:43:02,50

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Windows Messenger

Path:
"C:\WINDOWS\msnmsgr.exe"

Windows Messenger Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


C:\WINDOWS\system32\Microsoft\backup.ftp Found...
C:\WINDOWS\system32\Microsoft\backup.tftp Found...

Checking files:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp

Dummy:
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe

Files copied to SDFix\Backups

Restoring files if backups are found

Final Check:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Dummy:


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\msnmsgr.exe - Deleted
C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted
C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

                                Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\CONFIG.SYS
C:\hiberfil.sys
C:\Documents and
Settings\Pernille\Skrivebord\Pernille\skole\Psykologi\Psykoanalysen &
udviklingen i den tidlige barndom\~WRL0001.tmp
C:\Documents and
Settings\Pernille\Skrivebord\Pernille\usb\Gymnasie\Naturfag\~WRL2038.tmp
C:\Documents and
Settings\Pernille\Skrivebord\Pernille\usb\Gymnasie\Naturfag\~WRL2223.tmp
C:\Documents and
Settings\Pernille\Skrivebord\Pernille\usb\Gymnasie\Naturfag\~WRL2280.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5eedc3c82662693f38dd584f932988b9\download\BIT5F.tmp

                                Finished

Jeg skulle egentlig også have haft en log fra Hijackthis, men prøv lige følgende, inden du laver den:

Hent AVG Anti-Spyware herfra (14 dages version af plus-versionen)
http://www.spywarefri.dk/downloads1.htm
Installer og kør AVG Anti-Spyware - opdater programmet.

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

Kør en fuld scanning med AVG Anti-Spyware. Programmet laver en lille log, som du skal kopiere herind i dit næste svar.

Genstart herefter til normal tilstand, og lav en ny log med Hijackthis, som du lægger herind.

AVG Anti-Spyware rapport fil:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:    23:03:47 01-02-2007

+ Scan result:   



C:\Programmer\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : No action taken.
C:\SDFix\backups\backups.zip/backups/msnmsgr.exe -> Backdoor.Rbot : No action taken.
C:\Documents and Settings\LocalService\Lokale indstillinger\Temporary Internet Files\Content.IE5\CNRVY2AC\dk[1].exe -> Dialer.Agent.b : No action taken.
C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : No action taken.
C:\Programmer\LogMeIn\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : No action taken.
C:\WINDOWS\system32\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : No action taken.
[288] C:\WINDOWS\system32\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@ehg-lexmark.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Pernille\Cookies\pernille@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.


::Report end



HiJackThis rapportfil:



Logfile of HijackThis v1.99.1
Scan saved at 23:24:04, on 01-02-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Programmer\ThinkPad\Utilities\TpKmapMn.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programmer\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Comodo\Firewall\CPF.exe
C:\Programmer\LogMeIn\LogMeInSystray.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Messenger\MSMSGS.EXE
C:\Programmer\DAEMON Tools\daemon.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Comodo\Firewall\cmdagent.exe
C:\Programmer\LogMeIn\RaMaint.exe
C:\Programmer\LogMeIn\LogMeIn.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pernille\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Programmer\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NPDTray] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmer\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programmer\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170244497560
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmer\Comodo\Firewall\cmdagent.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programmer\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programmer\LogMeIn\LogMeIn.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe

Du kan lige se om du kan finde denne fil, og hvis ja, så slet den:
C:\Documents and Settings\LocalService\Lokale indstillinger\Temporary Internet Files\Content.IE5\CNRVY2AC\dk[1].exe

Derudover var det mest falske positiver, og mindre alvorlige ting, som blev fundet i AVG-Antispyware.

Får du stadig melding om at du er inficeret, og hvis ja, hvilket program melder om det, og hvad er den præcise besked (hvilken fil bliver du advaret om (navn og placering))?

ejvindh får point