totour.exe

[johny12]

mam problem s timto souborem avast mi ho hlasi pri kazdym spusteni jako vir nekolikrat uz jsem to cele projel ale furt me tam stve: jestli pomuze log tak tady je:


Logfile of HijackThis v1.99.1
Scan saved at 16:21:15, on 8.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Libor\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8FB5762-5579-4844-A061-C8BA59944DEF}: NameServer = 213.180.36.130,213.180.36.131
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

jo a ten totour.exe je umisten v system32

[fredik]

Co se týče logu ten je v pořádku jen fixni tyto drobnosti:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Jen by mě zajímalo jestli tam máš to Kerio běží ti od něho služba ale ve spuštěných procesech tam není?

No zkus ho otestovat na VirusTotall a dej sem výsledek.

Když ho avast smaže tak se ti tam objevuje znovu jestli sem to dobře pochopil?

[johny12]

Kód: Vybrat vše

Antivirus	Version	Update	Result
AntiVir	7.3.1.41	03.08.2007	TR/Agent.afg.1
Authentium	4.93.8	03.07.2007	no virus found
Avast	4.7.936.0	03.08.2007	Win32:Agent-ERY
AVG	7.5.0.447	03.08.2007	Generic3.GBE
BitDefender	7.2	03.08.2007	Trojan.Agent.AFG
CAT-QuickHeal	9.00	03.08.2007	Trojan.Agent.uwz
ClamAV	devel-20060426	03.08.2007	no virus found
DrWeb	4.33	03.08.2007	Trojan.MulDrop.5516
eSafe	7.0.14.0	03.07.2007	suspicious Trojan/Worm
eTrust-Vet	30.6.3464	03.08.2007	no virus found
Ewido	4.0	03.07.2007	Dropper.Small
FileAdvisor	1	03.08.2007	no virus found
Fortinet	2.85.0.0	03.08.2007	W32/Agent.AFG!tr
F-Prot	4.3.1.45	03.07.2007	no virus found
F-Secure	6.70.13030.0	03.08.2007	Trojan.Win32.Agent.afg
Ikarus	T3.1.1.3	03.08.2007	Trojan.Win32.Agent.afg
Kaspersky	4.0.2.24	03.08.2007	Trojan.Win32.Agent.afg
McAfee	4979	03.07.2007	no virus found
Microsoft	1.2204	03.08.2007	no virus found
NOD32v2	2102	03.08.2007	no virus found
Norman	5.80.02	03.07.2007	no virus found
Panda	9.0.0.4	03.08.2007	Adware/WebAttaker
Prevx1	V2	03.08.2007	Trojan.SystemPoser
Sophos	4.15.0	03.07.2007	no virus found
Sunbelt	2.2.907.0	03.07.2007	Trojan.Agent.AFG
Symantec	10	03.08.2007	Trojan Horse
TheHacker	6.1.6.072	03.07.2007	no virus found
UNA	1.83	03.07.2007	no virus found
VBA32	3.11.2	03.07.2007	Trojan.MulDrop.5516
VirusBuster	4.3.19:9	03.07.2007	Trojan.Agent.GFK

Aditional Information
File size: 39936 bytes
MD5: b33029ba154f2c880c6f5bef279f14cb
SHA1: f1d807be59bd3e9cc3fafec1863c68b01e32689a
packers: UPX
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=9ffc74625582

tak tady je ten vypis jo a to kerio sem zrovna nemel zaply kvuli jedny hre tak tady je kdyztak dalsi log jo a ten totour se zapina vzdy pri startu systemu i kdyz ho vymazu tady je ten log:

Kód: Vybrat vše

Logfile of HijackThis v1.99.1
Scan saved at 16:55:32, on 8.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Libor\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8FB5762-5579-4844-A061-C8BA59944DEF}: NameServer = 213.180.36.130,213.180.36.131
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

[fredik]

Zkus to projet tímto: Mwav
Spustíš ho dáš Update a spustíš kontrolu přes tlačítko Scan & Clean po skončení co najde to odstraní ale možná bude chtít restart tak to povol.

Kdyby i potom to blblo tak dej vědět vymyslíme něco jiného.

[franticek]

Spusť si lspfix a koukmni se, jestli tam nemáš msnetax.dll, popř. jinde v systému.
Koukni zde:

Kód: Vybrat vše

http://fileinfo.prevx.com/spyware/qq9ffc74625582-TOTO34367007/TOTOUR.EXE.html

[fredik]

V logu po tom souboru msnetax.dll není vidu ale můžeš se po něm podívat měl by se nacházet ve Win. v adresáři system32

To franticek: Pokud se podíváš na výsledky z VirusTotal, tak pokud je daný testovaný vzorek v databázi PrevX tak ti dá automaticky odkaz na informace k němu:
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=9ffc74625582
ale snaha pomoci se cení

[Damned]

Ten MWAV by ti ho měl odstranit. Pak si pro jistotu naplánuj kontrolu avastem po restartu a nech jí udělat.

[franticek]

No jo, jak se ale mám dívat na výsledky virustotalu, když nejsem mezi šťastnými majitely totour.exe? Jen jsem googlil.

[fredik]

Výsledek z VirusTotal uživatel johny12 vložil v příspěvku číslo #3 zároveň s nový logem. Tam je daný odkaz zmíněný.

[franticek]

No jo, 4 oči mám a furt je to málo.

[johny12]

tak to nepomohlo je tam furt

[franticek]

Zkus vzít hdd k někomu jinému a projet ho v jeho systému a pohledat tu knihovnu - tvůj systém nebude aktivní a nic se nebude různě schovávat.