Hej igen mortimer

Du skal nu til at i gang med at fixe. Først skal du slå systemgendannelse fra. Hvis du ikke ved, hvordan du gør det så kig her:  http://www.spywarefri.dk/virusscannere.htm#alle

Kør en scanning med Hijackthis, så du kan se alle filer.
Du får herunder nogle filer, som du skal fixe. Det, du skal gøre, er at sætte en vinge ud for disse filer. Når du har gjort det, så lukker du alle andre vinduer ned. Det er meget vigtigt at det eneste vindue, som er åbent er HijackThis vinduet. Husk også at lukke dette vindue, når du har markeret filerne. Nu må du fixe. Klik på Fix checked. Efter fix skal du genstarte din computer.

Det er disse, som skal fixes:

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://homepage.com @www.e-finder.cc/hp/ (obfuscated)
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

O4 - HKLM/../Run: [QuickTime Task] “C:/Programfiler/QuickTime/qttask.exe” -atboottime
O4 - HKLM/../Run: [TkBellExe] “C:/Programfiler/Fellesfiler/Real/Update_OB/realsched.exe” -osboot

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30ced6d2e080f2f98a18/netzip/RdxIE601.cab

Dem her kan du også med fordel fixe. De forsvinder ikke, kun fra run, og her ligger de bare og sluger dine kræfter:

O4 - HKLM/../Run: [SiS KHooker] C:/WINDOWS/System32/khooker.exe
O4 - HKLM/../Run: [SiSUSBRG] C:/WINDOWS/sisUSBrg.exe
O4 - HKLM/../Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe
O4 - HKLM/../Run: [NeroFilterCheck] C:/WINDOWS/system32/NeroCheck.exe

Genstart din computer.
Du skal også lige hente og installere programmet Ad-aware. Opdater det straks efter installationen, og inden du kører en scanning med denne. Fjern alt hvad den finder. Programmet samt brugervejledning på dansk finder du her: http://www.spywarefri.dk/vaerktoj.htm#adaware

Genstart din computer, kør en ny scanning med HijackThis, kopier en ny log herind til tjek.

Logfile of HijackThis v1.97.7
Scan saved at 21:54:37, on 04.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/Programfiler/Fellesfiler/Symantec Shared/ccSetMgr.exe
C:/Programfiler/Fellesfiler/Symantec Shared/ccEvtMgr.exe
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/System32/gearsec.exe
C:/Programfiler/Fellesfiler/Microsoft Shared/VS7DEBUG/MDM.EXE
C:/Programfiler/Norton AntiVirus/navapsvc.exe
C:/Programfiler/Norton AntiVirus/SAVScan.exe
C:/WINDOWS/Explorer.EXE
C:/WINDOWS/system32/sistray.EXE
C:/Programfiler/Fellesfiler/Symantec Shared/ccApp.exe
C:/Programfiler/iTunes/iTunesHelper.exe
C:/Programfiler/Logitech/iTouch/iTouch.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programfiler/iPod/bin/iPodService.exe
C:/Programfiler/Internet Explorer/IEXPLORE.EXE
C:/Programfiler/Messenger/msmsgs.exe
C:/Documents and Settings/Morten/Skrivebord/hijackthis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:/Programfiler/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:/WINDOWS/Downloaded Program Files/googlenav.dll
O4 - HKLM/../Run: [SiS Tray] C:/WINDOWS/system32/sistray.EXE
O4 - HKLM/../Run: [ccApp] “C:/Programfiler/Fellesfiler/Symantec Shared/ccApp.exe”
O4 - HKLM/../Run: [NAV CfgWiz] C:/Programfiler/Fellesfiler/Symantec Shared/CfgWiz.exe /GUID NAV /CMDLINE “REBOOT”
O4 - HKLM/../Run: [iTunesHelper] C:/Programfiler/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programfiler/Logitech/iTouch/iTouch.exe
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:/Programfiler/Fellesfiler/Adobe/Calibration/Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google; Search - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links; - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed; Snapshot of Page - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/OFFICE11/EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar; Pages - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmsimilar.html
O9 - Extra button: Oppslag (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/no/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38075.2279050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Oooops!
Det gikk litt fort der gitt, men her kommer den rette.
Problemet er der fortsatt, jeg vet ikke hva dette kan være.

mvh
Morten

Logfile of HijackThis v1.97.7
Scan saved at 22:01:34, on 04.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/Programfiler/Fellesfiler/Symantec Shared/ccSetMgr.exe
C:/Programfiler/Fellesfiler/Symantec Shared/ccEvtMgr.exe
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/System32/gearsec.exe
C:/Programfiler/Fellesfiler/Microsoft Shared/VS7DEBUG/MDM.EXE
C:/Programfiler/Norton AntiVirus/navapsvc.exe
C:/Programfiler/Norton AntiVirus/SAVScan.exe
C:/WINDOWS/Explorer.EXE
C:/WINDOWS/system32/sistray.EXE
C:/Programfiler/Fellesfiler/Symantec Shared/ccApp.exe
C:/Programfiler/iTunes/iTunesHelper.exe
C:/Programfiler/Logitech/iTouch/iTouch.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programfiler/iPod/bin/iPodService.exe
C:/Programfiler/Messenger/msmsgs.exe
C:/Programfiler/Internet Explorer/IEXPLORE.EXE
C:/Documents and Settings/Morten/Skrivebord/hijackthis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:/Programfiler/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:/WINDOWS/Downloaded Program Files/googlenav.dll
O4 - HKLM/../Run: [SiS Tray] C:/WINDOWS/system32/sistray.EXE
O4 - HKLM/../Run: [ccApp] “C:/Programfiler/Fellesfiler/Symantec Shared/ccApp.exe”
O4 - HKLM/../Run: [NAV CfgWiz] C:/Programfiler/Fellesfiler/Symantec Shared/CfgWiz.exe /GUID NAV /CMDLINE “REBOOT”
O4 - HKLM/../Run: [iTunesHelper] C:/Programfiler/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programfiler/Logitech/iTouch/iTouch.exe
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:/Programfiler/Fellesfiler/Adobe/Calibration/Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google; Search - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links; - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed; Snapshot of Page - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/OFFICE11/EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar; Pages - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmsimilar.html
O9 - Extra button: Oppslag (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/no/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38075.2279050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Din log er ren og du kan slå systemgendannelse til igen. Dit problem er vel forsvundet?

Du skal lige have et par gode råd om sikker surfing med på vejen:

http://www.spywarefri.dk/pakken.htm

God fornøjelse

Hej Mortimer

Nej helt ren er den nu ikke. Prøv at genstarte i fejlsikret tilstand.
Du må stadig ikke have din systemgendannelse slået til.

Kør en scanning med Hijackthis. Fix denne her:
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)

Se om det ikke hjælper på det. Ny log til tjek.

Beklager - jeg overså den som aovergaard peger på.

Du har en CoolWebSearch “infektion”.

Hent CWSschredder her:

http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Kør programmet, luk alle vinduer, undtaget CWSschredder, klik på “Fix”, den scanner nu, når den er færdig klik på “Next”, klik på “Finsih”.

Genstart din computer, kør HijackThis, scan og læg en frisk log herind.

Nå ser det ut til at det er iorden. Dere er helt utrolige,
tusen takk for all hjelp..
mvh
Morten

Logfile of HijackThis v1.97.7
Scan saved at 01:18:54, on 05.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/Programfiler/Fellesfiler/Symantec Shared/ccSetMgr.exe
C:/Programfiler/Fellesfiler/Symantec Shared/ccEvtMgr.exe
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/Explorer.EXE
C:/WINDOWS/System32/gearsec.exe
C:/WINDOWS/system32/sistray.EXE
C:/Programfiler/Fellesfiler/Symantec Shared/ccApp.exe
C:/Programfiler/Fellesfiler/Microsoft Shared/VS7DEBUG/MDM.EXE
C:/Programfiler/iTunes/iTunesHelper.exe
C:/Programfiler/Logitech/iTouch/iTouch.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programfiler/Norton AntiVirus/navapsvc.exe
C:/Programfiler/Norton AntiVirus/SAVScan.exe
C:/Programfiler/Messenger/msmsgs.exe
C:/Programfiler/iPod/bin/iPodService.exe
C:/Documents and Settings/Morten/Skrivebord/hijackthis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.startsiden.no/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:/Programfiler/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:/WINDOWS/Downloaded Program Files/googlenav.dll
O4 - HKLM/../Run: [SiS Tray] C:/WINDOWS/system32/sistray.EXE
O4 - HKLM/../Run: [ccApp] “C:/Programfiler/Fellesfiler/Symantec Shared/ccApp.exe”
O4 - HKLM/../Run: [NAV CfgWiz] C:/Programfiler/Fellesfiler/Symantec Shared/CfgWiz.exe /GUID NAV /CMDLINE “REBOOT”
O4 - HKLM/../Run: [iTunesHelper] C:/Programfiler/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programfiler/Logitech/iTouch/iTouch.exe
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:/Programfiler/Fellesfiler/Adobe/Calibration/Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google; Search - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links; - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed; Snapshot of Page - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/OFFICE11/EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar; Pages - res://C:/WINDOWS/Downloaded Program Files/googlenav.dll/cmsimilar.html
O9 - Extra button: Oppslag (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/no/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38075.2279050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Din log er ren og du kan aktivere systemgendannelse igen.

Du skal lige have et par gode råd om sikker surfing med på vejen:

http://www.spywarefri.dk/pakken.htm

God fornøjelse