Velkommen!

Hent CWShredder her:

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Kør programmet, tjek for updates, luk alle vinduer, undtagen CWShredder, klik på Fix. Programmet scanner nu. Når det er færdigt, så klik på Next og Exit.

Genstart og derefter sender du en ny HijackThis-log herind.

Logfile of HijackThis v1.97.7
Scan saved at 22:43:37, on 18-05-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/SYSTEM/KERNEL32.DLL
C:/WINDOWS/SYSTEM/MSGSRV32.EXE
C:/WINDOWS/SYSTEM/MPREXE.EXE
C:/WINDOWS/SYSTEM/MSTASK.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMA32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMB32.EXE
C:/WINDOWS/EXPLORER.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FCH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/FSBWSYS.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/BACKWEB-7791805.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FAMEH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSGK32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/DFW/PROGRAM/FSDFWD.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSSM32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSAV32.EXE
C:/WINDOWS/TASKMON.EXE
C:/WINDOWS/SYSTEM/SYSTRAY.EXE
C:/WINDOWS/LOADQM.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSM32.EXE
C:/WINDOWS/STARTUPMONITOR.EXE
C:/PROGRAMMER/MSN MESSENGER/MSNMSGR.EXE
C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE
C:/PROGRAMMER/WINZIP/WZQKPICK.EXE
C:/WINDOWS/SYSTEM/WMIEXE.EXE
C:/WINDOWS/SKRIVEBORD/HIJACKTHIS.EXE

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/PROGRAMMER/ADOBE/ACROBAT 5.0/READER/ACTIVEX/ACROIEHELPER.OCX
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/SYSTEM/MSDXM.OCX
O4 - HKLM/../Run: [Skan registreringsdatabase] C:/WINDOWS/scanregw.exe /autorun
O4 - HKLM/../Run: [Job-oversigt] C:/WINDOWS/taskmon.exe
O4 - HKLM/../Run: [SystemTray] SysTray.Exe
O4 - HKLM/../Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKLM/../Run: [F-Secure Manager] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSM32.EXE” /splash
O4 - HKLM/../Run: [F-Secure TNB] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/TNB/TNBUtil.exe” /CHECKALL
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM/../RunServices: [Planlægningsagent] C:/WINDOWS/SYSTEM/mstask.exe
O4 - HKLM/../RunServices: [fsaa] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/fsaa.exe
O4 - HKLM/../RunServices: [F-Secure Management Agent] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSMA32.EXE
O4 - HKCU/../Run: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - HKCU/../Run: [IE Privacy Keeper] “C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE” -stcleanup
O4 - HKCU/../RunServices: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - HKCU/../RunServices: [IE Privacy Keeper] “C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE” -stcleanup
O4 - Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE
O4 - Global Startup: WebSpeed Sikkerhedspakke.lnk = C:/Programmer/WebSpeed Sikkerhedspakke/backweb/7791805/Program/backweb-7791805.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related; Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38090.3337731482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Følg vejledningen her: http://www.spywarefri.dk/hjtanv.htm (punkt 5-6). Fix disse med HijackThis:

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php

Genstart og ny log fra HijackThis - tak

Så ser det sådan her ud:

ogfile of HijackThis v1.97.7
Scan saved at 23:13:55, on 18-05-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/SYSTEM/KERNEL32.DLL
C:/WINDOWS/SYSTEM/MSGSRV32.EXE
C:/WINDOWS/SYSTEM/MPREXE.EXE
C:/WINDOWS/SYSTEM/MSTASK.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMA32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMB32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/FSBWSYS.EXE
C:/WINDOWS/EXPLORER.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/BACKWEB-7791805.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FCH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FAMEH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSGK32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/DFW/PROGRAM/FSDFWD.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSSM32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSAV32.EXE
C:/WINDOWS/TASKMON.EXE
C:/WINDOWS/SYSTEM/SYSTRAY.EXE
C:/WINDOWS/LOADQM.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSM32.EXE
C:/WINDOWS/STARTUPMONITOR.EXE
C:/PROGRAMMER/MSN MESSENGER/MSNMSGR.EXE
C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE
C:/PROGRAMMER/WINZIP/WZQKPICK.EXE
C:/WINDOWS/SYSTEM/WMIEXE.EXE
C:/WINDOWS/SKRIVEBORD/HIJACKTHIS.EXE
C:/PROGRAMMER/INTERNET EXPLORER/IEXPLORE.EXE
C:/WINDOWS/SYSTEM/PSTORES.EXE

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/PROGRAMMER/ADOBE/ACROBAT 5.0/READER/ACTIVEX/ACROIEHELPER.OCX
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/SYSTEM/MSDXM.OCX
O4 - HKLM/../Run: [Skan registreringsdatabase] C:/WINDOWS/scanregw.exe /autorun
O4 - HKLM/../Run: [Job-oversigt] C:/WINDOWS/taskmon.exe
O4 - HKLM/../Run: [SystemTray] SysTray.Exe
O4 - HKLM/../Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKLM/../Run: [F-Secure Manager] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSM32.EXE” /splash
O4 - HKLM/../Run: [F-Secure TNB] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/TNB/TNBUtil.exe” /CHECKALL
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM/../RunServices: [Planlægningsagent] C:/WINDOWS/SYSTEM/mstask.exe
O4 - HKLM/../RunServices: [fsaa] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/fsaa.exe
O4 - HKLM/../RunServices: [F-Secure Management Agent] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSMA32.EXE
O4 - HKCU/../Run: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - HKCU/../Run: [IE Privacy Keeper] “C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE” -stcleanup
O4 - HKCU/../RunServices: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - HKCU/../RunServices: [IE Privacy Keeper] “C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE” -stcleanup
O4 - Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE
O4 - Global Startup: WebSpeed Sikkerhedspakke.lnk = C:/Programmer/WebSpeed Sikkerhedspakke/backweb/7791805/Program/backweb-7791805.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related; Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38090.3337731482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Vi prøver igen. Fix disse med HijackThis:

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php

Genstart og ny log.

Hvis de ikke er forsvundet fra næste HijackThis-log, så prøv at fixe dem fra fejlsikret tilstand (F8 i opstart).

Har prøvet i normal og fejlsikret tilstand. Noget andet jeg kan prøve??

ogfile of HijackThis v1.97.7
Scan saved at 23:43:18, on 18-05-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/SYSTEM/KERNEL32.DLL
C:/WINDOWS/SYSTEM/MSGSRV32.EXE
C:/WINDOWS/SYSTEM/MPREXE.EXE
C:/WINDOWS/SYSTEM/MSTASK.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMA32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMB32.EXE
C:/WINDOWS/EXPLORER.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FCH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/FSBWSYS.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/BACKWEB-7791805.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FAMEH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSGK32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/DFW/PROGRAM/FSDFWD.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSSM32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSAV32.EXE
C:/WINDOWS/TASKMON.EXE
C:/WINDOWS/SYSTEM/SYSTRAY.EXE
C:/WINDOWS/LOADQM.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSM32.EXE
C:/WINDOWS/STARTUPMONITOR.EXE
C:/PROGRAMMER/MSN MESSENGER/MSNMSGR.EXE
C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE
C:/PROGRAMMER/WINZIP/WZQKPICK.EXE
C:/WINDOWS/SYSTEM/WMIEXE.EXE
C:/WINDOWS/SKRIVEBORD/HIJACKTHIS.EXE

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/PROGRAMMER/ADOBE/ACROBAT 5.0/READER/ACTIVEX/ACROIEHELPER.OCX
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/SYSTEM/MSDXM.OCX
O4 - HKLM/../Run: [Skan registreringsdatabase] C:/WINDOWS/scanregw.exe /autorun
O4 - HKLM/../Run: [Job-oversigt] C:/WINDOWS/taskmon.exe
O4 - HKLM/../Run: [SystemTray] SysTray.Exe
O4 - HKLM/../Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKLM/../Run: [F-Secure Manager] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSM32.EXE” /splash
O4 - HKLM/../Run: [F-Secure TNB] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/TNB/TNBUtil.exe” /CHECKALL
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM/../RunServices: [Planlægningsagent] C:/WINDOWS/SYSTEM/mstask.exe
O4 - HKLM/../RunServices: [fsaa] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/fsaa.exe
O4 - HKLM/../RunServices: [F-Secure Management Agent] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSMA32.EXE
O4 - HKCU/../Run: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - HKCU/../Run: [IE Privacy Keeper] “C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE” -stcleanup
O4 - HKCU/../RunServices: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - HKCU/../RunServices: [IE Privacy Keeper] “C:/PROGRAMMER/UNH SOLUTIONS/IE PRIVACY KEEPER/IEPRIVACYKEEPER.EXE” -stcleanup
O4 - Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE
O4 - Global Startup: WebSpeed Sikkerhedspakke.lnk = C:/Programmer/WebSpeed Sikkerhedspakke/backweb/7791805/Program/backweb-7791805.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related; Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38090.3337731482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Hej jesper21

Det er da noget sejlivet skidt det der. Og du har prøvet af fjerne det fra fejlsikret tilstand.

Jeg har her et program, det er normalt ikke noget vi bruger til den slags filer her, men noget skal vi jo forsøge. Det er helt sikkert et forsøg værd, for væk skal det snavs der.

Hent det prg. her, samt læs brugsanvisningen som fbj har skrevet. Du skal ikke tage R0 og R1 med i linjen. Men som sagt, jeg lover ikke at den kan tage den slags filer.

http://home8.inet.tele.dk/fbj/TheKillBox.exe
http://home8.inet.tele.dk/fbj/TheKillBoxBrugsanvisning.htm

Og så er jeg spændt på om det her kan lade sig gøre eller ej. Ny log herind

Du skal lige sørge for at du kan se, og lede efter alle filer og mapper:

Gå i denne computer
Op i Vis – Mappeindstillinger.
Fanebladet vis
Prik i vis alle filer.

Hej igen

Jeg har prøvet hvad du foreslog både i normal og fejlsikret tilstand, intet har hjulpet.

Dog er jeg lidt i tvivl om jeg har gjort det rigtigt: Den sti jeg copy/paste over i TKB var disse:
HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php

Alle de seks du skrev tidligere

Er det rigtigt som jeg har gjort?

og for god ordens skyld en ny log:  (ik meget anderledes end før desværre)

Logfile of HijackThis v1.97.7
Scan saved at 09:41:26, on 19-05-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/SYSTEM/KERNEL32.DLL
C:/WINDOWS/SYSTEM/MSGSRV32.EXE
C:/WINDOWS/SYSTEM/MPREXE.EXE
C:/WINDOWS/SYSTEM/MSTASK.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMA32.EXE
C:/WINDOWS/EXPLORER.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMB32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FCH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/FSBWSYS.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/BACKWEB-7791805.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FAMEH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSGK32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/DFW/PROGRAM/FSDFWD.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSSM32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSAV32.EXE
C:/WINDOWS/TASKMON.EXE
C:/WINDOWS/SYSTEM/SYSTRAY.EXE
C:/WINDOWS/LOADQM.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSM32.EXE
C:/PROGRAMMER/MSN MESSENGER/MSNMSGR.EXE
C:/PROGRAMMER/WINZIP/WZQKPICK.EXE
C:/WINDOWS/SYSTEM/WMIEXE.EXE
C:/WINDOWS/SYSTEM/PSTORES.EXE
C:/WINDOWS/SYSTEM/DDHELP.EXE
C:/WINDOWS/SKRIVEBORD/HIJACKTHIS.EXE

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = http://jksearch.biz/redir.php
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/PROGRAMMER/ADOBE/ACROBAT 5.0/READER/ACTIVEX/ACROIEHELPER.OCX
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/SYSTEM/MSDXM.OCX
O4 - HKLM/../Run: [Skan registreringsdatabase] C:/WINDOWS/scanregw.exe /autorun
O4 - HKLM/../Run: [Job-oversigt] C:/WINDOWS/taskmon.exe
O4 - HKLM/../Run: [SystemTray] SysTray.Exe
O4 - HKLM/../Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKLM/../Run: [F-Secure Manager] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSM32.EXE” /splash
O4 - HKLM/../Run: [F-Secure TNB] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/TNB/TNBUtil.exe” /CHECKALL
O4 - HKLM/../RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM/../RunServices: [Planlægningsagent] C:/WINDOWS/SYSTEM/mstask.exe
O4 - HKLM/../RunServices: [fsaa] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/fsaa.exe
O4 - HKLM/../RunServices: [F-Secure Management Agent] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSMA32.EXE
O4 - HKCU/../Run: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE
O4 - Global Startup: WebSpeed Sikkerhedspakke.lnk = C:/Programmer/WebSpeed Sikkerhedspakke/backweb/7791805/Program/backweb-7791805.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related; Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38090.3337731482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Den er sejlivet, så må vi prøve lidt andet:

1. Download og installer følgende programmer:

Reglite - http://www.resplendence.com/reglite
Adaware - http://www.lavasoft.de/support/download/
SpyBot S&D - http://www.safer-networking.org/index.php?lang=en&page=download

2. Download og pak følgende programmer ud til deres egne mapper:

CWShredder - http://www.spywareinfo.com/downloads/tools/CWShredder.exe
TheKillBox - http://home8.inet.tele.dk/fbj/TheKillBox.exe

3. Kør Reglite og skriv

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows//AppInit_DLLs

ind i “Adress” feltet, tryk <Enter>.

4. Dobbeltklik på AppInit_DLLs for at åbne “Data Editor”, hvis det nederste felt kaldet “Value” indeholder en .dll fil er det den vi leder efter.

5. Den kan ikke slettes endnu, skriv stien og navnet ned på et stykke papir, det skal bruges senere.

6. I venstre vindue, højreklik på mappen “Windows”(Den er fremhævet med lilla), vælg “Rename” og omdøb den til “Notwindows”.

7. Klik på AppInit_DLLs igen, slet værdien der indeholder .dll’en klik OK, så burde den være væk.

8. Omdøb “Notwindows” tilbage til “Windows”

9. Kør Spybot, Ad-aware og CWShredder, husk at opdatere online inden du kører programmet.

10. Nu er det tid til at slette den .dll fil.

11. Kør TheKillBox (skal være pakket ud til sin egen mappe). I tekstfeltet skriver du stien til den fil du skrev ned tidligere (eksempelvis c:/windows/system23/dllha.dll). Nu skal du vælge Action -> Delete on reboot. Nu dukker der et lille vindue op - vælg File -> Add file. Vælg Action -> Process and reboot

12. Genstart din PC i Fejlsikret tilstand (ved at taste F8 under opstart). Kør Spybot, Ad-aware og CWShredder igen. Genstart i Normal mode og læg en frisk HijackThis log herind.
______________________________________________

Hvis pkt. 11 ikke virker: Gå i Start -> Kør og skriv cmd og klik OK. Du er nu i et DOS-vindue. Skriv attrib -r “stien til filen du skal slette” (eksempelvis attrib -r c:/windows/system23/dllha.dll)

Gentag pkt. 11 - 12.

Ok, jeg har installeret programmerne.

Starter reglite og skriver i adresselinien:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows//AppInit_DLLs

Så skal jeg dobbeltklikke appinit dlls, men det er der ikke noget der hedder.
Der kommer disse tre ting frem:

drivers.desc
drivers32
ab (default)

Hvad gør jeg?

Lader dem være og går videre i vejledningen.
Vi leder på højtryk efter en metode til din infektion.

Efter at have kørt hvad i har foreslået igennem op til flere gange ser det ud til der er noget der lykkedes nu. Det hele har været lidt besværligt af at computeren hele går ned når jeg klikker på denne computer. Nå men her er den nye log:
Logfile of HijackThis v1.97.7
Scan saved at 11:45:31, on 19-05-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/SYSTEM/KERNEL32.DLL
C:/WINDOWS/SYSTEM/MSGSRV32.EXE
C:/WINDOWS/SYSTEM/MPREXE.EXE
C:/WINDOWS/SYSTEM/MSTASK.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMA32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSMB32.EXE
C:/WINDOWS/EXPLORER.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FCH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/FSBWSYS.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/BACKWEB/7791805/PROGRAM/BACKWEB-7791805.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FAMEH32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/DFW/PROGRAM/FSDFWD.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSGK32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSSM32.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/ANTI-VIRUS/FSAV32.EXE
C:/WINDOWS/TASKMON.EXE
C:/WINDOWS/SYSTEM/SYSTRAY.EXE
C:/WINDOWS/LOADQM.EXE
C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/COMMON/FSM32.EXE
C:/PROGRAMMER/MSN MESSENGER/MSNMSGR.EXE
C:/PROGRAMMER/WINZIP/WZQKPICK.EXE
C:/WINDOWS/SYSTEM/WMIEXE.EXE
C:/HIJACK/HIJACKTHIS.EXE

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.spywarefri.dk/
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/PROGRAMMER/ADOBE/ACROBAT 5.0/READER/ACTIVEX/ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHELPER.DLL
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/SYSTEM/MSDXM.OCX
O4 - HKLM/../Run: [Skan registreringsdatabase] C:/WINDOWS/scanregw.exe /autorun
O4 - HKLM/../Run: [Job-oversigt] C:/WINDOWS/taskmon.exe
O4 - HKLM/../Run: [SystemTray] SysTray.Exe
O4 - HKLM/../Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKLM/../Run: [F-Secure Manager] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSM32.EXE” /splash
O4 - HKLM/../Run: [F-Secure TNB] “C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/TNB/TNBUtil.exe” /CHECKALL
O4 - HKLM/../RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM/../RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM/../RunServices: [Planlægningsagent] C:/WINDOWS/SYSTEM/mstask.exe
O4 - HKLM/../RunServices: [fsaa] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/fsaa.exe
O4 - HKLM/../RunServices: [F-Secure Management Agent] C:/PROGRAMMER/WEBSPEED SIKKERHEDSPAKKE/Common/FSMA32.EXE
O4 - HKCU/../Run: [MsnMsgr] “C:/Programmer/MSN Messenger/MsnMsgr.Exe” /background
O4 - Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE
O4 - Global Startup: WebSpeed Sikkerhedspakke.lnk = C:/Programmer/WebSpeed Sikkerhedspakke/backweb/7791805/Program/backweb-7791805.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related; Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38090.3337731482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab