Avatar billede gentle_foxsvig Nybegynder
22. maj 2004 - 22:40 Der er 17 kommentarer og
3 løsninger

Hijackthis log fra en ven

Hej. Jeg sidder og prøver at hjælpe en ven med sin "langsomme" computer. Han siger der kommer en masse trælse pop-ups hver gang han åbner explorer. Ydermere skriver Ad-aware ofte advarsler om registry key modifications.

Han har nu kørt Spybot, fundet 227 emner og markeret/slettet det hele. Så har han kørt hijackthis, og loggen følger her:

Logfile of HijackThis v1.97.7
Scan saved at 22:30:26, on 22-05-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMMER\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\PROGRAMMER\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMER\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SKRIVEBORD\CS4P028.EXE
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SKRIVEBORD\NY MAPPE\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {51FBC1EC-1CB1-4C28-74F2-87D242AE21D1} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAMMER\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\programmer\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [HotVideo_dk] c:\program files\dialers\hotvideo_dk\hotvideo_dk.exe /noconnect
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmer\Fælles filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Programmer\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Programmer\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Kangaroo (HKLM)
O12 - Plugin for .mts: C:\Programmer\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf[1]: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.251.67.30/live/AxisCamControl.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.4853587963
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab


På forhånd tak for hjælp til alle der svarer.
Avatar billede arlet Juniormester
22. maj 2004 - 22:47 #1
løber den igennem
Avatar billede arlet Juniormester
22. maj 2004 - 22:50 #2
Flyt først filen Hijackthis til en mappe oprettet kun til den.

Du skal nu til at i gang med at fixe:

Deaktiver systemgendannelse:
http://www.arlet.dk/systemgendannelsen.htm

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked, luk hijackthis igen.
Dobbelttjek, så alt kommer med.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {51FBC1EC-1CB1-4C28-74F2-87D242AE21D1} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAMMER\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O4 - HKLM\..\Run: [HotVideo_dk] c:\program files\dialers\hotvideo_dk\hotvideo_dk.exe /noconnect

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab


Find og slet i fejlsikret(f8 ved opstart):


c:\program files\dialers <-hele mappen


Derefter genstarter du og sender en ny log herind, for at se om vi har fået den helt ren.
Først når din log er endelig godkendt, må du aktiver din systemgendannelse igen.
Avatar billede gentle_foxsvig Nybegynder
22. maj 2004 - 22:53 #3
Vi prøver, vender tilbage snarest...
Avatar billede gentle_foxsvig Nybegynder
22. maj 2004 - 23:37 #4
Så, det tog lidt tid med messenger-korrespondance o.l. men nu har vi en ny log:

Logfile of HijackThis v1.97.7
Scan saved at 23:33:41, on 22-05-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMMER\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\PROGRAMMER\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMER\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SKRIVEBORD\NY MAPPE\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\BIN\APUC.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\programmer\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [HotVideo_dk] c:\program files\dialers\hotvideo_dk\hotvideo_dk.exe /noconnect
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmer\Fælles filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Programmer\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Programmer\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Kangaroo (HKLM)
O12 - Plugin for .mts: C:\Programmer\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf[1]: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.251.67.30/live/AxisCamControl.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.4853587963
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

Der er stadig noget der driller... :(
Avatar billede nimoha Nybegynder
22. maj 2004 - 23:49 #5
Hent CWSHredder: http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Som det første skal du trykke på check for update så skal du lukke alle åbne vinduer, på nær CWSHredder, klik på Fix, den scanner nu, når den er færdig klik på Next, til sidst klik på Exit.

Genstart, og derefter ny log
Avatar billede gentle_foxsvig Nybegynder
22. maj 2004 - 23:59 #6
Når den vil checke for updates kan den ikke forbinde til serveren. Kan vi godt køre det uden updates?
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 00:22 #7
Nå, sengetid, kæmper videre med det i morgen.
Avatar billede nimoha Nybegynder
23. maj 2004 - 00:37 #8
Den jeg linker til skulle være nyeste version, så du kan godt køre den uden at opdatere.
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 09:22 #9
CWShredder kørt, men synes stadig der er for mange R0- og R1-ere i loggen :(

Logfile of HijackThis v1.97.7
Scan saved at 09:21:00, on 23-05-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMMER\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\PROGRAMMER\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMER\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAMMER\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SKRIVEBORD\NY MAPPE\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAMMER\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmer\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\programmer\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\PROGRAMMER\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [HotVideo_dk] c:\program files\dialers\hotvideo_dk\hotvideo_dk.exe /noconnect
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmer\Fælles filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Programmer\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Programmer\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [MessengerPlus2] "C:\Programmer\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAMMER\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Kangaroo (HKLM)
O12 - Plugin for .mts: C:\Programmer\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf[1]: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.251.67.30/live/AxisCamControl.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.4853587963
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

Hvad kan vi ellers gøre?
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 11:45 #10
Undrer mig lidt at Hijackthis ikke har fået fjernet disse linjer

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

da jeg på flere sider har set andre få det fjernet.

http://www.computing.net/windowsxp/wwwboard/forum/93460.html
http://www.netrn.net/archives2/000252.html

Jeg synes det er en håbløs kamp...
Avatar billede fromsej Praktikant
23. maj 2004 - 11:58 #11
Du har ikke deaktiveret systemgendannelse -> O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
Hent TheKillBox:
http://home8.inet.tele.dk/fbj/TheKillBox.exe
http://home8.inet.tele.dk/fbj/TheKillBoxBrugsanvisning.htm

Fixes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAMMER\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [HotVideo_dk] c:\program files\dialers\hotvideo_dk\hotvideo_dk.exe /noconnect

Den her, er det noget du har brug for, ellers fix den.
O4 - HKLM\..\Run: [reminder.exe] C:\programmer\BackWeb\tuner\reminder.exe

Brug Thekillbox til at slette det hele, kig i manualens underpunkt, Sletning ved næste genstart.
Slettes:
C:\WINDOWS\2_0_1browserhelper2.dll
C:\PROGRAMMER\LYCOS\IEAGENT\CSIE.DLL
C:\WINDOWS\SYSTEM\BRIDGE.DLL
C:\WINDOWS\BXXS5.DLL
c:\program files\dialers\ <- Mappen.


Hvis du fixer linien skal den her slettes.
C:\programmer\BackWeb\tuner\reminder.exe

Derefter genstart og en, forhåbentlig, sidste log til tjek.
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 12:11 #12
Det er altså mærkeligt. Han siger han har deaktiveret systemgendannelse.
Hans styresystem er forresten Win ME. Kan der være noget der automatisk slår systemgendannelse til?
Avatar billede fromsej Praktikant
23. maj 2004 - 12:47 #13
Der bliver jeg dig svar skyldig, jeg kender næsten ikke ME.
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 12:52 #14
Ok, det er der ikke noget at gøre ved. Vi overvejer lidt bare at følge dette råd, og så ellers lave en genoprettelse hvis noget går galt (taget fra http://www.netrn.net/archives2/000252.html)

I posted this, and its been 2 months later and its still gone from my system:

Run regedit

Search and delete all instances of www.default-homepage-network.com

Search and delete all instances of http://server224.smartbotpro.net/7search

Search and delete all instances of nCase

Search and delete all instances of http://my.uo.com/fonts/tdserver.cab

I did this a week ago and since then I have had no further troubles


Så må det briste eller bære.
Avatar billede fromsej Praktikant
23. maj 2004 - 13:11 #15
Prøv lige metoden med Hijackthis og TheKillBox først.
I kan jo altid tage backup af registreringsdatabasen, inden i piller.
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 13:15 #16
Vi har kørt ad-aware scans tre gange nu, og er gået fra 35 til 18 fundne ting, men der er en IST service, der hvert sekund (!) laver en registry key modification, så ad-watch går lidt i selvsving. Prøver hijackthis igen senere, men tror stadig ikke at den får fjernet smartbotpro.net og default-homepage-network...
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 14:36 #17
Ad-aware scan finder ingenting nu. Ad-watch går stadig amok, og hijackthis fjerner ikke de ting vi sætter den til. :( Vi går i krig med registreringsdatabasen....!
Avatar billede gentle_foxsvig Nybegynder
23. maj 2004 - 15:32 #18
Det hjalp heller ikke at rode med registreringsdatabasen, så vi kaster håndklædet i ringen, og han går i gang med genoprettelsesdisk...

Vi undrer os stadig meget over hvorfor systemgendannelse aktiverede sig selv... :(

n_jay og fromsej læg et svar og modtag point.
Avatar billede fromsej Praktikant
23. maj 2004 - 19:01 #19
OK.
Avatar billede nimoha Nybegynder
23. maj 2004 - 19:38 #20
Okay hvis du synes.
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester