tetsuo, Beginner
24 April 2006 - 22:42 There are 9 comments

Hijack, if you would be so kind, and please remove Spyware Quake

I have got a very nasty program that I cannot remove. It stays down in the menu bar and alternates between being a wheelchair and a red stop sign. Sometimes it shows a pop-up saying something along the lines of my computer being FULL of spyware! I have tried removing it with Ad-Aware and Spybot S&D, but all to no avail.
My log looks like this; how can I remove that program?

Logfile of HijackThis v1.99.1
Scan saved at 22:28:47, on 24-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Analog Devices\SoundMAX\Smax4.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmer\SHARKOON Technologies GmbH\SHARKOON STATION\Majestic.exe
C:\Programmer\QuickTime\qttask.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Google\Google Talk\googletalk.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Ventrilo\Ventrilo.exe
C:\Spil\Steam\Steam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\Rar$EX00.453\Uptimer4.exe
C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\Rar$EX00.609\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} -

C:\WINDOWS\system32\hpCA3C.tmp
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common

Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SHARKOON STATION] C:\Programmer\SHARKOON Technologies

GmbH\SHARKOON STATION\Majestic.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched]

C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VideoraiPodConverter]

C:\Programmer\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmer\Google\Google Desktop

Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Programmer\Google\Google Talk\googletalk.exe"

/autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk =

C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Ventrilo.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel -

res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

(file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.c

ab?1140111120031
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} -

http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl

Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -

http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSa

feFreeInstall_dk.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. -

C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog

Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
forevernewbie, Beginner
24 April 2006 - 22:47 #1
1. Download SmitfraudFix.zip and unpack it to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

The program unpacks into a folder named SmitfraudFix.


2. Download this scanner http://www.superantispyware.com/downloads/SUPERAntiSpyware1241.exe

Install the scanner and update it manually. Note: during installation it suggests that you register with your email. You do not need to do that.

Do not scan yet.


3. Restart in safe mode; if you do not know how, look here:

http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1


4. Open the SmitfraudFix folder that you got on the Desktop, double-click SmitfraudFix.cmd and press 2 - answer yes to cleaning (y=yes). Let the program complete a cleaning. If the fix restarts the computer, you must afterwards boot into safe mode again and continue the procedure with SuperAntiSpyware.


5. Start SuperantiSpyware and click "Scan your computer". Tick your drives on the left of the window. On the right of the window, select "Perform Complete Scan". Click "Next", and it starts scanning. When it is finished, select what it found and let the scanner remove it.

Restart into normal mode (the scanner may offer to do it).


6. Open the scanner again and click "preferences" -> "statistics/logs". Select the log and click "View log". Copy the log into the thread here, together with a fresh HijackThis log. SmitfraudFix also creates a small text file (log). Copy that log in as well.
forevernewbie, Beginner
24 April 2006 - 22:49 #2
I would very much like the next HijackThis log you post to be "joined up", thanks.
tetsuo, Beginner
24 April 2006 - 23:02 #3
What do you mean by joined up?
forevernewbie, Beginner
24 April 2006 - 23:04 #4
Without gaps between the lines, such as, for example, this:

O23 - Service: iPodService - Apple Computer, Inc. -

C:\Programmer\iPod\bin\iPodService.exe
tetsuo, Beginner
24 April 2006 - 23:10 #5
OK, I'll try it tomorrow, but thanks in advance for the help
tetsuo, Beginner
25 April 2006 - 22:35 #6
Thanks, it worked
Superanti log:
SUPERAntiSpyware Scan Log
Generated 04/25/2006 at 10:05 PM

Core Rules Database Version : 2894
Trace Rules Database Version: 1037

Memory threats detected  : 0
Registry threats detected : 9
File threats detected    : 32

Trojan.Homepage
    HKLM\Software\Classes\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}
    HKCR\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}
    HKCR\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}
    HKCR\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}\InprocServer32
    HKCR\CLSID\{EDBF1BC8-39AB-48EB-A0A9-C75078EB7C8E}\InprocServer32#ThreadingModel
    C:\WINDOWS\system32\hpCA3C.tmp

Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\administrator@www.webstat[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@pacificpoker[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@888[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@cassava[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@as1.falkag[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@adserver.filefront[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ads.gameforgeads[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@track.adform[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@xml.bravenetmedianetwork[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt

Trojan.Security Toolbar
    C:\Documents and Settings\All Users\Menuen Start\Online Security Guide.url
    C:\Documents and Settings\All Users\Skrivebord\Security Troubleshooting.url
    C:\Documents and Settings\All Users\Skrivebord\Online Security Guide.url

Adware.ClickSpring/Yazzle
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#.Owner
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#{74CD40EA-EF77-4BAD-808A-B5982DA73F20}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx [  ]

Malware.SpywareQuake
    C:\Documents and Settings\Administrator\Lokale indstillinger\Temp\temp.fr4BD3\Spyware-Quake.exe
    C:\Documents and Settings\Administrator\Skrivebord\Downloads\SpywareQuakeInstaller.exe
    C:\WINDOWS\Prefetch\SPYWAREQUAKEINSTALLER.EXE-0CBF6204.pf

smit log:
SmitFraudFix v2.34

Scan done at 21:35:58,21, 25-04-2006
Run from C:\Documents and Settings\Administrator\Skrivebord\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\interf.tlb Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\xenadot.dll Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ADMINI~1\FORETR~1\Antivirus Test Online.url Deleted
C:\Programmer\SpywareQuake.com\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End

hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 22:35:15, on 25-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Analog Devices\SoundMAX\Smax4.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmer\SHARKOON Technologies GmbH\SHARKOON STATION\Majestic.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\VideoraiPodConverter\VideoraiPodConverter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Google\Google Talk\googletalk.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Fælles filer\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programmer\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programmer\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOKALE~1\Temp\Rar$EX00.078\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SHARKOON STATION] C:\Programmer\SHARKOON Technologies GmbH\SHARKOON STATION\Majestic.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Programmer\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Programmer\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Ventrilo.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140111120031
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_dk.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for the help
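The "joined up" log asked for in #2 and #4, and a comparison of the two HijackThis logs posted in this thread, as an added example that is not part of any post. The function names are hypothetical, the sample lines are constructed excerpts from the thread's own logs, and the 84-character wrap width is an assumption inferred from where the first paste breaks long URLs.

```python
import re

# HijackThis entries start with a section code such as "R0 - ", "O4 - ", "O23 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

def rejoin_entries(log_text, wrap_width=84):
    """Rebuild one entry per line from a paste that was wrapped and blank-line padded.

    Heuristic (assumption): a physical line that fills the wrap width was cut
    mid-token, so the next fragment is glued on without a space; a shorter line
    was wrapped at a space. Header and process-list lines before the first
    entry are ignored. Pass only the log text, not the surrounding post.
    """
    entries, current, prev_len = [], None, 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # padding inserted by the paste
        if ENTRY_START.match(line):
            if current is not None:
                entries.append(current)
            current = line
        elif current is not None:
            glue = "" if prev_len >= wrap_width else " "
            current += glue + line        # continuation of the previous entry
        else:
            continue                      # header / running-process section
        prev_len = len(line)
    if current is not None:
        entries.append(current)
    return entries

def diff_logs(before_text, after_text, wrap_width=84):
    """Return (removed, added) entries between two scans, ignoring spacing."""
    norm = lambda e: " ".join(e.split())
    before = [norm(e) for e in rejoin_entries(before_text, wrap_width)]
    after = [norm(e) for e in rejoin_entries(after_text, wrap_width)]
    removed = [e for e in before if e not in after]
    added = [e for e in after if e not in before]
    return removed, added

# Constructed sample: excerpt of the first (wrapped) log in the thread.
BEFORE_WRAPPED = r"""
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} -

C:\WINDOWS\system32\hpCA3C.tmp
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -

http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSa

feFreeInstall_dk.cab
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
"""

# Constructed sample: the same entries as they appear in the second log.
AFTER_JOINED = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_dk.cab
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_WRAPPED, AFTER_JOINED)
    for e in removed:
        print("- " + e)
    for e in added:
        print("+ " + e)
```

Entries present in both scans, such as the winzoa32 Winlogon Notify line, do not appear in either list, which is why the remaining entries still have to be reviewed by hand.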
tetsuo, Beginner
25 April 2006 - 22:43 #7
If you could just post an answer instead of a comment, so I can give you your points; I'll throw in 10 extra as thanks for the help
forevernewbie, Beginner
25 April 2006 - 23:20 #8
Unfortunately we are not finished yet. There is a bit more dirt that needs to go.

Download this cleaner, which you will need later http://www.eksperten.dk/spm/704720

Download and save this scanner on the desktop. Do not activate it yet.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Read through this guide thoroughly.
http://fromsej.dk/Vejledninger/html/drweb.html

Boot into safe mode (press F8 several times during startup)

Then run drwebcureit. When you have double-clicked the file, it does a short memory scan. When it is finished, select your drives and click the icon in the lower right corner. Let it cure, or delete, what it finds.

Run a scan with HijackThis, so that you can see all files. Close all windows, tick these lines, and click fix checked.

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe"  -osboot
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_dk.cab
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll

Delete this file:

C:\WINDOWS\SYSTEM32\winzoa32.dll

Run the cleaner. Tick "select all" (you can leave out cookies) and click "empty selected".

Restart into normal mode.

Then click Start->Search, find the file drweb32w.log, and copy the bottom part of the text in here, starting with:
Total session statistics.

And a fresh HijackThis log.
forevernewbie, Beginner
25 April 2006 - 23:23 #9
Wrong link to ATF Cleaner. It is here http://www.atribune.org/content/view/19/2/