
How do I remove this spyware?



Scan with Panda:

Incident Status Location

 

Adware:adware/xpasswordmanager Not disinfected c:\windows\system32\regperf.exe

Adware:adware/spywarequake Not disinfected c:\windows\system32\1024\ld4F40.tmp

Adware:adware/xplugin Not disinfected Windows Registry

Adware:adware/cws.aboutblank Not disinfected Windows Registry

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Hakon\Desktop\smitRem\Process.exe

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Janicke\Cookies\janicke@statcounter[1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Janicke\Cookies\janicke@atdmt[2].txt

Link to comment

Also scanned with HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:37:24, on 25.06.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

D:\Programmer\ProShow Gold\ScsiAccess.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Telenor\ecc\ecc.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

D:\Programmer\Itunes\iTunesHelper.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\rundll32.exe

D:\Programmer\Itunes\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Messenger\msmsgs.exe

E:\Virus Motstander\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\AdobeCS2\Acrobat Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ecc] C:\Program Files\Telenor\ecc\ecc.exe

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmer\Itunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [updateMgr] "D:\AdobeCS2\Acrobat Reader\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\AdobeCS2\Acrobat Reader\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Filter: text/html - {02448AF5-A3FC-48B1-8231-66A8F3BA0A08} - C:\WINDOWS\System32\ohmp.dll

O18 - Filter: text/plain - {02448AF5-A3FC-48B1-8231-66A8F3BA0A08} - C:\WINDOWS\System32\ohmp.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Unknown owner - D:\AdobeCS2\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - D:\Programmer\Itunes\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: ScsiAccess - Unknown owner - D:\Programmer\ProShow Gold\ScsiAccess.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

Hope someone can take a look at it. Thanks in advance.

Link to comment

You can try downloading CWShredder and then running it. I think it takes care of Home Search Assistant, which it looks like you have.

 

Then remove these with HijackThis:

 

 

O18 - Filter: text/html - {02448AF5-A3FC-48B1-8231-66A8F3BA0A08} - C:\WINDOWS\System32\ohmp.dll

O18 - Filter: text/plain - {02448AF5-A3FC-48B1-8231-66A8F3BA0A08} - C:\WINDOWS\System32\ohmp.dll

 

Then post a new HijackThis log.

Edited by stealthy
Link to comment

Right, and then take care of the remnants of Spywarequake with SmitFraudFix (SmitRem hasn't got everything, it seems from the Panda log). Check with option 1 whether it finds c:\windows\system32\1024\ld4F40.tmp, and if it finds it, run option 2 (clean) in safe mode.

 

This one must be deleted:

c:\windows\system32\regperf.exe , you will probably have to go into safe mode to get it.

 

Bernt K

Link to comment

Thanks a lot for the help. Removed regperf.exe in safe mode, downloaded Ewido anti-malware (which I'm going to buy). Incredibly good program. It found a full 132 "threats" and trojans and took care of them. All were located in the Windows system32 directory in a subfolder called 1024. Deleted the whole folder. Everything is clean now. But I haven't deleted the .dll files mentioned above, since they weren't identified by Ewido.

Link to comment
