Errorsafe (få bort skiten)

tack mannengbg, verkar fungera utmärkt!

Jag sitter på en linux burk och får upp skiten titt som tätt, oftast på väldigt kassa sidor. det enda som står är lite varningar att den kommer scanna min dator sen händer det inte så mycket mer =/

Hej,

jag begick ett stort misstag här om dagen. Jag skulle se en windowsmedia-fil, fönstret sade att jag behövde "Golden codec". Jag installerade och efter det brakade skiten loss.

Jag haft stora problem med fönster som poppar upp i tid och otid, även om jag inte ens öppnar explorer. Jag har för mig att det stod èrror-safe` på ett av fönstren som kommer upp. De som kommer upp är oftast varningar från listen nere till höger som skriker virus, samt websidor som poppar upp. Startsidan har också blivit "yourieprotect.com" trots att det står "blank" i inställningarna.

Jag har kört ad aware och prövat ett från microsoft, men utan resultat. Jag prövade att skriva in som tidigare tipsades i hosts-filen men även det utan resultat.

Har jag så mycket virus som fönstren säger?
Vågar jag mata in lösenord o dyl?
Hur i hela världen ska jag bli av med skiten?

tackam för all hjälp som jag kan få.


EDITERAD AV MODERATOR: Tagit bort aktiv länk till "yourieprotect.com", då man kan bli smittad där.

Immortalis > Hämta hem HiJack This 1.99.1 från nedanstående länk

http://www.thespykiller.co.uk/files/HJTsetup.exe

Spara ner den till skrivbordet.
Dubbelklicka nu på HJTsetup som du sparade ner till skrivbordet för att starta installationen.
Det här är en komplett (automatisk) installation som installerar HiJack This på din dator i C:\Program\Hijackthis\HijackThis.exe (C:\Program Files\Hijackthis\HijackThis.exe) samt att den skapar en programicon i startmenyn och möjliggör att skapa en genväg på ditt skrivbord under installationen (Läs/följ instruktionerna under installationens gång):
Kasta HJTsetup då du är klar med installationen:

Byt nu namn på Hijackthis till kapat.exe eller något

Använd HiJack This (HJT) så här:
Bara dubbelklicka på HiJack This (HJT) så öppnas den. Klicka *Do a System Scan and Save a Logfile*
Lägg den någonstans (EX: Skrivbordet) och en textfil kommer upp, kopiera den hit, så får du hjälp att tolka den. Det mesta i logfilen är nödvändiga komponenter, så fixa inget själv.

Skapa en ny tråd och posta i den.

Ny tråd?
Jag antog att det var ErrorSafe eftersom det står så på vissa av sidorna jag fått upp och jag ville inte skräpa ner med fler trådar eftersom jag inte riktigt vet var som är felet. Jag är inte helt hemma på området..

Logfilen:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Gold Codec\isamonitor.exe
C:\Program\Gold Codec\pmsngr.exe
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program\Dell\Media Experience\PCMService.exe
C:\Program\Gold Codec\isamini.exe
C:\Program\Gold Codec\pmmon.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program\Winamp\winampa.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program\DELADE~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
C:\Program\Winamp\winamp.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\Program\Windows Defender\MSASCui.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/s...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login1.telia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/s...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = telia1.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Program\Gold Codec\isaddon.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program\Gold Codec\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe "
O4 - HKLM\..\Run: [MMTray] C:\Program\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093080902781
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.239.32.130/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O17 - HKLM\System\CS2\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Då ska vi se, du blir tvungen att ta ner en del program nu. Hoppas du kan engelska

Please download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip . Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder

• Double-click smitfraudfix.cmd
• Select option #1 - Search by
  • typing 1
  • pressing "Enter"
• A text file will appear which lists infected files (if present).
• Please copy/paste the content of that report into this thread.

:!: Note :!:
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. (See http://www.beyondlogic.org/consulting/proc...processutil.htm )

Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4

· Double-click VundoFix.exe to run it.
· Put a check next to Run VundoFix as a task.
· You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
· When VundoFix re-opens, click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.

Byt namn på Hijackthis till kapat.exe till exempel och posta loggorna från den och SmitfraudFix

Hoppsan, låter allvarligt...
..engelskan är nog mitt minsta problem i sammanhanget!

Jag bytte namn på Hijack, loggen blev följande:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Gold Codec\isamonitor.exe
C:\Program\Gold Codec\pmsngr.exe
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program\Dell\Media Experience\PCMService.exe
C:\Program\Gold Codec\isamini.exe
C:\Program\Gold Codec\pmmon.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program\Winamp\winampa.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program\DELADE~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
C:\Program\Winamp\winamp.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\Program\Windows Defender\MSASCui.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program\Hijackthis\kapat.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/s...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login1.telia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/s...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = telia1.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Program\Gold Codec\isaddon.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program\Gold Codec\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe "
O4 - HKLM\..\Run: [MMTray] C:\Program\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093080902781
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.239.32.130/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O17 - HKLM\System\CS2\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

SmitFraudFix v2.124 logfil:

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcvwaah.dll FOUND !

»»»»»»»»»»»»»»»» C:\Documents and Settings\Connor


»»»»»»»»»»»»» C:\Documents and Settings\Connor\Application Data


»»»»»»»»»»»»»»Start Menu

C:\DOCUME~1\ALLUSE~1\START-~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\START-~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»» C:\DOCUME~1\Connor\FAVORI~1


»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»» C:\Program

C:\Program\Gold Codec\ FOUND !

»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="Min aktuella startsida"

»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»» Scanning wininet.dll infection


» End

Seriöst, säger mannenGbg att du ska starta en ny tråd så starta en ny tråd. Du har samma problem som alla andra som besöker ES hemsidorna , det betyder inte att du är smittad!

Det här med Codecs är ett helt annat problem.

Då fortsätter vi

Starta om datan i felsäkert läge, tryck F8 under uppstarten och välj utan nätverk

Open the SmitfraudFix folder

• Double-click smitfraudfix.cmd file to start the tool.
• Select option #2 - Clean by typing 2 and press Enter.
  [color=Red]Warning : running option #2 on a uninfected computer will remove your Desktop background.[/color]
• Wait for the tool to complete and disk cleanup to finish.
• You will be prompted : "Registry cleaning - Do you want to clean the registry?"
  • Answer Yes by typing Y
  • Hit Enter.
• The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  • Answer Yes to the question "Replace infected file?" by typing Y
  • Hit Enter.
• A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually.
• The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log here

Kör igång Hijackthis, bocka för dessa rader och tryck "fix"
Vissa av dom kan vara borta nu

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Program\Gold Codec\isaddon.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program\Gold Codec\iesplugin.dll

O4 - HKLM\..\Run: [Shellapi32] svcnet.exe

O4 - HKCU\..\Run: [Shellapi32] svcnet.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Fixa även dessa ipnummer med Hijackthis om du inte använder dom

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18
O17 - HKLM\System\CS2\Services\Tcpip\..\{0FD65E43-5DB3-4B0E-85EE-67B34A4EA72F}: NameServer = 212.33.64.2,212.33.64.18

Starta om datan som vanligt och sök igenom den med Panda. Posta loggen här om den hittar något tillsammans med en från SmitFraudFix och Hijackthis
http://www.pandasoftware.com/products/ActiveScan.htm

Done and done!

Kan man göra samma sak med andra spywareadresser tex. SmileyCentral och SpywareStormer? Kan det vara så enkelt att man bara, helt sonika byter namen?

Tacksam för svar.

Lägg bara till en ny rad på dokumentet med

0.0.0.0 www.spywarehemsida.com

Logfile of HijackThis v1.99.1
Scan saved at 11:02:39, on 2006-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\PROGRAM\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRAM\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\Explorer.EXE
C:\Program\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRAM\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\system32\svchost.exe
C:\totalcmd\TOTALCMD.EXE
c:\highjack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpeedStartup] C:\Program\Speed Startup\speedstartup.exe bootup
O4 - HKLM\..\RunOnce: [SpeedStartup] C:\Program\Speed Startup\speedstartup.exe runonce
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nicke\Start-meny\Program\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspn et_state.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\tmproxy.exe

Ser något galet ut