Min I.E skriver underlige tegn foran alle websider?

Du har en browser hijacker (coolWebSearch). Hvis du un-escaper strengen bliver det til  'ehttp.cc/?www.eksperten.dk'

Hent programmet hijackThis http://www.spychecker.com/program/hijackthis.html og fjern alt hvad der lugter af ehttp.
Eller fjern den manuelt, hvis du har nogenlunde styr på registreringsdatabasen. Instruktioner f.eks. her:
http://www.kephyr.com/spywarescanner/library/coolwebsearch.ehttp/index.phtml

M.v.h.
Kim

1) Cwshredder (+ vejledning på dansk): http://www.arlet.dk/special.htm

2) Følg vejledningen for Spybot og HijackThis her: http://www.arlet.dk/spybothjt.htm

Smid loggen herind, i dette spm, så vil vi kigge på den. Husk at indsætte *alle* linier fra loggen herinde.

(dette indlæg betyder ikke at jeg tager loggen)

Ok, så er det gjort, - her er loggen - kan I se noget der ikke skal være der?

Logfile of HijackThis v1.97.7
Scan saved at 21:54:55, on 21-04-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmer\Stofaon\ESCape.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Winamp\winamp.exe
C:\Documents and Settings\Smedegaard\Dokumenter\Programmer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\elf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\elf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.e-finder.cc/search/" target="_blank">http://homepage.com
%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\elf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.e-finder.cc/search/" target="_blank">http://homepage.com
%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\elf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\elf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.e-finder.cc/search/" target="_blank">http://homepage.com
%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\elf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.e-finder.cc/search/" target="_blank">http://homepage.com
%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50020
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.e-finder.cc/search/" target="_blank">http://homepage.com
%00@www.e-finder.cc/search/ (obfuscated)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B50162AC-A06D-45B9-8EFF-15721F044A15} - C:\WINDOWS\System32\pmfjc.dll (file missing)
O2 - BHO: (no name) - {D625C1B2-5CB3-4A21-9580-6E9516E79852} - C:\WINDOWS\System32\elf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Genvej til ESCape.lnk = C:\Programmer\Stofaon\ESCape.exe
O4 - Startup: MSN Messenger 6.1.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38095.0766550926
O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe

ok tak for det, jeg har fundet ud af det :)

Det var bl.a disse der fuckede up i det:

O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?

Prøv lige cwshredder igen
Hent og kør CWSHredder herfra: http://www.arlet.dk/special.htm
genstart og ny hijackthis log