Fjerne WORM.ALCAN!

Det lyder som om det er mere end 0 point værd.

Please..!! har ikke flere! det er da også vigtigere at hjælpe mig med at fjerne en virus end point!

Ved du hvad sarkasme er? Husk på, at det er lørdag nat, sent.

Hent http://www.spychecker.com/program/hijackthis.html (HijackThis), og gem dem i mappen c:\et-eller-andet, som du opretter til dette formål.
Kør HijackThis, klik på scan, kopier loggens tekst og smidt den herind.

Logfile of HijackThis v1.99.1
Scan saved at 12:56:28, on 29-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sgtark.exe
C:\Programmer\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\msxct.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Programmer\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\cmd.exe
c:\programmer\apache group\apache\htdocs\gotoalias.exe
C:\WINDOWS\system32\cmd.exe
C:\Dev-Cpp\DevCpp.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\explorer.exe
C:\Programmer\ISTsvc\istsvc.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\programmer\180solutions\sais.exe
C:\Programmer\Winamp\winamp.exe
D:\Documents and Settings\Ejer\Dokumenter\NSExplorer.exe
C:\Programmer\BullsEye Network\bin\bargains.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\DOCUME~1\Ejer\LOKALE~1\Temp\Rar$EX00.172\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Ejer\Application Data\Mozilla\Profiles\default\3klkd7ur.slt\prefs.js)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programmer\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Programmer\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dpGe] C:\WINDOWS\sgtark.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Programmer\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [Á²# é"h'þ9ÓœU3rŲWC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\sgtark.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmer\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Programmer\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [sais] c:\programmer\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Programmer\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [kdaxmxqd] C:\WINDOWS\kdaxmxqd.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programmer\SideFind\sidefind.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Apache - Unknown owner - C:\Programmer\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: R_dddtyermper - Realtek Semiconductor Corporation - (no file)

Siger det her dig noget?
O23 - Service: R_dddtyermper - Realtek Semiconductor Corporation - (no file)

(1)
Deaktiver systemgendannelse, ved at Højreklikke på "Denne Computer" på skrivebordet -> egenskaber -> Systemgendannelse -> sæt flueben i "Deaktiver systemgendannelse" -> Klik OK.

(2)
Hent scannereren http://www.spywareinfo.dk/download/mwav.exe, som vi skal bruge senere.

(3)
Genstart computeren i fejlsikret tilstand (tryk F8 når Windows starter op), og fix følgende linjer med HijackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programmer\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Programmer\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [dpGe] C:\WINDOWS\sgtark.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Programmer\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [Á ²# é"h'þ9ÓœU3rŲWC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\sgtark.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmer\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Programmer\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [sais] c:\programmer\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Programmer\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [kdaxmxqd] C:\WINDOWS\kdaxmxqd.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programmer\SideFind\sidefind.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: Apache - Unknown owner - C:\Programmer\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: R_dddtyermper - Realtek Semiconductor Corporation - (no file)

Åbn en tilfældig mappe, i menuen klik på Funktioner -> Mappeindstillinger -> Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

søg efter og slet følgende filer:
C:\WINDOWS\nem220.dll
C:\Programmer\SideFind\sfbho.dll
C:\WINDOWS\system32\msbe.dll
C:\WINDOWS\sgtark.exe
msxct.exe
p2pnetwork.exe
C:\Program Files\Media Access\MediaAccK.exe
kdaxmxqd.exe
C:\Programmer\Apache Group\Apache\Apache.exe
... og følgende mapper:
C:\Programmer\SideFind\
C:\Programmer\ISTbar\
C:\Programmer\MsConfigs\
C:\Programmer\ISTsvc\
C:\Program Files\Internet Optimizer\
C:\Programmer\BullsEye Network\
c:\programmer\180solutions\
C:\Programmer\Power Scan\

(4)
Start -> programmer -> tilbehør -> systemværktøjer -> diskoprydning -> Slet Temporary internet files, papirkurv og midlertidige filer.

(5)
Kør scanneren mwav.exe, og sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende: All local drives og Scan all files.
Tryk på Scan Clean
Scanningen kan godt tage et par timer.

(6)
Genstart computeren normalt. Lav en ny log med HijackThis, og send den herind.

(7)
Når vi er helt færdige, så husk at aktiver systemgendannelse igen.

SHIT! i mwav fandt jeg over 11.500 virusser?
Så kan jeg fandme godt forstå det var derfor det gik langsomt..

Ja, din computer er meget hårdt ramt. Det fremgik tydeligt at hijackthis loggen. Bare af nysgerrighed, hvordan har du fået så meget snavs på den?

Ved det ikke.
Har aldrig haft en firewall..

Lad mig gætte: Bor du i en boligforening eller et kollegie med fælles netværk?

Ja

Her er en god og gratis firewall:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
Klik på "Download FREE ZoneAlarm®".

Sun May 29 17:05:59 2005 => ***** Scanning complete. *****

Sun May 29 17:05:59 2005 => Total Number of Files Scanned: 166659
Sun May 29 17:05:59 2005 => Total Number of Virus(es) Found: 10175
Sun May 29 17:05:59 2005 => Total Number of Disinfected Files: 2
Sun May 29 17:05:59 2005 => Total Number of Files Renamed: 7
Sun May 29 17:05:59 2005 => Total Number of Deleted Files: 10086
Sun May 29 17:05:59 2005 => Total Number of Errors: 3
Sun May 29 17:05:59 2005 => Time Elapsed: 02:01:37
Sun May 29 17:05:59 2005 => Virus Database Date: 2005/05/17
Sun May 29 17:05:59 2005 => Virus Database Count: 130380

Sun May 29 17:05:59 2005 => Scan Completed.

Sun May 29 17:09:57 2005 => Virus Database Date: 2005/05/17
Sun May 29 17:09:57 2005 => Virus Database Count: 130380

Imponerende.