Hjælp til log-fil

-- Hent S!Ri's SmitfraudFix.zip og pak det ud til dit Skrivebord.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Programmet pakker sig ud i en mappe, der hedder SmitfraudFix.

NB: Filen "process.exe" som ligger i dette værktøj bliver af visse antivirus-programmer identificeret som "RiskTool". Det har dog ikke noget på sig!

-- Hent AVG Anti-Spyware herfra (14 dages version af plus-versionen)
http://www.spywarefri.dk/downloads1.htm
Installer og opdater programmet, men vent med at scanne.

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Åbn mappen SmitfraudFix som du fik på Skrivebordet, og dobbeltklik på SmitfraudFix.cmd og tast 2 - svar ja til at rense (y=yes). Lad programmet gennemføre en rensning. Det vil også checke om systemfilen wininet.dll er inficeret. Hvis den er det, vil du blive bedt om tilladelse til at erstatte den med en anden. Her skal du vælge "Yes", ved at taste "y".

Programmet bliver muligvis nødt til at genstarte undervejs. Herefter vil der dukke en liste med resultaterne af rensningen op . Kopiér denne liste ind i tråden.

-- Kør en fuld scanning med AVG Anti-Spyware, og tillad programmet at fixe de ting, som det finder. Programmet laver en lille log, som du skal kopiere herind.

-- Genstart og læg en frisk Hijackthislog herind, sammen med loggen fra AVG Anti-Spyware og loggen fra SmitfraudFix (C:\rapport.txt).

OK - jeg går i gang nu :-)

SmitFraudFix v2.128

Scan done at 20:57:15,68, 06-12-2006
Run from E:\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{F33812FB-F35C-4674-90F6-FD757C419C51}"="DDE"

[HKEY_CLASSES_ROOT\CLSID\{F33812FB-F35C-4674-90F6-FD757C419C51}\InProcServer32]
@="C:\WINDOWS\system32\birdihuy32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{F33812FB-F35C-4674-90F6-FD757C419C51}\InProcServer32]
@="C:\WINDOWS\system32\birdihuy32.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"

[HKEY_CLASSES_ROOT\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="C:\WINDOWS\system32\cfltygd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="C:\WINDOWS\system32\cfltygd.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\cfltygd.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\cfltygd.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\birdihuy.dll Deleted
C:\WINDOWS\system32\oleext.dll Deleted
C:\WINDOWS\system32\ztoolbar.bmp Deleted
C:\WINDOWS\system32\ztoolbar.xml Deleted
C:\Documents and Settings\Jakob\Application Data\Shudder Global Limited\ Deleted
C:\DOCUME~1\ALLUSE~1\SKRIVE~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\SKRIVE~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUEN~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUEN~1\PopUp Blocker.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUEN~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUEN~1\Spyware Remover.url Deleted
C:\Programmer\Super Codec\ Deleted
C:\Programmer\VirusBursters\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

HKLM\SOFTWARE\SHUDDERLTD Deleted

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:    21:46:55 06-12-2006

+ Scan result:   



C:\System Volume Information\_restore{77157554-416B-4C09-94A8-3DEB7BA881C9}\RP113\A0037276.dll -> Downloader.Agent.ns : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERSK_0001_N91M2407NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\Documents and Settings\Jakob\Cookies\jakob@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wflyumdzeho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wgkiulajmho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wjkoehcjcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wjkygicjelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wjliemc5odo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wjlikndzgco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wjliugcjwco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@e-2dj6wjmysjazakp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\Jakob\Cookies\jakob@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 21:53:19, on 06-12-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\FLLESF~1\INTERN~1\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\ckr\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmer\Fælles filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmer\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmer\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Hurtig start af Microsoft Office OneNote 2003.lnk = C:\Programmer\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\FLLESF~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Det blev loggen sådan set ren ved. Jeg kan se at du har valgt ikke at lade AVG-antispyware fixe denne fil:
C:\WINDOWS\Downloaded Program Files\UERSK_0001_N91M2407NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o

Det synes jeg nu du skal lade den gøre, for Winfixer er ikke noget du ønsker at få ned på din computer!!

For at gøre arbejdet helt færdig:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Det kan også være en god ide at få renset ud i dine midlertidige filer. Det kan gøres på en hurtig og nem måde med denne fil
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Du finder links og gode råd her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser disse artikler om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://www.ejvindh.net/viewtopic.php?t=37