Hijacklogga snälla hjälp!!!

[Gäst idgadmin]

Min dator har fått superfnatt och jag skulle bli jätteglad om någon kunde kika på min hijacklogga.

 

 

 

 

Logfile of HijackThis v1.99.0

Scan saved at 19:23:01, on 2005-04-25

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\msole32.exe

C:\WINDOWS\popuper.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\intmonp.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program\Internet Explorer\iexplore.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html'>http://qfind.net/bar/index.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\Program\VIRTUA~1\VIRTUA~1.DLL

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {3E51FDDE-9AB4-023D-DA54-7B73049D44A5} - http://216.118.71.185/1/rdgSE1828.exe

O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

 

 

[Zipp.]

Avinstallera via Kontrollpanelen

 

New.Net eller NewDotNet

 

Sen starta om datorn och ny Hijack logg med denna version

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

 

 

 

[Gäst idgadmin]

 

Verkar som om datorn fortfarande är lite vinglig. Det kommer upp gfind...på startsidan.

 

Detta är scannat med nya Hijackthis.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 19:47:55, on 2005-04-25

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\msole32.exe

C:\WINDOWS\popuper.exe

C:\windows\system\hpsysdrv.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\intmonp.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html'>http://qfind.net/bar/index.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\Program\VIRTUA~1\VIRTUA~1.DLL

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {3E51FDDE-9AB4-023D-DA54-7B73049D44A5} - http://216.118.71.185/1/rdgSE1828.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

 

 

[Zipp.]

> Det kommer upp gfind...på startsidan.<

 

Joo jag ser det...vänta lite jag ska skriva en resept.

 

 

 

[Zipp.]

Avinstallera via Kontrollpanelen om det finns

 

Security IGuard

Virtual Maid

Search Maid

 

Dolda filer synliga tita här hur man gör

 

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Sen Ctrl+Alt+Delete och avsluta dessa processer

 

C:\WINDOWS\System32\msole32.exe

C:\WINDOWS\popuper.exe

C:\WINDOWS\System32\intmonp.exe

 

Ladda ner KillBox

 

http://www.bleepingcomputer.com/files/spyware/KillBox.zip

 

Unzippa på skrivbordet och sen öppna den.

Bocka i Delete on Reboot.

Sen kopiera och klistra in alla rader nedan i KillBoxsen.

När du har klistrat in första raden så klicka Delete (röd med vit X på)

Svara Ja på första frågan och på andra frågan Reboot now svara No eller Nej

Sen nästa rad...osv

 

C:\wp.exe

C:\wp.bmp

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\System32\helper.exe

C:\Windows\System32\intmonp.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\System32\ole32vbs.exe

C:\Windows\system32\msole32.exe

C:\windows\system\BHOmod.dll

 

 

När du har klistrat in sista raden så svara Ja på bägge frågor och starta om datorn om den inte startas om automatiskt.

 

Gå sen direkt i felsäkert läge scanna med Hijackken bocka i och klicka Fix checked

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/'>http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s'>http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html'>http://qfind.net/bar/index.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\Program\VIRTUA~1\VIRTUA~1.DLL

O16 - DPF: {3E51FDDE-9AB4-023D-DA54-7B73049D44A5} - http://216.118.71.185/1/rdgSE1828.exe

 

 

Sen ta bort om det finns och använd inte sök funktionen

 

C:\Program\Search Maid < mappen

C:\Program\Virtual Maid < mappen

C:\Windows\System32\Log Files < mappen

C:\Program\Security IGuard < mappen

 

Starta sen normalt och ny Hijack logg

 

 

 

 

 

 

[Gäst idgadmin]

Tjena, först vill jag tacka för att du tar dig tid, mycket vänligt!

 

Jag har följt dina anvisningar till punkt och pricka.

 

de tre sista: 02-BHO....03-Toolbar...016-DPF... hittade jag inte igen.

 

När jag startade internet så var det "About Blank" som startsida ???

 

 

Här kommer den nu korta men nya loggen!

 

Logfile of HijackThis v1.99.1

Scan saved at 20:46:16, on 2005-04-25

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Messenger\msmsgs.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\hijackthis\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search &

 

Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

 

C:\WINDOWS\System32\nvsvc32.exe

 

 

 

 

[Zipp.]

> så var det "About Blank" som startsida <

 

Pröva att skiva in den startsida du vill ha.

Starta om datorn och ny logg.

 

Förresten har du gjort nåt spesiellt för att här ser din logg ut så här

 

http://pcsupport.idg.se/viewmsg.asp?EntriesId=427656

 

 

[inlägget ändrat 2005-04-25 21:04:32 av Zipp]

[Gäst idgadmin]

 

Nä, jag tror inte jag har gjort något speciellt, men helt säker kan man inte vara.

 

Det verkar till synes funka riktigt bra nu. Du ska ha ett jätte tack!

 

Här är nyaste loggan:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:08:20, on 2005-04-25

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blocket.se/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search &

 

Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

 

C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

 

C:\Program\Messenger\MSMSGS.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {5A9F4848-4947-4717-890F-360A5EE4848F} - (no

 

file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

 

{5A9F4848-4947-4717-890F-360A5EE4848F} - (no file) (HKCU)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

 

C:\WINDOWS\System32\nvsvc32.exe

 

 

mvh

//Janne

 

[Zipp.]

Fix:sa dom här

 

O9 - Extra button: Microsoft AntiSpyware helper - {5A9F4848-4947-4717-890F-360A5EE4848F} - (no

file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{5A9F4848-4947-4717-890F-360A5EE4848F} - (no file) (HKCU)