Kan ikke slippe af med startside (XP)

Hent og kør aboutBuster og CWShredder herfra : www.arlet.dk/special.htm
genstart og Hent en hijackthis : http://www.arlet.dk/hjt.htm

Hej arlet - jeg har kørt aboutbuster og CWShredder og de fandt ikke noget har genstartet og side er der desværre stadig! Hijackthis siger :

Logfile of HijackThis v1.98.2
Scan saved at 19:10:32, on 02-09-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\savedump.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
E:\Programmer\QuickTime\qttask.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmer\Messenger\msmsgs.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\WINDOWS\System32\gearsec.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\iPod\bin\iPodService.exe
E:\Programmer\Internet Explorer\IEXPLORE.EXE
F:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-search.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-search.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hot-search.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - E:\WINDOWS\System32\wer1306.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] E:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Restore] svcnet.exe
O4 - HKLM\..\Run: [winupd] E:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Jeg kigger lige loggen igennem.
Den skulle vi have haft fra start af. I stedet for at bruge aboutbuster i flæng.
Vi vil jo gerne se hvad vi er oppe imod inden vi finder våbene frem :O)

Følg vejledningen her: http://www.spywarefri.dk/hjtanv.htm (punkt 6). Fix disse med HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-search.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-search.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hot-search.biz/search.html
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - E:\WINDOWS\System32\wer1306.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k
O4 - HKLM\..\Run: [System Restore] svcnet.exe
O4 - HKLM\..\Run: [winupd] E:\WINDOWS\System32\winupd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm

Vi skal kunne se dine skjulte filer for at finde snavs, der skal slettes manuelt. Det er en del af processen.

Åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".


Disse programmer skal slettes i fejlsikret tilstand. Du genstarter og trykker F8 når Windows starter op.

Søg efter disse filer

E:\WINDOWS\System32\wer1306.dll>>>>slet filen wer1306.dll
svcnet.exe>>>>slet filen svcnet.exe
E:\WINDOWS\System32\winupd.exe>>>>slet filen winupd.exe

Hent denne scanner:
http://www.mwti.net/antivirus/free_utilities.asp
Det er ligegyldigt hvilket af de 7 links du downloader fra.
Inde i opsætningen sætter du den til at scanne alt.
Kør scan/clean.

Du er meget sårbar uden opdateret windows xp. Hent SP1 her:
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/

Derefter henter du alle kritiske sikkerhedsopdateringer her:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D531BF00-D7BE-48E3-ABCC-961602BD72C2&displaylang=da
Til sidst går du i start -> programmer -> windows update og scanner for opdateringer. Installer dem du får anbefalet.

Derefter genstarter du og sender en ny log ind til check

Wow - foreløbig tak - det var en masse. Jeg går i gang og vender tilbaws.

Det er ok. God fornøjelse.
Bliver du i tvivl om noget skriver du bare ind.
:O)

Så kom jeg noget af vejen. Startsiden er nu VÆK!!! Det er fantastisk! Jeg kunne dog ikke slette følgende linie, der stadig er i Hijackthis-loggen :

O4 - HKLM\..\Run: [System Restore] svcnet.exe

Filen svcnet.exe kunne jeg ikke finde??

Anyway - mange tak! andersenph, smid et svar :)

Må jeg ikke lige se en ny log?
Bare for at være sikker :O)

Selvfølgelig :

Logfile of HijackThis v1.98.2
Scan saved at 20:46:27, on 02-09-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
E:\Programmer\QuickTime\qttask.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmer\Messenger\msmsgs.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\WINDOWS\System32\gearsec.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\iPod\bin\iPodService.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Programmer\Internet Explorer\IEXPLORE.EXE
E:\Programmer\SpywareGuard\sgmain.exe
E:\Programmer\SpywareGuard\sgbhp.exe
F:\Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] E:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - Startup: SpywareGuard.lnk = E:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Der kan du se. Den ligger der stadig:
O4 - HKCU\..\Run: [System Restore] svcnet.exe. Fix den med Hijack.

Det kan være den også ligger i systemgendannelsen og gemmer sig.
Du skal gøre følgende: Deaktiver din systemgendannelse.
Hvis du ikke ved, hvordan du gør, så kig her: http://www.spywarefri.dk/virusscannere.htm#alle
Genstart.
Aktiver den igen.


Kom med ny log til kontrol :O)

Så fik jeg den vist :

Logfile of HijackThis v1.98.2
Scan saved at 21:06:12, on 02-09-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
E:\Programmer\QuickTime\qttask.exe
E:\WINDOWS\System32\ctfmon.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\WINDOWS\System32\gearsec.exe
E:\Programmer\Messenger\msmsgs.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\SpywareGuard\sgmain.exe
E:\Programmer\SpywareGuard\sgbhp.exe
E:\Programmer\iPod\bin\iPodService.exe
E:\Programmer\Internet Explorer\IEXPLORE.EXE
F:\Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] E:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Jeps det hjalp :O)

Her er et par gode artikler om hvordan du beskytter dig optimalt.
http://www.eksperten.dk/artikler/144
http://www.eksperten.dk/artikler/254


Hvis du vil have Windows til at starte op lidt hurtigere kan du med fordel fixe disse linier:
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Du sletter dem ikke. De kan stadig nås fra Start -> programmer

Super! Tusind tak!!

Hent denne fil her, og gem den i C\Windows\System32 : http://home8.inet.tele.dk/fbj/SHELL.DLL
Den har aboutbuster slettet. Det betyder at du får problemer med at bruge ordbøger hvis ikke du installerer den igen.

Tak for point :O)