[Betamax]

Tegelikult oli mul ka see jama, et muutis lehekülje tagasi. Aga siis oli tegemist Ad-aware'i poolse jamaga - oli selline asi peal nagu seda on Block Possible Browser Hijack Attempts ja see muutis lehekülje kohe tagasi, kui midagi muudetud oli. Aitas see, et lülitasin selle optioni sisse, scannisin arvuti Ad-aware'iga üle ja panin need leitud kaks Possible Browser... värki Ignorelisti.

[Red_Label]

Lasin arvuti CWShredder 'ga üle, ei tea, kas nüüd kõik korras, igax juhux panin logi ka üles.


Minu hiJacki logi selline:

Logfile of HijackThis v1.97.7
Scan saved at 17:57:30, on 10.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\P2P.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\BOARD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\PROGRAMMID\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\P2P.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\P2P.EXE
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Winsock2 driver] SVCHOST.EXE
O4 - HKLM\..\Run: [NLS Keyboard] BOARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\SYSTEM\P2P.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [P2P Networking] C:\WINDOWS\SYSTEM\P2P.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] SVCHOST.EXE
O4 - HKCU\..\RunOnce: [NLS Keyboard] BOARD.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.6451851852
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab

[Elitegamer]

spy sweeper-iga saab homepage protectionit peale panna, samas on seal ka real-time protection igasuguse spyware vastu!

[HacaX]

Mis pole suurem asi: lihtsalt hoiatab ja pakub võimaluse põhiprogramm käima lasta et skänn ära korraldada
Muidu Red_Label: märgi HijackThisis ja paranda järgmised read -

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\P2P.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\P2P.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\SYSTEM\P2P.EXE
O4 - HKLM\..\RunServices: [P2P Networking] C:\WINDOWS\SYSTEM\P2P.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg

See on kahtlased:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe

[No_Limit]

Mul tuli see sama jama uuesti tagasi ja vähe sellest, ma avastasin, et see keerab ka notepad.exe metsa, Kuradi londid raisk kui ma need kuradima idiootsed värdjad kätte saan ma peksan neil sahtli puhtaks!

[kõva ketas]

Sama jama , hakkan asja uurima.

[No_Limit]

Sain korda, leidsin midagi kasulikku: http://www.daniweb.com/techtalkforums/thread5531.html

[Petz]

Maadlesin ka mitu päeva about:blank nuhtlusega ja mõlgutasin formatimõtteid... Lõpuks aitas ainult CWShredder v1.56.2

[Reixx]

hmm, aga mina ikka asjast lahti ei saanud

No_Limit, ehk tee dlyhidalt kokkuvõtte oma töökäigust, et kuidas sa selle kala välja said

[No_Limit]

Tegin google lahti, otsisin programmi mis selle kõrvaldab, panin selle peale tegin skänni ja puhastasin ära ja lasen programmi maha.

[Reixx]

ja mis oli selle programmi nimi?

[No_Limit]

Ei mäleta. Otsi googlest about:blank homepage

[Reixx]

proovisin kõike imetrikke, ikka kala sees sama mure edasi, mida teha

[No_Limit]

Kurat kas sa otsisid üldse netis, ega ma su emme pole.
Esimene link mis otsinguga tuli: http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

[Reixx]

seda ma juba proovisin, seal ma ei leidnud sellist asja :

The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.


ei saanud nagu sellest osast eriti arugi...

[No_Limit]

Otsi teisi õpetusi siis!

[tiki]

endal kogemus samasuguse asjaga, aitas Trendmicro Officescani corporate eddition. Äkki housecall.trendmicro.com aitab ka, seal samad viirusemustrid ja mootor ka sarnane.

[mesilased]

pange parem spybot search and destroy advanced mode ja siis tools-IE tweaks. Seal on valik: Lock IE start page settings....
pange sinna linnuke ette ja vaadake mis saab

[v2hja]

use firefox on lahenduseks

[204810]

minul sama asja olnud, ning probla lahendasid need: Ad-Aware, enda ajud, F-Prot, kahtlaste kaustade kustutamine (tunnen neid ideaalselt äära kui miski t6esti kahtlane on) ning nati käsitööd registris. W98SE plx sellele vastu pidanud, XP aga pidas

[No_Limit]

Mul tuli üle 1a see about:blank nüüd uuesti!
http://www.softwarepatch.com/tips/about-blank-adware.html
Aitasid:
CWShredder
Tracks Eraser Pro 5

Ennem Tracks Eraser Pro 5 üle ja siis CWShredder'iga! mul aitas