MultiClicker, Affilred





Troj/Adclick / Adware.Affilred / Adware.MultiClicker


Registry
Start -- Run -- regedit
delete:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
(0CDAAEC2-E245-44CC-8357-CAB70172D017)

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
(8E668361-C801-41B7-BF89-2FC2C8DE9167)

Open HijackThis -- click "Scan" -- tick the entries -- click "Fix checked" -- restart the PC

R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINNT\system32\userinit.exe, %SystemRoot%\iProtect.exe

O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINNT\system32\bhrw.dll (file missing)
O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe

O4 - Global Startup: dwin32.exe
O4 - Global Startup: screensaver.scr
O4 - Global Startup: usbwin32.exe


Restart the PC

KillBox http://virus-protect.org/killbox.html

c:\registry.pif
C:\cab.exe
C:\WINNT\system32\bhrw.dll
C:\WINNT\System32\inetconnect.dll
c:\CriticalUpdate.exe
C:\winsecure.exe
C:\WINNT\system32\security32.exe
C:\WINNT\system32\iProtect.exe
C:\WINNT\system32\axe.exe
C:\WINNT\system32\memorymanager.pif
C:\WINNT\mshotfix.exe
C:\WINNT\system32\twain_32.exe
C:\WINNT\system32\msmsgs.exe

Restart the PC

search for / delete:
Start-Menü\default.scr
Start-Menü\usbwin32.exe
highspeed-cable.exe

Troj/Clecker-A modifies the HOSTS file by changing the URL-to-IP mappings for selected websites. This blocks normal access to those websites.

Open HijackThis again
Config - Misc Tools - Open Hosts file Manager - Delete line
delete everything, leave only:
127.0.0.1 localhost

CCleaner -- delete all *temp files


http://sarc.com/avcenter/venc/data/pf/adware.affilred.html
http://www.sophos.de/virusinfo/analyses/trojcleckera.html



C:\CriticalUpdate.exe
C:\cab.exe
C:\winsecure.exe
registry.pif
%Windir%\twain_32.exe
%Windir%\mshotfix.exe
%Windir%\msupdate.exe
%System%\security32.exe
%System%\iProtect.exe
%System%\axe.exe
%System%\memorymanager.pif
usbwin32.exe
default.scr
highspeed-cable.exe
default.scr




HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"MSUpdate" = "c:\criticalUpdate.exe"
"RegistryMonitor" = "c:\registry.pif"
"Microsoft Security Hot Fix Update" = "%SystemRoot%\mshotfix.exe"
"Microsoft Cab Manager" = "c:\exec.exe"
"Windows Security Manager" = "c:\winsecure.exe"
"Windows Security Update" = "%Windir%\security32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit" = "%System%\userinit.exe, %Windir%\iProtect.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WinTask" = "c:\wintask.exe"


HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8E668361-C801-41B7-BF89-2FC2C8DE9167}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{0CDAAEC2-E245-44CC-8357-CAB70172D017}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}

HKEY_CLASSES_ROOT\CLSID\{FD3A6AB4-5527-4B52-90AF-F90CD3270861}
HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
"Memory Manager" = "%System%\memorymanager.pif"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

Overwrites the hosts file with some of the following text:
127.0.0.1 www.redflagdeals.com
127.0.0.1 www.redflagdeals.ca
127.0.0.1 www.couponclock.com
127.0.0.1 www.1-online-coupons.com
127.0.0.1 www.smartqpon.com
127.0.0.1 www.jumpondeals.com
127.0.0.1 www.1-coupon.com
...
..
..

http://securityresponse.symantec.com/avcenter/venc/data/adware.affilred.html
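
The hosts-file check described on this page (selected sites remapped so that they become unreachable), as an added example that is not part of the original page: a Python audit that separates the localhost mapping from sinkholed hostnames. The sample file is constructed; the `0.0.0.0` and `192.0.2.10` lines and all function names are assumptions of this example.

```python
import ipaddress

# Constructed sample: the default localhost line, two entries from the list
# above, plus a constructed 0.0.0.0 sinkhole and a constructed benign mapping.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1 localhost
127.0.0.1 www.redflagdeals.com
127.0.0.1 www.couponclock.com   # trailing comment
0.0.0.0 www.smartqpon.com
192.0.2.10 intranet.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Return (keep, sinkholed, other) lists of (ip, hostname) pairs.

    keep      - loopback mappings for localhost names
    sinkholed - real hostnames pointed at a loopback or unspecified address,
                which blocks normal access to them
    other     - every remaining mapping, to be reviewed by hand
    """
    keep, sinkholed, other = [], [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue                            # blank or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # a line may carry aliases
            entry = (str(ip), name.lower())
            if name.lower() in LOCAL_NAMES and ip.is_loopback:
                keep.append(entry)
            elif ip.is_loopback or ip.is_unspecified:
                sinkholed.append(entry)
            else:
                other.append(entry)
    return keep, sinkholed, other


def cleaned_hosts(text):
    """Rebuild the file with only the localhost mappings, as advised above."""
    keep, _, _ = audit_hosts(text)
    return "".join(f"{ip} {name}\n" for ip, name in keep)
```

Entries returned in `other` are not touched by `cleaned_hosts` logic beyond being dropped, so review them before writing the rebuilt file back.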


