MultiClicker
Troj/Adclick / Adware.Affilred / Adware.MultiClicker
• Registry
Start -- Run -- regedit, delete:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (0CDAAEC2-E245-44CC-8357-CAB70172D017)
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (8E668361-C801-41B7-BF89-2FC2C8DE9167)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINNT\system32\userinit.exe, %SystemRoot%\iProtect.exe
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINNT\system32\bhrw.dll (file missing)
O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - Global Startup: dwin32.exe
O4 - Global Startup: screensaver.scr
O4 - Global Startup: usbwin32.exe
• Killbox
c:\registry.pif
C:\cab.exe
C:\WINNT\system32\bhrw.dll
C:\WINNT\System32\inetconnect.dll
c:\CriticalUpdate.exe
C:\winsecure.exe
C:\WINNT\system32\security32.exe
C:\WINNT\system32\iProtect.exe
C:\WINNT\system32\axe.exe
C:\WINNT\system32\memorymanager.pif
C:\WINNT\mshotfix.exe
C:\WINNT\system32\twain_32.exe
C:\WINNT\system32\msmsgs.exe
search for / delete:
Start-Menü\default.scr
Start-Menü\usbwin32.exe
highspeed-cable.exe

Troj/Clecker-A modifies the HOSTS file by changing the URL-to-IP mappings for selected websites. This blocks normal access to those websites.
• Open HijackThis again: Config - Misc Tools - Open Hosts file Manager - Delete line. Delete everything and leave only:
127.1.1.0 localhost
• CCleaner -- delete all *temp files

C:\CriticalUpdate.exe
C:\cab.exe
C:\winsecure.exe
registry.pif
%Windir%\twain_32.exe
%Windir%\mshotfix.exe
%Windir%\msupdate.exe
%System%\security32.exe
%System%\iProtect.exe
%System%\axe.exe
%System%\memorymanager.pif
usbwin32.exe
default.scr
highspeed-cable.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MSUpdate" = "c:\criticalUpdate.exe"
"RegistryMonitor" = "c:\registry.pif"
"Microsoft Security Hot Fix Update" = "%SystemRoot%\mshotfix.exe"
"Microsoft Cab Manager" = "c:\exec.exe"
"Windows Security Manager" = "c:\winsecure.exe"
"Windows Security Update" = "%Windir%\security32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit" = "%System%\userinit.exe, %Windir%\iProtect.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WinTask" = "c:\wintask.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8E668361-C801-41B7-BF89-2FC2C8DE9167}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{0CDAAEC2-E245-44CC-8357-CAB70172D017}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}
HKEY_CLASSES_ROOT\CLSID\{FD3A6AB4-5527-4B52-90AF-F90CD3270861}
HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
"Memory Manager" = "%System%\memorymanager.pif"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

• Overwrites the hosts file with some of the following text:
127.0.0.1 www.redflagdeals.com
127.0.0.1 www.redflagdeals.ca
127.0.0.1 www.couponclock.com
127.0.0.1 www.1-online-coupons.com
127.0.0.1 www.smartqpon.com
127.0.0.1 www.jumpondeals.com
127.0.0.1 www.1-coupon.com
...
• Link: Adware.Affilred
• Link: Troj/Clecker
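To review a hosts file for the kind of blocking entries described above before deleting lines, the following added example (not part of the original page or of any tool it mentions) parses hosts-file text and reports every non-local name that is mapped to a loopback or unspecified address. The names `LOCAL_NAMES`, `SAMPLE_HOSTS`, `parse_hosts` and `audit_hosts` and the sample content are assumptions made for the example.

```python
import ipaddress

# Names that normally map to loopback (assumption made for this example).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: two blocking entries of the kind listed above,
# one unrelated override on a documentation address, one malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.redflagdeals.com
127.0.0.1   www.couponclock.com   # trailing comment
192.0.2.10  intranet.example
not-an-ip   www.example.org
"""

def parse_hosts(text):
    """Yield (line_no, address, [names]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Return (line_no, address, name, verdict) for each entry worth reviewing."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names[0], "malformed"))
            continue
        # Loopback (127.0.0.0/8, ::1) or 0.0.0.0 makes the named site unreachable.
        blocked = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue  # the expected localhost mapping
            findings.append((line_no, address, name, "blocked" if blocked else "override"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

Entries reported as "override" are not necessarily malicious; they are listed so that every static mapping gets looked at before the file is cleaned.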