I-Worm.Bofra and Spyware
21.12.2004, 19:18
Member
Posts: 16
21.12.2004, 22:39
Member
Thread starter
Posts: 16
#2
here you have a new HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 18:13:06, on 21/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Mouse\Amoumain.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\UserNew\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://farejador.ig.com.br/ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Program Files\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [discador] C:\Program Files\Speedy\Speedy 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB004C0-02E4-4D2D-95BB-A40FBDAF4F4F}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
---------
please help me, thank you very much, aussurucq
22.12.2004, 13:20
Honorary member
Posts: 29434
#3
Hello @aussurucq
It's back again????

#open HijackThis -->> button "Scan" -->> check -->> button "Fix checked" -->> reboot the PC
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe -FastScan
O13 - WWW. Prefix: http://ehttp.cc/?
reboot

#uninstall!!!!!) Spyware Begone

#only don't delete index.dat .... all the other folders ---> delete everything
Start --> Run --> type in: %systemroot%/temp
Start --> Run --> type in: %temp%

#1.) open HijackThis
2.) HijackThis --> Config --> Misc Tools --> Delete a file on reboot
3.) copy: C:\WINDOWS\ietlbass.dll
4.) reboot the PC

#download --> mwav.exe
ftp://mwti.matrix.lv/download/tools/
#scan in safe mode with eScan (mwav.exe) --> this version deletes the malware

#Download ---> Scan:
#AdAware (free)
http://www.lavasoft.de/support/download/

#ClearProg .. download the latest version <1.4.0 Final< and clean the browser. The program deletes the surfing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- cookies (with the option to exclude some in IE)
- history
- temporary internet files (cache)
- the typed URLs
- autocomplete entries in IE web forms (so far only Win9x/ME)
- download lists of Netscape/Opera
http://www.clearprog.de/downloads.php

Registry: Start < Run < regedit
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix. delete --> 'http://ehttp.cc/?'

Then post the new HijackThis log
__________
Regards, Sabina
all about PC security
This post was edited by Sabina on 22.12.2004 at 13:31.
22.12.2004, 20:10
Member
Thread starter
Posts: 16
#4
too bad Sabina, here I am once again, sorry, it's all my fault, I made a mistake and got infected without meaning to; I did everything you said, thank you very much for your help
the problem is that there is a virus that creates and recreates the 'spyware & adware'; we have to eliminate the virus first. It seems this virus is called 'I-Worm/Bofra' according to AVG; now 'mwav.exe' confirmed it under another name, 'Exploit.HTML.lframeBof', which must be the same thing. 'mwav.exe' also found a second virus, 'Flooder.MailSpam.DirectBlaster.35'. I understand what you tell me, 'please do not post twice'; I believe the problem is the virus, before 'spyware begone'. Let's get to the details; below is the updated HJT:
1] HJT > scan > check > fix checked > reboot, done, I deleted the 6 items
2] uninstall 'spyware begone', done, I deleted the folder + 4 files called 'irunin' + read me.txt
3] delete everything except 'index.dat' via start > run: in '%systemroot%/temp' it won't let me delete 'ZLT03ee2.tmp'; in %temp% it won't let me delete 'Perflib_Perfdata_4b4:'
4] HJT > config > misc tools > delete a file on reboot, done
5] mwav.exe detected 2 viruses in 3 files, but it opens a window 'virus detected! you'll need to buy escan to eliminate this virus, click on buy button to go to web store':
5a] IN EXACTLY THE SAME FILE THAT AVG HAD DETECTED, which is 'C:\Documents and Settings\User New\Local Settings\Temporary Internet Files\Content.IE5\41URKLAJ\cnt1[1].htm', it says 'infected by virus 'Exploit.HTML.lframeBof'', which I think is the same as 'I-Worm/Bofra'
5b] in the file 'C:\Systems Volume Information\_restore{694C44C1.-C16A-4D9E-A3B1-0A8466213F1A}\RP132\A0055251.exe', infected by the virus 'Flooder.MailSpam.DirectBlaster.35'
5c] in the file 'C:\Systems Volume Information\_restore{694C44C1.-C16A-4D9E-A3B1-0A8466213F1A}\RP132\A0055254.exe', infected by the same virus 'Flooder.MailSpam.DirectBlaster.35'
6] adware: found nothing, I had already done several scans
7] clearprog: this is the 2nd time I can't download it, I click on 'download' for version 1.4.4 final, but it doesn't download
8] run > regedit >, I got to 'default prefix' fine, but there was only 'http://', I deleted it
9] Sabina, below is the new HJT:
---------------------
Logfile of HijackThis v1.99.0
Scan saved at 15:31:14, on 22/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\UserNew\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://farejador.ig.com.br/ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [discador] C:\Program Files\Speedy\Speedy 0.98\DISCADOR.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: 
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB004C0-02E4-4D2D-95BB-A40FBDAF4F4F}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
------------
regards, as always, aussurucq
22.12.2004, 20:38
Honorary member
Posts: 29434
#5
Hello @
I-Worm.Bofra.a
http://www.viruslist.com/en/viruses/encyclopedia?virusid=65410

This worm spreads via the Internet in the form of infected emails without an attachment. It utilizes a vulnerability in Internet Explorer to spread. The Security Focus site provides a description of the vulnerability.

Bofra does not include a copy of itself in infected messages. Rather, it includes a link to an infected file which is located on the computer which generated the infected message. The infected file will automatically be called if the Internet Explorer vulnerability is exploited. This causes a buffer overflow and the infected file will automatically be launched. Infected messages are sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 21KB in size, packed using MEW. The unpacked file is approximately 135KB in size. The worm contains a backdoor, which receives commands via IRC channels.

Installation
Once launched, the worm copies itself under a random name, which always ends in 32.exe, to the Windows system directory, for example C:\WINDOWS\SYSTEM32\kfilaxm32.exe
It then registers this file in the system registry; this ensures the worm will be launched each time the system is rebooted:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Rhino" = "%System%\<any sequence of characters>32.exe"

Propagation via email
The worm scans MS Windows address books for email addresses, and all files with the following extensions:
The sender's domain will be either chosen at random from the domains in email addresses harvested from the victim machine, or a domain will be chosen from the list below:
aol.com
hotmail.com
msn.com
yahoo.com
Message subject (chosen from the list below)
funny photos
hello
hey!
Message body (chosen from the list below)
FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos!
Attachment
Infected messages do not have any attachment. The worm simply sends a link to the victim machine which generated the infected message. The link will be in the following form:
http://<IP-address of victim machine>:<port number>/<file name>
The worm opens a TCP port on the victim computer. The port will be number 1639 or higher. This enables the worm to download files.
Message signature (chosen from the list below)

Remote administration
The worm opens TCP port 6667 on the victim machine in order to receive commands via IRC channels.
------------------------------------------------------------------------------------------------
You shouldn't have deleted the 'default prefix' value 'http://' ... because that is the correct value.....

Now you are going to clear the System Restore:
Disable System Restore «XP
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924
that way these will disappear:
'C:\Systems Volume Information\_restore{694C44C1.-C16A-4D9E-A3B1-0A8466213F1A}\RP132\A0055251.exe', infected by the virus 'Flooder.MailSpam.DirectBlaster.35'
'C:\Systems Volume Information\_restore{694C44C1.-C16A-4D9E-A3B1-0A8466213F1A}\RP132\A0055254.exe', infected by the same virus 'Flooder.MailSpam.DirectBlaster.35'

Disk Cleanup and deletion of the temporary files:
<Start < Run --> type in: cleanmgr
delete only:
Click: Temporary Internet Files, OK
Click: Temporary Files, OK

ClearProg 1.4.1 Final Setup 03.12.2004 245.7 KB Download --> click and wait a little
http://www.clearprog.de/downloads.php
or:
#TraXEx 2.2 is a reliable security program for all current internet browsers and Windows. TraXEx deletes the traces your internet browser leaves behind on your PC while surfing
http://www.almisoft.de/traxex2.htm

now repeat the scan with eScan and then report back
__________
Regards, Sabina
all about PC security
This post was edited by Sabina on 22.12.2004 at 20:53.
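The thread turns on three kinds of HijackThis entries: the O13 URL-prefix hijack (correct value 'http://', per Sabina), Bofra's Run-key persistence as described in the quoted encyclopedia entry ("Rhino", a random name ending in 32.exe in System32), and BHO/toolbar entries that are missing or dropped into the Windows folder. As an added example that is not part of the thread, of HijackThis or of any vendor tool, the script below triages a log for those indicators; the allowlist of legitimate *32.exe binaries, the "directly in Program Files" rule and the sample log are assumptions constructed for this example.

```python
# Added example, not from the thread or from HijackThis: triage a HijackThis log
# for the indicators this thread turns on. All rules are heuristics distilled
# from the thread; the allowlist of legitimate *32.exe binaries is an assumption.
import re

EXPECTED_PREFIX = "http://"  # correct DefaultPrefix value, as the thread states
KNOWN_32_EXE = {"rundll32.exe", "regsvr32.exe", "regedt32.exe", "odbcad32.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O13_RE = re.compile(r"^(?P<kind>DefaultPrefix|WWW\.? Prefix):\s*(?P<value>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

def _directly_under(path: str, folder: str) -> bool:
    """True if path is a file right inside folder, with no sub-folder."""
    low = path.lower()
    return low.startswith(folder) and "\\" not in low[len(folder):]

def check_o4(body: str) -> list[str]:
    """Run-key rules: Bofra persistence (value name "Rhino" or <random>32.exe in
    System32, per the quoted description) or a loose executable in Program Files."""
    m = O4_RE.match(body)
    if not m:
        return []
    e = EXE_RE.match(m.group("cmd"))
    exe = e.group("exe") if e else m.group("cmd")
    base = exe.rsplit("\\", 1)[-1].lower()
    in_system = "\\system32\\" in exe.lower() or "\\" not in exe
    reasons = []
    if m.group("name") == "Rhino" or (
        base.endswith("32.exe") and base not in KNOWN_32_EXE and in_system):
        reasons.append("Bofra-style Run entry (random <name>32.exe in System32)")
    if _directly_under(exe, "c:\\program files\\"):
        reasons.append("executable directly in Program Files, not in a product folder")
    return reasons

def check_o13(body: str) -> list[str]:
    """URL-prefix rule: anything but http:// is a hijack; empty means it was deleted."""
    m = O13_RE.match(body)
    if not m:
        return []
    kind, value = m.group("kind"), m.group("value").strip()
    if value == EXPECTED_PREFIX:
        return []
    state = "is empty" if value == "" else f"hijacked to {value}"
    return [f"{kind} {state}; the default is {EXPECTED_PREFIX}"]

def check_component(body: str) -> list[str]:
    """BHO/toolbar rule: missing file, or a DLL dropped straight into C:\\WINDOWS."""
    path = body.rsplit(" - ", 1)[-1].strip()
    if path.endswith("(file missing)"):
        return ["registered component whose file is missing (dangling entry)"]
    if _directly_under(path, "c:\\windows\\"):
        return ["DLL directly in the Windows folder, not in system32 or a vendor folder"]
    return []

CHECKS = {"O2": check_component, "O3": check_component, "O4": check_o4, "O13": check_o13}

def triage(log: str) -> list[tuple[str, str]]:
    """Return (log line, reason) pairs for every suspicious entry in a HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY_RE.match(line)
        check = CHECKS.get(m.group("sec")) if m else None
        if check:
            findings.extend((line, reason) for reason in check(m.group("body")))
    return findings

# Constructed sample: lines from the thread's log plus one Run entry modelled
# on the kfilaxm32.exe example in the quoted Bofra description.
SAMPLE_LOG = r"""
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Rhino] C:\WINDOWS\System32\kfilaxm32.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe -FastScan
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://
"""
```

`triage(SAMPLE_LOG)` returns five findings (ietlbass.dll, the missing igshop.dll, the Rhino entry, freescan.exe and the hijacked DefaultPrefix) and leaves the legitimate rundll32-based NvCplDaemon entry alone; an `O13 - DefaultPrefix:` line with no value, as in the log posted after the key was deleted, is reported as empty.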
23.12.2004, 15:27
Member
Thread starter
Posts: 16
#6
GOOOOOD NEEEWS!!!!! YOU MANAGED TO KILL THE VIRUS, IT'S SOLVED
I have already promised myself, and I promise you, that I will never again expose myself to these infections, never in my life, believe me. Bravo! All the best, thank you so much, I thank you from the bottom of my heart for your good will in helping me so effectively, a big strong hug! Thank you, many thanks, a thousand thanks, with kind regards. A VERY MERRY CHRISTMAS AND A HAPPY NEW YEAR 2005! MERRY CHRISTMAS AND A HAPPY NEW YEAR 2005!
-----------------
just for your information and record, here's how it went:
1] 'default prefix' deleted, I didn't do anything else
2] clearing 'system restore' with the Symantec instructions: I did disable > reboot > enable; I didn't look for the 2 infected files since I didn't even know how to
3] start > run > cleanmgr, I deleted everything you said, it only didn't delete 32 Kb of 'web client/ publish temporary files'
4] clearprog, this time I managed to download it; checked: cookies, temporary internet files [cache], history, typed url's, autocomplete-entries in webforms; not checked: "empty 'index.dat' on reboot", which you said not to touch. Deleted: 4 ie cookies, 471 ie cache files, 1.020 ie history entries, 25 ie url's entries, 0 ie autocomplete-entries, total 1.250 = 1.5 Gb
5] eScan with mwav.exe in safe mode, eScan antivirus toolkit utility ver 4.7.5, scan checked: memory, starting folders, drive, all local drives, folder, registry, system folders, services, and scan all files. Files scanned 20.633, viruses found 0 [it detected 2 'tagged as not-a-virus'], disinfected files 0, deleted files 0, files renamed 0, errors 30
--------------------------
at least I am a good student... thanks again.
23.12.2004, 17:15
Member
Thread starter
Posts: 16
#7
hello Sabina,
I see that I have to re-enter the 'http://' that I deleted. Which type of value is it: string value, binary, dword, multi-string, expandable string? thank you very much, aussurucq
23.12.2004, 18:09
Honorary member
Posts: 29434
#8
Here is the reg file that restores the default values under "DefaultPrefix" and "Prefixes".
Download defaultprefix.reg.
http://www.wintotal.de/Tipps/Eintrag.php?TID=434
__________
Regards, Sabina
all about PC security
so, please 'do your best' to speak English with me
many thanks
------------------------
I have been invaded by spyware and a browser hijacker.
It all began when my Grisoft AVG antivirus told me I had a worm called 'I-Worm/Bofra', installed in the file
'C:\Documents and Settings\User New\Local Settings\Temporary Internet Files\Content.IE5\41URKLAJ\cnt1[1].htm'
Secondly, when I restarted I learnt that my opening homepage had been hijacked by some 'SPYWARE' software, I guess called 'Spyware be gone!', which offered to scan my system; I allowed the scan.
Now it tells me that it found '4 spyware/adware infections':
alexa, kind: adware, found on: registry
cws, kind: browser hijacker, found on: registry
cws, kind: browser hijacker, found on: start up
side search, kind: browser hijacker, found on: registry
If one of you friends could tell me or suggest where I could search, I could try to enter start > run > regedit, and perhaps delete them in the 'registry editor'.
Well, I need urgent help, and you are the specialists in spyware & browser hijackers, so please be kind enough to help me remove this garbage.
Thank you very much, many thanks for your help.
Below you find the log from the HijackThis 1.99 beta version:
Logfile of HijackThis v1.99.0
Scan saved at 14:52:36, on 21/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Mouse\Amoumain.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\VITALS~1\Net.Medic\Program\syshook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\UserNew\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://farejador.ig.com.br/ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Program Files\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [discador] C:\Program Files\Speedy\Speedy 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\PROGRA~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB004C0-02E4-4D2D-95BB-A40FBDAF4F4F}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----------------------------------