Incredibar and Win32/Somoto.A

Hello "gurus",
yes, that's what I have to call you :-)
With a download from an otherwise very reliable source (fonts) I picked up not only Incredibar but the Win32/Somoto.A virus as well.
I got rid of the virus fairly quickly, but the d**n Incredibar cost me a lot of nerves.
"Strength lies in calmness" - that's the (life) motto I followed, and luckily I found this forum. I read through the various threads and then followed your guide.
GMER: nothing.
ESET: nothing left (virus detected and sent to the happy hunting grounds).
MS Security Essentials (yes, yes, I know): nothing.
But the analysis by "AdwCleaner" really knocked my socks off. I swear I have never downloaded anything from that garbage chute "Softonic"; no idea how that junk got onto my machine.
I'll have to ask my nephew...
Anyway, my machine is clean again now, and I'm going to keep the "Anti-Malware" permanently.
In case anyone is interested, here is the excerpt from the "garbage collection":
Code:
# AdwCleaner v1.701 - Logfile created 07/13/2012 at 00:04:56
# Updated 02/07/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Vatta - VATTAS-NOTEBOOK
# Running from : C:\Users\Vatta\Downloads\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : C:\Users\Vatta\AppData\Local\Babylon
Folder Deleted : C:\Users\Vatta\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Vatta\AppData\Roaming\kikin
Folder Deleted : C:\Users\Vatta\AppData\Roaming\pdfforge
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Program Files (x86)\kikin
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
***** [Registry] *****
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E4A71A41-BCC8-480a-9E69-0DA29CBA7ECA}
Key Deleted : HKLM\SOFTWARE\Web Assistant
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]
[x64] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
[x64] Key Deleted : HKLM\SOFTWARE\Web Assistant
***** [Registre - GUID] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
[x64] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://mystart.incredibar.com/mb167?a=6R8yEIXxuE&i=26 --> hxxp://www.google.com
-\\ Mozilla Firefox v13.0.1 (de)
Profile name : default
File : C:\Users\Vatta\AppData\Roaming\Mozilla\Firefox\Profiles\xjjaowou.default\prefs.js
C:\Users\Vatta\AppData\Roaming\Mozilla\Firefox\Profiles\xjjaowou.default\user.js ... Deleted !
Deleted : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb167?a=6R8yEIXxuE&loc=FF_NT");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar.babTrack", "affID=111304&tt=100512_2_");
Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 25);
Deleted : user_pref("extensions.BabylonToolbar.dfltSrch", false);
Deleted : user_pref("extensions.BabylonToolbar.hmpg", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "96ab6573000000000000e4115bfbc61e");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15470");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.lastDP", 25);
Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1715:25:09");
Deleted : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "12.0");
Deleted : user_pref("extensions.BabylonToolbar.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_bb");
Deleted : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.propectorlck", 76512167);
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.ptch_0717", true);
Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1715:25:09");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111304&tt=100512_2_");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "96ab6573000000000000e4115bfbc61e");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "96ab6573000000000000e4115bfbc61e");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15470");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1715:25:09");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.incredibar.actvtyRptTime", "1342013619294");
Deleted : user_pref("extensions.incredibar.admin", false);
Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar.afterInstallRpt", "sent");
Deleted : user_pref("extensions.incredibar.cntry", "DE");
Deleted : user_pref("extensions.incredibar.dfltLng", "EN");
Deleted : user_pref("extensions.incredibar.dfltSrch", false);
Deleted : user_pref("extensions.incredibar.dfltlng", "EN");
Deleted : user_pref("extensions.incredibar.dfltsrch", "false");
Deleted : user_pref("extensions.incredibar.did", "10643");
Deleted : user_pref("extensions.incredibar.envrmnt", "production");
Deleted : user_pref("extensions.incredibar.excTlbr", false);
Deleted : user_pref("extensions.incredibar.hdrMd5", "0F2A58ECF8E1E4F7A6A3CE016DCA496A");
Deleted : user_pref("extensions.incredibar.hmpg", false);
Deleted : user_pref("extensions.incredibar.hrdid", "0");
Deleted : user_pref("extensions.incredibar.id", "96ab65730000000000009439e532c544");
Deleted : user_pref("extensions.incredibar.installerproductid", "26");
Deleted : user_pref("extensions.incredibar.instlDay", "15532");
Deleted : user_pref("extensions.incredibar.instlRef", "");
Deleted : user_pref("extensions.incredibar.instlday", "15532");
Deleted : user_pref("extensions.incredibar.instlref", "");
Deleted : user_pref("extensions.incredibar.isDcmntCmplt", false);
Deleted : user_pref("extensions.incredibar.isdcmntcmplt", "false");
Deleted : user_pref("extensions.incredibar.keywordurl", "");
Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.11.1412:26:27");
Deleted : user_pref("extensions.incredibar.mntrvrsn", "1.2.0");
Deleted : user_pref("extensions.incredibar.newTab", false);
Deleted : user_pref("extensions.incredibar.newtab", "false");
Deleted : user_pref("extensions.incredibar.newtaburl", "");
Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
Deleted : user_pref("extensions.incredibar.ppd", "1");
Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar.productid", "26");
Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar.prtnrid", "Incredibar");
Deleted : user_pref("extensions.incredibar.sg", "none");
Deleted : user_pref("extensions.incredibar.smplGrp", "none");
Deleted : user_pref("extensions.incredibar.smplgrp", "none");
Deleted : user_pref("extensions.incredibar.srch", "");
Deleted : user_pref("extensions.incredibar.srchprvdr", "");
Deleted : user_pref("extensions.incredibar.tlbrId", "base");
Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8yEIXxuE&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.tlbrid", "base");
Deleted : user_pref("extensions.incredibar.tlbrsrchurl", "hxxp://mystart.Incredibar.com/?a=6R8yEIXxuE&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.upn2", "6R8yEIXxuE");
Deleted : user_pref("extensions.incredibar.upn2n", "92824686308102488");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.11.1412:26:27");
Deleted : user_pref("extensions.incredibar.vrsni", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnts", "1.5.11.1412:26:27");
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10643");
Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
Deleted : user_pref("extensions.incredibar_i.id", "96ab65730000000000009439e532c544");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15532");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "1");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8yEIXxuE&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6R8yEIXxuE");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92824686308102488");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1412:26:27");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Deleted : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_whiteList", "{\"search.babylon.com\[...]
-\\ Google Chrome v20.0.1132.57
File : C:\Users\Vatta\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted : "icon_url": "hxxp://mystart.incredibar.com/mb167/favicon.ico",
Deleted : "keyword": "mystart.incredibar.com/mb167",
Deleted : "search_url": "hxxp://mystart.incredibar.com/mb167/?loc=IB_DS&search={searchTerms}&a=6R8yEIXxu[...]
*************************
AdwCleaner[R1].txt - [11894 octets] - [12/07/2012 23:55:05]
AdwCleaner[R2].txt - [11955 octets] - [13/07/2012 00:04:00]
AdwCleaner[S1].txt - [11452 octets] - [13/07/2012 00:04:56]
########## EOF - C:\AdwCleaner[S1].txt - [11581 octets] ##########

After the cr*p was finally gone, I also ran CCleaner and removed the remaining dirt from the registry. Once again, many thanks to all of you!
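The log above is typical of what a browser hijacker leaves behind: dropped folders, registry keys, Firefox `user_pref` overrides in `user.js`, and a replaced Chrome default search engine. The script below is an added example (not the poster's, not AdwCleaner's own code) that triages such a log for a helpdesk or IR write-up: it counts actions per section, collects the hosts that the removed settings pointed to, and lists which core browser prefs (as opposed to the toolbar's own `extensions.*` entries) had been overridden. The sample log is constructed to mirror the format of the post; the section and action regexes are assumptions about that format, not a documented AdwCleaner schema.

```python
"""Triage helper for AdwCleaner-style removal logs (added example, not
part of the forum post and not AdwCleaner's own code).

Parses "Kind Action : detail" lines into per-section counts, collects the
hosts that hijacked browser settings pointed at, and lists which core
browser prefs (not extension-private ones) had been overridden.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the log format shown in the post (a handful of
# lines only; the hosts and keys are the ones the post itself lists).
SAMPLE_LOG = r"""
***** [Files / Folders] *****
Folder Deleted : C:\Users\Vatta\AppData\Roaming\Babylon
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
***** [Registry] *****
Key Deleted : HKCU\Software\Softonic
[x64] Key Deleted : HKLM\SOFTWARE\Web Assistant
***** [Internet Browsers] *****
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://mystart.incredibar.com/mb167?a=6R8yEIXxuE&i=26 --> hxxp://www.google.com
Deleted : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb167?a=6R8yEIXxuE&loc=FF_NT");
Deleted : user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_bb");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Deleted : "search_url": "hxxp://mystart.Incredibar.com/mb167/?loc=IB_DS&search={searchTerms}",
"""

# Assumed line shapes, derived from the log in the post.
SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION_RE = re.compile(
    r"^(?:\[x64\] )?(?:(?P<kind>Folder|File|Key|Value) )?"
    r"(?P<action>Deleted|Replaced) : (?P<rest>.*)$"
)
# AdwCleaner defangs URLs as hxxp://; matching that form keeps the
# indicators inert when the summary is pasted elsewhere.
URL_RE = re.compile(r"hxxps?://[^\s\"']+")
PREF_RE = re.compile(r'user_pref\("(?P<name>[^"]+)"')


def parse_adwcleaner(text):
    """Return per-section counts, hijack hosts and overridden browser prefs."""
    section = "(none)"
    counts = Counter()
    hosts = set()
    browser_prefs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ACTION_RE.match(line)
        if not m:
            continue  # browser headers, profile names, file paths: not actions
        counts[section] += 1
        detail = m.group("rest")
        if m.group("action") == "Replaced":
            # "old --> new": only the old value belongs to the adware
            detail = detail.split(" --> ", 1)[0]
        for url in URL_RE.findall(detail):
            host = urlparse(url.replace("hxxp", "http", 1)).hostname
            if host:
                hosts.add(host.lower())  # log mixes Incredibar/incredibar
        p = PREF_RE.search(detail)
        if p and not p.group("name").startswith("extensions."):
            browser_prefs.append(p.group("name"))
    return {
        "sections": dict(counts),
        "hosts": sorted(hosts),
        "browser_prefs": browser_prefs,
    }


if __name__ == "__main__":
    summary = parse_adwcleaner(SAMPLE_LOG)
    for name, n in summary["sections"].items():
        print(f"{name}: {n} action(s)")
    print("hosts referenced by removed settings:", ", ".join(summary["hosts"]))
    print("core browser prefs that were overridden:", summary["browser_prefs"])
```

Feeding the real `AdwCleaner[S1].txt` to `parse_adwcleaner` gives a compact list of the domains to block at the proxy or DNS layer and shows which settings (new-tab page, default search, IE start page) the user should double-check by hand after cleanup; the `-->` split on `Replaced` lines keeps the tool's own replacement value (here `www.google.com`) out of the indicator list.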