I can't access yahoo, google, msn


#1
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003
Hello,
my problem is the following:
I had some viruses on the computer; I think I got rid of them with Ad-Aware, with Norton and with some manual deleting in the registry, but now I can no longer access any search engine: yahoo, google, msn, kapa... nothing.
Does anyone have an idea what is going on and how I can fix the problem as quickly as possible?

Thanks in advance for the answers.

#2
nighthawk

    Member

  • Group: Members
  • Posts: 431
  • Joined: 21.08.2003
Hi!

Check whether the hosts file in the directory C:\WINDOWS\system32\drivers\etc happens to contain a list of the search engines you mentioned. If they are there, delete them from it.
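
A scripted version of the hosts-file check described in the post above, as an added example that is not part of the original thread. The watched domain list and the sample hosts content are constructed for illustration; on a real machine the text would be read from the hosts file itself.

```python
import ipaddress

# Assumption: domains taken from the search engines named in the first post.
WATCHED = ("yahoo.com", "google.com", "msn.com")

# Constructed sample hosts content, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed redirect
203.0.113.7     search.yahoo.com
127.0.0.1       www.msn.com                 # constructed block entry
192.168.1.10    fileserver
not-an-ip       www.google.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")


def suspicious_entries(text, watched=WATCHED):
    """Return mappings that override a watched domain or one of its subdomains."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            # Loopback or 0.0.0.0 makes the site unreachable; anything else
            # sends the browser to a different server.
            blocked = ip.is_loopback or ip.is_unspecified
            hits.append((line_no, name, str(ip), "blocked" if blocked else "redirected"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % hit)
```
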

#3
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
If the hosts file doesn't solve it:

Download HijackThis! 1.98.2 from here

Extract hijackthis.exe into a folder of its own, for example c:\hjt, run HijackThis.exe, press SCAN and then SAVE LOG. Post the log here.

Don't fix anything with HJT; most of the entries there are legitimate!

There is also an automatic fix for the hosts file (recommended):
Download Hoster from here: Hoster Download. Extract the program somewhere, on the Desktop for example. Run Hoster.exe. Press Restore Original Hosts and then OK.

Close the program and REBOOT.

#4
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003
Thanks for the answers. I tried hoster.exe and nothing.
Nothing in the hosts file.

Here is the log from HJ as well:

Logfile of HiJackThis v1.97.7
Scan saved at 13:45:40, on 09.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\netcb32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HTML\HJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insse.ro/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC6A839-B691-49C9-8530-BB70481C2E38}: NameServer = 209.47.15.118,64.157.143.38


I'm also attaching the page that appears instead of my pages. Note that the links you can reach from there have nothing to do with msn (I didn't follow the link, I saw it in the status bar).

Attached Files

  • Attached File  g.bmp   606.43K   13 downloads


#5
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
I think you have a hijack via DNS. Check which DNS your provider uses, or talk to the sysadmin to make the changes.

ARIN WHOIS:
64.157.143.38
Level 3 Communications, Inc. LC-ORG-ARIN (NET-64-152-0-0-1)
                                  64.152.0.0 - 64.159.255.255
EVENTURES NV LVLT-EVENT-2-64-157-143 (NET-64-157-143-0-1)
                                  64.157.143.0 - 64.157.143.255



209.47.15.118
UUNET Technologies, Inc. UUNETCA4-A (NET-209-47-0-0-1)
                                  209.47.0.0 - 209.47.255.255
Colosseum Online COLOSS-UUBLK5 (NET-209-47-15-0-1)
                                  209.47.15.0 - 209.47.15.255
Colosseum Online Inc. COLOSS-VLAN155-BLK1 (NET-209-47-15-64-1)
                                  209.47.15.64 - 209.47.15.127

You also have a suspicious process:
C:\WINNT\system32\netcb32.exe <-- this file

If you can, please send it to [email protected], in a password-protected ZIP archive.


Download and run Silent Runners.vbs: http://www.silentrunners.org/

If you have a script-blocking program, allow the script to run.

Please post the log. Look through it so that no confidential information appears in it. Replace it with XXXXXX if there is any.

Edited by cryo, 09 December 2004 - 14:10.


#6
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Please also post a new HJT log. You have an old version. I see that softpedia has 1.99, but it is a beta and I don't recommend it to you.

Download 1.98.2 from here:
http://www.bleepingcomputer.com/files/hijackthis.php

#7
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003
Here is a new log:

Logfile of HiJackThis v1.98.2
Scan saved at 14:29:44, on 09.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\netcb32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HTML\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insse.ro/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC6A839-B691-49C9-8530-BB70481C2E38}: NameServer = 209.47.15.118,64.157.143.38

I don't have e-mail to send you the suspect. Unless I make myself a new account somewhere....
What do I have to do with that vb script? How do you run it?

Thanks

#8
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004

Quote

What do I have to do with that vb script? How do you run it?
Very simple: follow this link: http://www.silentrunners.org/ and on the page, where it says "Click here for Revision 27", right-click and save the script to the desktop. Double-click it, allow it to run if Norton protests, and it will produce a log. Open the log and post its contents.

Edited by cryo, 09 December 2004 - 14:44.


#9
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003
You were right. The DNS address had been changed. I put in the correct address and now it works.
Thanks a lot for the help.

Still, how do I find out what virus I have on the computer and how do I remove it?

I'll send you the file you asked for by e-mail. The zip password is: 'suspect'

I double-clicked that script and nothing happens?!

#10
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
It is a trojan: Win32.Agent.bq

Download System Security Suite:
System Security Suite Download & Tutorial. Unzip it to the desktop.
Install the program. Don't use it yet.

Scan the HDD here: BitDefender Free Online Virus Scan
Tick all the boxes on the left and remove everything it finds. Whatever it cannot remove, write down somewhere, REBOOT into SafeMode, make sure all files and folders are visible and delete everything BitDefender says is infected.

In SafeMode:
With all windows and browsers closed.
Empty temp and Temporary Internet Files.
A. Start System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left): Cookies & Temporary files
- My Computer (right): Temporary files
Press the Clear Selected Items button.

Close the program.

REBOOT normally and post a new HJT log so we can make sure it is gone.

Quote

I double-clicked that script and nothing happens?!
Is it saved with the vbs extension? If Norton stops it, select "Allow entire script to run". The script does nothing harmful; it reads some values from the Windows Registry and creates a log in the same folder as the script.

Edited by cryo, 09 December 2004 - 15:49.


#11
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003
Yes, the script has the vbs extension.

I did everything you said above.
Here is a new log:

Logfile of HiJackThis v1.98.2
Scan saved at 16:58:25, on 09.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HTML\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Clock] C:\WINNT\label.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC6A839-B691-49C9-8530-BB70481C2E38}: NameServer = 194.102.255.2

Thank you very much for your patience and help.
I hope it is fine now  :)

#12
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
BitDefender doesn't see this one.
Please send me this trojan as well: C:\WINNT\label.exe <-- this trojan
I've seen that in the last few days some with protection have appeared. Let's hope it isn't one of those.

I think you urgently need protection. You pick them up too quickly.
Read this and take urgent measures:
How did I get infected ? With steps so it does not happen again!


It is a good idea to print or copy these instructions, because you have no net access in SafeMode.

Make sure you can see hidden files & folders:
A. In the Tools menu of Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Untick Hide extensions for known filetypes and Hide protected operating system files.
Details here

REBOOT into SafeMode and stay there.

If you have difficulties at one stage, move on to the next and tell me what didn't work.

Run HiJackThis and tick the entries below:

O4 - HKCU\..\Run: [Clock] C:\WINNT\label.exe

Very important: Close all other windows and browsers, apart from HijackThis, and press Fix Checked.

Delete the following files, if they are still present:
C:\WINNT\label.exe  <-- this file

With all windows and browsers closed.
Empty temp and Temporary Internet Files.
A. Start System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left): Cookies & Temporary files
- My Computer (right): Temporary files
Press the Clear Selected Items button.
Close the program.

REBOOT NORMALLY.

Run HijackThis and post a new log, please.

Edited by cryo, 09 December 2004 - 17:30.
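
The two checks made by eye in this thread (the O17 NameServer entry behind the DNS hijack diagnosis in post #5, and the new O4 autorun entry spotted in post #12), as an added example that is not part of the original posts or of HijackThis. The function names are hypothetical, and EXPECTED_RESOLVERS assumes that the resolver the poster set after the fix is the legitimate one.

```python
import ipaddress
import re

# Constructed excerpts: lines copied from the 14:29 and 16:58 logs in this
# thread, trimmed to the process and O4/O17 lines that differ between them.
LOG_BEFORE = r"""Running processes:
C:\WINNT\system32\netcb32.exe
C:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC6A839-B691-49C9-8530-BB70481C2E38}: NameServer = 209.47.15.118,64.157.143.38
"""
LOG_AFTER = r"""Running processes:
C:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Clock] C:\WINNT\label.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC6A839-B691-49C9-8530-BB70481C2E38}: NameServer = 194.102.255.2
"""

# Assumption: the resolver the poster set after the fix is the legitimate one.
EXPECTED_RESOLVERS = {"194.102.255.2"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


def parse_log(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def rogue_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Return O17 NameServer values that are not on the expected list."""
    rogue = []
    for code, detail in entries:
        m = NAMESERVER_RE.search(detail) if code == "O17" else None
        if not m:
            continue
        for token in filter(None, re.split(r"[,\s]+", m.group(1))):
            try:
                addr = str(ipaddress.ip_address(token))
            except ValueError:
                addr = token  # malformed value: report it unchanged
            if addr not in expected:
                rogue.append(addr)
    return rogue


def diff_logs(before, after):
    """Report what appeared or disappeared between two scans of one host."""
    procs_b, entries_b = parse_log(before)
    procs_a, entries_a = parse_log(after)
    return {
        "new_entries": [e for e in entries_a if e not in entries_b],
        "new_processes": sorted(procs_a - procs_b),
        "gone_processes": sorted(procs_b - procs_a),
    }
```

On these excerpts, diff_logs reports the [Clock] autorun and the changed O17 value as new entries and netcb32.exe as a process that is gone, and rogue_resolvers flags both addresses from the earlier log.
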


#13
danic

    Active Member

  • Group: Banned
  • Posts: 1,551
  • Joined: 02.03.2004
I don't know the solution to your problem, but I can give you a piece of advice for the future: use Firefox yourself. It is known that IE (and its variants: Maxthon=MyIE, Avant, etc.) is full of security holes.
Also install Ad-Aware (I think it would help you in your current situation too!).

Good luck!

#14
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003
Done. I also sent the e-mail, with the same password on the zip.

Logfile of HiJackThis v1.98.2
Scan saved at 17:58:58, on 09.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HTML\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC6A839-B691-49C9-8530-BB70481C2E38}: NameServer = 194.102.255.2

@danic: you're right, but I can't do anything because it is a PC installed temporarily at a temporary work site, to which a lot of people have access. I'm struggling to fix it because we still need it for a few days and we can't reinstall it. When we get back to headquarters we'll format it and it will go into a somewhat better protected network. Thanks anyway.

#15
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
LOL, you sent me a Microsoft file.

The file you were supposed to send me was in the WINNT folder. You sent me the one from system32, which is legitimate :).

If you deleted the one in system32, put it back. If you no longer have it, I'll send it back to you :).


Also clean this:
Run HiJackThis and tick the entries below:

R3 - Default URLSearchHook is missing

Very important: Close all other windows and browsers, apart from HijackThis, and press Fix Checked.

REBOOT.

Otherwise the log is clean.

Edited by cryo, 10 December 2004 - 00:32.


#16
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
I've tracked down this one too: netcb32.exe.

It installs itself as a service and then installs CoolWebSearch_NS3 aka Home Search Assistant, one of the most aggressive CoolWebSearch hijackers.
Details about CWS_NS3 here: http://www.bleepingcomputer.com/forums/tutorial85.html

It probably didn't manage to do so on your machine.

Save the contents of the QuoteBox below as repair.reg, double-click it and confirm.

It will delete the entries that netcb32.exe made in the Windows Registry:

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_%AFå¶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%AFå¶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%AFå¶À¨]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%AFå¶À¨]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


#17
radu_me

    Member

  • Group: Members
  • Posts: 650
  • Joined: 07.07.2003

cryo, on Dec 9 2004, 19:11, said:

If you deleted the one in system32, put it back. If you no longer have it, I'll send it back to you :).

Oops, I deleted both files :). I'll take the one from sys32 from another PC and put it back.
Unfortunately I no longer have anywhere to get the infected file from to send it to you.

I ran the repair.reg above. I deleted the netcb32.exe file myself yesterday in safe mode because BitDefender hadn't been able to.

thanx again

#18
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
OK, take protective measures. Two(?) new Look2Me variants are roaming around out there for which there is no automatic fix, and the manual fix is a big headache. The latest variants no longer follow any rule or pattern and can do damage.

Happy surfing ! :)

Edited by cryo, 10 December 2004 - 09:30.

