אני מתחרפן!

האקספלורר כותב לי בשורת כתיבה הזאתי שכותבים אתרים http://www.incredifind.com/index.cfm?action=lookup&pc=msifj&Keywords=http://www.tapuz.co.il/?h=100&uid=576388A7-61A7-44A5-B561-31A1C2353EF9&version=1.7.0

מה זה??? הוא כותב לי את זה כשאני כותב את וואלה... הצילו!

מה זה???

ספיוור סביר להניח

תוריד hijackthis

http://files.webattack.com/localdl834/HijackThis.exe

לחץ על scan ועל save log וצרף להודעה

Logfile of HijackThis v1.97.7

Scan saved at 00:22:49, on 16/11/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus 2005\navapsvc.exe

C:\Program Files\Norton AntiVirus 2005\IWP\NPFMntor.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\gsicon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\webHancer\Programs\whSurvey.exe

C:\WINDOWS\system32\wrcjiz.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\Program Files\webHancer\Programs\whAgent.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

C:\temp\salm.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

D:\תוכנות\firefox\firefox.exe

D:\תוכנות\Azureus\Azureus\Azureus.exe

C:\Program Files\Java\j2re1.4.2_05\bin\javaw.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\תוכנות\priza\eliserver-2004.exe

D:\תוכנות\priza\rAdMin [nOpAsS] sCaNnOr.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

D:\תוכנות\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tapuz.co.il/?h=100

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\system32\ATPART~1.DLL

O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus 2005\NavShExt.dll

O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\תוכנות\icq 4.12\ICQToolbar\toolbaru.dll (file missing)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus 2005\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\תוכנות\דימון טולס\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [Hebrew] d:\תוכנות\הפוך על 4הפוך\Hebrew.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks pro 2005\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton SystemWorks 2005 p\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [bootWarn] C:\Program Files\Norton SystemWorks 2005 p\Norton AntiVirus\BootWarn.exe /a

O4 - HKLM\..\Run: [iCQ Lite] D:\תוכנות\icq4\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [oouahqayfopop] C:\WINDOWS\system32\wrcjiz.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [babylon Client] D:\תוכנות\מילון בבילון\Babylon\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [ohyhsvmh] C:\WINDOWS\ohyhsvmh.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\תוכנות\חפש והשמד (תוכנה לגילוי מרגלים במחשב)\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: הפעל את Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html

O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\תוכנות\icq 4.12\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: מחקר (HKLM)

O9 - Extra button: ICQ 4 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/iw/big/1.1.62-big/GoogleNav.cab

O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38164.286875

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{341527CF-8234-4AEF-9031-738C3877DCEA}: NameServer = 212.150.49.10 206.49.94.234

O17 - HKLM\System\CS1\Services\Tcpip\..\{341527CF-8234-4AEF-9031-738C3877DCEA}: NameServer = 212.150.49.10 206.49.94.234

למה לסבך??

תוריד ותריץ את AD-AWARE

www.lavasoftusa.com

אין צורך לעבור על LOGים..

התוכנה המורדת ביותר מDOWNLOAD.COM כבר המון זמן.

למה לסבך??

תוריד ותריץ את AD-AWARE

www.lavasoftusa.com

אין צורך לעבור על LOGים..

למה לדבר שטויות? יש צורך לעבור על לוגים, תוכנות נגד ספיוור לא מזהות הכול

בנוסף לא תמיד מסירות לגמרי את הספיוור שנמצא

לחץ ctrl+alt+del וסגור את הפרוססים

wrcjiz.exe,WebRebates0.exe,WebRebates1.exe,WinAdTools.exe,WinRatchet.exe,salm.exe,updmgr.exe

כנס ל c:\program files ומחק את התיקיות updmgr/Web_Rebates/Windows AdTools

חפש את salm.exe,wrcjiz.exe ומחק אותם

תריץ hijackthis וסמן

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [ohyhsvmh] C:\WINDOWS\ohyhsvmh.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [oouahqayfopop] C:\WINDOWS\system32\wrcjiz.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

*סגור את אינטרנט אקספלורר ולחץ בhijackthis על fix checked*

נשארו עוד כמה דברים להסיר,הwebhancer קצת קשה

http://www.doxdesk.com/parasite/Transponder.html

http://www.pestpatrol.com/PestInfo/w/win32_trojandownloader_rameh_c_trojan.asp

http://www.pestpatrol.com/pestinfo/t/trojandownloader_win32_keenval_e.asp

http://www.pestpatrol.com/PestInfo/b/blazefind_variant.asp

http://www.pestpatrol.com/pestinfo/t/tv_media_display.asp

http://www.pestpatrol.com/PestInfo/t/trojandownloader_win32_stubby_c.asp

*profilepath=c:\documents and settings\user*

* unregister dll's howto - http://www.pestpatrol.com/pestinfo/About.asp#UnregisterDLLs *

webhancer

~~~~~~~~

http://www.cexx.org/webhancer.htm

http://www.pestpatrol.com/PestInfo/w/webhancer.asp