Malware Removal Information

Switch-dialer

Startportal, or MS-Connect, or…. is a dialer that also takes over the start page (among others 24start.com).
The owner of this dialer is ConnectSwitch.
It is a very troublesome dialer because it regularly changes its name.

Recognizing an infection.

If you are affected by this dialer, you will see entries such as these in a HijackThis log.

MS-Connect:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\msite18.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINNT\System32\cdm.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\game.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe

Startportal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
O4 - HKLM\..\Run: [Diskstart] C:\WINNT\system32\code.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\cat.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\HIT.EXE
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM32\snt.exe

QuickPage:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/QuickPage/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\ru.exe
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe

OnlineDirect:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\msgplus.exe

NowOnline:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe

FirstEnter:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\dll.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\plugin.exe

First2Enter

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/First2Enter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/First2Enter/Portal/portal.html
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\run_21.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe

Plus18Point

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe

MStartEnter

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\mstar2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\system32\mstart.exe

MStart2Page

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mcmgr32.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\system32\mmgr32.exe

EnterOne

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\m2gr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntcpl.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntopengl.exe

PageOn1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/PageOn1/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/PageOn1/Portal/portal.html
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\rcron.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\dservice.exe

Make125

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Make125/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Make125/Portal/portal.html
O4 - HKLM\..\Run: [sVideo2] C:\WINDOWS\system32\vxdrun6.exe

eMakeSV

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/eMakeSV/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/eMakeSV/Portal/portal.html
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\system32\emakesv.exe
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\system32\emake2b.exe

NIEUW2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NIEUW2/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NIEUW2/Portal/portal.html
O4 - HKLM\..\Run: [NIEUW] C:\WINDOWS\system32\emake2b.exe
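
An added example, not part of the original page: because the dialer keeps changing its name, a log check can key on what stays constant in the entries above, a start page set to a local `Portal/portal.html` under Program Files, and then list the System32 Run entries for review. The function name `scan`, the sample log and the name `ExampleName9` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constant across the listed variants: the IE start page points at a local
# file C:/Program Files/<variant>/Portal/portal.html (URL-encoded in the log).
START_PAGE = re.compile(
    r"^R[01] - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,"
    r"[^=]+= file:///(?P<path>.+)$", re.I)
PORTAL = re.compile(
    r"^[a-z]:/program files/(?P<variant>[^/]+)/portal/portal\.html$", re.I)
# O4 Run-key autostart entries; the path may be quoted (as in the NAP32 entry).
RUN_KEY = re.compile(
    r'^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<exe>[^"]+)"?$', re.I)
SYSTEM_DIR = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system(32)?\\[^\\]+\.exe$", re.I)

# Constructed sample log: an unseen variant name plus one unrelated entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/ExampleName9/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/ExampleName9/Portal/portal.html
O4 - HKLM\..\Run: [ExKey] C:\WINDOWS\System32\example9.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

def scan(log_text):
    """Return variant folder names and Run entries worth reviewing."""
    variants, run_entries = set(), []
    for line in log_text.splitlines():
        line = line.strip()
        m = START_PAGE.match(line)
        if m:
            p = PORTAL.match(unquote(m.group("path")))
            if p:
                variants.add(p.group("variant"))
            continue
        m = RUN_KEY.match(line)
        if m and SYSTEM_DIR.match(m.group("exe").strip()):
            run_entries.append((m.group("name"), m.group("exe").strip()))
    # Legitimate software also autostarts from System32, so Run entries are
    # reported only as candidates, and only when the start-page hijack is present.
    return {"variants": sorted(variants),
            "run_candidates": run_entries if variants else []}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The Run entries it returns are candidates to compare against the lists above, not a verdict.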

How to remove:

1. Go to Start - Control Panel - Add or Remove Programs - Change or Remove Programs.
Uninstall Switch.

2. If the uninstall function does not work, use HijackThis.
End the active process, look up the relevant entries and have HijackThis fix them.

In safe mode, delete the exe file and also the folder in c:\Program Files\ that contains Portal.

Other variants related to Switch:


AtivOpen

In a HijackThis log you will see:
O4 - HKLM\..\Run: [AtivOpen] C:\WINDOWS\system32\ativopen.exe
O16 - DPF: {5CBF8C22-E9A6-11D7-90FE-000AE4012999} - http://a0e6.ffx23wl.nl/plugins/nl/ativopen.cab

How to remove:
Go to Start - Control Panel - Add or Remove Programs - Change or Remove Programs.
Uninstall AtivOpen.
Fix the O16 entry with HijackThis.

AdServerNow

In a HijackThis log you will see:
O4 - HKLM\..\Run: [Updater] C:\Windows\system32\adservernow.exe

How to remove:
Go to Start - Control Panel - Add or Remove Programs - Change or Remove Programs.
Uninstall AdServerNow.

Others:

In a HijackThis log you will see:
O4 - HKLM\..\Run: [NAP32] "C:\WINDOWS\System32\NAP32.exe"
O16 - DPF: {62C9173E-C4C3-43B9-82F2-3DDD51663B00} - http://pms.localscripts.nl/plugins/nap32/nap32_nl.cab
