topantispyware lässt sich nicht entfernen

#16 nun gehe mit smitrem in den abgesicherten Modus und scanne noch mal und poste den scanreport
__________
MfG Sabina

rund um die PC-Sicherheit

#17 Voilà:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]

Running from
D:\Downloads\SmitRem\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 296 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll is missing!!

#18 es gibt genug wininet auf dem PC,...ich verstehe nicht, wieso sie als Missing angezeigt wird.
Kommst du ins net? Kannst du Onlinescans machen ?
__________
MfG Sabina

rund um die PC-Sicherheit

#19 komm leider noch immer nicht ins Netz. DFÜ-Verbindung baut sich normal auf, unter Eigenschaften der Verbindung werden Fehler gemeldet. Upload und Download belaufen sich auf ca. 400 bzw. 250 kb.
IE findet keinen Server.
Was tun?
lg
Alex
PS: Es sind nur 400 bzw. 250 Bytes!

PS: Ich hab noch mal eine genaue Anleitung zur Deinstallation der Uralt-Firewall von McAfee geholt:
http://ts.mcafeehelp.com/doconly.asp?docid=275987&CategoryId=&chat=
und alles so gemacht wie angegeben. Hat allerdings gar nichts gebracht. Die sporder.dll Meldungen habe ich noch immer und svchost.exe lastet die CPU immer noch bis zu 99 % aus.
Ein aktueller HijackThis log hat noch immer zwei Zeilen, die auf McAfee verweisen.

Logfile of HijackThis v1.99.1
Scan saved at 22:11:21, on 26.01.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\faxsvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Programme\Apoint\Apoint.exe
C:\WINNT\system32\ICONSPY.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Programme\HP CD-DVD\Umbrella\hpcdtray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Programme\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\BatteryScope\Batmgr.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Sony\VAIO Action Setup\VAServ.exe
C:\Programme\PowerPanel\Program\PcfMgr.exe
D:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\Programme\iFinger\plugins\IE.ifp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Programme\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [HPCDTray] "C:\Programme\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programme\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [msci] C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\200612523150_mcinfo.exe /insfin
O4 - Global Startup: D-Link AirPlus.lnk = C:\Programme\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Pinnacle PCTV Scheduler.lnk = C:\Programme\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
O4 - Global Startup: BatteryScope.lnk = C:\Programme\BatteryScope\Batmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Programme\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: PowerPanel.lnk = C:\Programme\PowerPanel\Program\PcfMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\System32\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cabO20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - (no file)
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

#20 es ist wegen der fehlenden wininet.dll ... sie ist geloescht worden, ich weiss nicht von welchem Tool.
Dir wird wohl nichts anderes uebrigbleiben und wirst formatieren muessen.
Eigentlich kopiert smitrem eine saubere dll in System32 um, aber hier scheint es keine zu finden...was ich eigenartig finde...aber ich weiss auch nichtwieso es das nicht tut...denn es ist ja eine vorhanden.....
Man koennte eine dll aus dem Net laden, aber man weiss nie, ob die auch sauber sind.
Oder man koennte aus dem cache die dll umkopieren in System32...was eigentlich smitrem tun sollte.

Nun, ich bin mit meinem latein ...fast...am Ende.

Lade den Firefox und berichte, wie es mit diesem Browser laeuft
http://virus-protect.org/firefox.html

Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum
http://www.virustotal.com/flash/index_en.html

C:\WINNT\system32\ICONSPY.EXE
__________
MfG Sabina

rund um die PC-Sicherheit

#21 Hallo,
und gleichmal vielen, vielen Dank für die Unterstützung. Bin schon völlig fertig, weil ich mit dem Problem nicht mehr zum Arbeiten komme.

Also ein aktueller Zustandsbericht:
Firefox hab ich installiert, funktioniert nicht, irgendwo blockiert was den Internetzugang. Hast du eine Ahnung, wie ich die Fehler, die das Eigenschaften-Fenster der Verbindung anzeigt, einsehen kann?

Ich hab nun die inconspy.exe kopiert und am USB-Stick und hab sie dort von virustotal überprüfen lassen. Das Ergebnis sieht so aus:

This is a report processed by VirusTotal on 01/27/2006 at 10:25:57 (CET) after scanning the file "ICONSPY.EXE" file.
Antivirus Version Update Result
AntiVir 6.33.0.77 01.27.2006 no virus found
Avast 4.6.695.0 01.26.2006 no virus found
AVG 718 01.26.2006 no virus found
Avira 6.33.0.77 01.27.2006 no virus found
BitDefender 7.2 01.27.2006 no virus found
CAT-QuickHeal 8.00 01.27.2006 no virus found
ClamAV devel-20051123 01.26.2006 no virus found
DrWeb 4.33 01.27.2006 no virus found
eTrust-InoculateIT 23.71.61 01.27.2006 no virus found
eTrust-Vet 12.4.2058 01.27.2006 no virus found
Ewido 3.5 01.27.2006 no virus found
Fortinet 2.54.0.0 01.27.2006 no virus found
F-Prot 3.16c 01.26.2006 no virus found
Ikarus 0.2.59.0 01.27.2006 no virus found
Kaspersky 4.0.2.24 01.27.2006 no virus found
McAfee 4683 01.26.2006 no virus found
NOD32v2 1.1382 01.27.2006 no virus found
Norman 5.70.10 01.27.2006 no virus found
Panda 9.0.0.4 01.27.2006 no virus found
Sophos 4.01.0 01.27.2006 no virus found
Symantec 8.0 01.27.2006 no virus found
TheHacker 5.9.3.082 01.27.2006 no virus found
UNA 1.83 01.25.2006 no virus found
VBA32 3.10.5 01.26.2006 no virus found

lg
Alex

#22 fixe mit dem HijackThis:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

neustarten

kopiere das Log vom Silentrunner
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit

#23 Hallo,
also dann auf ein Neues.
Hier ist der Log:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AtiPTA" = "Atiptaxx.exe" ["ATI Technologies, Inc."]
"Apoint" = "C:\Programme\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"Mouse Suite 98 Daemon" = "ICONSPY.EXE" ["Primax Electronics Ltd."]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"HKSERV.EXE" = "C:\Programme\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]
"LoadQM" = "loadqm.exe" [MS]
"dla" = "C:\WINNT\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"DVDBitSet" = ""C:\Programme\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI" ["Hewlett-Packard Company"]
"HPCDTray" = ""C:\Programme\HP CD-DVD\Umbrella\hpcdtray.exe"" ["Hewlett-Packard Company"]

lg
Alex

#24 es ist nicht komplett...............

Entpacke das Programm Silentrunners in einen Ordner (z.B. "Eigene Dateien"). Doppelklicke auf das Symbol "Silent Runners" in diesem Ordner.
Die Option "Supplementary Searches" waehlen
__________
MfG Sabina

rund um die PC-Sicherheit

#25 sorry!
hier das vollständige:

Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AtiPTA" = "Atiptaxx.exe" ["ATI Technologies, Inc."]
"Apoint" = "C:\Programme\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"Mouse Suite 98 Daemon" = "ICONSPY.EXE" ["Primax Electronics Ltd."]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"HKSERV.EXE" = "C:\Programme\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]
"LoadQM" = "loadqm.exe" [MS]
"dla" = "C:\WINNT\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"DVDBitSet" = ""C:\Programme\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI" ["Hewlett-Packard Company"]
"HPCDTray" = ""C:\Programme\HP CD-DVD\Umbrella\hpcdtray.exe"" ["Hewlett-Packard Company"]
"HPAIO_PrintFolderMgr" = "C:\WINNT\system32\spool\DRIVERS\W32X86\hpoopm07.exe" [null data]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HP Software Update" = "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"StatusClient 2.6" = "C:\Programme\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto" ["Hewlett-Packard"]
"TomcatStartup 2.5" = "C:\Programme\Hewlett-Packard\Toolbox\hpbpsttp.exe" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "MSN Messenger 4.5"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.Remove.PerUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A114D52B-870C-4F15-8021-B6D7F91A054B}\(Default) = "iFinger plugin / Browser helper object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\iFinger\plugins\IE.ifp" ["iFinger Ltd"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1031\UNBIND.DLL" [MS]
"{e6084f70-beb9-11cf-9460-00aa002ce26c}" = "Citrix ICALink Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\icashell.dll" ["Citrix Systems, Inc."]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Eudora\EuShlExt.dll" ["Qualcomm Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"D-Link AirPlus" -> shortcut to: "C:\Programme\D-Link AirPlus\AirPlus.exe" ["D-Link"]
"Pinnacle PCTV Scheduler" -> shortcut to: "C:\Programme\Pinnacle\Shared Files\Programs\PCLEScheduler.exe" ["Pinnacle Systems"]
"BatteryScope" -> shortcut to: "C:\Programme\BatteryScope\Batmgr.exe" ["Phoenix Technologies Ltd. and Sony Corp."]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"VAIO Action Setup (Server)" -> shortcut to: "C:\Programme\Sony\VAIO Action Setup\VAServ.exe" ["Sony Corporation"]
"PowerPanel" -> shortcut to: "C:\Programme\PowerPanel\Program\PcfMgr.exe /launch" ["Phoenix Technologies Ltd."]


Enabled Scheduled Tasks:
------------------------

"{F897AA24-BDC3-11D1-B85B-00C04FB93981}_JORMA_Administrator" -> launches: "C:\WINNT\system32\mobsync.exe /Schedule="{F897AA24-BDC3-11D1-B85B-00C04FB93981}_JORMA_Administrator"" [MS]
"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
000000000###\PackedCatalogItem (contains) DLL [Company Name], (at) ### range:
C:\WINNT\System32\mclsp.dll ["McAfee.COM"], 01 - 038, 045
%SystemRoot%\system32\msafd.dll [MS], 039 - 041, 044, 046 - 100
%SystemRoot%\system32\rsvpsp.dll [MS], 042 - 043


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{0CBD5120-990B-11D3-8ABD-00C04FA95EE0}\ = "iFinger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\SHDOCVW.DLL" [MS]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\msjava.dll" [MS]

{4B30061A-5B39-11D3-80F8-0090276F843F}\
"ButtonText" = "Net2Phone"
"MenuText" = "Net2Phone"
"Exec" = "http://www.net2phone.com/" [file not found]

{936E5D60-596C-11D3-BB96-00600816DF55}\
"ButtonText" = "iFinger"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "blank" = "http://205.134.182.164/1/" [file not found]
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\ati2evxx.exe" ["ATI Technologies Inc."]
Client Service für NetWare, NWCWorkstation, "C:\WINNT\system32\services.exe" [MS]
COM+-Ereignissystem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}
iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Message Queuing, MSMQ, "C:\WINNT\System32\mqsvc.exe" [MS]
RIP-Überwachung, Iprip, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\iprip.dll" [MS]}
SNMP-Dienst, SNMP, "C:\WINNT\System32\snmp.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
LPR Port\Driver = "lprmon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 161 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 173 seconds.
---------- (total run time: 513 seconds)

#26 Gehe in die registry
Start-->Ausfuehren--> regedit

bearbeiten--> suchen--> http://205.134.182.164/1

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

"blank" = "http://205.134.182.164/1/"<--loeschen

pc neustarten

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

Finditnt2000xp.zip
http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip
Double-click on find.bat --> output.txt --> kopiere das log hier
__________
MfG Sabina

rund um die PC-Sicherheit

#27 Hallo,
und eine schöne neue Woche.
Danke für die neuen Tipps.
Ich habe den Eintrag in der Registry gelöscht, neu gestartet und Hoster laufen lassen.
Beim Start kam die Meldung
"Host file does not exist, press OK to creat HOSTS file, Cancel to
Nun hab ich aber ein Problem mit finditnt200xp. Ich bekomme die Meldung "Das System konnte den angegebenen Pfad nicht finden"
Was kann ich tun?
lg
Alex

#28 lasse eine neue Host erstellen:

"Host file does not exist, press OK to creat HOSTS file

dann berichte, welche Virenmeldung dein Virenscanner noch ausgibt... am besten kopiere hier den Pfad.
__________
MfG Sabina

rund um die PC-Sicherheit

#29 das hab ich gemacht!
lg
Alex

#30

Zitat

dann berichte, welche Virenmeldung dein Virenscanner noch ausgibt... am besten kopiere hier den Pfad.

.... denn ich finde nichts mehr...bin allerdings auch kein Virenscanner
__________
MfG Sabina

rund um die PC-Sicherheit