Removing Spyware Quake

19.07.2006, 15:45
Honorary member
Sabina

Posts: 29434
#16 1.
run VundoFix
http://virus-protect.org/artikel/tools/vundofixx.html

post the report

2.
spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> unpack it on the desktop -> spyfalcon.reg -> double-click it and add it to the registry with "yes"

3.
Avenger:
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IpWins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins
HKEY_USERS\S-1-5-21-583907252-1644491937-682003330-1004\Software\TClock

Files to delete:

C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\nvapps.xml
C:\WINDOWS\system32\ixt2.dll
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ixt1.dll
C:\WINDOWS\system32\ixt0.dll
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\pmnqguh.dll
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\wvurspo.dll
C:\WINDOWS\system32\winetn32.dll
C:\Programme\InetGet2\stub_109_4_0_4_0.exe
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\Update.exe
C:\WINDOWS\system32\components\flx5.dll
C:\Programme\TClock\tcdll.tclock
C:\Programme\TClock\tclock.exe
C:\Programme\TClock\tclock.ini
C:\Programme\TClock\tclock_install.exe
C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Programme\Save
C:\Programme\Save\ACM.dll
C:\Programme\Save\save.db
C:\Programme\Save\Save.exe
C:\Programme\Save\save.htm
C:\Programme\Save\SaveUninst.exe
C:\Programme\Save\saveupdate.exe
C:\Programme\Save\store.db
C:\WINDOWS\Temp\win1.tmp
C:\WINDOWS\Temp\win10.tmp
C:\WINDOWS\Temp\win11.tmp
C:\WINDOWS\Temp\win12.tmp
C:\WINDOWS\Temp\win5.tmp
C:\WINDOWS\Temp\win6.tmp
C:\WINDOWS\Temp\win7.tmp
C:\WINDOWS\Temp\win8.tmp
C:\WINDOWS\Temp\win9.tmp
C:\WINDOWS\Temp\winA.tmp
C:\WINDOWS\Temp\winB.tmp
C:\WINDOWS\Temp\winC.tmp
C:\WINDOWS\Temp\winD.tmp
C:\WINDOWS\Temp\winE.tmp
C:\WINDOWS\Temp\winF.tmp
C:\Programme\ipwins\count.dat
C:\Programme\ipwins\data.dat
C:\Programme\ipwins\date.dat
C:\Programme\ipwins\ipwins.exe
C:\Programme\ipwins\settings.dat
C:\Programme\ipwins\settingsDate.dat
C:\Programme\ipwins\Uninst.exe
Click the green traffic light
the script will now be executed, then the PC will restart automatically

**

post the Avenger log that appears

**
work through SmitfraudFix exactly (options 1 and 2 - let it clean the registry as well)
http://virus-protect.org/artikel/tools/smitfrautfix.html

**
uninstall ... delete:

C:\Programme\LeechGet 2005
C:\Programme\Save
C:\Programme\TClock
C:\Programme\ipwins
C:\Programme\InetGet2

delete:

C:\WINDOWS\system32\components
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}

---------------------------------------------------------------------------------------
open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

O4 - HKLM\..\Run: [IpWins] C:\Programme\ipwins\ipwins.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Programme\TClock\tclock_install.exe
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\system32\pmnqguh.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysuh32.exe (file missing)

Restart the PC


**
scan with CounterSpy
set everything to "remove" and post the report
http://virus-protect.org/counterspy.html
__________
Regards, Sabina

all about PC security
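As an added example (not part of the post and not HijackThis's own tooling), here is a small Python parser for the O4, O21 and O23 lines quoted above. It splits each entry into its section, registry location, name and target file and flags the ones HijackThis marks "(file missing)": an autostart or service hook whose binary is already gone is still registered and still gets fixed, which is why the post lists those entries even though the Avenger script deletes the files. The sample input is the four lines from the post, embedded as constructed input.

```python
"""Parse HijackThis O4 / O21 / O23 entries and flag orphaned ones (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four entries quoted in the post above.
SAMPLE_ENTRIES = r"""
O4 - HKLM\..\Run: [IpWins] C:\Programme\ipwins\ipwins.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Programme\TClock\tclock_install.exe
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\system32\pmnqguh.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysuh32.exe (file missing)
"""

MISSING = "(file missing)"   # HijackThis appends this when the target is gone


@dataclass
class Entry:
    kind: str          # HijackThis section: O4, O21, O23
    location: str      # registry location (O4) or category (SSODL, Service)
    name: str          # Run value name, SSODL name or service display name
    target: str        # file the entry points at
    detail: str        # CLSID (O21) or internal service name (O23), else ""
    file_missing: bool


# One pattern per section; named groups keep the field extraction uniform.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<loc>\S+): \[(?P<name>[^\]]+)\] (?P<target>.*)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.*?) - (?P<detail>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    # The display name may itself contain parentheses ("(RPC)"), so the internal
    # service name is the last parenthesised group before " - owner - path".
    "O23": re.compile(r"^O23 - Service: (?P<name>.*) \((?P<detail>[^()]*)\) - (?P<owner>.*?) - (?P<target>.*)$"),
}


def parse_line(line: str) -> Optional[Entry]:
    kind = line.split(" ", 1)[0]
    pattern = PATTERNS.get(kind)
    if pattern is None:
        return None                       # section not handled in this example
    m = pattern.match(line)
    if m is None:
        return None
    groups = m.groupdict()
    target = groups["target"]
    missing = target.endswith(MISSING)
    if missing:
        target = target[: -len(MISSING)].rstrip()
    location = groups.get("loc") or ("SSODL" if kind == "O21" else "Service")
    return Entry(kind, location, groups["name"], target, groups.get("detail", ""), missing)


def parse_hijackthis(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose binary is gone but whose autostart hook is still registered."""
    return [e for e in entries if e.file_missing]


if __name__ == "__main__":
    for e in parse_hijackthis(SAMPLE_ENTRIES):
        flag = " (orphaned)" if e.file_missing else ""
        print(f"{e.kind:<4}{e.location:<12}{e.name!r:<40}{e.target}{flag}")
```

The internal service name in the O23 line is kept exactly as logged, leading space included, because that is the name under which the service key appears in the Avenger script above.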
19.07.2006, 18:00
Member

Posts: 47
#17 1. VundoFix found nothing.

2. Done

3. Log file:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tiutoeep

*******************

Script file located at: \??\C:\WINDOWS\pgrhaicn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ 11Fßä#·ºÄÖ`I deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ 11Fßä#·ºÄÖ`I deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I
Status: 0xc0000034

File C:\WINDOWS\system32\ilkkj.ini deleted successfully.
File C:\WINDOWS\system32\nvapps.xml deleted successfully.
File C:\WINDOWS\system32\ixt2.dll deleted successfully.
File C:\WINDOWS\system32\ismon.exe deleted successfully.
File C:\WINDOWS\system32\mcrh.tmp deleted successfully.
File C:\WINDOWS\system32\ixt1.dll deleted successfully.
File C:\WINDOWS\system32\ixt0.dll deleted successfully.
File C:\WINDOWS\system32\issearch.exe deleted successfully.
File C:\WINDOWS\system32\ot.ico deleted successfully.
File C:\WINDOWS\system32\ts.ico deleted successfully.


File C:\WINDOWS\system32\pmnqguh.dll not found!
Deletion of file C:\WINDOWS\system32\pmnqguh.dll failed!

Could not process line:
C:\WINDOWS\system32\pmnqguh.dll
Status: 0xc0000034

File C:\WINDOWS\system32\isnotify.exe deleted successfully.
File C:\WINDOWS\system32\ishost.exe deleted successfully.
File C:\WINDOWS\system32\ilkkj.bak2 deleted successfully.
File C:\WINDOWS\system32\ilkkj.bak1 deleted successfully.
File C:\WINDOWS\system32\jkkli.dll deleted successfully.
File C:\WINDOWS\system32\wvurspo.dll deleted successfully.
File C:\WINDOWS\system32\winetn32.dll deleted successfully.

File C:\Programme\InetGet2\stub_109_4_0_4_0.exe not found!
Deletion of file C:\Programme\InetGet2\stub_109_4_0_4_0.exe failed!

Could not process line:
C:\Programme\InetGet2\stub_109_4_0_4_0.exe
Status: 0xc0000034



Could not open file C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll for deletion
Deletion of file C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll
Status: 0xc000003a

Could not open file C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\Update.exe for deletion
Deletion of file C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\Update.exe failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\Update.exe
Status: 0xc000003a

File C:\WINDOWS\system32\components\flx5.dll deleted successfully.
File C:\Programme\TClock\tcdll.tclock deleted successfully.
File C:\Programme\TClock\tclock.exe deleted successfully.
File C:\Programme\TClock\tclock.ini deleted successfully.
File C:\Programme\TClock\tclock_install.exe deleted successfully.
File C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini deleted successfully.


Error: C:\Programme\Save is a folder, not a file!
Deletion of file C:\Programme\Save failed!

Could not process line:
C:\Programme\Save
Status: 0xc00000ba



File C:\Programme\Save\ACM.dll not found!
Deletion of file C:\Programme\Save\ACM.dll failed!

Could not process line:
C:\Programme\Save\ACM.dll
Status: 0xc0000034

File C:\Programme\Save\save.db deleted successfully.


File C:\Programme\Save\Save.exe not found!
Deletion of file C:\Programme\Save\Save.exe failed!

Could not process line:
C:\Programme\Save\Save.exe
Status: 0xc0000034

File C:\Programme\Save\save.htm deleted successfully.
File C:\Programme\Save\SaveUninst.exe deleted successfully.


File C:\Programme\Save\saveupdate.exe not found!
Deletion of file C:\Programme\Save\saveupdate.exe failed!

Could not process line:
C:\Programme\Save\saveupdate.exe
Status: 0xc0000034

File C:\Programme\Save\store.db deleted successfully.
File C:\WINDOWS\Temp\win1.tmp deleted successfully.
File C:\WINDOWS\Temp\win10.tmp deleted successfully.
File C:\WINDOWS\Temp\win11.tmp deleted successfully.
File C:\WINDOWS\Temp\win12.tmp deleted successfully.
File C:\WINDOWS\Temp\win5.tmp deleted successfully.
File C:\WINDOWS\Temp\win6.tmp deleted successfully.
File C:\WINDOWS\Temp\win7.tmp deleted successfully.
File C:\WINDOWS\Temp\win8.tmp deleted successfully.
File C:\WINDOWS\Temp\win9.tmp deleted successfully.
File C:\WINDOWS\Temp\winA.tmp deleted successfully.
File C:\WINDOWS\Temp\winB.tmp deleted successfully.
File C:\WINDOWS\Temp\winC.tmp deleted successfully.
File C:\WINDOWS\Temp\winD.tmp deleted successfully.
File C:\WINDOWS\Temp\winE.tmp deleted successfully.
File C:\WINDOWS\Temp\winF.tmp deleted successfully.
File C:\Programme\ipwins\count.dat deleted successfully.
File C:\Programme\ipwins\data.dat deleted successfully.
File C:\Programme\ipwins\date.dat deleted successfully.
File C:\Programme\ipwins\ipwins.exe deleted successfully.
File C:\Programme\ipwins\settings.dat deleted successfully.
File C:\Programme\ipwins\settingsDate.dat deleted successfully.
File C:\Programme\ipwins\Uninst.exe deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IpWins not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IpWins failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins failed!
Status: 0xc0000034



Registry key HKEY_USERS\S-1-5-21-583907252-1644491937-682003330-1004\Software\TClock not found!
Deletion of registry key HKEY_USERS\S-1-5-21-583907252-1644491937-682003330-1004\Software\TClock failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

4. SmitFraudFix log file:

SmitFraudFix v2.74

Scan done at 17:12:11,46, 19.07.2006
Run from C:\Dokumente und Einstellungen\razor\Desktop\smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\razor\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\razor\FAVORI~1

C:\DOKUME~1\razor\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme

C:\Programme\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


SmitFraudFix v2.74

Scan done at 17:20:25,65, 19.07.2006
Run from C:\Dokumente und Einstellungen\razor\Desktop\smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOKUME~1\razor\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

5. deleted:

C:\Programme\LeechGet 2005
C:\Programme\Save
C:\Programme\TClock
C:\Programme\ipwins
C:\Programme\InetGet2

6. deleted:

C:\WINDOWS\system32\components

could not be deleted:
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}

(the file services.dll is in use and cannot be terminated)

7. HijackThis:

Fixed: O4 - HKCU\..\Run: [TClock.exe] C:\Programme\TClock\tclock_install.exe

Not fixed, since no such entry was present:
O4 - HKLM\..\Run: [IpWins] C:\Programme\ipwins\ipwins.exe
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - C:\WINDOWS\system32\pmnqguh.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysuh32.exe (file missing)



8. CounterSpy:

It cannot be updated because my licence has expired (I had already used the 15-day trial version once)
Should I try scanning without the update?
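The Avenger log above reports one result per script line and prints an NTSTATUS code for every failure. As an added example (not part of the post and not Avenger's own tooling), the following Python reads such a log and separates items that were already gone (0xC0000034, STATUS_OBJECT_NAME_NOT_FOUND) from items that are still present and need a different removal method, which is exactly the situation with services.dll in this thread. The input is a constructed excerpt of the log above; the NTSTATUS names are the standard Windows values.

```python
"""Summarise an Avenger log: what was deleted, what failed and why (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt of the Avenger log above, covering each outcome it reports.
SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ 11Fßä#·ºÄÖ`I deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I
Status: 0xc0000034

File C:\WINDOWS\system32\ixt2.dll deleted successfully.

Could not open file C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll for deletion
Deletion of file C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}\services.dll
Status: 0xc000003a

Error: C:\Programme\Save is a folder, not a file!
Deletion of file C:\Programme\Save failed!

Could not process line:
C:\Programme\Save
Status: 0xc00000ba

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins failed!
Status: 0xc0000034

Completed script processing.
"""

# Standard Windows NTSTATUS values for the codes that appear in the log.
STATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # item was already gone
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a path component could not be opened
    0xC00000BA: "STATUS_FILE_IS_A_DIRECTORY",    # script listed a folder under "Files to delete"
}

SUCCESS = re.compile(r"^(Registry key|File) (?P<item>.+) deleted successfully\.$")
FAILED = re.compile(r"^Deletion of (registry key|file) (?P<item>.+) failed!$")
STATUS = re.compile(r"^Status: 0x(?P<code>[0-9a-fA-F]{8})$")


@dataclass
class AvengerSummary:
    deleted: List[str] = field(default_factory=list)
    failed: Dict[str, int] = field(default_factory=dict)   # item -> NTSTATUS code


def parse_avenger_log(text: str) -> AvengerSummary:
    summary = AvengerSummary()
    pending = None   # item named by the most recent "Deletion of ... failed!" line
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SUCCESS.match(line)):
            summary.deleted.append(m.group("item"))
        elif (m := FAILED.match(line)):
            pending = m.group("item")
        elif (m := STATUS.match(line)) and pending is not None:
            # Avenger prints the status after the failed item, with or without
            # an intervening "Could not process line:" block.
            summary.failed[pending] = int(m.group("code"), 16)
            pending = None
    return summary


def explain(summary: AvengerSummary) -> Dict[str, str]:
    """Map each failed item to the NTSTATUS name behind its failure."""
    return {item: STATUS_NAMES.get(code, f"unknown 0x{code:08X}")
            for item, code in summary.failed.items()}


def still_present(summary: AvengerSummary) -> List[str]:
    """Failed items that were not simply missing: these need another removal method."""
    return [item for item, code in summary.failed.items() if code != 0xC0000034]


if __name__ == "__main__":
    s = parse_avenger_log(SAMPLE_LOG)
    print(f"{len(s.deleted)} deleted, {len(s.failed)} failed")
    for item, reason in explain(s).items():
        print(f"  {reason:<30} {item}")
    print("needs follow-up:", still_present(s))
```

Run against the full log above, the "needs follow-up" list contains only the two files under the {E043B8CF-...} folder and the C:\Programme\Save folder entry; everything else that failed was already absent.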
19.07.2006, 18:24
Honorary member
Sabina

Posts: 29434
#18 **
Pocket KillBox
http://virus-protect.org/killbox.html

Options: tick "Delete on Reboot" and "ALL Files"
and click the red cross; when asked "Do you want to reboot?" click "yes"
paste in:

C:\Programme\Gemeinsame Dateien\{E043B8CF-0708-1031-0827-040403110031}

Restart the PC

**
scan with CounterSpy without the update and post the report
__________
Regards, Sabina

all about PC security
21.07.2006, 13:44
Member

Posts: 47
#19 After clicking yes, KillBox shows the message

"PendingFileRenameOperations Registry Data has been Removed by External Process!"

Restarted the PC and let CounterSpy scan:

Spyware Scan Details
Start Date: 21.07.2006 02:00:11
End Date: 21.07.2006 02:51:19
Total Time: 51 mins 8 secs

Detected spyware

Spyware.SearchAssistant Spyware more information...
Status: Quarantined


Adw.Afriz.Downloader Browser Hijacker more information...
Details: Adw.Afriz.Downloader silently travels to porn sites without displaying IE.
Status: Quarantined

Infected files detected
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-3b20a737-30a52726.class
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-3b28b8a0-76f71bfc.class
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-5a384b9-3e667c67.class
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6482d9dc-35e1284a.class


WhenU.SaveNow Adware more information...
Details: an advertising application that displays pop-up advertising on the desktop in response to users' surfing behavior.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\0\win32 C:\Programme\Save\ACM.dll
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\HELPDIR C:\Programme\Save\
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0 ACM 1.0 Type Library
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib {DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0} IACMFactory
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib {DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086} IFetchExtractor
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib {DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842} IFetchData
HKEY_CLASSES_ROOT\AppID\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}
HKEY_CLASSES_ROOT\AppID\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB} ACM
HKEY_CLASSES_ROOT\AppID\ACM.DLL
HKEY_CLASSES_ROOT\AppID\ACM.DLL AppID {127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}


WhenU.WeatherCast Low Risk Adware more information...
Details: a local weather information program that sits in the desktop tray and offers current weather data, forecasts, and other weather information. Weathercast is often bundled with the Save advertising program and/or the WhenUSearch desktop toolbar.
Status: Ignored

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\WeatherCast
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\WeatherCast Order


NetPumper Adware Bundler more information...
Details: Bundles with a number of adware components such as cydoor, Save!, ClockSync, and WhenU Toolbar.
Status: Ignored

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}\1.1\0\win32 C:\NetPumper\NetPumperPro.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}\1.1\FLAGS 0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}\1.1\HELPDIR C:\NetPumper\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}\1.1 NetPumper Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\TypeLib {1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\TypeLib Version 1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B} IAddUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\TypeLib {1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\TypeLib Version 1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000} IAddPackage


Cok.ad.yieldmanager Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\razor\cookies\razor@ad.yieldmanager[1].txt
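The CounterSpy report above groups artifacts under each finding with a Status line, and three findings are only "Ignored", which is what the next reply objects to. As an added example (not part of the post and not CounterSpy's own tooling), this Python parser extracts the findings, lists those the scan did not remediate, and reduces their registry entries to the top-level keys, the same reduction the later Avenger script in this thread performs by hand. The input is a constructed, shortened excerpt of the report above.

```python
"""Parse a CounterSpy report and list what was left unremediated (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed, shortened excerpt of the CounterSpy report above.
SAMPLE_REPORT = r"""
Detected spyware

Adw.Afriz.Downloader Browser Hijacker more information...
Status: Quarantined

Infected files detected
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-3b20a737-30a52726.class


WhenU.SaveNow Adware more information...
Details: an advertising application that displays pop-up advertising on the desktop in response to users' surfing behavior.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0\0\win32 C:\Programme\Save\ACM.dll
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}\1.0 ACM 1.0 Type Library
HKEY_CLASSES_ROOT\AppID\ACM.DLL
HKEY_CLASSES_ROOT\AppID\ACM.DLL AppID {127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}


WhenU.WeatherCast Low Risk Adware more information...
Status: Ignored

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\WeatherCast
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\WeatherCast Order


Cok.ad.yieldmanager Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\razor\cookies\razor@ad.yieldmanager[1].txt
"""

HEADER = re.compile(r"^(?P<name>\S+) (?P<category>.+?) more information\.\.\.$")
SECTION = re.compile(r"^Infected (?P<kind>files|registry entries|cookies) detected$")


@dataclass
class Finding:
    name: str
    category: str
    status: str = ""
    files: List[str] = field(default_factory=list)
    registry: List[str] = field(default_factory=list)
    cookies: List[str] = field(default_factory=list)


def parse_counterspy(text: str) -> List[Finding]:
    findings: List[Finding] = []
    bucket = None                      # list currently receiving artifact lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER.match(line)):
            findings.append(Finding(m.group("name"), m.group("category")))
            bucket = None
        elif line.startswith("Status:") and findings:
            findings[-1].status = line.split(":", 1)[1].strip()
        elif line.startswith("Details:"):
            continue                   # free-text description, not an artifact
        elif (m := SECTION.match(line)) and findings:
            current = findings[-1]
            bucket = {"files": current.files,
                      "registry entries": current.registry,
                      "cookies": current.cookies}[m.group("kind")]
        elif bucket is not None:
            bucket.append(line)        # one artifact per line under a section header
    return findings


def unremediated(findings: List[Finding]) -> List[Finding]:
    """Findings the scan reported but did not clean (status Ignored)."""
    return [f for f in findings if f.status == "Ignored"]


def minimal_keys(entries: List[str]) -> List[str]:
    """Drop entries that lie under another listed key (subkey or value), keeping the top-level keys."""
    keep = []
    for e in entries:
        subsumed = any(p != e and e.startswith(p) and e[len(p)] in "\\ " for p in entries)
        if not subsumed:
            keep.append(e)
    return keep


if __name__ == "__main__":
    for f in unremediated(parse_counterspy(SAMPLE_REPORT)):
        print(f"{f.name} ({f.category}): {f.status}")
        for key in minimal_keys(f.registry):
            print("   ", key)
```

The value-name lines in the report ("...\1.0\0\win32 C:\Programme\Save\ACM.dll") are distinguished from subkeys only by the space after the key, so minimal_keys treats both a backslash and a space after a listed key as "lies under it".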
21.07.2006, 15:28
Honorary member
Sabina

Posts: 29434
#20 razor_89

you should set everything that was found to "remove"; why leave the computer infected with NetPumper and WhenU.SaveNow??

+
please post the new HijackThis log
__________
Regards, Sabina

all about PC security
21.07.2006, 15:46
Member

Posts: 47
#21 Since the CounterSpy licence key has expired, nothing can be deleted with it either.

Should I still post the HijackThis log?
21.07.2006, 15:52
Honorary member
Sabina

Posts: 29434
#22 Avenger

Quote

registry keys to delete:

HKEY_CLASSES_ROOT\AppID\ACM.DLL
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
HKEY_CLASSES_ROOT\AppID\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\WeatherCast
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}

Files to delete:

C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-3b20a737-30a52726.class
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-3b28b8a0-76f71bfc.class
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-5a384b9-3e667c67.class
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6482d9dc-35e1284a.class

post the report + the HijackThis log
__________
Regards, Sabina

all about PC security