Adware SearchAid / Winshow on W2k-Terminal Server


3 replies to this topic

#1 hmp

hmp

    Member

  • New Member
  • 3 posts

Posted 11 June 2004 - 02:42 AM

Hi, Folks!

I had a "very nice" morning today with Adware SearchAid / Winshow on a Windows 2000 Terminal Server.

Ad-Aware ignored it / couldn't find anything...

McAfee detected it as "Adware SearchAid" (and sometimes one file as "Adware ShowSearch"), but it was only able to delete some files, and they came back soon after deleting them...

CWShredder is able to remove it as "Winshow" under the current session, but after opening an IE browser or after login with the same or another user it comes back for all users and all sessions under the terminal server... :-(

Does anybody know anything about complete (!) removal, maybe especially on WTS but also on clients?

Thanks'n'bye...

B. Wettstein

#2 hmp

hmp

    Member

  • New Member
  • 3 posts

Posted 13 June 2004 - 06:53 AM

No idea?!? :-(

#3 gravylover5

gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • 121 posts

Posted 13 June 2004 - 07:10 AM

Please download and run Hijack This, available here:
http://www.spywarein.../HijackThis.exe

Scan your computer and hit "Save log." Copy and paste the contents of that notepad file to here.

#4 hmp

hmp

    Member

  • New Member
  • 3 posts

Posted 15 June 2004 - 03:54 AM

please download and run Hijack This, available here:
http://www.spywarein.../HijackThis.exe

Scan your computer and hit "Save log." Copy and paste the contents of that notepad file to here.

Hi,

thanks for your reply!

Well... before reading your message, I tried the following yesterday, which I found on Google:

http://www.google.de...searchaid&hl=de


Therefore I developed a script which is now called per autologin in every session login on the WTS:

-----------------------------------------------------------------

@echo off
echo MalWare-Removal for AdWare-SearchAid/WinShow.G/WinShow.U
echo.
echo.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Image" /FORCE
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Image" /FORCE

reg delete "HKCR\iefeatsl.ViewSource" /FORCE
reg delete "HKLM\Software\Classes\iefeatsl.ViewSource" /FORCE

reg delete "HKCR\Image.Image" /FORCE
reg delete "HKLM\Software\Classes\Image.Image" /FORCE

reg delete "HKCR\Image.Image.1" /FORCE
reg delete "HKLM\Software\Classes\Image.Image.1" /FORCE

reg delete "HKCR\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}" /FORCE
reg delete "HKCR\CLSID\{587DBF2D-9145-4c9e-92C2-1F953DA73773}" /FORCE

reg delete "HKLM\Software\Classes\ShowSearch.ViewSource.1\CLSID" /FORCE

reg delete "HKLM\Software\Classes\SearchHook.SearchHookObject" /FORCE

reg delete "HKLM\Software\Classes\ShowSearch.ViewSource" /FORCE

reg delete "HKLM\Software\Classes\ShowSearch.ViewSource.1" /FORCE

reg delete "HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks" /FORCE

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEFeatSL_Uninstall" /FORCE

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchHook" /FORCE

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShowSearch" /FORCE

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Image" /FORCE

reg update "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"="http://google.de"

reg update "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page"="http://google.de"


del %windir%\sdkqh32.dll


-----------------------------------------------------------------

reg is an external tool to manipulate the registry via script.

The files in the profile were killed manually after execution of this script.

This helped a lot, but there is still one user who gets the adware over and over again, although the script is executed (maybe I made a mistake or didn't see something important)...

VIWAS (a special version of McAfee) warns me again and I still found these files in the user profile of this user. Although I deleted them before, they come back over and over again:

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: 3C92-F2EB

Verzeichnis von C:\Dokumente und Einstellungen\GĒthert\Anwendungsdaten\msir

09.06.2004 13:01 <DIR> .
09.06.2004 13:01 <DIR> ..
09.06.2004 13:01 27.136 advgk.dll
09.06.2004 16:37 27.136 advgk.dll.new
09.06.2004 16:37 942 bl.dat
09.06.2004 16:37 11.592 dict.dat
09.06.2004 13:01 29.184 ipen32.dll
09.06.2004 16:37 29.184 ipen32.dll.new
09.06.2004 16:37 11.335 keywords.dat
09.06.2004 13:01 48.128 msir32.dll
09.06.2004 16:37 48.128 msir32.dll.new
9 Datei(en) 232.765 Bytes
2 Verzeichnis(se), 11.353.870.336 Bytes frei


So after that I saw your message here at spywareinfo.com and downloaded HiJackThis...

Here's the LOG of HiJackThis (which is of course on a WTS a little big due to the running sessions...):

------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 10:27:36, on 15.06.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.111.6:3128;http=192.168.111.6:3128;https=192.168.111.6:3128;socks=19
.168.111.6:1080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Dokumente und Einstellungen\Administrator.DATEV\Anwendungsdaten\ievd\ievd.dll (file missing)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [Reminder] D:\Programme\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [ShStatEXE] D:\Programme\Network Associates\VirusScan\SHSTAT.EXE\ /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] -
O4 - Startup: TerminalServer.bat.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\dokumente und einstellungen\administrator.datev\windows\system32\rnr20.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DATEV.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC7D7A3-1E79-4CC4-8F7B-83FAB526D31C}: NameServer = 192.168.111.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DATEV.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DATEV.local


------------------------------------------

The IPs on proxy and DNS and the domain are OK at all.. hmm... maybe I'm blind but I can't find anything alerting...

Well... what may I do now?!?!?

Bye.

B. Wettstein.
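
A triage sketch for the R/O entries of a HijackThis log like the one posted above, added here as an example; it is not part of the thread or of HijackThis. It flags entries whose target file is missing, add-ons or autostarts that load from a per-user profile directory, and Run values with no command. The three heuristics, the profile-root list and the function names are assumptions for illustration; the sample lines are copied from the log above.

```python
import re

# Sample lines copied from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.de
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Dokumente und Einstellungen\Administrator.DATEV\Anwendungsdaten\ievd\ievd.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] -
O4 - HKCU\..\Run: [Reminder] D:\Programme\Microsoft Money\System\reminder.exe
O10 - Broken Internet access because of LSP provider 'c:\dokumente und einstellungen\administrator.datev\windows\system32\rnr20.dll' missing
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O2 - BHO: ..."
RUN_VALUE = re.compile(r"\\Run: \[[^\]]*\]\s*(.*)$")   # O4: [name] command
# Per-user profile roots on German and English Windows 2000 (assumed list).
PROFILE_ROOTS = ("\\dokumente und einstellungen\\", "\\documents and settings\\")
LOADER_CODES = {"O2", "O3", "O4", "O10"}  # BHOs, toolbars, autostarts, LSPs


def parse(log):
    """Yield (code, body) per entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return [(code, body, [reasons])] for entries that deserve a closer look."""
    findings = []
    for code, body in parse(log):
        low = body.lower().rstrip()
        reasons = []
        # HijackThis marks dangling references "(file missing)" or "... missing".
        if low.rstrip(")").endswith("missing"):
            reasons.append("target file missing")
        # Code that loads into every session should not live in a user profile.
        if code in LOADER_CODES and any(root in low for root in PROFILE_ROOTS):
            reasons.append("loads from a user profile")
        run = RUN_VALUE.search(body) if code == "O4" else None
        if run and run.group(1).strip() in ("", "-"):
            reasons.append("Run value has no command")
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {'; '.join(reasons)}\n    {body}")
```

A hit is a prompt to inspect the file and registry value by hand, not a verdict on the entry.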



