pop-up erscheint ständig im IE6

#1 hallo,

ich habe mir "VirusBurst" eingefangen. Das icon in der Systray habe ich entfernt bekommen - nach eurer Anleitung. Jedoch kommen immer mal wieder pop-ups vom IE6 mit nerviger Werbung.
Das hängt doch sicherlich mit VirusBurst zusammen oder? Wie bekomme ich die popups weg?

Ich habe den hijackThis drüber laufen lassen, mit folgendem Ergebnis:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:54, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ePOAgent\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\CyberArmor\casvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PCODEC\isamonitor.exe
C:\Program Files\PCODEC\pmsngr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ePOAgent\UpdaterUI.exe
C:\Program Files\iPass\iPassConnect iRAS\downloader\ipccheck.exe
C:\Program Files\PCODEC\isamini.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PCODEC\pmmon.exe
C:\Program Files\notes\NLNOTES.EXE
C:\Program Files\notes\ntaskldr.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Utilities\SpywareGuard\sgmain.exe
C:\Program Files\Utilities\SpywareGuard\sgbhp.exe
C:\Program Files\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xyt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yxz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ccc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ccc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = pww*; cnsww*; 130.143.66.*;<local>
O2 - BHO: (no name) - -{202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Utilities\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\UTILIT~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect iRAS\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MLAgent] C:\Program Files\PhCST\MLAgent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Utilities\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://xcy
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114615502687
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://malvernevents.webex.com/client/T22L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ccc.com
O17 - HKLM\Software\..\Telephony: DomainName = ccc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ccc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ccc.com,diamond.ccc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ccc.com,ccc.com,ccc.com,ccc.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - (no file)
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\VPNClient\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect iRAS\iPassConnectEngine.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\ePOAgent\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\P&A\Sygate\smc.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

---------------------

noch eine info:

das popup öffnet nich immer automatisch. Im systray erscheint ein blinkendes, gelbes dreieck mit ausrufezeichen. sobald man darauf klickt, öffnet sich der IE (den ich ansonsten nie benutze) mit einem werbe-popup.


kann mir jemand helfen?

gruß

goana

#2 1.
poste das log
http://virus-protect.org/artikel/tools/combofix.html

2.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

3.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

4.
echo.zip
entpacken--> klicke echo.bat --> der Texteditor wird sich öffnen--> Text abkopieren
http://virus-protect.org/bat/echo.zip
__________
MfG Sabina

rund um die PC-Sicherheit

#3 hallo sabrina,

hier der combofix file:

dep07619 - 06-09-11 14:27:33.31
ComboFix 06.09.11B - Running from: C:\Program Files\Utilities\Combofix

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-11 to 2006-09-11 ))))))))))))))))))))))))))))))))))


2006-09-11 09:18 2,031 --a------ C:\avexport.bat
2006-09-11 09:11 736 --a------ C:\backup.reg
2006-09-11 09:09 126,976 --a------ C:\zip.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-11 14:23 -------- d-------- C:\Program Files\Utilities
2006-09-11 12:52 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-11 12:05 -------- d-------- C:\Program Files\PCODEC
2006-09-11 10:12 60416 --a------ C:\WINDOWS\system32\drivers\ifihu^np.sys
2006-09-11 09:09 244 --a------ C:\Program Files\yuprwabg.txt
2006-09-11 08:57 -------- d-------- C:\Program Files\Common Files
2006-09-08 20:58 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-07 17:36 -------- d-------- C:\Documents and Settings\dep07619\Application Data\EndNote
2006-08-28 13:30 -------- d-------- C:\Program Files\notes
2006-08-14 12:39 -------- d-------- C:\Documents and Settings\dep07619\Application Data\Real
2006-08-14 12:35 -------- d-------- C:\Program Files\MediaPlayer
2006-08-14 12:35 -------- d-------- C:\Program Files\Common Files\Real
2006-08-10 08:50 -------- d--h----- C:\Program Files\WindowsUpdate
2006-07-24 12:15 -------- d-------- C:\Program Files\Windows Media Player
2006-07-24 11:27 51304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2006-07-24 11:27 -------- d-------- C:\Documents and Settings\dep07619\Application Data\webex
2006-07-24 11:25 188490 --a------ C:\WINDOWS\system32\atasnt40.dll
2006-07-21 10:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\ePOAgent\\UpdaterUI.exe\" /StartedFromRunKey"
"iPCCheck"="\"C:\\Program Files\\iPass\\iPassConnect iRAS\\downloader\\ipccheck.exe\" /startup"
@=""
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"MLAgent"="C:\\Program Files\\PhCST\\MLAgent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000bd
"Btn_Back"=dword:00000000
"Btn_Forward"=dword:00000000
"Btn_Stop"=dword:00000000
"Btn_Refresh"=dword:00000000
"Btn_Home"=dword:00000000
"Btn_Search"=dword:00000000
"Btn_History"=dword:00000000
"Btn_Favorites"=dword:00000000
"Btn_Media"=dword:00000000
"Btn_Folders"=dword:00000000
"Btn_Fullscreen"=dword:00000000
"Btn_Tools"=dword:00000000
"Btn_MailNews"=dword:00000000
"Btn_Size"=dword:00000000
"Btn_Print"=dword:00000000
"Btn_Edit"=dword:00000000
"Btn_Discussions"=dword:00000000
"Btn_Cut"=dword:00000000
"Btn_Copy"=dword:00000000
"Btn_Paste"=dword:00000000
"Btn_Encoding"=dword:00000000
"Btn_PrintPreview"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000
"NoInternetIcon"=dword:00000000
"NoNetHood"=dword:00000000
"NoDesktop"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoSetActiveDesktop"=dword:00000000
"NoWindowsUpdate"=dword:00000000
"NoChangeStartMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"NoRecentDocsHistory"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000001
"NoLogoff"=dword:00000000
"NoClose"=dword:00000000
"NoSetFolders"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoFileMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"EnforceShellExtensionSecurity"=dword:00000000
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoDrives"=dword:00000000
"NoNetConnectDisconnect"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000001
"NoThumbnailCache"=dword:00000001
"ConfirmFileDelete"=dword:00000001
"MaxRecentDocs"=dword:00000005
"NoStartMenuEjectPC"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"Intellimenus"=dword:00000001
"ForceClassicControlPanel"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"disablecad"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoCDBurning"=dword:00000000
"NoDriveTypeAutoRun"=dword:000000b9

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"homepage.monitor.exe"="C:\\Program Files\\PCODEC\\isamonitor.exe"
"pmsngr.exe"="C:\\Program Files\\PCODEC\\pmsngr.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"BMWInfoAgent"="D:\\P&A\\BMWInfoRadio\\bmw_agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"SmcService"="D:\\P&A\\Sygate\\smc.exe -startgui"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-F400-7760-100000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\MediaPlayer\\Winamp\\winampa.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\SyncBack Projects to extHDD1.job
C:\WINDOWS\tasks\SyncBack Projects to pflar200-s.job
C:\WINDOWS\tasks\SyncBack Projects to svr01fas960.job
C:\WINDOWS\tasks\SyncBack Projects.job

Completion time: 11/09/2006 14:27:49.64
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

----

danach habe ich cleanup gemacht.

hier die 4 dateien von datfinder:

Volume in drive C is XP_System
Volume Seri*hier nicht!* Number is 3817-8BDC

Directory of C:\WINDOWS\system32

11/09/2006 11:46 2,206 wpa.dbl
08/09/2006 21:12 212,880 FNTCACHE.DAT
14/08/2006 12:35 176,167 rmoc3260.dll
14/08/2006 12:35 5,632 pndx5032.dll

#4 goana

virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\drivers\ifihu^np.sys

poste den report

---------------------------------------------------------------

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als sheriff.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "sheriff.reg" auf dem Desktop doppelklicken.

Zitat

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktop"=-
"NoActiveDesktopChanges"=-
"NoInternetIcon"=-
"NoNetHood"=-
"NoDesktop"=-
"NoFavoritesMenu"=-
"NoFind"=-
"NoRun"=-
"NoSetActiveDesktop"=-
"NoWindowsUpdate"=-
"NoChangeStartMenu"=-
"NoFolderOptions"=-
"NoNetConnectDisconnect"=-
"NoDeletePrinter"=-
"NoAddPrinter"=-
"NoPrinterTabs"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoToolbarCustomize"=-
"NoBandCustomize"=-

**
spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> entpacken auf dem Desktop -> spyfalcon.reg ->doppeltklicken und der Registry mit "ja/yes" beifügen

**
avenger
http://virus-protect.org/artikel/tools/avenger.html

kopiere rein

Zitat

Files to delete:
C:\WINDOWS\system32\drivers\ifihu^np.sys

Folders to delete:
C:\Program Files\PCODEC

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O2 - BHO: (no name) - -{202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - (no file)

PC neustarten

**
scanne mit smitrfaudfix
http://virus-protect.org/artikel/tools/smitfrautfix.html

**
scanne mit panda und poste den scanrpeort
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 hallo,

virustotal liefert folgendes:

Antivirus Version Update Result
AntiVir 7.1.1.16 09.11.2006 no virus found
Authentium 4.93.8 09.11.2006 no virus found
Avast 4.7.844.0 09.11.2006 no virus found
AVG 386 09.11.2006 no virus found
BitDefender 7.2 09.11.2006 no virus found
CAT-QuickHeal 8.00 09.11.2006 no virus found
ClamAV devel-20060426 09.11.2006 no virus found
DrWeb 4.33 09.11.2006 no virus found
eTrust-InoculateIT 23.72.121 09.10.2006 no virus found
eTrust-Vet 30.3.3071 09.11.2006 no virus found
Ewido 4.0 09.11.2006 no virus found
Fortinet 2.77.0.0 09.10.2006 no virus found
F-Prot 3.16f 09.11.2006 no virus found
F-Prot4 4.2.1.29 09.11.2006 no virus found
Ikarus 0.2.65.0 09.08.2006 no virus found
Kaspersky 4.0.2.24 09.11.2006 no virus found
McAfee 4848 09.08.2006 no virus found
Microsoft 1.1560 09.11.2006 no virus found
NOD32v2 1.1749 09.11.2006 no virus found
Norman 5.90.23 09.11.2006 no virus found
Panda 9.0.0.4 09.10.2006 no virus found
Sophos 4.09.0 09.11.2006 no virus found
Symantec 8.0 09.11.2006 no virus found
TheHacker 5.9.8.209 09.11.2006 no virus found
UNA 1.83 09.11.2006 no virus found
VBA32 3.11.1 09.11.2006 no virus found
VirusBuster 4.3.7:9 09.11.2006 no virus found

Aditional Information
File size: 60416 bytes
MD5: 4ad5d5229f85f42e873fda98190b2f19
SHA1: 7e1bc7c4f0324c0ad58b829b2524e0cb617ef158

----
Ansonsten habe ich die beiden dateien sheriff.reg und spyfalcon.reg in der reg gespeichert.
Avenger habe ich gestartet - es kamen fehlermeldungen, wie "could not create zip file". Habe ich einfach ignoriert und einen neustart gemacht.
Mit Hijack habe ich die einträge gelöscht + PC neustart.

Mit Smitfraudfix habe ich meine probleme, da mein virenscanner beim entzippen einen virus anmäkert. Das programm kann nicht gestartet werden, da eben eine datei fehlt. Den scan mit panda habe ich noch nicht gemacht, da ich nicht weiß welches programm ich genau brauche. Sind die nicht alle kostenpflichtig?

bis jetzt läuft alles prima. Pcodec ist auch von der C-Platte verschwunden.....vielleicht war es das schon?

gruß

goana

#6 die onlinescans sind alle free
scanne mit panda (es gibt keine programme zum Laden...., es sind Onlinescans)
http://virus-protect.org/onlinescan.html
http://www.pandasoftware.com/products/activescan.htm

und kopiere hier den scanreport
__________
MfG Sabina

rund um die PC-Sicherheit