selbstständiger internetexplorer, warning popups und perfect codec

#1 hi, ich habe auch seit heute probleme mit ständigen trojaner/spyware/adware warnings, einem selbstständigen internetexplorer und perfect codec, das ich nicht vom rechner krieg (virusburst und antivermins hab ich schon weg bekommen(denk ich zumindest)).
mein aktuelles hijack this - log:

Logfile of HijackThis v1.99.1
Scan saved at 21:38:18, on 22.11.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\Winamp\Winampa.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\internat.exe
C:\Programme\Skype\Phone\Skype.exe
C:\WINNT\system32\svchost.exe
C:\temp\ipod\bin\iPodService.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Programme\Perfect Codec\isamonitor.exe
C:\Programme\Perfect Codec\pmsngr.exe
C:\Programme\Perfect Codec\isamini.exe
C:\Programme\Perfect Codec\pmmon.exe
C:\WINNT\system32\rundll32.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
E:\GAMES\World of Warcraft\BackgroundDownloader.exe
C:\Programme\Netscape\Netscape\Netscp.exe
C:\DOKUME~1\Sinux\LOKALE~1\Temp\Rar$EX00.562\avenger.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Sinux\LOKALE~1\Temp\Rar$EX00.641\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Programme\Perfect Codec\isaddon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AntiVerminsPro] C:\Programme\AntiVerminsPro\AntiVerminsPro.exe /h
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "E:\GAMES\HL2\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - C:\WINNT\system32\dcvwaah.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\temp\ipod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


ich hoffe ihr könnt mir helfen, wär echt super.
vielen dank schonmal im vorhinnein

#2 szemyq

1.
poste dieses log
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 hi sabina,
danke für die rasche antwort.
folgend mein combofix report:

Sinux - Do 23.11.2006 0:50:34,04 Service Pack 4
ComboFix 06.11.22 - Running from: "C:\DOWNLOAD\temp"

((((((((((((((((((((((((((((((( Files Created from 2006-10-23 to 2006-11-23 ))))))))))))))))))))))))))))))))))


2006-11-22 17:56 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2006-11-22 14:04 77,824 --a------ C:\WINNT\system32\dcvwaah.dll
2006-11-22 14:04 <DIR> d-------- C:\Programme\Perfect Codec


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-22 18:26 -------- d-------- C:\Programme\Spybot - Search & Destroy
2006-11-08 00:37 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-10-18 23:49 -------- d-------- C:\Programme\3DO
2006-10-13 11:11 -------- d-------- C:\Programme\ICQToolbar
2006-10-11 08:48 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-27 14:14 -------- d-------- C:\Programme\KONAMI
2006-09-27 14:12 43520 --a------ C:\WINNT\system32\CmdLineExt03.dll
2006-09-27 01:35 29392 --a------ C:\WINNT\system32\drivers\SECDRV.SYS


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"Skype"="\"C:\\Programme\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Steam"="\"E:\\GAMES\\HL2\\Steam.exe\" -silent"
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"WinampAgent"="\"C:\\Programme\\Winamp\\Winampa.exe\""
"Zone Labs Client"="\"C:\\Programme\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINNT\\UpdReg.EXE"
"Jet Detection"="C:\\Programme\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
"iTunesHelper"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ICQ Lite"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"AntiVerminsPro"="C:\\Programme\\AntiVerminsPro\\AntiVerminsPro.exe /h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,a4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Programme\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{40dcff6e-af8d-4183-8ebe-a82270ac449e}"="gimmicks"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"isamonitor.exe"="C:\\Programme\\Perfect Codec\\isamonitor.exe"
"pmsngr.exe"="C:\\Programme\\Perfect Codec\\pmsngr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"gimmicks"="{40dcff6e-af8d-4183-8ebe-a82270ac449e}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: Thu 2006-11-23 0:50:51.20
C:\ComboFix.txt ... 06-11-23 00:50

#4 szemyq

Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

AntiVerminsPro

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

Perfect Codec

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

-----------------------------------------------------------------------


Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein

Zitat

Registry values to delete:
HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|gimmicks
HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{4fc003c3-87a0-489c-85cd-878246eb2d18}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run|isamonitor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run|pmsngr.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|AntiVerminsPro

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AntiVerminsPro.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiVerminsPro.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D45FFA6D-FA2F-4C0F-A291-7B9DB5786D48}
HKEY_LOCAL_MACHINE\SOFTWARE\AntiVerminsPro
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Codec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Perfect Codec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf1ced2c-4b3f-4079-a330-864eda5a4cff}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74a49269-9779-48b4-a0e6-3a5af2a3ade6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{192c5b4a-3efd-40c7-9f99-c472deb8efc0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96ebbe6a-2864-4345-b32b-26ee9be524b5}
HKLM\SOFTWARE\Classes\CLSID\{ab340860-fd81-4a65-b345-82eb77a66b5e}
HKLM\SOFTWARE\Classes\CLSID\{40dcff6e-af8d-4183-8ebe-a82270ac449e}
HKLM\SOFTWARE\Classes\CLSID\{4fc003c3-87a0-489c-85cd-878246eb2d18}
HKLM\SOFTWARE\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}
HKLM\SOFTWARE\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{192c5b4a-3efd-40c7-9f99-c472deb8efc0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7F78A644-C4A7-4F71-BA4E-5323AA95E7D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F83E8F99-AE49-45D6-92B4-59854BF0A759}

Files to delete:
C:\WINNT\system32\dcvwaah.dll

Folders to delete:
C:\Programme\AntiVerminsPro
C:\Programme\Perfect Codec
C:\Programme\Virus-Bursters
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\~nsu.tmp

Klicke die grüne Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

»»
lösche das Backup vom Avenger unter C:\Avenger\backup.zip + leere den Papierkorb

««
scanne mit smitfraudfix - Option 1 und 2 ( lasse auch die Registry mitreinigen)
http://virus-protect.org/artikel/tools/smitfrautfix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 so erstmals die logs

AntiVerminsPro:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 23.11.2006 12:42:33 for strings:
; 'antiverminspro'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\AntiVerminsPro]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AntiVerminsPro.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D45FFA6D-FA2F-4C0F-A291-7B9DB5786D48}\1.0\0\win32]
@="C:\\Programme\\AntiVerminsPro\\AntiVerminsPro.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D45FFA6D-FA2F-4C0F-A291-7B9DB5786D48}\1.0\HELPDIR]
@="C:\\Programme\\AntiVerminsPro\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiVerminsPro.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiVerminsPro.exe]
@="C:\\Programme\\AntiVerminsPro\\AntiVerminsPro.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVerminsPro"="C:\\Programme\\AntiVerminsPro\\AntiVerminsPro.exe /h"

; End Of The Log...


Perfect Codec:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 23.11.2006 12:45:09 for strings:
; 'perfect codec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{192c5b4a-3efd-40c7-9f99-c472deb8efc0}\InprocServer32]
@="C:\\Programme\\Perfect Codec\\isaddon.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96ebbe6a-2864-4345-b32b-26ee9be524b5}\InprocServer32]
@="C:\\Programme\\Perfect Codec\\iesplugin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Perfect Codec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"isamonitor.exe"="C:\\Programme\\Perfect Codec\\isamonitor.exe"
"pmsngr.exe"="C:\\Programme\\Perfect Codec\\pmsngr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006]
"UninstallString"="\"C:\\Programme\\Perfect Codec\\iesuninst.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Codec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Codec]
"DisplayName"="Perfect Codec 4.0"
"UninstallString"="C:\\Programme\\Perfect Codec\\uninst.exe"
"DisplayIcon"="C:\\Programme\\Perfect Codec\\uninst.exe"
"Publisher"="Perfect Codec Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03]
"UninstallString"="\"C:\\Programme\\Perfect Codec\\pmuninst.exe\""

; End Of The Log...


ich bedanke mich vorerst und werde in der zwischenzeit die weiteren schritte durchführen

lg

#6 jetzt wende den avenger an, ich habe editiert
__________
MfG Sabina

rund um die PC-Sicherheit

#7 hi sabina, ich hoff ich hab da jetzt keinen mist gebaut. hab den avenger schon angewendet, noch bevor du ihn editiert hast. dabei hat sich erstmals ein lächeln inmien gesicht gezaubert. die ganzen popupwarnings sind schon mal weg

hier mal das log vom avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\duyluvhq

*******************

Script file located at: \??\C:\bsicxgah.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\dcvwaah.dll deleted successfully.


Folder C:\Programme\AntiVerminsPro not found!
Deletion of folder C:\Programme\AntiVerminsPro failed!

Could not process line:
C:\Programme\AntiVerminsPro
Status: 0xc0000034

Folder C:\Programme\Perfect Codec deleted successfully.


Folder C:\Programme\Virus-Bursters not found!
Deletion of folder C:\Programme\Virus-Bursters failed!

Could not process line:
C:\Programme\Virus-Bursters
Status: 0xc0000034



Folder C:\Dokumente und Einstellungen\Sinux\Lokale Einstellungen\Temp\~nsu.tmp not found!
Deletion of folder C:\Dokumente und Einstellungen\Sinux\Lokale Einstellungen\Temp\~nsu.tmp failed!

Could not process line:
C:\Dokumente und Einstellungen\Sinux\Lokale Einstellungen\Temp\~nsu.tmp
Status: 0xc0000034

Registry value HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|gimmicks deleted successfully.


Could not delete registry value HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{4fc003c3-87a0-489c-85cd-878246eb2d18}
Deletion of registry value HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{4fc003c3-87a0-489c-85cd-878246eb2d18} failed!
Status: 0xc0000034

Registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run|isamonitor.exe deleted successfully.
Registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run|pmsngr.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|AntiVerminsPro deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Codec deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Perfect Codec deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf1ced2c-4b3f-4079-a330-864eda5a4cff} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf1ced2c-4b3f-4079-a330-864eda5a4cff} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74a49269-9779-48b4-a0e6-3a5af2a3ade6} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74a49269-9779-48b4-a0e6-3a5af2a3ade6} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{192c5b4a-3efd-40c7-9f99-c472deb8efc0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96ebbe6a-2864-4345-b32b-26ee9be524b5} deleted successfully.


Registry key HKLM\SOFTWARE\Classes\CLSID\{ab340860-fd81-4a65-b345-82eb77a66b5e} not found!
Deletion of registry key HKLM\SOFTWARE\Classes\CLSID\{ab340860-fd81-4a65-b345-82eb77a66b5e} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Classes\CLSID\{40dcff6e-af8d-4183-8ebe-a82270ac449e} deleted successfully.


Registry key HKLM\SOFTWARE\Classes\CLSID\{4fc003c3-87a0-489c-85cd-878246eb2d18} not found!
Deletion of registry key HKLM\SOFTWARE\Classes\CLSID\{4fc003c3-87a0-489c-85cd-878246eb2d18} failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70} not found!
Deletion of registry key HKLM\SOFTWARE\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70} failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f} not found!
Deletion of registry key HKLM\SOFTWARE\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{192c5b4a-3efd-40c7-9f99-c472deb8efc0} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7F78A644-C4A7-4F71-BA4E-5323AA95E7D5} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7F78A644-C4A7-4F71-BA4E-5323AA95E7D5} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F83E8F99-AE49-45D6-92B4-59854BF0A759} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F83E8F99-AE49-45D6-92B4-59854BF0A759} failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

ich bin mir jetzt nicht ganz sicher was als nächstes zu tun ist...nochmal den avenger laufen lassen oder gleich mit smitfraud weiter?

lg ein doch schon erleichterter s.

#8 zuerst smitfraudfix anwenden

aber vorher wende den avenger noch mal an, denn ich habe editiert - zu spaet...
es gibt noch eintraege, die raus muessen,
__________
MfG Sabina

rund um die PC-Sicherheit

#9 sabina, was soll ich sagen. du bist ein engel...passend zur bevorstehenden weihnachtszeit ))) *strahl*
scheint alles wieder so zu laufen wie es soll.
ich danke dir tausendmal

lg s.