IE AntiVir - System error

#61 Hallo, Jojo1020

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als cfscript.txt mit 'Speichern unter' auf dem Desktop. Gib an "Alle Dateien" - Speichern

Zitat

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}]

File::
C:\Windows\System32\domview.dll

Man sollte jetzt auf dem Desktop diese Datei cfscript.txt finden.
cfscript.txt und mit der rechten Maustaste auf das Symbol von Combofix ziehen



danach: Combofix noch einmal anwenden
__________
MfG Sabina

rund um die PC-Sicherheit

#62 Wenn ich das mache, bekomme ich einen Bluescreen. Soll das so sein? Wenn ja was muss ich danach machen?

#63 Hallo, Jojo1020

«
loesche die dll
C:\Windows\System32\domview.dll
http://virus-protect.org/artikel/tools/undll.html

«
dann poste ein log vom HijackThis
http://virus-protect.org/hjtkurz.html

Beim Erststart:
Do a system scan and save a logfile - es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und im Sicherheits-Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit

#64 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\Windows\system32\domview.dll
O2 - BHO: PicLens plug-in for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\PicLens.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

edit (Sabina)

#65 Hallo, Jojo1020

lösche die domview.dll (siehe oben)

««
mit dem HijackThis löschen ("fixen")
Klicke: "Do a system scan only"
Setze ein Häckchen in das Kästchen vor den genannten Eintrag
der als zu "fixen" (löschen) empfohlen wurde) - keine anderen !!
und wähle fix checked. + starte den Rechner neu.

Zitat

O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\Windows\system32\domview.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

__________
MfG Sabina

rund um die PC-Sicherheit

#66 hallo ich versuche das domeview zu löschen ich bekomme auch so komische texte.

Zitat

06-29-2008 21:42:11 [SysLog]: UnDLL engine 1.0.0.2 initialized
06-29-2008 21:42:11 [SysLog]: OS: 6.0 build 6001 (Service Pack 1)
06-29-2008 21:43:23 [Action]: + Searching for infected threads...
06-29-2008 21:43:36 [Action]: Deleting file [C:\Windows\System32\domview.dll] - deferred at next reboot
06-29-2008 21:43:38 [Action]: + Searching in AppInit_DLLs...
06-29-2008 21:43:38 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
06-29-2008 21:43:38 [Action]: + Searching in Winlogon Notify...
06-29-2008 21:43:38 [Action]: + Searching in Browser Helper Objects...
06-29-2008 21:43:38 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\BhoNew.Bho.1
06-29-2008 21:43:38 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\BhoNew.Bho
06-29-2008 21:43:38 [Action]: Deleting Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}
06-29-2008 21:43:38 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\CLSID\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}
06-29-2008 21:43:38 [Action]: System Reboot
06-29-2008 21:46:44 [Action]: + Searching for infected threads...
06-29-2008 21:47:00 [Action]: Deleting file [C:\Windows\System32\domview.dll] - deferred at next reboot
06-29-2008 21:47:02 [Action]: + Searching in AppInit_DLLs...
06-29-2008 21:47:02 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
06-29-2008 21:47:02 [Action]: + Searching in Winlogon Notify...
06-29-2008 21:47:02 [Action]: + Searching in Browser Helper Objects...
06-29-2008 21:47:02 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\BhoNew.Bho.1
06-29-2008 21:47:02 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\BhoNew.Bho
06-29-2008 21:47:02 [Action]: Deleting Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}
06-29-2008 21:47:02 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\CLSID\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}
06-29-2008 21:47:02 [Action]: System Reboot

Aber das domeview.dll bleibt im windows/system32 ordner; ist das normal? Könnte ich das notfalls auch manuell löschen, papierkorp rein, löschen fertig??

Und noch was sind diese Meldungen auch normal? (englisch leider auch nicht das beste)







Ich weiß ich frag viel aber ich hab halt gar keine Ahnung.



ps: wie lösche ich was mit HJTI (hat sich erledigt wenn die dinger immer wieder kommen, weil ich die domview.dll nict weg bekomm.)


[EDIT] ich glaub es hat jetzt doch geklappt, bei UNDLL kam beim vierten verusch ein vistafenster das das programm meine administrations Rechte benötigt, und danach konnt ich das dann auch domview.dll endlich löschen.

Hier noch der bericht:

Zitat

06-29-2008 23:37:12 [SysLog]: UnDLL engine 1.0.0.2 initialized
06-29-2008 23:37:12 [SysLog]: OS: 6.0 build 6001 (Service Pack 1)
06-29-2008 23:37:39 [Action]: + Searching for infected threads...
06-29-2008 23:37:53 [Action]: Deleting file [C:\Windows\System32\domview.dll] - OK
06-29-2008 23:37:55 [Action]: + Searching in AppInit_DLLs...
06-29-2008 23:37:55 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
06-29-2008 23:37:55 [Action]: + Searching in Winlogon Notify...
06-29-2008 23:37:55 [Action]: + Searching in Browser Helper Objects...
06-29-2008 23:37:55 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\BhoNew.Bho.1
06-29-2008 23:37:55 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\BhoNew.Bho
06-29-2008 23:37:55 [Action]: Deleting Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}
06-29-2008 23:37:55 [Action]: Deleting Registry key: HKEY_CLASSES_ROOT\CLSID\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}

aber da fehlte der reboot.
Auf jedenfall schein ich den schei* jetzt los zu sein. Danke, danke vielmals für alles.

#67 Hallo, Jojo1020
nach dem Neustart müsste die domview.dll entfernt sein.
HijackThis und alle anderen Programme musst du bei Vista so anwenden, wie beschrieben: Als Administrator ausführen: rechtsklick auf HijackThis-Symbol + "Run as administrator"
Wenn es noch Probleme gibt, melde dich . Popups sind weg ???
__________
MfG Sabina

rund um die PC-Sicherheit

#68 Hallo!
Hab mir dieses Problem heut auch eingefangen! Wäre sehr sehr nett wenn mir auch geholfen werden könnte!



((((((((((((((((((((((( Dateien erstellt von 2008-05-28 bis 2008-06-30 ))))))))))))))))))))))))))))))
.

2008-06-30 14:38 . 2008-06-30 14:38 2,037,114 --a------ C:\Users\Sven\ComboFix.exe
2008-06-30 14:34 . 2008-06-30 14:34 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 13:59 . 2008-06-30 13:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-30 13:26 . 2008-06-30 13:26 86 --a------ C:\Windows\wininit.ini
2008-06-30 13:10 . 2008-06-30 14:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-30 13:10 . 2008-06-30 14:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-30 13:10 . 2008-06-30 13:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-30 12:40 . 2008-01-21 04:23 6,144 --a------ C:\Windows\System32\beep.sys
2008-06-30 12:35 . 2008-06-30 12:35 26,624 --a------ C:\Windows\System32\xmlsys.dll
2008-06-30 11:40 . 2008-06-30 11:40 126,976 --a------ C:\Windows\lcmmfu.cpl
2008-06-30 11:40 . 2008-06-30 11:40 48,640 --a------ C:\Windows\mmfs.dll
2008-06-30 11:40 . 2008-06-30 11:40 2,560 --a------ C:\Windows\Runservice.exe
2008-06-30 11:40 . 2008-06-30 14:55 1,337 --ahs---- C:\Windows\System32\mmf.sys
2008-06-26 13:29 . 2008-06-26 13:29 <DIR> d-------- C:\Program Files\7-Zip
2008-06-26 12:19 . 2008-06-26 12:19 <DIR> d-------- C:\Windows\Downloaded Installations
2008-06-25 19:18 . 2008-06-25 19:18 <DIR> d-------- C:\Users\Sven\AppData\Roaming\vlc
2008-06-25 18:55 . 2008-06-25 19:54 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-06-25 18:51 . 2008-06-25 18:51 <DIR> d-------- C:\Users\Sven\AppData\Roaming\Ulead Systems
2008-06-25 18:17 . 2008-06-25 18:17 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-06-25 18:14 . 2008-06-25 18:14 682,232 --a------ C:\Windows\System32\drivers\sptd.sys
2008-06-25 17:29 . 2008-06-25 17:29 <DIR> d-------- C:\Users\Sven\AppData\Roaming\DesktopSMS
2008-06-25 17:25 . 2008-03-10 19:14 788,992 --a------ C:\Temp\SFDNWIN.exe
2008-06-25 17:24 . 2008-06-25 17:25 <DIR> d-------- C:\Temp
2008-06-25 17:24 . 2008-03-14 16:02 2,097,152 --a------ C:\Temp\autorun.bin
2008-06-25 16:58 . 2008-04-23 06:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-25 16:58 . 2008-04-23 06:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-25 16:58 . 2008-04-23 06:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-25 16:58 . 2008-04-23 06:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-25 16:57 . 2008-03-08 04:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-25 16:57 . 2008-03-08 06:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-06-25 16:57 . 2008-04-25 04:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-25 16:57 . 2008-04-25 06:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-25 16:52 . 2008-06-25 16:52 <DIR> d-------- C:\Users\All Users\IsolatedStorage
2008-06-25 16:52 . 2008-06-25 16:52 <DIR> d-------- C:\ProgramData\IsolatedStorage
2008-06-25 16:52 . 2008-06-25 16:52 <DIR> d-------- C:\Program Files\Toshiba TEMPRO
2008-06-25 16:52 . 2008-06-25 16:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 16:34 . 2008-06-25 16:41 <DIR> d-------- C:\Users\Sven\AppData\Roaming\Winamp
2008-06-25 16:34 . 2008-06-25 16:35 <DIR> d-------- C:\Program Files\Winamp
2008-06-25 16:34 . 2007-03-08 01:51 129,784 --------- C:\Windows\System32\pxafs.dll
2008-06-25 16:15 . 2008-06-25 16:15 <DIR> d-------- C:\Users\Sven\AppData\Roaming\myphotobook
2008-06-25 16:14 . 2008-06-25 16:14 <DIR> d-------- C:\Users\Sven\AppData\Roaming\TOSHIBA
2008-06-25 15:45 . 2008-06-25 15:45 <DIR> d-------- C:\Program Files\Opera
2008-06-25 15:44 . 2008-06-25 15:44 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-25 15:42 . 2008-06-25 15:42 <DIR> d-------- C:\Users\All Users\Avira
2008-06-25 15:42 . 2008-06-25 15:42 <DIR> d-------- C:\ProgramData\Avira
2008-06-25 15:42 . 2008-06-25 15:42 <DIR> d-------- C:\Program Files\Avira
2008-06-25 13:02 . 2008-06-25 13:02 0 --a------ C:\Users\Sven\AppData\Roaming\wklnhst.dat
2008-06-25 11:06 . 2008-06-25 11:06 <DIR> dr------- C:\Users\Sven\Searches
2008-06-25 11:06 . 2008-06-25 11:06 <DIR> d-------- C:\Users\Sven\AppData\Roaming\ATI
2008-06-25 11:06 . 2008-06-25 11:06 <DIR> d-------- C:\Users\All Users\ATI
2008-06-25 11:06 . 2008-06-25 11:06 <DIR> d-------- C:\ProgramData\ATI
2008-06-25 11:06 . 2008-06-25 11:06 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-06-25 11:05 . 2008-06-25 11:05 <DIR> dr------- C:\Users\Sven\Contacts
2008-06-25 11:03 . 2008-06-25 11:06 <DIR> dr------- C:\Users\Sven\Videos
2008-06-25 11:03 . 2008-06-25 11:06 <DIR> dr------- C:\Users\Sven\Saved Games
2008-06-25 11:03 . 2008-06-28 20:46 <DIR> dr------- C:\Users\Sven\Pictures
2008-06-25 11:03 . 2008-06-25 11:06 <DIR> dr------- C:\Users\Sven\Music
2008-06-25 11:03 . 2008-06-25 11:06 <DIR> dr------- C:\Users\Sven\Links
2008-06-25 11:03 . 2008-06-30 12:45 <DIR> dr------- C:\Users\Sven\Downloads
2008-06-25 11:03 . 2008-06-26 13:22 <DIR> dr------- C:\Users\Sven\Documents
2008-06-25 11:03 . 2006-11-02 14:37 <DIR> d-------- C:\Users\Sven\AppData\Roaming\Media Center Programs
2008-06-25 11:03 . 2008-06-25 11:03 <DIR> d--h----- C:\Users\Sven\AppData
2008-06-25 11:03 . 2008-06-30 14:54 <DIR> d-------- C:\Users\Sven
2008-06-25 11:03 . 2008-06-25 11:03 <DIR> d-------- C:\Users\All Users\ToshibaEurope
2008-06-25 11:03 . 2008-06-25 11:03 <DIR> d-------- C:\ProgramData\ToshibaEurope
2008-06-25 10:57 . 2008-06-25 10:58 <DIR> d-------- C:\Program Files\Common Files\Toshiba Shared
2008-06-25 10:57 . 2006-11-29 13:06 3,426,072 --a------ C:\Windows\System32\d3dx9_32.dll
2008-06-25 10:57 . 2008-01-21 15:42 285,184 --a------ C:\Windows\System32\drivers\tos_sps32.sys
2008-06-25 10:55 . 2008-06-25 10:55 <DIR> d-------- C:\Windows\System32\en
2008-06-25 10:54 . 2008-06-25 10:54 <DIR> d-------- C:\Program Files\Camera Assistant Software for Toshiba
2008-06-25 10:54 . 2007-12-17 11:45 18,432 --a------ C:\Windows\System32\drivers\UVCFTR_S.SYS
2008-06-25 10:54 . 2008-06-25 10:54 0 -rahs---- C:\Windows\System32\drivers\TOSHIBA_Satellite A300_06471-GR_PSAJ4E-04500.MRK
2008-06-25 10:50 . 2008-06-25 10:50 <DIR> d-------- C:\Windows\System32\DEU
2008-06-25 10:50 . 2008-06-25 10:50 <DIR> d-------- C:\Program Files\Synaptics
2008-06-25 10:50 . 2007-10-24 11:02 936,472 --a------ C:\Windows\System32\imsmudlg.exe
2008-06-25 10:50 . 2008-06-25 10:50 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-06-25 10:49 . 2008-06-25 10:50 <DIR> d-------- C:\Program Files\ATI Technologies
2008-06-25 10:49 . 2008-06-25 10:49 <DIR> d-------- C:\Program Files\ATI
2008-06-25 10:49 . 2008-06-25 10:49 0 --a------ C:\Windows\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 11:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 15:14 --------- d-----w C:\Program Files\Windows Mail
2008-06-25 15:10 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-25 14:16 --------- d-----w C:\Program Files\myphotobook
2008-06-25 14:12 --------- d-----w C:\ProgramData\McAfee
2008-06-25 14:10 --------- d-----w C:\Program Files\MAGIX
2008-06-25 14:07 --------- d-----w C:\Program Files\Google
2008-06-25 08:59 --------- d-sh--w C:\ProgramData\Vorlagen
2008-06-25 08:59 --------- d-sh--w C:\ProgramData\Startmenü
2008-06-25 08:59 --------- d-sh--w C:\ProgramData\Favoriten
2008-06-25 08:59 --------- d-sh--w C:\ProgramData\Dokumente
2008-06-25 08:59 --------- d-sh--w C:\ProgramData\Anwendungsdaten
2008-06-25 08:59 --------- d-sh--w C:\Program Files\Gemeinsame Dateien
2008-06-25 08:58 --------- d-----w C:\Program Files\Toshiba
2008-06-25 08:57 --------- d-----w C:\ProgramData\Toshiba
2008-06-25 08:50 --------- d-----w C:\Program Files\Intel
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_14.44.14,02 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 12:14:43 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-30 12:55:29 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-30 12:13:48 699,536 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-06-30 12:54:39 699,536 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-06-30 12:14:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-30 12:55:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-30 12:55:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-30 12:17:01 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 12:58:19 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 12:58:19 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-30 12:17:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 12:58:24 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 12:58:24 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-30 12:20:20 122,842 ----a-w C:\Windows\System32\perfc007.dat
+ 2008-06-30 13:01:41 122,842 ----a-w C:\Windows\System32\perfc007.dat
- 2008-06-30 12:20:20 101,250 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-30 13:01:41 101,250 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-30 12:20:20 618,430 ----a-w C:\Windows\System32\perfh007.dat
+ 2008-06-30 13:01:41 618,430 ----a-w C:\Windows\System32\perfh007.dat
- 2008-06-30 12:20:20 587,178 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-30 13:01:41 587,178 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-30 12:17:59 3,210 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-788337792-2771033958-39454448-1000_UserData.bin
+ 2008-06-30 12:58:44 3,210 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-788337792-2771033958-39454448-1000_UserData.bin
- 2008-06-30 12:17:59 75,004 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 12:58:44 75,332 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-30 12:17:57 35,854 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 12:58:43 35,974 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1892F58-1116-4DEC-92AA-577872EC3D3D}]
2008-06-30 12:35 26624 --a------ C:\Windows\system32\xmlsys.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 04:23 1233920]
"TOSCDSPD"="TOSCDSPD.EXE" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NDSTray.exe"="NDSTray.exe" []
"ITSecMng"="C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 17:03 75136]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 18:58 1029416]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 17:41 413696]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 16:27 431456]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2007-10-31 23:01 54608]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 11:22 509816]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 14:25 712704]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Toshiba TEMPO"="C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 10:22 103824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{84C53226-C282-41FE-A4B4-8F05CC5EC24B}"= C:\Windows\system32\awttttRh.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xvorfwbd"= {20D12FFA-FDFF-4156-9834-A2BAD1D20844} - C:\Windows\xvorfwbd.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 04:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop SMS]
--a------ 2007-06-18 11:51 1507328 C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-15 19:06 1836544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-12-06 03:44 366400 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
--a------ 2008-02-20 18:58 21504 c:\tb_eula\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
--a------ 2007-07-10 10:24 581632 C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
--a------ 2007-05-04 12:05 571024 C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 20:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5454209F-AC6C-4037-B209-646565B9B833}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{580C17DA-89A6-4FDB-B90A-99E6536C7135}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

R2 ConfigFree Service;ConfigFree Service;"C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [2007-12-25 14:07]
R2 LicCtrlService;LicCtrl Service;C:\Windows\runservice.exe [2008-06-30 11:40]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 TempoMonitoringService;Notebook Performance Tuning Service ;"C:\Program Files\Toshiba TEMPRO\TempoSVC.exe" [2008-04-24 10:21]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;"C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe" [2007-12-03 17:03]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-30 17:24]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDART.sys [2008-02-01 12:46]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2media.sys [2008-01-15 11:34]
R3 QIOMem;Generic IO & Memory Access;C:\Windows\system32\DRIVERS\QIOMem.sys [2007-04-09 17:13]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 11:51]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 04:23]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 04:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{030669b9-42d2-11dd-9c14-001e686ec88d}]
\shell\AutoRun\command - H:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{764c0546-42c9-11dd-94de-001e686ec88d}]
\shell\verb1\command - desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db673247-42d4-11dd-9c10-001e686ec88d}]
\shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df3dc364-4292-11dd-88d3-806e6f6e6963}]
\shell\AutoRun\command - G:\SH3Autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 15:13:08
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-06-30 15:13:43
ComboFix-quarantined-files.txt 2008-06-30 13:13:40
ComboFix2.txt 2008-06-30 13:04:35
ComboFix3.txt 2008-06-30 12:44:34

11 Verzeichnis(se), 92,620,165,120 Bytes frei
19 Verzeichnis(se), 92,590,276,608 Bytes frei

237 --- E O F --- 2008-06-26 10:14:36

#69 Hallo Seemann

1.
deaktiviere kurzzeitig den Spybot - Search & Destroy\TeaTimer.exe

2.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als cfscript.txt mit 'Speichern unter' auf dem Desktop. Gib an "Alle Dateien" - Speichern

Zitat

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1892F58-1116-4DEC-92AA-577872EC3D3D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{84C53226-C282-41FE-A4B4-8F05CC5EC24B}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xvorfwbd"=-

File::
C:\Windows\system32\xmlsys.dll
C:\Windows\wininit.ini

Folder::
C:\Program Files\Enigma Software Group

Man sollte jetzt auf dem Desktop diese Datei cfscript.txt finden.
cfscript.txt und mit der rechten Maustaste auf das Symbol von Combofix ziehen


danach: Combofix noch einmal anwenden
__________
MfG Sabina

rund um die PC-Sicherheit

#70 hat leider nicht geklappt. hab nen bluescreen bekommen!

#71 Hallo Seemann

no problem
poste das log von HijackThis
http://virus-protect.org/hjtkurz.html

Beim Erststart:
Do a system scan and save a logfile - es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und im Sicherheits-Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit

#72 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:05, on 2008-06-30
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Spybot-S&D IE Protection - {B1892F58-1116-4DEC-92AA-577872EC3D3D} - C:\Windows\system32\xmlsys.dll
O3 - Toolbar: (no name) - {B4B8E731-19DA-43DF-9E91-4B33E8478EF3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/707-44556-9400-3/4 (file missing)
O9 - Extra button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.de/exec/obidos/redirect-home?tag=Toshibadebholink-21&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O21 - SSODL: xvorfwbd - {20D12FFA-FDFF-4156-9834-A2BAD1D20844} - C:\Windows\xvorfwbd.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Notebook Performance Tuning Service (TempoMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TempoSVC.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8363 bytes

#73 Hallo, Seemann

0.
Gehe in die Registry
Start - Ausführen - regedit
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{84C53226-C282-41FE-A4B4-8F05CC5EC24B} - löschen

1.
mit dem HijackThis löschen ("fixen")
Klicke: "Do a system scan only"
Setze ein Häckchen in das Kästchen vor den genannten Eintrag
und wähle fix checked.

Zitat

O2 - BHO: Spybot-S&D IE Protection - {B1892F58-1116-4DEC-92AA-577872EC3D3D} - C:\Windows\system32\xmlsys.dll

O3 - Toolbar: (no name) - {B4B8E731-19DA-43DF-9E91-4B33E8478EF3} - (no file)

O21 - SSODL: xvorfwbd - {20D12FFA-FDFF-4156-9834-A2BAD1D20844} - C:\Windows\xvorfwbd.dll (file missing)

2.
lösche die xmlsys.dll mit diesem Programm
C:\Windows\system32\xmlsys.dll
http://virus-protect.org/artikel/tools/undll.html

3.
deinstalliere/lösche:
C:\Program Files\Enigma Software Group

kannst du machen mit:
http://virus-protect.org/artikel/tools/otmoveIt.html

Kopiere rein: im linken Fenster ,wo steht: Paste List of Files/Folders to Move

Zitat

C:\Program Files\Enigma Software Group

Klicke auf den Roten MoveIt!
__________
MfG Sabina

rund um die PC-Sicherheit

#74 super, jetzt hat's geklappt! vielen vielen dank!

#75 hallo !
hab auch diesen mist. kannst du mir auch helfen ?

ComboFix 08-06-20.4 - Volkert 2008-06-30 17:48:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1031.18.325 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Volkert\Eigene Dateien\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((( Dateien erstellt von 2008-05-28 bis 2008-06-30 ))))))))))))))))))))))))))))))
.

2008-06-30 16:29 . 2008-06-30 17:27 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-30 16:29 . 2008-06-30 17:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-06-30 11:22 . 2008-06-30 11:58 <DIR> d-------- C:\Programme\SPYWAREfighter
2008-06-30 11:03 . 2008-06-30 11:11 <DIR> d-a------ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-06-28 19:58 . 2008-06-28 19:58 26,624 --a------ C:\WINDOWS\system32\xmlview.dll
2008-06-28 19:58 . 2008-06-28 19:58 26,624 --a------ C:\WINDOWS\system32\xmlsys.dll
2008-06-28 19:57 . 2008-06-28 19:57 26,624 --a------ C:\WINDOWS\system32\xmlwin.dll
2008-06-22 02:47 . 2008-06-28 20:03 <DIR> d-------- C:\Downloads
2008-06-12 08:56 . 2003-02-20 16:42 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-05-28 09:43 . 2008-06-30 10:34 <DIR> d-------- C:\Programme\Full Tilt Poker
2008-05-02 20:07 . 2004-08-03 21:10 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 21:55 --------- d-----w C:\Programme\Teamspeak2_RC2
2008-06-12 06:47 --------- d-----w C:\Programme\Java
2008-06-11 01:01 --------- d-----w C:\Programme\PartyGaming
2008-05-30 11:34 --------- d-----w C:\Programme\Soulseek
2008-05-28 07:43 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-05-02 18:08 --------- d-----w C:\Programme\ATI Technologies
.

------- Sigcheck -------

2001-08-23 16:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\winlogon.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}]
2008-06-28 19:58 26624 --a------ C:\WINDOWS\System32\xmlsys.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-30 12:32 262401]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2005-09-27 13:16 2635472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-18 16:00 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Programme\HelDecPack\ffdshow.ax

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Volkert^Startmenü^Programme^Autostart^Microsoft Office-Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\Volkert\Startmenü\Programme\Autostart\Microsoft Office-Schnellstart.lnk
backup=C:\WINDOWS\pss\Microsoft Office-Schnellstart.lnkStartup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Volkert^Startmenü^Programme^Autostart^PowerReg Scheduler.exe]
path=C:\Dokumente und Einstellungen\Volkert\Startmenü\Programme\Autostart\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^DOKUME~1^Volkert^Startmenü^Programme^Autostart^PowerReg Scheduler.exe]
path=C:\DOKUME~1\Volkert\Startmenü\Programme\Autostart\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antispy]
C:\Programme\IEAntiVirus\ANTIVIR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2001-08-18 16:00 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 07:14 1077277 C:\Programme\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-30 16:01 98304 C:\Programme\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywarefighterguard]
C:\Programme\SPYWAREfighter\spftray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"BITS"=3 (0x3)
"Browser"=2 (0x2)
"UMWdf"=2 (0x2)

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys [2008-04-30 12:32]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-04-30 12:32]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 17:51:05
Windows 5.1.2600 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2008-06-30 17:53:53
ComboFix-quarantined-files.txt 2008-06-30 15:53:49

10 Verzeichnis(se), 1,161,383,936 Bytes frei
13 Verzeichnis(se), 2,356,805,632 Bytes frei