scvhost.exe (win32:ciadoor-21) u.a. Firewall und Registry ohne Funktion

#0
10.04.2006, 10:54
Member

Beiträge: 13
#1 guten morgen zusammen!

seit ein paar tagen habe ich das problem, dass ich nicht mehr in die registry komme und meine windows xp-firewall deaktiviert ist und sich auch nicht mehr aktivieren lässt. daraufhin habe ich versucht mit AntiVir einen virenscan zu machen, dieser wurde aber bereits nach ein paar sekunden abgebrochen. danach habe ich den antivir deinstalliert und die software avast! installiert. diese hat die dateien GsBEosu457.ini und scvhost.exe (beide win32:ciadoor-21) gefunden und natürlich sofort gelöscht.

nun wäre es natürlich super, wenn mir bitte jemand die weitere vorgehensweise erklären könnte.

mein hijackthis-log:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:36, on 10.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\PRISMSTA.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Trillian\trillian.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programme\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
c:\progra~1\gemein~1\instal~1\update~1\isuspm.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\agent.exe
C:\Programme\Alwil Software\Avast4\ashChest.exe
C:\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [ATIPTA] "C:\ATI-CPanel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133388519859
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76483465-4C23-40A9-BF72-994A32A8BA0B}: NameServer = 217.237.151.97 217.237.150.33
O18 - Protocol: bw+0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)


vielen, vielen dank im voraus!

grüße
frank_stoned
Dieser Beitrag wurde am 10.04.2006 um 10:59 Uhr von frank_stoned editiert.
Seitenanfang Seitenende
10.04.2006, 15:18
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 frank_stoned

win32:ciadoor
http://virus-protect.org/artikel/dienste/wsock32sys.html

--------------------------------------------------------------------

1.
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

kann auch gefixt werden:..hat nichts im Autostart verloren...

O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O18 - Protocol: bw+0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {1E5D6C8A-3C2F-49AC-9E3E-068506FEAFF0} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
PC neustarten

2.
gehe in die Registry...du müsstest nun eigentlich wieder in die Registry kommen....

Start->Ausführen --> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> auf 0 (oder den ganzen Schluessel loeschen)
DisableRegistryTools = "dword:00000001" --> auf 0 (oder den ganzen Schluessel loeschen)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD
(Ohne den Schlüssel Policies)

Wenn du jetzt im rechten Fenster einen Wert namens DisableCMD findest, lösche ihn. Spätestens nach einem Neustart sollte die Eingabeaufforderung wieder verfügbar sein

------------------------

3.
Klick Start>> Ausführen>> schreibe Services.msc und Klick OK!
"Eigenschaften" >> Click "Stop">> Starttyp "deaktiviert"

Windows-Firewall/Gemeinsame Nutzung der Internetverbindung

----------------------

4.
Start --> Ausführen --> reinkopieren (wenn eine Fehlermeldung kommt...ignorieren) --> klicke O.K.

sc delete Windows-Firewall/Gemeinsame Nutzung der Internetverbindung

---------------------

5.
Start > Ausführen > mmc > Datei > Snapin hinzufügen > Hinzufügen > Gruppenrichtlinien auswählen > hinzufügen > Fertig stellen > schließen > ok >Benutzerkonfiguration > Aministrative Vorlagen > System > Doppleklick auf "Zugriff auf Eingabeaufforderung verhindern" > deaktivieren > OK > alle Fenster schliessen > neu anmelden > an der Kommandozeile

--------------------

6.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

7.
Kopiere diese 4 Textdateien. Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

ich suche die Viren raus:
..dann beginnt die Reinigung ;)
http://virus-protect.org/artikel/dienste/wsock32sys.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
10.04.2006, 16:50
Member

Themenstarter

Beiträge: 13
#3 hi sabina!

vielen dank für deine rasche antwort.

habe alle punkte abgearbeitet. bis auf punkt 2: diese von dir angegebenen registry-einträge waren nicht vorhanden. nachdem ich aber punkt 5 erledigt hatte, funktionierte auch die eingabeaufforderung wieder.

nun die angaben zu punkt 7:

Verzeichnis von C:\WINDOWS\system32

09.04.2006 20:53 310.283 ckl009.dat
09.04.2006 14:15 163.328 lollol.sys

09.04.2006 12:08 3.002 CONFIG.NT
07.04.2006 23:19 142 del32.bat
05.04.2006 00:32 7.006 jupdate-1.5.0_06-b05.log
04.04.2006 12:23 52.764 perfc009.dat
04.04.2006 12:23 380.350 perfh009.dat
04.04.2006 12:23 390.944 perfh007.dat
04.04.2006 12:23 63.534 perfc007.dat
04.04.2006 12:23 897.848 PerfStringBackup.INI
26.03.2006 05:51 664 d3d9caps.dat
17.03.2006 18:43 2.206 wpa.dbl
10.03.2006 02:10 4.799.320 MRT.exe
05.03.2006 13:39 98.304 CmdLineExt.dll
04.03.2006 07:14 134.072 FNTCACHE.DAT
06.02.2006 21:42 86.016 dpl100.dll
06.02.2006 21:42 593.920 dpuGUI11.dll
06.02.2006 21:42 200.704 dtu100.dll
06.02.2006 21:41 339.968 dpus11.dll
06.02.2006 21:41 57.344 dpv11.dll
06.02.2006 21:41 294.912 dpu11.dll
06.02.2006 21:41 294.912 dpu10.dll
06.02.2006 21:41 716.800 divxdec.ax
06.02.2006 21:41 574.976 DivX.dll
06.02.2006 21:41 679.936 divx_xx07.dll
06.02.2006 21:41 679.936 divx_xx0c.dll
06.02.2006 21:41 663.552 divx_xx11.dll
05.02.2006 13:56 37 getfile.dat
27.01.2006 23:38 503.296 aswBoot.exe
27.01.2006 23:30 90.112 AVASTSS.scr
21.01.2006 04:41 12.288 DivXWMPExtType.dll
21.01.2006 00:46 4.276 divxsm.tlb
21.01.2006 00:46 778.240 DivXsm.exe
21.01.2006 00:46 10.716 dsm_ja.qm
21.01.2006 00:46 15.331 dsm_de.qm
21.01.2006 00:46 15.172 dsm_fr.qm
21.01.2006 00:46 1.044.480 libdivx.dll
21.01.2006 00:46 200.704 ssldivx.dll
21.01.2006 00:46 245.408 unicows.dll
21.01.2006 00:46 421.888 pxdrv.dll
21.01.2006 00:46 108.544 pxcpyi64.exe
21.01.2006 00:46 109.568 pxinsi64.exe
21.01.2006 00:46 172.032 pxmas.dll
21.01.2006 00:46 372.736 px.dll
21.01.2006 00:46 56.832 pxcpya64.exe
21.01.2006 00:46 61.440 pxhpinst.exe
21.01.2006 00:46 56.320 pxinsa64.exe
21.01.2006 00:46 339.968 pxwave.dll
21.01.2006 00:46 28.672 vxblock.dll
21.01.2006 00:46 3.596.288 qt-dx331.dll
21.01.2006 00:46 8.523 dpude.qm
21.01.2006 00:46 53.248 dpuGUI10.dll
21.01.2006 00:46 3.136 dtu_de.qm
18.01.2006 12:45 352.256 PDFSpooler.exe
04.01.2006 05:35 68.096 webclnt.dll

Verzeichnis von C:\DOKUME~1\STEFAN\LOKALE~1\Temp

10.04.2006 16:27 206 jusched.log
21.04.2005 15:00 78 Desktop.ini

10.04.2006 16:16 60.819 jusched.log
09.04.2006 23:18 5.487 ionCubeInstallerLog_1144617135.txt
09.04.2006 23:04 3.902 ionCubeInstallerLog_1144616194.txt
09.04.2006 11:37 16.384 ~DF9247.tmp
08.04.2006 18:58 16.384 ~DFCBAA.tmp
08.04.2006 18:58 16.384 ~DFCBBA.tmp


Verzeichnis von C:\WINDOWS

10.04.2006 16:31 4.540 ModemLog_PCI SoftV92 Data Fax Modem with SmartCP.txt
10.04.2006 16:30 0 0.log
10.04.2006 16:30 1.956.886 WindowsUpdate.log
10.04.2006 16:30 50 wiaservc.log
10.04.2006 16:30 159 wiadebug.log
10.04.2006 16:29 2.048 bootstat.dat
10.04.2006 16:29 32.608 SchedLgU.Txt
10.04.2006 01:41 32.831 DirectX.log
09.04.2006 19:40 116 NeroDigital.ini
09.04.2006 13:19 502 ODBC.INI
08.04.2006 17:14 1.222 EventSystem.log
07.04.2006 16:34 22.587 wmsetup.log
04.04.2006 12:22 2.082 ModemLog_Standardmodem ber Bluetooth-Verbindung.txt
31.03.2006 18:31 816.998 setupapi.log
31.03.2006 14:42 673 cdplayer.ini
07.03.2006 12:57 855 win.ini
25.02.2006 14:15 349.215 setupact.log
20.02.2006 19:15 83 wwp.INI
18.02.2006 11:20 923 spupdsvc.log
18.02.2006 05:08 39.056 MedCtrOC.log
18.02.2006 05:08 19.349 ehOCGen.log
18.02.2006 05:08 109.488 comsetup.log
18.02.2006 05:08 380.043 iis6.log
18.02.2006 05:08 65.730 ntdtcsetup.log
18.02.2006 05:08 15.289 tabletoc.log
18.02.2006 05:08 1.374 imsins.log
18.02.2006 05:08 17.235 ocmsn.log
18.02.2006 05:08 142.451 tsoc.log
18.02.2006 05:08 10.686 KB911927.log
18.02.2006 05:08 66.851 netfxocm.log
18.02.2006 05:08 39.388 plusoc.log
18.02.2006 05:08 15.344 msgsocm.log
18.02.2006 05:08 158.934 ocgen.log
18.02.2006 05:08 294.592 FaxSetup.log
18.02.2006 05:08 100.992 msmqinst.log
18.02.2006 05:08 18.711 updspapi.log
18.02.2006 05:08 1.374 imsins.BAK
18.02.2006 05:08 10.097 KB911565.log
18.02.2006 05:07 6.702 KB913446.log
11.01.2006 15:16 10.173 KB908519.log
06.01.2006 15:39 11.070 KB912919.log

Verzeichnis von C:\

10.04.2006 16:41 0 sys.txt
10.04.2006 16:40 8.341 system.txt
10.04.2006 16:39 343 systemtemp.txt
10.04.2006 16:32 99.609 system32.txt
10.04.2006 16:29 1.610.612.736 pagefile.sys
11.02.2006 15:10 3.185 PDFCreator-Errorlog.txt
01.12.2005 02:01 1.159 _Sid.txt
01.12.2005 01:18 185 ati.log
30.11.2005 23:39 430 TO_InstallLog.txt
30.11.2005 23:24 0 IO.SYS
30.11.2005 23:24 0 MSDOS.SYS
30.11.2005 23:24 0 AUTOEXEC.BAT
30.11.2005 23:24 0 CONFIG.SYS
30.11.2005 23:17 209 boot.ini
31.10.2005 17:56 700.416 StubInstaller.exe
10.08.2004 21:00 4.952 bootfont.bin
10.08.2004 21:00 47.564 NTDETECT.COM
10.08.2004 21:00 251.184 ntldr
06.02.2004 18:17 16.384 hpqimgrc.resources.dll

grüße
frank_stoned
Seitenanfang Seitenende
11.04.2006, 00:13
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 frank_stoned

1.
stelle den Cleaner genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben)

l o l l o l.sys ..schreibe es rein (ohne Leerstellen)

Zitat

wenn ich es kopiere, erscheint.. lollol.sys
in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

3.
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"
reinkopieren: ...

C:\WINDOWS\system32\l o l o l.sys (wieder ohne leerstellen in die killbox kopieren...oder schreiben...oder manuell loeschen)

C:\DOKUME~1\STEFAN\LOKALE~1\Temp\4643733f62ce6b75ce6cc3d0eda06c9f.html
C:\DOKUME~1\STEFAN\LOKALE~1\Temp\a6ffb4a932ed05684c7c4eda07ae2cd0.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\ckl009.dat
C:\WINDOWS\system32\del32.bat
C:\WINDOWS\system32\getfile.dat
C:\StubInstaller.exe

PC neustarten

4.
scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
11.04.2006, 06:46
Member

Themenstarter

Beiträge: 13
#5 guten morgen sabina!

zu 2.:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 11.04.2006 00:33:39 for strings:
; 'lollol.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32]
@="C:\\WINDOWS\\system32\\lollol.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32]
@="C:\\WINDOWS\\system32\\lollol.sys"

; End Of The Log...


zu 3.:

habe ich wie beschrieben gemacht. wenn ich mich aber mit meinem benutzerprofil anmelde, erscheint weiterhin vier mal die meldung, dass die datei scvhost.exe nicht gefunden werden kann. sollte das nicht eigentlich weg sein?

zu 4.:

The scan is complete.
No malware has been detected. The sections that have been scanned are CLEAN.

Report is empty.

Total number of scanned files: 138744
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 05:26:43

grüße
frank_stoned
Seitenanfang Seitenende
11.04.2006, 11:05
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6 frank_stoned

Gehe in die Registry
Start - Ausfuehren - regedit

bearbeiten - suchen - l o l l o l.sys

loesche: (was ich rot gekennzeichnet habe)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32]
@="C:\\WINDOWS\\system32\\lollol.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32]
@="C:\\WINDOWS\\system32\\lollol.sys"

PC neustarten

dann poste bitte das neue Log vom HijackThis (und berichte auch, wie es um die firewall bestellt ist)
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
11.04.2006, 11:32
Member

Themenstarter

Beiträge: 13
#7 Logfile of HijackThis v1.99.1
Scan saved at 11:20:34, on 11.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\PRISMSTA.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://welcome.icq.com/js/ppfile.html?0
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [ATIPTA] "C:\ATI-CPanel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Programme\Save\Save.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Programme\Star Downloader\sdie.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133388519859
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Firewall: der dienst kann nicht gestartet werden. fehler 123: die syntax für den dateinamen, verzeichnisnamen oder die datenträgerbezeichnung sind falsch.
Seitenanfang Seitenende
11.04.2006, 11:58
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#8 1.
fixe mit dem HijackThis:

F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Programme\Save\Save.exe"

PC neustarten

2,
loesche:
C:\Programme\Save

3.
berichte, was du findest unter:

HKLM\SOFTWARE\Microsoft\Security Center

Zitat

"AntiVirusDisableNotify"=dword:00000001 oder 0 ????
"AntiVirusOverride"=dword:00000000
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"FirstRunDisabled"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
aktiviere Windows XP Firewall:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

Zitat

"EnableFirewall"=dword:00000000 oder 1 ???
4.
suche auch noch mal alle Eintraege von
scvhost.exe und Generic Host Process und Windows-Firewall/Gemeinsame Nutzung der Internetverbindung in der Registry und loesche sie.

5.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
set\set\set <--loeschen

PC neustarten
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
11.04.2006, 12:52
Member

Themenstarter

Beiträge: 13
#9 zu 2.:

war nicht mehr vorhanden. in der registry ist aber unter hklm\software\whenUsave ein eintrag vorhanden.

zu 3.:

außer bei "FirstRunDisabled" ist bei jedem eintrag der wert 0

dieser eintrag existiert nicht:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Seitenanfang Seitenende
11.04.2006, 13:02
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#10 zu 2:
wende die REGEDIT4 an
http://virus-protect.org/artikel/spyware/save.html

zu 3: alles in Ordnung

zu:4 poste das Log
http://virus-protect.org/registry_stuff.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
11.04.2006, 13:32
Member

Themenstarter

Beiträge: 13
#11 doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
doesn't exist HKEY_CURRENT_USER\Software\Microsoft\OLE
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"Description"="Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."
"DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,43,3a,5c,57,49,4e,44,4f,\
57,53,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,\
6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:0000113b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Trillian\\trillian.exe"="C:\\Programme\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Programme\\ICQLite\\ICQLite.exe"="C:\\Programme\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Programme\\Xfire\\Xfire.exe"="C:\\Programme\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Programme\\HLSW\\hlsw.exe"="C:\\Programme\\HLSW\\hlsw.exe:*:Enabled:HLSW"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Eine DLL-Datei als Anwendung ausführen"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\counter-strike\\hl.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programme\\Gamers.IRC\\mirc.exe"="C:\\Programme\\Gamers.IRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Download\\eMule0.46c\\emule.exe"="C:\\Download\\eMule0.46c\\emule.exe:*:Enabled:eMule"
"C:\\Programme\\g3torrent\\g3torrent.exe"="C:\\Programme\\g3torrent\\g3torrent.exe:*:Enabled:g3torrent"
"C:\\Programme\\Azureus\\Azureus.exe"="C:\\Programme\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\condition zero\\hl.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Valve\\Condition Zero\\czero.exe"="C:\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"C:\\Programme\\CS\\hl2.exe"="C:\\Programme\\CS\\hl2.exe:*:Enabled:hl2"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\dedicated server\\hlds.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\dedicated server\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\dedicated server\\hltv.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\dedicated server\\hltv.exe:*:Enabled:HLTV Launcher"
"C:\\Dokumente und Einstellungen\\HURR!CANE\\Desktop\\INpact_CSS_Hud_tweaker_1.18\\INpact_CSS_Hud_tweaker.exe"="C:\\Dokumente und Einstellungen\\HURR!CANE\\Desktop\\INpact_CSS_Hud_tweaker_1.18\\INpact_CSS_Hud_tweaker.exe:*:Enabled:Application MFC Hud"
"C:\\Programme\\SmartFTP\\SmartFTP.exe"="C:\\Programme\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Programme\\CS1.6noSteam\\hl.exe"="C:\\Programme\\CS1.6noSteam\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programme\\CS1.6 pod-Bot\\hl.exe"="C:\\Programme\\CS1.6 pod-Bot\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Dokumente und Einstellungen\\HURR!CANE\\Desktop\\1044_CounterStrike 2D_cs2d_0031\\cs2d_0031\\CounterStrike2D.exe"="C:\\Dokumente und Einstellungen\\HURR!CANE\\Desktop\\1044_CounterStrike 2D_cs2d_0031\\cs2d_0031\\CounterStrike2D.exe:*:Disabled:CounterStrike2D"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Programme\\LimeWire\\LimeWire.exe"="C:\\Programme\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\counter-strike source\\hl2.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\source dedicated server\\srcds.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\source dedicated server\\srcds.exe:*:Enabled:srcds"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\half-life 2 deathmatch\\hl2.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Dokumente und Einstellungen\\HURR!CANE\\Lokale Einstellungen\\Temp\\Rar$EX00.235\\cs2d_0031\\CounterStrike2D.exe"="C:\\Dokumente und Einstellungen\\HURR!CANE\\Lokale Einstellungen\\Temp\\Rar$EX00.235\\cs2d_0031\\CounterStrike2D.exe:*:Enabled:CounterStrike2D"
"C:\\Programme\\Teamspeak2server\\server_windows.exe"="C:\\Programme\\Teamspeak2server\\server_windows.exe:*:Enabled:Server"
"C:\\Dokumente und Einstellungen\\HURR!CANE\\Eigene Dateien\\ICQ Lite\\198163341\\Tobi_233704280\\GBA\\VisualBoyAdvance.exe"="C:\\Dokumente und Einstellungen\\HURR!CANE\\Eigene Dateien\\ICQ Lite\\198163341\\Tobi_233704280\\GBA\\VisualBoyAdvance.exe:*:Disabled:VisualBoyAdvance emulator"
"D:\\Michael\\Nützliches\\Emulator\\Konsolen\\SuperN\\zsneswv1.36\\ZSNESW.EXE"="D:\\Michael\\Nützliches\\Emulator\\Konsolen\\SuperN\\zsneswv1.36\\ZSNESW.EXE:*:Enabled:ZSNESW"
"C:\\Dokumente und Einstellungen\\HURR!CANE\\Eigene Dateien\\ICQ Lite\\198163341\\Tobi_233704280\\Snes9XW.exe"="C:\\Dokumente und Einstellungen\\HURR!CANE\\Eigene Dateien\\ICQ Lite\\198163341\\Tobi_233704280\\Snes9XW.exe:*:Enabled:Snes9XW"
"C:\\Programme\\CS1.6 pod-Bot\\hltv.exe"="C:\\Programme\\CS1.6 pod-Bot\\hltv.exe:*:Enabled:HLTV Launcher"
"C:\\Programme\\BearShare\\BearShare.exe"="C:\\Programme\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Programme\\Java\\j2re1.4.2_05\\bin\\javaw.exe"="C:\\Programme\\Java\\j2re1.4.2_05\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Programme\\Steam\\SteamApps\\hurricane1990\\day of defeat source\\hl2.exe"="C:\\Programme\\Steam\\SteamApps\\hurricane1990\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Programme\\CSSource\\CS\\hl2.exe"="C:\\Programme\\CSSource\\CS\\hl2.exe:*:Enabled:hl2"
"C:\\Programme\\DreamCatcher\\Painkiller\\Bin\\Painkiller.exe"="C:\\Programme\\DreamCatcher\\Painkiller\\Bin\\Painkiller.exe:*:Enabled:Painkiller"
"C:\\Dokumente und Einstellungen\\HURR!CANE\\Desktop\\Weisseradler-Script 1.071\\mirc.exe"="C:\\Dokumente und Einstellungen\\HURR!CANE\\Desktop\\Weisseradler-Script 1.071\\mirc.exe:*:Enabled:mIRC"
"C:\\Programme\\TrackMania Nations ESWC\\TmNationsESWC.exe"="C:\\Programme\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Sicherheitscenter"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Überwacht Systemsicherheitseinstellungen und -konfigurationen."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,62,72,\
6f,77,73,65,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:87,3b,8d,8e,33,56,7c,4f,b3,b8,85,83,b4,1b,a0,13
"AdjustedNullSessionPipes"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Ermöglicht Remotebenutzern, Registrierungseinstellungen dieses Computers zu verändern. Wenn dieser Dienst beendet wird, kann die Registrierung nur von lokalen Benutzern dieses Computers verändert werden. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können."
"DependOnService"=hex(7):52,50,43,53,53,00,00
"DisplayName"="Remote-Registrierung"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,4c,6f,63,61,6c,53,65,72,\
76,69,63,65,00
"ObjectName"="NT AUTHORITY\\LocalService"
"Group"=""
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,e0,ad,08,\
00,01,00,00,00,e8,03,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,72,65,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum]
"0"="Root\\LEGACY_REMOTEREGISTRY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Type"=dword:00000010
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,\
74,6c,6e,74,73,76,72,2e,65,78,65,00
"DisplayName"="Telnet"
"DependOnService"=hex(7):52,50,43,53,53,00,54,43,50,49,50,00,4e,54,4c,4d,53,53,\
50,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"=hex(2):45,72,6d,f6,67,6c,69,63,68,74,20,65,69,6e,65,6d,20,52,65,\
6d,6f,74,65,62,65,6e,75,74,7a,65,72,2c,20,73,69,63,68,20,61,6e,20,64,69,65,\
73,65,6d,20,43,6f,6d,70,75,74,65,72,20,61,6e,7a,75,6d,65,6c,64,65,6e,20,75,\
6e,64,20,50,72,6f,67,72,61,6d,6d,65,20,61,75,73,7a,75,66,fc,68,72,65,6e,2e,\
20,55,6e,74,65,72,73,74,fc,74,7a,74,20,76,65,72,73,63,68,69,65,64,65,6e,65,\
20,54,43,50,2f,49,50,2d,54,65,6c,6e,65,74,63,6c,69,65,6e,74,73,2c,20,65,69,\
6e,73,63,68,6c,69,65,df,6c,69,63,68,20,55,4e,49,58,2d,62,61,73,69,65,72,74,\
65,6e,20,75,6e,64,20,57,69,6e,64,6f,77,73,2d,62,61,73,69,65,72,74,65,6e,20,\
43,6f,6d,70,75,74,65,72,6e,2e,20,57,65,6e,6e,20,64,69,65,73,65,72,20,44,69,\
65,6e,73,74,20,61,6e,67,65,68,61,6c,74,65,6e,20,77,69,72,64,2c,20,69,73,74,\
20,64,65,72,20,52,65,6d,6f,74,65,7a,75,67,72,69,66,66,20,6d,f6,67,6c,69,63,\
68,65,72,77,65,69,73,65,20,6e,69,63,68,74,20,6d,65,68,72,20,76,65,72,66,fc,\
67,62,61,72,2e,20,57,65,6e,6e,20,64,69,65,73,65,72,20,44,69,65,6e,73,74,20,\
64,65,61,6b,74,69,76,69,65,72,74,20,77,69,72,64,2c,20,6b,f6,6e,6e,65,6e,20,\
61,6c,6c,65,20,44,69,65,6e,73,74,65,2c,20,64,69,65,20,65,78,70,6c,69,7a,69,\
74,20,76,6f,6e,20,64,69,65,73,65,6d,20,44,69,65,6e,73,74,20,61,62,68,e4,6e,\
67,65,6e,2c,20,6e,69,63,68,74,20,6d,65,68,72,20,67,65,73,74,61,72,74,65,74,\
20,77,65,72,64,65,6e,2e,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000002c4
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:e8,75,6a,47,b0,26,1c,db,a8,ba,a3,7a,bb,63,21,31,39,35,33,64,62,\
65,39,32,00,fd,07,00,2c,78,00,00,34,fa,07,00,56,82,46,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,2c,10,e8,85,5f,3c,3d,a6,9c,76,1b,95

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:24,30,d6,5a,4c,e4,60,4c,7e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:98,7d,01,35,39,c9

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:17,25,4a,94,49,5f,18,c2,18,d5,ae,89,73,4b,32,25

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:10,38,fd,16,fa,f5,c5,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,38,3a,3c,0c,7f,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,38,3a,3c,0c,7f,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,38,3a,3c,0c,7f,c4,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]


Seitenanfang Seitenende
11.04.2006, 15:35
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#12 die Firewall ist sehr wohl aktiv, und erlaubt auch den zahlreichen P2P-Proggies Zugriff auf deinen PC.
Der Trojaner ist geloescht... denke mal drueber nach, wo du dir das eingefangen hast... und berichte
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
11.04.2006, 17:09
Member

Themenstarter

Beiträge: 13
#13 vielen dank für deine zeit und deine hilfe.

die windows-firewall ist nicht aktiv. im sicherheitscenter steht INAKTIV.
kann das vielleicht daran liegen, dass ich die software avast! als antivirus und firewall habe und beides, windows-firewall und avast!, zusammen nicht funktionieren?
ich hab mir den trojaner nicht eingefangen. das war mein brüderchen...und wo, das ist ja klar...
Seitenanfang Seitenende
11.04.2006, 21:24
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#14 diese Eintraege...findest du sie???

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
*EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
*EnableFirewall
dword:00000000

schluessel auf 1 setzen.
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
12.04.2006, 06:01
Member

Themenstarter

Beiträge: 13
#15 nein, sind nicht vorhanden. unter hklm\software\policies\microsoft ist kein ordner namens windowsfirewall.

nur hier habe ich sowas gefunden: hklm\system\controlset001\services\sharedaccess\parameters\firewallpolicy\...

hab grad noch einmal hijackthis durchlaufen lassen. das hier war im log aufgeführt:

O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
Dieser Beitrag wurde am 12.04.2006 um 06:11 Uhr von frank_stoned editiert.
Seitenanfang Seitenende