Trojan BDS/Ciadoor.13.312 - various admin rights disabled
#0 | 11.05.2006, 00:35 | Member | Posts: 15
#2 | 11.05.2006, 12:42 | Honorary member | Posts: 29434
Tommy55
That can be cleaned. It takes several steps, but so far I have always managed to get it cleaned.
http://virus-protect.org/artikel/dienste/wsock32sys.html

HijackThis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder --> None of the above, just start the program --> Save --> Savelog --> the editor opens; now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
__________
Regards, Sabina
all about PC security
#3 | 13.05.2006, 14:43 | Member, thread starter | Posts: 15
Hello Sabina,
thanks in advance for agreeing to help me. Unfortunately I only got around to the HijackThis scan today. I also ran the cleanup with CleanUp beforehand. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 14:38:36, on 13.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Programme\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programme\CyberLink\PowerVCRII\Agent.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Tommy\Eigene Dateien\Eigene Programme\Internet\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smartsurfer.web.de/Download
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von NetCologne
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - C:\WINDOWS\system32\wsock32.sys (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Agent] C:\Programme\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Programme\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mssys.exe /u
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [0900 Warner] C:\PROGRA~1\0190WA~1\WARN0900.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [EzAgent] C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programme\GetRight\getright.exe
O4 - Global Startup: VersionBackup.lnk = C:\Programme\VersionBackup\VersionBackup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Web-Eintrag - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\programme\lotus\organize\bandobjs.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.internetcologne.de
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c2.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {51EA44E6-C8C3-4E30-8F3D-D8EE71A44DCB} (Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_1115.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.expressphoto.de/ImageUploader3.cab
O16 - DPF: {ABC1D8DE-CAB5-4FB7-BCD0-137BAB9F09DC} (aldisued-fotos-druck_de_bilduebertragung) - http://www.aldisued-fotos-druck.de/upload/aldi_sued_bilduebertragung.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O21 - SSODL: System - {B2A551D4-D9C9-42A6-ABD8-9DABF6ACA3E7} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - Towitoko AG - C:\WINDOWS\SCARDS32.EXE
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

I hope you can make something of it. To me it is almost all Greek. As before, AntiVir dutifully reports at every start-up that the infected file wsock32.sys has been found in the windows/system32 directory. Well, I hope you know how I can get rid of this pest without having to reinstall the machine. Thanks again and see you soon, Tommy
#4 | 13.05.2006, 15:13 | Honorary member | Posts: 29434
Open HijackThis -- "Scan" button -- tick the boxes in front of the malware entries -- "Fix checked" button -- restart the PC
Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
Restart the PC.
Go into the registry... you should now actually be able to get into the registry again....
Start -> Run --> regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD (without the Policies key)
If you now find a value named DisableCMD in the right-hand pane, delete it. By the next restart at the latest the command prompt should be available again.
----------------------------------
Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
Unpack echo.zip --> click echo.bat --> the text editor will open --> copy the text
http://virus-protect.org/bat/echo.zip
__________
Regards, Sabina
all about PC security
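As an added example (not code from this thread, from HijackThis or from the forum), the following Python script applies the checks Sabina's replies rely on to a HijackThis-format log: it parses the Rn/Fn/On entries, flags executables whose names are one edit away from a core Windows binary (scvhost.exe versus svchost.exe), legacy system.ini/win.ini autostarts, entries whose file is missing, O7 policy restrictions such as DisableRegedit, and start pages outside an expected-host allowlist. The sample log lines, the allowlist and the list of system binaries are constructed for this example, and triage(), lookalike() and osa_distance() are hypothetical helper names.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries from
# Tommy's log above (a dozen lines, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - C:\WINDOWS\system32\wsock32.sys (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O21 - SSODL: System - {B2A551D4-D9C9-42A6-ABD8-9DABF6ACA3E7} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
"""

# Core Windows binaries that malware imitates by misspelling or letter-swapping
# (scvhost.exe for svchost.exe). Constructed list; extend as needed.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# Hosts the owner expects in R0/R1 start-page entries (constructed allowlist
# taken from the legitimate entries in the log; adapt per machine).
EXPECTED_HOME_HOSTS = {"www.web.de", "www.internetcologne.de", "smartsurfer.web.de"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r"([\w.-]+\.exe)\b", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'scvhost' is distance 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(exe_name: str):
    """Return the system binary that exe_name imitates, or None if it is a
    genuine system binary or not within one edit of any."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((r for r in sorted(SYSTEM_BINARIES) if osa_distance(name, r) == 1), None)


def triage(log_text: str) -> list:
    """Return (section, reason, line) for every HijackThis entry that needs a
    closer look; header and 'Running processes' lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        # 1. executable names one edit away from a core Windows binary
        for exe in EXE_RE.findall(body):
            real = lookalike(exe)
            if real:
                reasons.append(f"{exe} imitates {real}")
        # 2. legacy system.ini/win.ini autostarts (F2/F3) that launch extra code
        if sec in ("F2", "F3"):
            key, _, val = body.split(":", 2)[-1].strip().partition("=")
            if key.lower() == "shell" and val.strip().lower() != "explorer.exe":
                reasons.append("system.ini Shell= launches more than Explorer.exe")
            elif key.lower() in ("load", "run") and val.strip():
                reasons.append(f"win.ini {key}= autostarts {val.strip()}")
        # 3. registrations whose file is gone: leftovers to clean up
        if "(file missing)" in body:
            reasons.append("orphaned entry, registered file is missing")
        # 4. O7 policy restrictions (the DisableRegedit that blocked the fix)
        if sec == "O7":
            pol = re.search(r"(Disable\w+)=1", body)
            reasons.append(f"policy restriction {pol.group(1) if pol else body} is set")
        # 5. start/default pages pointing outside the expected hosts
        if sec in ("R0", "R1"):
            for host in HOST_RE.findall(body):
                if host.lower() not in EXPECTED_HOME_HOSTS:
                    reasons.append(f"browser page hijacked to {host}")
        findings.extend((sec, r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Paste a full log into SAMPLE_LOG (or read it from a file) and the same checks run over every entry; the allowlist and binary list are the only parts that need adapting per machine.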
#5 | 14.05.2006, 15:27 | Member, thread starter | Posts: 15
Hello Sabina,
thanks for the instructions; unfortunately the trojan seems to have built in another hurdle. HijackThis could not delete all the entries. The error message "Das Bearbeiten der Registrierung wurde durch den Administrator deaktiviert." appeared (see the new HijackThis log below again). This new administrator was set up by the trojan and given a password. I can't get at it. According to the user accounts, both I and the "new" administrator have computer administrator rights. But my permissions have been restricted since the infection. I cannot delete the trojan administrator; I don't have that permission. Just now, while looking at the user accounts, I also noticed that another new account had appeared by itself. It was called "ASP.Net". It too had admin rights, but I was able to delete that one just now. Here again are all the entries after HijackThis fixed:

Logfile of HijackThis v1.99.1
Scan saved at 15:17:19, on 14.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\internet explorer\iexplore.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Programme\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
i:\Tommy\Eigene Dateien\Eigene Programme\Internet\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetcologne.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smartsurfer.web.de/Download
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von NetCologne
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Agent] C:\Programme\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Programme\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [0900 Warner] C:\PROGRA~1\0190WA~1\WARN0900.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [EzAgent] C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programme\GetRight\getright.exe
O4 - Global Startup: VersionBackup.lnk = C:\Programme\VersionBackup\VersionBackup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Web-Eintrag - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\programme\lotus\organize\bandobjs.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.internetcologne.de
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {51EA44E6-C8C3-4E30-8F3D-D8EE71A44DCB} (Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_1115.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.expressphoto.de/ImageUploader3.cab
O16 - DPF: {ABC1D8DE-CAB5-4FB7-BCD0-137BAB9F09DC} (aldisued-fotos-druck_de_bilduebertragung) - http://www.aldisued-fotos-druck.de/upload/aldi_sued_bilduebertragung.cab
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - Towitoko AG - C:\WINDOWS\SCARDS32.EXE
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

Maybe you have another idea how I can get at it? Thanks and regards, Tommy
#6 | 14.05.2006, 17:41 | Honorary member | Posts: 29434
Tommy55
Avenger
http://virus-protect.org/artikel/tools/avenger.html
Paste in:
Quote:
registry keys to delete:
Click the green traffic light; the script will now run, then the PC will restart automatically.
Post the report from Avenger!
-----------
Then fix with HijackThis:
Quote:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
Restart the PC.
Start -> Run --> regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD (without the Policies key)
If you now find a value named DisableCMD in the right-hand pane, delete it. By the next restart at the latest the command prompt should be available again.
----------------------------------
Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
Unpack echo.zip --> click echo.bat --> the text editor will open --> copy the text
http://virus-protect.org/bat/echo.zip
__________
Regards, Sabina
all about PC security
#7 | 14.05.2006, 22:54 | Member, thread starter | Posts: 15
Hello Sabina,
great that you always respond so quickly. I followed the Avenger tip. But when the script ran, various error messages appeared saying that the registry could not be accessed and that line 1 of the script was invalid and would be ignored. Then something ran, the PC also restarted, and after Windows was back up there were messages that the file scvhost.exe was missing. The message came up a good 5-6 times. Then I found a file named ckl0009.dat under C:\avenger\. I guess that is the file whose content I am supposed to post. Here is the content:
Player (15:50:22) Hitbox 2006 (15:50:46) Windows Media Player (15:50:53) Hitbox 2006 (15:50:55) Windows Media Player (15:51:07) Hitbox 2006 (15:51:15) Windows Media Player (15:51:27) Hitbox 2006 (15:51:56) Windows Media Player (15:52:10) Hitbox 2006 (15:52:12) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD (15:52:18) Hitbox 2006 (15:52:41) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD (15:52:43) Media Pool (15:53:08) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (15:54:53) <No Title> (15:54:54) Summe (15:54:58) <No Title> (15:55:10) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) t (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Left) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) t (Del) p(16:08:13) Programmeinstellungen (16:08:16) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (16:09:09) <No Title> (16:09:17) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) 
(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Right) (Right) (Right) (Left) (Right) (Left) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) 
(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) t (Del) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) t (Del) (Left) (Left) (Left) (Left) (Left) (16:21:19) My Videos (16:21:23) Windows Explorer (16:21:38) Windows Media 
Player (16:22:31) <No Title> (16:22:31) Audio CD (E (16:22:32) My Videos (16:22:35) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (16:22:37) Media Pool (16:23:21) <No Title> (16:23:21) Windows Media Player (16:23:28) Optionen (16:23:37) Windows Media Player (16:23:38) Media Pool (16:23:57) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) 
(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) t t (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t(16:33:22) Media Pool (16:33:24) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD * (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Left) (Left) (Right) (Right) (Left) t (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Right) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Left) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) 
(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Left) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) t (Dwn) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) 
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)

I will do the remaining steps now. I thought I would post first and then carry on deleting. Hopefully everything will still run afterwards??

HERE I am again! The PC is alive again, a bit more!!!! HURRRAA. Thanks already. I got back into the registry. But I could only correct the first entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)

I could not find the other two entries. They are not in the registry, or not at that location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD (without the Policies key)

Perhaps the error window (it looks like a DOS window) that I now get after Windows has booted fits with this too:
C:\windows\system32\cmd.exe : "Die Eingabeaufforderung ist vom Administrator deaktiviert worden. Drücken Sie eine beliebige Taste..."

Unfortunately I could not carry out the next step in your guide with the tool DATFIND.bat, because the same message as at startup appeared there too. How can I solve this problem now? Slowly but surely the squirrel gets fed!!

Good night, Tommy

This post was edited on 14.05.2006 at 23:20 by Tommy55.
14.05.2006, 23:19
Honorary member
Posts: 29434
#8
This .dat -> ckl0009.dat -> was created by the trojan and records everything you do... it is interesting to be able to follow that......... even our "conversations/postings" were recorded....)

Please delete everything in Avenger!
------------------------------------
Start -> Run -> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD (without the Policies key)
If you now find a value named DisableCMD in the right-hand pane, delete it. At the latest after a reboot the command prompt should be available again.

Restart the PC.
-----------------------------------------
Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Regards
Sabina
all about PC security
15.05.2006, 09:27
Member
Thread starter, Posts: 15
#9
Hello Sabina,
unfortunately your tip regarding regedit does not quite work yet: the following entries you named do not exist in my registry at all.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)
HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD (without the Policies key)

Should I create them somehow? If so, how do I do that?
Regards Tommy
15.05.2006, 11:34
Honorary member
Posts: 29434
#10
Start > Run > mmc > File > Add/Remove Snap-in > Add > select Group Policy > Add > Finish > Close > OK > User Configuration > Administrative Templates > System > double-click "Prevent access to the command prompt" > Disabled > OK > close all windows > log on again > at the command line
Then try to post the 4 logs from datfindbat, because those are what I am after.
__________
Regards
Sabina
all about PC security
15.05.2006, 22:11
Member
Thread starter, Posts: 15
#11
I tried to run the program mmc as described, but got stuck at the step "> select Group Policy". That item is not offered to me as a snap-in. There is an item called "Local Users and Groups". Is that the same thing?
Regards Tommy
15.05.2006, 23:21
Honorary member
Posts: 29434
16.05.2006, 22:36
Member
Thread starter, Posts: 15
#13
This seems to be a dead end too. Here is what I can choose:
Start > Run > mmc > File > Add/Remove Snap-in > Add > then, from the CONSOLE ROOT (there is no other choice), I can pick from the following items:
.NET Framework 1.1 Configuration - ActiveX Control - Computer Management - Disk Management - Disk Defragmenter - Services - Event Viewer - Shared Folders - Device Manager - Indexing Service - IP Security Monitor - IP Security Policy Management - Component Services - Performance Logs and Alerts - Local Users and Groups - Link to Web Address - Folder - Removable Storage Management - WMI Control - Certificates

When I select "Local Users and Groups", a new dialog appears asking which computer this snap-in should manage, local or another one. Whichever I choose, I get the error message:
"Auf diesem Computer wird die Windows XP Home Edition ausgeführt. Dieses Snap-In kann mit dieser Windowsversion nicht ausgeführt werden. Verwenden Sie die Option Benutzerkonten in der Systemsteuerung, um lokale Benutzerkonten auf diesem Computer zu verwalten."

Well, how do we go on from here? Roughly, the status again: AntiVir NO LONGER reports that the file wsock32.sys is infected with the virus BDS/Ciadoor.13.312. But the window still opens:
C:\windows\system32\cmd.exe : "Die Eingabeaufforderung ist vom Administrator deaktiviert worden. Drücken Sie eine beliebige Taste..."
and the admin rights, e.g. to run a System Restore, are still locked by the "trojan" administrator through the group policy. Stupid situation, isn't it? Sabina, do you have another idea????
Regards Tommy
17.05.2006, 01:16
Honorary member
Posts: 29434
#14
0.
Choose a different account from the one you are in at the moment... perhaps in safe mode, the Administrator account.
Start > Run > mmc > File > Add/Remove Snap-in > Add > Local Users and Groups
-----------------------------------------
1.
Start -> Run -> regedit
Edit - Find - paste in - scvhost.exe
Delete everything you find....
--------
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings]
set\
set\
set\
xxxxxxxx.ini -- write to me which ini you find there....
__________
Regards
Sabina
all about PC security
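The two manual procedures in this thread, clearing the policy values Sabina lists in #8 and #10 and searching the registry for scvhost.exe as in #14, combined into one audit script. This is an added example, not code from the thread or from any tool Sabina links; it assumes a Windows system with PowerShell, is run as the affected user (HKCU is per user), and the DisableSR location and the Policies variant of DisableCMD are the standard Windows policy locations, not paths named in the thread.

```powershell
# Added example (not from the thread): audit the per-user policy values the
# thread identifies as set by the trojan, and optionally remove them.
# Run as the affected user; pass -Remediate to delete values that are set.
param([switch]$Remediate)

# Policy values named in the thread (HKCU). The Policies\...\System\DisableCMD
# path and the HKLM SystemRestore\DisableSR path are the documented Windows
# policy locations and are assumptions, not paths quoted in the thread.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\System';                          Name = 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                 Name = 'DisableCMD' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR' }
)

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { Write-Output "absent  $($c.Path)"; continue }
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).$($c.Name)
    if ($null -eq $val) { Write-Output "absent  $($c.Path)\$($c.Name)"; continue }
    $state = if ($val -ne 0) { 'SET' } else { 'clear' }
    Write-Output ("{0,-7} {1}\{2} = {3}" -f $state, $c.Path, $c.Name, $val)
    if ($Remediate -and $val -ne 0) {
        # Deleting the value restores the default, which is what the thread advises.
        Remove-ItemProperty -Path $c.Path -Name $c.Name
        Write-Output "removed $($c.Path)\$($c.Name)"
    }
}

# Autostart locations: report (do not delete) any value whose data references
# scvhost.exe, the look-alike of the legitimate svchost.exe named in the thread.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'   # XP-era key
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell provider metadata
        if ("$($p.Value)" -match '(?i)scvhost\.exe') {
            Write-Output "SUSPECT $k\$($p.Name) = $($p.Value)"
        }
    }
}

# The thread names HKCU\Software\VB and VBA Program Settings as the place where
# the trojan keeps its .ini; list the subkeys so the name can be reported.
$vb = 'HKCU:\Software\VB and VBA Program Settings'
if (Test-Path $vb) {
    Get-ChildItem -Path $vb -Recurse | ForEach-Object {
        Write-Output "VB/VBA settings key: $($_.PSPath -replace '^.*::', '')"
    }
}
```

Run it once without the switch to see which values are set, then with -Remediate to delete only the non-zero ones. The autostart and VB/VBA hits are reported rather than removed, matching the thread's approach of posting what is found before deleting it.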
17.05.2006, 23:21
Member
Thread starter, Posts: 15
#15
I first logged on in safe mode with all users (also as the "trojan" admin!!). But I still could not add "Local Users and Groups" via mmc. The message still came:
"Auf diesem Computer wird die Windows XP Home Edition ausgeführt. Dieses Snap-In kann mit dieser Windowsversion nicht ausgeführt werden. Verwenden Sie die Option Benutzerkonten in der Systemsteuerung, um lokale Benutzerkonten auf diesem Computer zu verwalten."

But I was able to reset the password of the "trojan" administrator (only in safe mode). In regedit I deleted all entries containing "scvhost.exe". I deleted the entries completely, not just the values, and hope that was right??? The ini file you asked about is: r25o9D2UXD.ini. Otherwise yesterday's restrictions still apply.

One more addition: when I try to log on as the "trojan" administrator in "normal" mode, I again get a password prompt for the user "trojan" admin. At that point it does not ask for the password I changed in safe mode. Strange! Then I logged on in normal mode as the second user (my wife). The following Avenger log file opened automatically. Maybe it helps you:

Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cupgedcf
*******************
Script file located at: \??\C:\WINDOWS\sjrhfafv.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\ckl009.dat deleted successfully.
File C:\WINDOWS\system32\scvhost.exe deleted successfully.
File C:\WINDOWS\system32\wsock32.sys not found!
Deletion of file C:\WINDOWS\system32\wsock32.sys failed!
Could not process line:
C:\WINDOWS\system32\wsock32.sys
Status: 0xc0000034
File C:\WINDOWS\mssys.exe not found!
Deletion of file C:\WINDOWS\mssys.exe failed!
Could not process line:
C:\WINDOWS\mssys.exe
Status: 0xc0000034
File C:\WINDOWS\system32\del32.bat not found!
Deletion of file C:\WINDOWS\system32\del32.bat failed!
Could not process line:
C:\WINDOWS\system32\del32.bat
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.

Regards Tommy

This post was edited on 18.05.2006 at 13:21 by Tommy55.
The Task Manager gets switched off, and various admin rights (e.g. activating an earlier restore point) no longer work. When I try, I get the nice message "Die Systemwiederherstellung wurde aufgrund einer Gruppenrichtlinie deaktiviert. Wenden Sie sich an den Domänenadministrator, um die Systemwiederherstellung zu aktivieren."
That would have been my first attempt at getting rid of the trojan. I also have a backup of C: on an external hard disk. Would that perhaps be a sensible solution too? The catch is that not all files that are currently in use get restored, since some could not be saved when the backup was created.
I am not a PC freak, so if anyone has a tip, please describe it for a PC dummy if at all possible.
Thanks a lot in advance!!