Trojan BDS/Ciadoor.13.312 - various admin rights disabled -

11.05.2006, 00:35
Member

Posts: 15
#1 Help, can anyone help me? According to my antivirus program, AVIRA AntiVir, the trojan BDS/Ciadoor.13.312 has lodged itself in the file wsock32.sys on my computer.

The Task Manager gets disabled, and various admin functions (e.g. activating an earlier restore point) no longer work. When I try, I get the nice message "System Restore has been turned off by group policy. To turn on System Restore, contact your domain administrator."

That would have been my first attempt at getting rid of the trojan. I also have a backup of C: on an external hard drive. Would that perhaps be a sensible solution as well? The only catch is that not all of the files currently in use would be brought up to date, since some of them could not be saved when the backup was created.

I'm not a PC geek, so if anyone has a tip, please describe it so that a PC dummy can follow it.

Thanks in advance!!
11.05.2006, 12:42
Honorary member

Posts: 29434
#2 Tommy55

this can be cleaned. It takes several steps, but so far I have always managed to clean it ;)
http://virus-protect.org/artikel/dienste/wsock32sys.html

HijackThis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder
--> None of the above, just start the program --> Save --> Savelog --> the editor opens
now copy the COMPLETE log with a right mouse click and paste it into the forum with a right mouse click "Paste"
__________
Regards, Sabina

all about PC security
13.05.2006, 14:43
Member

Thread starter

Posts: 15
#3 Hello Sabina,

thanks again for agreeing to help me. Unfortunately I only got around to the HijackThis scan today. I also ran the cleanup with Cleanup beforehand. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 14:38:36, on 13.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Programme\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programme\CyberLink\PowerVCRII\Agent.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Tommy\Eigene Dateien\Eigene Programme\Internet\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smartsurfer.web.de/Download
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von NetCologne
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - C:\WINDOWS\system32\wsock32.sys (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Agent] C:\Programme\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Programme\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mssys.exe /u
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [0900 Warner] C:\PROGRA~1\0190WA~1\WARN0900.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [EzAgent] C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programme\GetRight\getright.exe
O4 - Global Startup: VersionBackup.lnk = C:\Programme\VersionBackup\VersionBackup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Web-Eintrag - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\programme\lotus\organize\bandobjs.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.internetcologne.de
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c2.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {51EA44E6-C8C3-4E30-8F3D-D8EE71A44DCB} (Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_1115.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.expressphoto.de/ImageUploader3.cab
O16 - DPF: {ABC1D8DE-CAB5-4FB7-BCD0-137BAB9F09DC} (aldisued-fotos-druck_de_bilduebertragung) - http://www.aldisued-fotos-druck.de/upload/aldi_sued_bilduebertragung.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O21 - SSODL: System - {B2A551D4-D9C9-42A6-ABD8-9DABF6ACA3E7} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - Towitoko AG - C:\WINDOWS\SCARDS32.EXE
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE



I hope you can make something of it. To me it is almost all Greek.

AntiVir still dutifully reports on every startup that the infected file wsock32.sys has been found in the windows/system32 directory.

Now I hope you know how I can get rid of this pest without having to set up the computer from scratch.

Thanks again and see you soon
Tommy
13.05.2006, 15:13
Honorary member

Posts: 29434
#4 open HijackThis -- button "Scan" -- put check marks in front of the malware entries -- button "Fix checked" -- restart the PC

Quote

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - C:\WINDOWS\system32\wsock32.sys (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mssys.exe /u
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c2.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB

O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O21 - SSODL: System - {B2A551D4-D9C9-42A6-ABD8-9DABF6ACA3E7} - C:\WINDOWS\system32\system32.dll (file missing)
restart the PC

go into the registry...you should actually be able to get into the registry again now....

Start->Run --> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD
(without the Policies key)

If you now find a value named DisableCMD in the right-hand pane, delete it. After a restart at the latest, the command prompt should be available again
----------------------------------

Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

echo.zip
unpack --> click echo.bat --> the text editor will open --> copy the text http://virus-protect.org/bat/echo.zip
__________
Regards, Sabina

all about PC security
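The entries Sabina picks out of the log above can be found mechanically. The script below is an added example for this thread, not a tool from the forum or from the HijackThis author; it encodes the same triage rules: a system.ini Shell= value that is not plain Explorer.exe and non-empty win.ini load=/run= values (F2/F3), O7 policy restrictions, autostarts under the Win9x-era RunServices key (Windows XP does not process it, so only legacy-style malware writes there), references to files that no longer exist, a BHO whose path is not a DLL, a remote URL in "Local Page", and executable names one edit away from a core Windows binary (scvhost.exe for svchost.exe). The sample lines are copied from the log in post #3; the rule names and the list of system binaries are the example's own choices.

```python
"""HijackThis log triage: an added example for this thread, not a tool
from the forum. It flags the entry types the helper singled out above."""
import re
from dataclasses import dataclass

# Core Windows binaries that malware imitates by changing one letter (scvhost.exe).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "smss.exe", "services.exe", "explorer.exe", "spoolsv.exe",
}
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")   # "O4 - ..." style lines
EXE_RE = re.compile(r"[\w.-]+\.exe", re.IGNORECASE)       # bare file names, no path
INI_RE = re.compile(r"(Shell|load|run)=(.*)$", re.IGNORECASE)
MISSING_RE = re.compile(r"\s*\((file missing|no file)\)$", re.IGNORECASE)

# Constructed sample: entry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - C:\WINDOWS\system32\wsock32.sys (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: System - {B2A551D4-D9C9-42A6-ABD8-9DABF6ACA3E7} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
"""

@dataclass(frozen=True)
class Finding:
    line: str
    reason: str

def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance where swapping two adjacent letters costs 1 (scvhost vs svchost)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(filename: str):
    """Return the system binary this name is one edit away from, or None when it is
    a genuine system name or not close to one (msmsgs.exe stays clean)."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if osa_distance(name, known) == 1:
            return known
    return None

def triage(log_text: str) -> list:
    """Apply the rules from the thread to every 'Xn - ...' entry; one Finding per rule hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if section in ("F2", "F3"):
            # system.ini Shell= must be exactly Explorer.exe; win.ini load=/run= must be empty
            ini = INI_RE.search(body)
            if ini:
                key, value = ini.group(1).lower(), ini.group(2).strip()
                if (key == "shell" and value.lower() != "explorer.exe") or (key != "shell" and value):
                    findings.append(Finding(line, "ini-load-point"))
        elif section == "O7":
            findings.append(Finding(line, "policy-restriction"))
        elif section == "O4" and "RunServices" in body:
            # Windows XP never reads RunServices; only Win9x-era malware writes there
            findings.append(Finding(line, "runservices-autostart"))
        elif section == "O2" and not MISSING_RE.sub("", body).lower().endswith(".dll"):
            findings.append(Finding(line, "bho-not-a-dll"))  # a BHO is always a DLL
        elif section == "R0" and "Local Page = http" in body:
            findings.append(Finding(line, "remote-local-page"))  # normally blank or a local file
        if MISSING_RE.search(body):
            findings.append(Finding(line, "orphaned-reference"))
        for exe in EXE_RE.findall(body):
            known = lookalike_of(exe)
            if known:
                findings.append(Finding(line, f"lookalike:{known}"))
    return findings

def reasons_for(log_text: str, prefix: str) -> set:
    """All rule hits on the entry line(s) starting with prefix; an empty set means clean."""
    return {f.reason for f in triage(log_text) if f.line.startswith(prefix)}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:24} {f.line}")
```

A hit is a reason to look, not a verdict, and a clean line is not proof of anything: the next log in this thread shows the same F2/F3 and O4 entries for scvhost.exe surviving "Fix checked" because the registry was locked, so the triage is worth rerunning on a fresh log after every step.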
14.05.2006, 15:27
Member

Thread starter

Posts: 15
#5 Hello Sabina,

thanks for the instructions; unfortunately the trojan seems to have built in another hurdle. HijackThis could not delete all of the entries. I got the error message "Registry editing has been disabled by your administrator." (see the new HijackThis log file again below)

This new administrator was set up by the trojan and given a password. I can't get at it. According to User Accounts, both I and the "new" administrator have computer administrator rights. But my permissions have been restricted since the infection. I can't delete the trojan administrator. I don't have that permission. Just now, while looking at the user accounts, I also noticed that yet another new account had appeared by itself. It was called "ASP.Net". It also had admin rights, but that one I was able to delete just now.

Here are all the entries again after HijackThis has done its fix:

Logfile of HijackThis v1.99.1
Scan saved at 15:17:19, on 14.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\internet explorer\iexplore.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Programme\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
i:\Tommy\Eigene Dateien\Eigene Programme\Internet\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetcologne.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smartsurfer.web.de/Download
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von NetCologne
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Agent] C:\Programme\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Programme\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [0900 Warner] C:\PROGRA~1\0190WA~1\WARN0900.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [EzAgent] C:\Programme\ASUS\ASUS FM Radio\ezagent.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programme\GetRight\getright.exe
O4 - Global Startup: VersionBackup.lnk = C:\Programme\VersionBackup\VersionBackup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Web-Eintrag - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\programme\lotus\organize\bandobjs.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.internetcologne.de
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {51EA44E6-C8C3-4E30-8F3D-D8EE71A44DCB} (Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_1115.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.expressphoto.de/ImageUploader3.cab
O16 - DPF: {ABC1D8DE-CAB5-4FB7-BCD0-137BAB9F09DC} (aldisued-fotos-druck_de_bilduebertragung) - http://www.aldisued-fotos-druck.de/upload/aldi_sued_bilduebertragung.cab
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - Towitoko AG - C:\WINDOWS\SCARDS32.EXE
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

Maybe you have another idea how I can get at it?

Thanks and regards
Tommy
14.05.2006, 17:41
Honorary member

Posts: 29434
#6 Tommy55

Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

registry keys to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit

Files to delete:
C:\WINDOWS\system32\ckl009.dat
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\wsock32.sys
C:\WINDOWS\mssys.exe
C:\WINDOWS\system32\del32.bat
Click the green traffic light
the script will now run, then the PC will restart automatically
post the report from Avenger!

-----------

then fix with HijackThis:

Quote

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
restart the PC

Start->Run --> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD
(without the Policies key)

If you now find a value named DisableCMD in the right-hand pane, delete it. After a restart at the latest, the command prompt should be available again
----------------------------------

Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

echo.zip
unpack --> click echo.bat --> the text editor will open --> copy the text http://virus-protect.org/bat/echo.zip
__________
Regards, Sabina

all about PC security
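The regedit steps Sabina spells out twice (post #4 and again in post #6) can be bundled into one file that regedit imports, which is easier for someone who is not comfortable editing values by hand. The fragment below is an added example for this thread, not a file from the forum. The first two keys hold exactly the values named above; note that HijackThis prints the DisableRegistryTools value as "DisableRegedit" on its O7 line, and the Avenger script in post #6 uses that HijackThis label under "registry keys to delete", while the real value name is the one the regedit step in this thread gives. The SystemRestore policy key is not part of the thread's steps; it is where Windows XP keeps the "turned off by group policy" setting quoted in the first post, and it is included here as an assumption about that message rather than something the thread confirmed.

```reg
Windows Registry Editor Version 5.00

; Per-user policy values the backdoor set; these are what the O7 line and the
; regedit step above refer to. "=-" deletes the value on import.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-

; The command-prompt lock lives under ...\Windows\System, not under Policies,
; exactly as the thread points out.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\System]
"DisableCMD"=-

; Assumption, not from the thread: the "System Restore has been turned off by
; group policy" message in post #1 corresponds to this machine-wide policy key.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=-
"DisableConfig"=-
```

Save it as a .reg file and double-click it, or run `regedit /s <file>.reg`. Two caveats a practitioner would want: the DisableRegistryTools policy blocks regedit's silent import just as it blocks the GUI, so while that value is still set the same deletions have to be done with `reg delete` from a command prompt (the `reg` tool is not covered by that policy, although DisableCMD would block the prompt itself); and a backdoor that is still running re-applies these values, so the change only sticks once the autostart entries and scvhost.exe are gone, which is why the thread orders the steps the way it does.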
14.05.2006, 22:54
Member

Thread starter

Posts: 15
#7 Hello Sabina,

great that you always react so quickly. I followed the tip with Avenger. But various error messages appeared while the script was being executed, saying that access to the registry was not possible and that line 1 of the script was not valid and would be ignored. Then something ran, the PC restarted too, and after Windows was back up there were messages saying that the file scvhost.exe was missing. The message appeared a good 5-6 times.

Then I found a file named ckl0009.dat under C:\avenger\. I guess that is the file whose contents I am supposed to post. Here are the contents:

Server Started @23:30:03 07.05.2006

(23:31:03) Microsoft Internet Explorer
(23:31:08) nkoppl223a
(23:31:10) <No Title>
(23:31:11) Microsoft Internet Explorer
(23:31:18) <No Title>
(23:31:21) <No Title>
(23:31:22) Startmenü

Server Started @23:38:44 07.05.2006
(23:38:46) Server nicht gefunden - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:38:47) <No Title>
(23:38:47) Program Manager
(23:38:47) NetDSL Einwahlassistent
(23:38:51) Microsoft Internet Explorer
(23:39:02) <No Title>
(23:39:03) <No Title>
(23:39:04) Control Center
(23:39:12) Avira AntiVir PersonalEdition Classic Updater

(23:39:17) ZoneAlarm Pro
(23:39:18) Avira AntiVir PersonalEdition Classic Updater
(23:39:25) AntiVir® Notifier
(23:39:27) Avira AntiVir PersonalEdition Classic Updater


(23:40:17) InterNetCologne - Ihr Startplatz in die Online-Welt - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:40:20) Avira AntiVir PersonalEdition Classic Updater
(23:40:20) <No Title>
(23:40:20) ZoneAlarm Pro
(23:40:24) Avira AntiVir PersonalEdition Classic Updater
(23:40:33) ZoneAlarm Pro
(23:40:43) Avira AntiVir PersonalEdition Classic Updater

(23:40:46) InterNetCologne - Ihr Startplatz in die Online-Welt - Microsoft Internet Explorer bereitgestellt von NetCologne


(23:42:07) Microsoft Internet Explorer bereitgestellt von NetCologne



(23:43:16) <No Title>
(23:43:16) ALDI informiert: Angebote bei ALDI, ALDI Produkte, ALDI Öffnungszeiten - Microsoft Internet Explorer bereitgestellt von NetColo




(23:45:17) Microsoft Internet Explorer bereitgestellt von NetCologne

(23:45:52) Media Markt. Die beliebtesten Digital-Kameras. - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:45:54) <No Title>
(23:45:54) Microsoft Internet Explorer bereitgestellt von NetCologne

(23:46:16) Media Markt. Die beliebtesten Digital-Kameras. - Microsoft Internet Explorer bereitgestellt von NetCologne
ww.casio.de
(23:46:37) Microsoft Internet Explorer bereitgestellt von NetCologne


(23:47:35) Microsoft Internet Explorer bereitgestellt von NetCologne



(23:48:49) EXILIM CARD - EX-S600 "Sparkle Silver"- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:48:51) http://www.exilim.de/de/exilimcard/exs600silver/gallery/3d/ - Microsoft Internet Explorer bereitgestellt von NetCologne

(23:49:22) EXILIM CARD - EX-S600 "Sparkle Silver"- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne



(23:51:05) Microsoft Internet Explorer bereitgestellt von NetCologne
(23:51:12) Press- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne

(23:51:23) http://www.exilim.de/de/press/article/12994585/ - Microsoft Internet Explorer bereitgestellt von NetCologne


(23:52:18) Press- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne







(23:55:49) <No Title>
(23:55:49) Microsoft Internet Explorer
Casio Exilim(23:56:04) EXILIM ZOOM EX-Z1000- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:56:11) Google - Microsoft Internet Explorer bereitgestellt von NetCologne
-Z10
00(23:56:29) <No Title>
(23:56:32) Computer-Nachrichten.de - Casio Exilim Z1000 und Z5: Serien-Blitz, Anti-Shake-DSP und 3fach-Zoo - Microsoft Internet Explorer b
(23:56:32) <No Title>
(23:56:34) Computer-Nachrichten.de - Casio Exilim Z1000 und Z5: Serien-Blitz, Anti-Shake-DSP und 3fach-Zoo - Microsoft Internet Explorer b
(23:56:34) Windows Installer
(23:56:35) Computer-Nachrichten.de - Casio Exilim Z1000 und Z5: Serien-Blitz, Anti-Shake-DSP und 3fach-Zoo - Microsoft Internet Explorer b




(23:58:37) <No Title>
(23:58:38) Startseite - CASIO EUROPE - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:58:39) EXILIM ZOOM EX-Z1000- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:58:40) Aktuelle IT-News auf - 26.04.2006, 13:16: Casio Exilim Zoom EX-Z1000: 10 Megapixel und Breitbil - Microsoft Internet Explorer b
(23:58:42) Aktuelle IT-News auf - 26.04.2006, 13:16: Casio Exilim Zoom EX-Z1000: 10 Megapixel und Breitbil - Microsoft Internet Explorer b

(23:58:44) <No Title>

(23:59:18) Task-Manager
(23:59:19) EXILIM ZOOM EX-Z1000- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:59:24) <No Title>
(23:59:27) EXILIM ZOOM EX-Z1000- EXILIM - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:59:28) Startseite - CASIO EUROPE - Microsoft Internet Explorer bereitgestellt von NetCologne
(23:59:28) Aktuelle IT-News auf - 26.04.2006, 13:16: Casio Exilim Zoom EX-Z1000: 10 Megapixel und Breitbil - Microsoft Internet Explorer b
(23:59:36) Task-Manager
(23:59:38) Aktuelle IT-News auf - 26.04.2006, 13:16: Casio Exilim Zoom EX-Z1000: 10 Megapixel und Breitbil - Microsoft Internet Explorer b
(23:59:42) <No Title>

Server Started @00:03:25 08.05.2006

(00:05:04) Server nicht gefunden - Microsoft Internet Explorer bereitgestellt von NetCologne
(00:05:12) InterNetCologne - Ihr Startplatz in die Online-Welt - Microsoft Internet Explorer bereitgestellt von NetCologne
(00:05:12) <No Title>
(Del) (00:05:15) Task-Manager
(00:05:21) <No Title>
(00:05:24) i:\Tommy\Eigene Dateien\Eigene Programme\Brennprogramme\Nero 7.2
(00:05:24) <No Title>
(00:05:27) Avira AntiVir PersonalEdition Classic
(00:05:27) <No Title>
(00:05:30) Startmenü

(00:05:34) <No Title>
(00:05:40) Hilfe- und Supportcenter
(00:05:50) Systemwiederherstellung

(00:06:05) Hilfe- und Supportcenter
(00:06:11) <No Title>
(00:06:14) <No Title>
(00:06:15) NetDSL Einwahlassistent
(00:06:17) <No Title>

(00:07:01) <No Title>
(00:07:01) Windows Explorer

(00:07:31) Startmenü

(00:07:33) <No Title>
(00:07:33) <No Title>
(00:07:33) <No Title>
(00:07:35) <No Title>
(00:07:35) <No Title>

(00:08:08) C:\
(00:08:26) <No Title>
(00:08:28) <No Title>
(00:08:28) Control Center

(00:08:59) AntiVir Guard


(00:10:01) <No Title>
(00:10:01) Startmenü
(00:10:02) <No Title>
(00:10:02) <No Title>
(00:10:03) <No Title>

Server Started @23:56:11 10.05.2006

(23:57:08) Windows Explorer
(23:57:10) ZoneAlarm Pro
(23:57:11) Eigene Dateien


(23:57:56) <No Title>
(23:57:56) Achtung Fund!
(23:58:16) system32

(23:58:27) <No Title>
(23:58:27) Achtung Fund!

(23:59:14) system32
(23:59:18) Achtung Fund!
(23:59:21) system32

(23:59:23) <No Title>
(23:59:23) Achtung Fund!

(00:00:16) system32
(00:00:18) <No Title>
(00:00:18) Achtung Fund!
(00:00:20) system32

(00:00:24) Achtung Fund!
(00:00:28) system32
(00:00:32) <No Title>
(00:00:32) Achtung Fund!
(00:00:35) system32

(00:01:21) <No Title>
(00:01:21) Startmenü
(00:01:22) Windows Explorer

(00:01:26) <No Title>
(00:01:42) Systemsteuerung
(00:01:47) system32

(00:01:53) Startmenü
(00:02:05) <No Title>
(00:02:05) Hilfe- und Supportcenter
(00:02:07) Systemwiederherstellung
(00:02:08) Hilfe- und Supportcenter
(00:02:10) Systemwiederherstellung

(00:02:47) Hilfe- und Supportcenter

Server Started @15:14:17 14.05.2006
(15:14:26) <No Title>
(15:14:36) Startmenü
(15:14:39) Program Manager
(15:14:40) <No Title>
(15:14:41) Windows Explorer

(15:14:57) HijackThis - v1.99.1


(15:15:51) hijackthis
(15:15:52) Startmenü
(15:15:53) <No Title>
(15:15:53) <No Title>
(15:15:53) <No Title>
(15:15:54) <No Title>
(15:15:55) hijackthis
(15:15:55) <No Title>
(15:16:12) hijackthis
(15:16:15) <No Title>
(15:16:15) <No Title>
(15:16:16) hijackthis

(15:16:22) <No Title>
(15:16:27) hijackthis
(15:16:29) HijackThis - v1.99.1
(15:16:45) Öffnen

zweiter
(15:17:18) HijackThis - v1.99.1
(15:17:19) zweiter Scan nach Ciadoor.log - Editor
(15:17:29) HijackThis - v1.99.1
(15:17:31) zweiter Scan nach Ciadoor.log - Editor
(15:17:33) <No Title>
(15:17:34) NetDSL Einwahlassistent
(15:17:40) <No Title>
(15:17:40) Microsoft Internet Explorer

Hallo Sb (Back) abina,

danke f;r dien (Back) Anl
eite (Back) ung, leider scheint der Trojaner noch eine H;rde eingebaut zu haben. Der (Back) (Back) (Back) (Back) Er hat ja auf mei
nem Rechner einen neune (Back) (Back) en Administrator angelegt. Ich bin laut b (Back) Benutzerrechten auch noch
(Del) Bei folen (Back) (Back) (Back) legen (Back) (Back) (Back) (Back) gende Mal-Wart (Back) e (Back) (Back) ree (Back) (Back) (Back) (Back) (Back) (Back) ware-Eintr~ge konnte HijackThis nicht l'schen, (Back) (Back) . Es
kam die Fehlermeldung "Das Bearbeietne (Back) (Back) (Back) (Back) ten der Registrierung wurde durch den Administrator deaktiviert."

Dieser
sogenannte Administrag (Back) tor hat sich ja mit dm (Back) em (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) (Back) wi (Back) urde von dem W (Back) Trojaner eingerichtet und mit einem Pa[wort versehen., (Back) (Back) (Back) . Da
komme ich nicht ran. Laut (Back) (Back) (Back) (Back) (Back) Laut Benutzer(15:21:04) Startmenü
(15:21:08) Windows Explorer
(15:21:12) <No Title>


(15:21:49) Systemsteuerung
(15:21:55) zweiter Scan nach Ciadoor.log - Editor
(15:21:56) NetDSL Einwahlassistent
(15:21:57) Trojaner BDS/Ciadoor.13.312 - diverse Admin Rechte abgeschaltet - - Security Forum - Microsoft Internet Explorer bereitgestellt
kont gi (Back) (Back) habe (Back) n ich und der "neue (Back) " Administrator
die Computeradministratorrechte. Nur kann ich den Trojaner-Administrator nicht l'schen. Diese Kompe
tenz habe ich nicht. Gerade habe ich noch festgestellt, als ih (Back) (Back) ch mit (Back) (Back) r die Benutzerkonn (Back) ten angeseehn h (Back) (Back) (Back) (Back) (Back) hen habe, dass noch ein Konto entst
anden ist. Es nannte sich ASP.Net (Left) (Left) (Left) (Left) (Left) (Left) (Left) " (Right) (Right) (Right) (Right) (Right) (Right) (Right) ". Auch dieses verf;gte ;ber Admin
-Rechte, das konte (Back) (Back) (Back) nte ich aber gerade l'schen.

Hier die Eintr~ge di (Back) e HijackThis nicht l'schen konnte>



nochmal alle (Del) (Del) (Del) (Del) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Del) (Del) (Del) nachdme (Back) (Back) (Back) em (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) (Del) gefixt hat
(Del) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) konnte ni (Back) (Back) (Back) (Right) (Right) (Right) (Right) (Right) (Right) (Right) alle Eintr~ge
(Dwn) (Dwn) *siehe nochmal Logdatei von (Left) (Left) (Left) (Right) neuen (Back) (End) HijackThis unten) (Back) (
Server Started @15:35:38 14.05.2006
(15:35:49) Server nicht gefunden - Microsoft Internet Explorer bereitgestellt von NetCologne
(15:35:50) <No Title>
(15:35:51) Program Manager
(15:35:51) <No Title>
(15:35:51) Windows Explorer
(15:35:56) <No Title>
(15:35:57) MAGIX Video deLuxe 2005/2006
(15:35:57) <No Title>
(15:36:00) MAGIX Video deLuxe 2005/2006
(15:36:00) Video (293 x 381)
(15:36:02) Media Pool
(15:36:02) MAGIX Video deLuxe 2005/2006 - Neu01.MVD
(15:36:02) Video (360 x 288)
(15:36:02) Media Pool
(15:36:04) MAGIX Video deLuxe 2005/2006 - Neu01.MVD
(15:36:07) Media Pool

(15:36:10) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD
(15:39:51) <No Title>
(15:39:51) Windows Explorer
(15:39:53) Windows Explorer
(15:39:55) Eigene Dateien
(15:39:56) NEU (E;)



(15:41:11) Windows Media Player


(15:42:19) Top 100 27.02.2006

(15:42:57) Windows Media Player


(15:43:40) mixed dance

(15:44:12) Windows Media Player
(15:44:26) mixed dance

(15:44:47) Windows Media Player
(15:44:50) <No Title>
(15:44:50) mixed dance

(15:45:16) Eigene Dateien


(15:46:16) Windows Media Player

(15:46:41) Kontor - Chill out 2
(15:47:01) Windows Media Player




(15:48:50) Anastacia - Pieces Of A Dream[2005][CD+3Vid+Covers]


(15:49:47) Windows Media Player

(15:50:22) Hitbox 2006

(15:50:46) Windows Media Player
(15:50:53) Hitbox 2006
(15:50:55) Windows Media Player
(15:51:07) Hitbox 2006

(15:51:15) Windows Media Player
(15:51:27) Hitbox 2006

(15:51:56) Windows Media Player

(15:52:10) Hitbox 2006
(15:52:12) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD
(15:52:18) Hitbox 2006

(15:52:41) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD
(15:52:43) Media Pool
(15:53:08) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *




(15:54:53) <No Title>
(15:54:54) Summe
(15:54:58) <No Title>

(15:55:10) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *
p(16:08:13) Programmeinstellungen
(16:08:16) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *

(16:09:09) <No Title>

(16:09:17) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *

(16:21:19) My Videos
(16:21:23) Windows Explorer
(16:21:38) Windows Media Player


(16:22:31) <No Title>
(16:22:31) Audio CD (E;)
(16:22:32) My Videos
(16:22:35) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *
(16:22:37) Media Pool


(16:23:21) <No Title>
(16:23:21) Windows Media Player
(16:23:28) Optionen
(16:23:37) Windows Media Player
(16:23:38) Media Pool

(16:23:57) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *

(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t(16:33:22) Media Pool
(16:33:24) MAGIX Video deLuxe 2005/2006 - Leipzig2006.MVD *


(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Left) (Left) (Right) (Right) (Left) t
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Right) (Right) t


(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Left) (Right) t (Right) (Right) (Right)
(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right)
(Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Left) (Right) t (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Right) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Right) t




(Dwn)
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)
(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)


(Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) t (Del) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left) (Left)


I'll do the remaining steps now. I thought I'd post first and then carry on deleting. Hopefully everything will still run afterwards??

I'm back! The PC is a bit more alive again!!!! HURRAY ;) ;) Thanks already. I got back into the registry. But I could only correct the first entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)

I couldn't find the other two entries. They are not in the registry, or not at that location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD
(without the Policies key)

Maybe this also fits with the error window (looks like a DOS window) that I now get once Windows has booted:

C:\windows\system32\cmd.exe : "The command prompt has been disabled by your administrator. Press any key to continue..."

I couldn't carry out the next step in your instructions, with the tool DATFIND.bat, either, because the same message as at startup appeared there too.

How can I solve the problem now? It's slow going!!

Good night, Tommy
This post was edited on 14.05.2006 at 23:20 by Tommy55.
14.05.2006, 23:19
Honorary member
Avatar Sabina

Posts: 29434
#8 this dat -> ckl0009.dat -> was created by the trojan and records everything you do... it is interesting to be able to follow that.........even our "conversations/postings" were recorded....)
please delete everything in Avenger!

------------------------------------

Start->Run --> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001" --> set to 0 (or delete the whole key)
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD
(without the Policies key)

If you now find a value named DisableCMD in the right-hand pane, delete it. After a reboot at the latest, the command prompt should be available again

restart the pc
-----------------------------------------

Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina

all about PC security
15.05.2006, 09:27
Member

Thread starter

Posts: 15
#9 Hello Sabina,

unfortunately your tip regarding regedit doesn't quite work yet:

The following entries you named don't exist in my registry at all.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001" --> set to 0 (or delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\System\DisableCMD (without the Policies key)


Should I create them somehow? If so, how do I do that?

Regards
Tommy
15.05.2006, 11:34
Honorary member
Avatar Sabina

Posts: 29434
#10 Start > Run > mmc > File > Add/Remove Snap-in > Add > select Group Policy > Add > Finish > Close > OK > User Configuration > Administrative Templates > System > double-click "Prevent access to the command prompt" > Disabled > OK > close all windows > log on again > at the command line


then try to post the 4 logs from datfindbat, because those are what I'm after
__________
Regards, Sabina

all about PC security
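Posts #8 and #10 above describe the same job two ways: clearing the policy values by hand in regedit, or switching the policy off in the Group Policy editor. The Group Policy editor is not shipped with Windows XP Home Edition, so on that edition the registry values are the only handle. The script below is an added example of mine, not code from the thread or from any of the tools it links to. It audits the policy values behind each of the lockouts the thread reports (Task Manager, regedit, cmd.exe, and the "disabled by Group Policy" System Restore message) and removes those that are set. The paths are the documented policy locations; note that DisableCMD is read from HKCU\Software\Policies\Microsoft\Windows\System, which is not the path quoted in the thread, and that the machine-wide System Restore policy is my addition to the list, not something the thread names.

```powershell
# Added example, not from the thread. Audits the user-level and machine-level
# policy values that a backdoor like the one discussed here sets to lock the
# victim out, prints what it finds, and removes non-zero values. Run as the
# affected user in an elevated PowerShell; keep -WhatIf on the first pass and
# drop it to apply the change.
$lockouts = @(
    # Task Manager / regedit lockout (value 1 = disabled). Both hives are honoured.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = @('DisableTaskMgr', 'DisableRegistryTools') },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = @('DisableTaskMgr', 'DisableRegistryTools') },
    # "The command prompt has been disabled by your administrator"
    # (1 = cmd.exe and batch files blocked, 2 = only the interactive prompt).
    # Documented location is under ...\Policies\..., not the path quoted in the thread.
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Names = @('DisableCMD') },
    # Machine-wide policy behind "System Restore has been turned off by group policy".
    # Assumption: this is the value the thread's error message refers to.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Names = @('DisableSR', 'DisableConfig') }
)

$found = 0
foreach ($entry in $lockouts) {
    if (-not (Test-Path -Path $entry.Path)) { continue }
    $item = Get-ItemProperty -Path $entry.Path
    foreach ($name in $entry.Names) {
        $prop = $item.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }        # value not present: nothing set here
        $found++
        '{0}\{1} = {2}' -f $entry.Path, $name, $prop.Value
        if ($prop.Value -ne 0) {
            # Deleting the value is the same as "Not configured" in the policy editor.
            Remove-ItemProperty -Path $entry.Path -Name $name -WhatIf
        }
    }
}
if ($found -eq 0) { 'no lockout policy values present' }
'Log off and on again (or reboot) so Explorer re-reads the policies.'
```

If cmd.exe and regedit are both blocked, reg.exe can still be started directly from Start > Run, which does not go through cmd.exe; for example `reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f`. Once DisableRegistryTools is gone, regedit works again and the rest can be done there.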
15.05.2006, 22:11
Member

Thread starter

Posts: 15
#11 I tried to run the mmc program as described ;), but got stuck at the point > select Group Policy. That item isn't offered to me as a snap-in. There is an item called "Local Users and Groups". Is that what is meant?

Regards
Tommy
15.05.2006, 23:21
Honorary member
Avatar Sabina

Posts: 29434
#12 yes, try that,
__________
Regards, Sabina

all about PC security
16.05.2006, 22:36
Member

Thread starter

Posts: 15
#13 ;) this also seems to be a dead end. I can select the following:

Start > Run > mmc > File > Add/Remove Snap-in > Add > Then from CONSOLE ROOT (there is no other choice) I can pick from the following items:

- .NET Framework 1.1 Configuration
- ActiveX Control
- Computer Management
- Disk Management
- Disk Defragmenter
- Services
- Event Viewer
- Shared Folders
- Device Manager
- Indexing Service
- IP Security Monitor
- IP Security Policy Management
- Component Services
- Performance Logs and Alerts
- Local Users and Groups
- Link to Web Address
- Folder
- Removable Storage Management
- WMI Control
- Certificates


When I select "Local Users and Groups", a new dialog appears asking which computer this snap-in should manage. Local or another? Whichever I choose, the error message appears: "This computer is running Windows XP Home Edition. This snap-in may not be used with this version of Windows. To manage user accounts for this computer, use the User Accounts tool in the Control Panel."

Well, how do we go on from here?

Roughly the status again: AntiVir NO LONGER reports that the file wsock32.sys is infected with the virus BDS/Ciadoor.13.312. But the window still opens:

C:\windows\system32\cmd.exe : "The command prompt has been disabled by your administrator. Press any key to continue..."
and the admin rights to e.g. run a System Restore are still locked by the group policy set by the "trojan" administrator.

Stupid situation, isn't it?

Sabina, do you have another idea????

Regards
Tommy
17.05.2006, 01:16
Honorary member
Avatar Sabina

Posts: 29434
#14 0.

choose a different account from the one you're in at the moment...perhaps the Administrator account in safe mode

Start > Run > mmc > File > Add/Remove Snap-in > Add >
Local Users and Groups

-----------------------------------------

1.
Start->Run --> regedit

Edit - Find - paste in - scvhost.exe

delete everything you find....


--------

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings]
set\
set\
set\
xxxxxxxx.ini --write me which ini you find there....
__________
Regards, Sabina

all about PC security
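Post #14 asks for a manual regedit search for scvhost.exe and for the .ini name kept under "VB and VBA Program Settings". The script below is an added example of mine, not code from the thread or from Avenger; it does that search from PowerShell over the autostart locations a practitioner would check first, the service list, and the two directories the thread's file paths use, and it reports rather than deletes, so the hits can be posted before anything is removed. The file name scvhost.exe is taken from the thread (it is chosen to resemble the legitimate svchost.exe); the list of keys to search is my assumption of where such a loader registers itself, and the .ini filter reflects the thread's question, not a property of the malware.

```powershell
# Added example, not from the thread. Report every registry autostart or
# service reference to a given file name, check whether the file is still on
# disk, and list the .ini value names under "VB and VBA Program Settings".
# Run from an elevated PowerShell on the affected machine. Nothing is deleted.
$Needle = 'scvhost.exe'   # file name from the thread; change as needed

# Assumption: the usual per-user and machine autostart keys, plus Winlogon,
# whose Shell/Userinit values are a common place to hook a loader.
$autostart = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $autostart) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Only string values can hold a path; match anywhere in the value.
        if ($p.Value -is [string] -and $p.Value -like "*$Needle*") {
            '{0} -> {1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}

# Services whose ImagePath points at the file (a backdoor may install as one).
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath
    if ($svc.ImagePath -is [string] -and $svc.ImagePath -like "*$Needle*") {
        'service {0}: ImagePath = {1}' -f $_.PSChildName, $svc.ImagePath
    }
}

# Is the file itself still present? (The Avenger log later in the thread
# reports it deleted; a fresh copy here would mean the loader is still active.)
foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
    $f = Join-Path -Path $dir -ChildPath $Needle
    if (Test-Path -Path $f) {
        'on disk: {0} ({1} bytes)' -f $f, (Get-Item -Path $f).Length
    }
}

# Per-program settings of Visual-Basic-built programs: list each subkey that
# carries a value whose name ends in .ini, which is what post #14 asks for.
$vb = 'HKCU:\Software\VB and VBA Program Settings'
if (Test-Path -Path $vb) {
    Get-ChildItem -Path $vb -Recurse | ForEach-Object {
        $names = (Get-Item -Path $_.PSPath).GetValueNames() | Where-Object { $_ -like '*.ini' }
        if ($names) { '{0}: {1}' -f $_.PSPath, ($names -join ', ') }
    }
}
```

Run it once before deleting anything and keep the output; the same run after cleanup should come back empty. Regedit's Find also walks value data, so a hit that this script misses (a key outside the list above) still shows up there.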
17.05.2006, 23:21
Member

Thread starter

Posts: 15
#15 I first logged on in safe mode with all users (also as the "trojan" admin!!). But I still couldn't create "Local Users and Groups" via mmc. The message still came up:

"This computer is running Windows XP Home Edition. This snap-in may not be used with this version of Windows. To manage user accounts for this computer, use the User Accounts tool in the Control Panel."

But I was able to reset the password of the "trojan" administrator (only in safe mode).

In regedit I deleted all entries containing "scvhost.exe". I deleted the entries completely, not just the values, and hope that was right???

The ini file in question is: r25o9D2UXD.ini.
Otherwise the restrictions from yesterday still apply. ;)

one more addition:

When I try to log on in "normal" mode as the "trojan" administrator, I get a password prompt again for the user "trojan" admin. At that point it doesn't ask for the password I had changed in safe mode. Strange!

Then I logged on in normal mode under the second user (my wife's). The following Avenger log file opened automatically. Maybe that helps you:
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit

//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cupgedcf
*******************

Script file located at: \??\C:\WINDOWS\sjrhfafv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ckl009.dat deleted successfully.
File C:\WINDOWS\system32\scvhost.exe deleted successfully.

File C:\WINDOWS\system32\wsock32.sys not found!
Deletion of file C:\WINDOWS\system32\wsock32.sys failed!

Could not process line:
C:\WINDOWS\system32\wsock32.sys
Status: 0xc0000034

File C:\WINDOWS\mssys.exe not found!
Deletion of file C:\WINDOWS\mssys.exe failed!

Could not process line:
C:\WINDOWS\mssys.exe
Status: 0xc0000034

File C:\WINDOWS\system32\del32.bat not found!
Deletion of file C:\WINDOWS\system32\del32.bat failed!

Could not process line:
C:\WINDOWS\system32\del32.bat
Status: 0xc0000034

Completed script processing.
*******************
Finished! Terminate.


Regards
Tommy
This post was edited on 18.05.2006 at 13:21 by Tommy55.