ciadoor.13: Richtiges Vorgehen?

#1 Hallo, erster richtiger Virus, erster Eintrag in diesem Forum

Leider habe ich mir (selbst schuld, gebe ich zu) den ciadoor.13 Trojaner eingefangen. Auf Eingabeaufforderung, Regedit, Taskmanager konnte ich nicht mehr zugreifen, die Windows-Firewall wurde deaktiviert, Antivir-Suchläufe wurden nach wenigen Sekunden abgebrochen. Antivir konnte den Schädling nicht identifizieren, hatte die infizierte Datei vor dem ausführen extra gescannt.
Durch einige Tricks habe ich jetzt wieder den Zugriff auf Taskmanager, Command und regedit, weiß aber nicht wie ich weiter vorgehen soll. Antivir habe ich deinstalliert und stattdessen Kaspersky installiert, einen kompletten Suchlauf gestartet und alle Dateien die er gefunden hat gelöscht. Es tut mir leid, ich weiß es gibt schon mehrere Threads zu diesem Trojaner, die Vorgehensweise dort kann ich aber nicht zu 100% durchschauen und würde deshalb gerne noch einmal das weitere Vorgehen abstimmen. Bin leider ein absoluter Security-Noob.

Mein Hijackthis-Logfile:

Zitat

Logfile of HijackThis v1.99.1
Scan saved at 18:01:57, on 27.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
D:\Misc\Deskmodding\RK Dock\RKLauncher.exe
C:\Programme\Styler\Styler.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Thunderbird\thunderbird.exe
D:\Misc\setups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Programme\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kis] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Startup: RK Launcher.lnk = ?
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.ma-de.de/scan/Msie/bitdefender.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Programme\IconPackager\iprepair.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

Vielen Dank für eure Geduld

#2 ich schaue mal nach, ob noch was zu finden ist...

Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3

Zitat

Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 647B-4952

Verzeichnis von C:\WINDOWS\system32

27.06.2006 15:08 15.975 ckl009.dat
27.06.2006 11:41 172 del32.bat
19.06.2006 17:35 2.206 wpa.dbl
11.06.2006 19:41 146.650 BuzzingBee.wav
11.06.2006 19:41 940.794 LoopyMusic.wav
10.06.2006 23:35 401.064 perfh009.dat
10.06.2006 23:35 62.344 perfc009.dat
10.06.2006 23:35 74.950 perfc007.dat
10.06.2006 23:35 415.414 perfh007.dat
10.06.2006 23:35 966.144 PerfStringBackup.INI
10.06.2006 15:08 324.320 FNTCACHE.DAT
09.06.2006 03:19 5.967.776 MRT.exe
01.06.2006 20:47 27.648 jgpl400.dll
01.06.2006 20:47 163.840 jgdw400.dll
29.05.2006 17:32 1.496.576 shdocvw.dll
19.05.2006 17:06 3.076.096 mshtml.dll
18.05.2006 07:36 450.560 jscript.dll
16.05.2006 22:23 339.968 pxwave.dll
16.05.2006 22:23 28.672 vxblock.dll
16.05.2006 22:23 176.128 pxmas.dll
16.05.2006 22:23 56.832 pxinsa64.exe
16.05.2006 22:23 61.440 pxhpinst.exe
16.05.2006 22:23 450.560 pxdrv.dll
16.05.2006 22:23 57.344 pxcpya64.exe
16.05.2006 22:23 430.080 px.dll
16.05.2006 22:23 1.257.472 pxsfs.dll
16.05.2006 17:18 7.006 jupdate-1.5.0_06-b05.log
14.05.2006 10:48 181.248 rasmans.dll
11.05.2006 10:58 104.448 xpsp3res.dll
10.05.2006 07:26 669.184 wininet.dll
10.05.2006 07:26 39.424 pngfilt.dll
10.05.2006 07:26 532.480 mstime.dll
10.05.2006 07:26 617.472 urlmon.dll
10.05.2006 07:26 474.624 shlwapi.dll
10.05.2006 07:26 146.432 msrating.dll
10.05.2006 07:26 448.512 mshtmled.dll
10.05.2006 07:26 357.888 dxtmsft.dll
10.05.2006 07:26 251.904 iepeers.dll
10.05.2006 07:26 55.808 extmgr.dll
10.05.2006 07:26 15.872 jsproxy.dll
10.05.2006 07:26 205.312 dxtrans.dll
10.05.2006 07:26 1.056.256 danim.dll
10.05.2006 07:26 96.768 inseng.dll
10.05.2006 07:26 1.022.976 browseui.dll
10.05.2006 07:26 152.064 cdfview.dll
29.04.2006 06:07 5.533.696 wmp.dll
23.04.2006 00:32 5.618 jupdate-1.5.0_05-b05.log
22.04.2006 22:55 0 h323log.txt
22.04.2006 22:09 237 $winnt$.inf
22.04.2006 22:03 2.951 CONFIG.NT
22.04.2006 22:03 16.832 amcompat.tlb
22.04.2006 22:03 23.392 nscompat.tlb
22.04.2006 22:02 488 logonui.exe.manifest
22.04.2006 22:02 488 WindowsLogon.manifest
22.04.2006 22:01 749 sapi.cpl.manifest
22.04.2006 22:01 749 nwc.cpl.manifest
22.04.2006 22:01 749 ncpa.cpl.manifest
22.04.2006 22:01 749 cdplayer.exe.manifest
22.04.2006 22:01 749 wuaucpl.cpl.manifest
22.04.2006 21:59 21.740 emptyregdb.dat
24.03.2006 19:08 28.778 klogon.dll
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:47 8.495.616 shell32.dll
17.03.2006 03:05 28.672 verclsid.exe
01.03.2006 21:43 956.416 msdtctm.dll
01.03.2006 21:43 161.280 msdtcuiu.dll
01.03.2006 21:43 426.496 msdtcprx.dll
01.03.2006 21:43 66.560 mtxclu.dll
01.03.2006 21:43 11.776 xolehlp.dll
01.03.2006 21:43 91.136 mtxoci.dll

Zitat

Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 647B-4952

Verzeichnis von C:\DOKUME~1\Lukas\LOKALE~1\Temp

27.06.2006 18:24 283 wahtmltmp00.htm
27.06.2006 18:20 206 jusched.log
27.06.2006 15:11 163.840 ~DF4A92.tmp
3 Datei(en) 164.329 Bytes
0 Verzeichnis(se), 149.930.758.144 Bytes frei

Zitat

Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 647B-4952

Verzeichnis von C:\WINDOWS

27.06.2006 16:40 674.158 setupapi.log
27.06.2006 15:11 4.540 ModemLog_PCI SoftV92 Data Fax Modem with SmartCP.txt
27.06.2006 15:10 0 0.log
27.06.2006 15:10 1.465.048 WindowsUpdate.log
27.06.2006 15:10 2.048 bootstat.dat
27.06.2006 15:09 27.036 SchedLgU.Txt
27.06.2006 12:12 59 ANS2000.INI
27.06.2006 11:44 601 wiadebug.log
27.06.2006 11:44 284 system.ini
27.06.2006 11:44 576 win.ini
27.06.2006 10:30 50 wiaservc.log
25.06.2006 18:00 20 akebook.ini
25.06.2006 18:00 4 a3kebook.ini
25.06.2006 17:48 69 NeroDigital.ini
24.06.2006 18:29 76 StyleBuilder.INI
14.06.2006 15:57 5.362 spupdsvc.log
14.06.2006 15:03 27.864 ehOCGen.log
14.06.2006 15:03 61.572 MedCtrOC.log
14.06.2006 15:03 224.583 tsoc.log
14.06.2006 15:03 24.930 tabletoc.log
14.06.2006 15:03 554.477 iis6.log
14.06.2006 15:03 1.374 imsins.log
14.06.2006 15:03 26.535 ocmsn.log
14.06.2006 15:03 101.823 ntdtcsetup.log
14.06.2006 15:03 170.924 comsetup.log
14.06.2006 15:03 11.404 KB917734.log
14.06.2006 15:03 3.146 wmsetup.log
14.06.2006 15:03 56.402 plusoc.log
14.06.2006 15:03 236.348 ocgen.log
14.06.2006 15:03 98.140 netfxocm.log
14.06.2006 15:03 24.115 msgsocm.log
14.06.2006 15:03 481.410 FaxSetup.log
14.06.2006 15:03 153.264 msmqinst.log
14.06.2006 15:02 1.374 imsins.BAK
14.06.2006 15:02 15.603 KB918439.log
14.06.2006 15:02 15.962 KB917344.log
14.06.2006 15:02 18.330 KB917953.log
14.06.2006 15:02 15.616 KB911280.log
14.06.2006 15:02 20.983 updspapi.log
14.06.2006 15:02 25.738 KB916281.log
14.06.2006 15:02 12.841 KB914389.log
13.06.2006 18:21 115 AIMPR.INI
11.06.2006 21:07 16.477 JB3DRV.LOG
11.06.2006 19:41 73.728 ALCFDRTM.VER
11.06.2006 19:41 73.728 ALCFDRTM.EXE
11.06.2006 19:30 324.057 setupact.log
10.06.2006 18:32 248 accessdll.log
10.06.2006 18:31 105 avmsysnet.log
29.05.2006 18:42 120 ReplacerUndo.txt
14.05.2006 14:52 12.874 KB913580.log
28.04.2006 22:31 6.481 mozver.dat
26.04.2006 15:27 12.443 KB900485.log
24.04.2006 00:38 162.664 EPSTPLOG.TXT
23.04.2006 23:54 1.125 winamp.ini
23.04.2006 14:09 754 WORDPAD.INI
23.04.2006 00:55 400 ODBC.INI
23.04.2006 00:24 35.556 KB899587.log
23.04.2006 00:24 34.670 KB896422.log
23.04.2006 00:24 36.301 KB908531.log
23.04.2006 00:24 34.604 KB911927.log
23.04.2006 00:24 34.101 KB901017.log
23.04.2006 00:24 34.418 KB899591.log
23.04.2006 00:24 35.421 KB896424.log
23.04.2006 00:24 45.495 KB912919.log
23.04.2006 00:23 34.502 KB893756.log
23.04.2006 00:23 33.445 KB911562.log
23.04.2006 00:23 31.499 KB896423.log
23.04.2006 00:23 27.375 KB887998.log
23.04.2006 00:22 33.043 KB896358.log
23.04.2006 00:22 26.476 KB910437.log
23.04.2006 00:22 35.152 KB912812.log
23.04.2006 00:22 33.615 KB902400.log
23.04.2006 00:22 23.754 KB890046.log
23.04.2006 00:21 22.755 KB899589.log
23.04.2006 00:21 23.073 KB905414.log
23.04.2006 00:21 22.294 KB901214.log
23.04.2006 00:21 23.264 KB900725.log
23.04.2006 00:21 18.490 KB904706.log
23.04.2006 00:21 18.287 KB905749.log
23.04.2006 00:21 12.073 KB911565.log
23.04.2006 00:20 17.071 KB896428.log
23.04.2006 00:20 17.763 KB911567.log
23.04.2006 00:20 17.745 KB894391.log
23.04.2006 00:20 15.441 KB908519.log
23.04.2006 00:20 12.732 KB913446.log
23.04.2006 00:20 23.274 KB890859.log
22.04.2006 22:50 0 Sti_Trace.log
22.04.2006 22:50 0 nsreg.dat
22.04.2006 22:49 10.399 KB893803v2.log
22.04.2006 22:49 8.253 KB898461.log
22.04.2006 22:47 1.348 regopt.log
22.04.2006 22:46 0 setuperr.log
22.04.2006 22:31 16.802 wizard.log
22.04.2006 22:27 901 medblker.Log
22.04.2006 22:26 1.454 COM+.log
22.04.2006 22:25 19.269 MC05Upd1.log
22.04.2006 22:24 17.887 KB891781.log
22.04.2006 22:24 16.703 KB891070.log
22.04.2006 22:24 16.320 KB890831.log
22.04.2006 22:24 16.461 KB890546.log
22.04.2006 22:23 17.241 KB890175.log
22.04.2006 22:23 17.475 KB890047.log
22.04.2006 22:23 15.416 KB888402.log
22.04.2006 22:23 15.210 KB888316.log
22.04.2006 22:22 16.379 KB888302.log
22.04.2006 22:22 15.892 KB888113.log
22.04.2006 22:22 16.938 KB888111.log
22.04.2006 22:22 16.561 KB887797.log
22.04.2006 22:21 15.922 KB887742.log
22.04.2006 22:21 15.930 KB887472.log
22.04.2006 22:21 14.410 KB886677.log
22.04.2006 22:21 15.724 KB886185.log
22.04.2006 22:20 15.399 KB885894.log
22.04.2006 22:20 11.504 KB885855.log
22.04.2006 22:20 13.235 KB885836.log
22.04.2006 22:20 13.734 KB885835.log
22.04.2006 22:20 13.744 KB885523.log
22.04.2006 22:19 12.929 KB885250.log
22.04.2006 22:19 11.131 KB885222.log
22.04.2006 22:19 11.294 KB884868.log
22.04.2006 22:19 11.359 KB884575.log
22.04.2006 22:19 11.301 KB884020.log
22.04.2006 22:18 11.037 KB884018.log
22.04.2006 22:18 10.521 KB883667.log
22.04.2006 22:18 10.022 KB883529.log
22.04.2006 22:18 9.692 KB883517.log
22.04.2006 22:18 10.941 KB873339.log
22.04.2006 22:17 11.703 KB873333.log
22.04.2006 22:17 10.550 KB867282.log
22.04.2006 22:14 829 OEWABLog.txt
22.04.2006 22:13 1.052.141 setuplog.txt
22.04.2006 22:10 8.192 REGLOCS.OLD
22.04.2006 22:03 5.027 KB835221.log
22.04.2006 22:03 0 control.ini
22.04.2006 22:03 316.640 WMSysPr9.prx
22.04.2006 22:03 4.161 ODBCINST.INI
22.04.2006 22:01 749 WindowsShell.Manifest
22.04.2006 22:00 1.023 sessmgr.setup.log
22.04.2006 21:59 37 vbaddin.ini
22.04.2006 21:59 36 vb.ini
22.04.2006 21:59 133 DtcInstall.log
22.04.2006 21:56 200 cmsetacl.log

Zitat

Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 647B-4952

Verzeichnis von C:\

27.06.2006 18:32 0 sys.txt
27.06.2006 18:32 9.549 system.txt
27.06.2006 18:32 388 systemtemp.txt
27.06.2006 18:32 97.397 system32.txt
27.06.2006 18:27 977 c.txt
27.06.2006 18:26 9.549 winodws.txt
27.06.2006 15:10 1.610.612.736 pagefile.sys
27.06.2006 11:44 220 boot.ini
09.06.2006 23:45 45 TEST.XML
04.06.2006 22:35 4 timestmp.tmp
22.04.2006 22:03 0 AUTOEXEC.BAT
22.04.2006 22:03 0 MSDOS.SYS
22.04.2006 22:03 0 IO.SYS
22.04.2006 22:03 0 CONFIG.SYS
10.08.2004 21:00 4.952 bootfont.bin
10.08.2004 21:00 251.184 ntldr
10.08.2004 21:00 47.564 NTDETECT.COM
17 Datei(en) 1.611.034.565 Bytes
0 Verzeichnis(se), 149.930.749.952 Bytes frei

Vielen Dank...

#4 das muss raus:

Verzeichnis von C:\WINDOWS\system32

27.06.2006 15:08 15.975 ckl009.dat
27.06.2006 11:41 172 del32.bat

vor dem loeschen kannst du noch mal in die ckl009.dat
schauen, da ist alles abgespeichert, was du letztens so am Rechner gemacht hast
__________
MfG Sabina

rund um die PC-Sicherheit

#5

Zitat

Sabina postete
vor dem loeschen kannst du noch mal in die ckl009.dat
schauen, da ist alles abgespeichert, was du letztens so am Rechner gemacht hast

0_o

ist ja echt übel...wenn ich diese beiden dateien gelöscht habe, ist der trojaner endgültig geschichte??
der versendet sich ja nicht per email, ich muss keine sorgen haben jemanden infiziert zu haben, oder?

Vielen Dank für die kompetente Hilfe, Sabina.

#6 wenn du irgendwann mal ans Formatieren denkst, so zoegere nicht, aber soweit wie es jetzt steht, muesste wieder alles sauber sein.
Allerdings ist der Rechner kompromitiert (Ports..usw.)
__________
MfG Sabina

rund um die PC-Sicherheit

#7 mh, jetzt hab ich doch noch ein problem: die windows-firewall lässt sich nicht mehr starten. fehlermeldung: "der dienst windows-firewall/gemeinsame nutzung [...] konnte nicht gestartet werden."

wie lässt sich das beheben?

#8 Die XP-Firewall wieder aktivieren [Windows-Firewall/Gemeinsame Nutzung der Internetverbindung]

http://www.wintotal.de/Tipps/Eintrag.php?TID=1157
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Vielen Dank für den Link!

Mir ist aber ein Gedanke gekommen: könnte es sein, dass kaspersky internet security die windows-interne firewall deaktiviert?

#10 nein, diese Deaktivierung gehort zum Backdoor

poste das log
http://virus-protect.org/registry_stuff.html
__________
MfG Sabina

rund um die PC-Sicherheit

#11 Dann werde ich es also mit der methode die du beschrieben hast machen. hier das log:

Zitat

doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
doesn't exist HKEY_CURRENT_USER\Software\Microsoft\OLE
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"Description"="Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."
"DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,43,3a,5c,57,49,4e,44,4f,\
57,53,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,\
6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00000cac

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Winamp\\winamp.exe"="C:\\Programme\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\Programme\\Miranda IM\\miranda32.exe"="C:\\Programme\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Programme\\XIII\\system\\XIII.exe"="C:\\Programme\\XIII\\system\\XIII.exe:*:Enabled:XIII"
"C:\\Programme\\Azureus\\Azureus.exe"="C:\\Programme\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programme\\Wolfenstein - Enemy Territory\\ET.exe"="C:\\Programme\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"C:\\Programme\\Microangelo\\Toolset 6\\m6animator.exe"="C:\\Programme\\Microangelo\\Toolset 6\\m6animator.exe:*:Enabled:m6animator"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"52525:TCP"="52525:TCP:*:Enabled:Azureus Port TCP"
"52525:UDP"="52525:UDP:*:Enabled:Azureus Port UDP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Sicherheitscenter"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Überwacht Systemsicherheitseinstellungen und -konfigurationen."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,62,72,\
6f,77,73,65,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:91,57,0c,7b,ae,72,c0,4c,aa,c8,f7,20,33,7a,e1,b8
"AdjustedNullSessionPipes"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Ermöglicht Remotebenutzern, Registrierungseinstellungen dieses Computers zu verändern. Wenn dieser Dienst beendet wird, kann die Registrierung nur von lokalen Benutzern dieses Computers verändert werden. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abhängigen Dienste nicht gestartet werden können."
"DependOnService"=hex(7):52,50,43,53,53,00,00
"DisplayName"="Remote-Registrierung"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,4c,6f,63,61,6c,53,65,72,\
76,69,63,65,00
"ObjectName"="NT AUTHORITY\\LocalService"
"Group"=""
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,e0,ad,08,\
00,01,00,00,00,e8,03,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,72,65,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum]
"0"="Root\\LEGACY_REMOTEREGISTRY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Type"=dword:00000010
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,\
74,6c,6e,74,73,76,72,2e,65,78,65,00
"DisplayName"="Telnet"
"DependOnService"=hex(7):52,50,43,53,53,00,54,43,50,49,50,00,4e,54,4c,4d,53,53,\
50,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"=hex(2):45,72,6d,f6,67,6c,69,63,68,74,20,65,69,6e,65,6d,20,52,65,\
6d,6f,74,65,62,65,6e,75,74,7a,65,72,2c,20,73,69,63,68,20,61,6e,20,64,69,65,\
73,65,6d,20,43,6f,6d,70,75,74,65,72,20,61,6e,7a,75,6d,65,6c,64,65,6e,20,75,\
6e,64,20,50,72,6f,67,72,61,6d,6d,65,20,61,75,73,7a,75,66,fc,68,72,65,6e,2e,\
20,55,6e,74,65,72,73,74,fc,74,7a,74,20,76,65,72,73,63,68,69,65,64,65,6e,65,\
20,54,43,50,2f,49,50,2d,54,65,6c,6e,65,74,63,6c,69,65,6e,74,73,2c,20,65,69,\
6e,73,63,68,6c,69,65,df,6c,69,63,68,20,55,4e,49,58,2d,62,61,73,69,65,72,74,\
65,6e,20,75,6e,64,20,57,69,6e,64,6f,77,73,2d,62,61,73,69,65,72,74,65,6e,20,\
43,6f,6d,70,75,74,65,72,6e,2e,20,57,65,6e,6e,20,64,69,65,73,65,72,20,44,69,\
65,6e,73,74,20,61,6e,67,65,68,61,6c,74,65,6e,20,77,69,72,64,2c,20,69,73,74,\
20,64,65,72,20,52,65,6d,6f,74,65,7a,75,67,72,69,66,66,20,6d,f6,67,6c,69,63,\
68,65,72,77,65,69,73,65,20,6e,69,63,68,74,20,6d,65,68,72,20,76,65,72,66,fc,\
67,62,61,72,2e,20,57,65,6e,6e,20,64,69,65,73,65,72,20,44,69,65,6e,73,74,20,\
64,65,61,6b,74,69,76,69,65,72,74,20,77,69,72,64,2c,20,6b,f6,6e,6e,65,6e,20,\
61,6c,6c,65,20,44,69,65,6e,73,74,65,2c,20,64,69,65,20,65,78,70,6c,69,7a,69,\
74,20,76,6f,6e,20,64,69,65,73,65,6d,20,44,69,65,6e,73,74,20,61,62,68,e4,6e,\
67,65,6e,2c,20,6e,69,63,68,74,20,6d,65,68,72,20,67,65,73,74,61,72,74,65,74,\
20,77,65,72,64,65,6e,2e,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000003bc
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:29,c1,24,c0,66,15,e5,84,69,cc,b4,ab,44,84,3c,63,37,62,31,66,63,\
36,66,31,00,fd,07,00,57,04,00,00,34,fa,07,00,56,82,46,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,f2,bb,e6,7d,18,63,1f,b2,54,ad,62,7b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:e1,b7,9b,79,6b,65,67,b7,7d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:ac,f5,df,88,9b,d1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:35,b0,a1,59,8f,4a,2e,4d,73,29,d3,8f,47,5e,95,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d0,9b,5a,1f,4b,66,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,38,3a,3c,0c,7f,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,38,3a,3c,0c,7f,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,38,3a,3c,0c,7f,c4,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]



#12 start - Ausfuehren - regedit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001 -> aendere das in 0

dann starte den Rechner neu.
__________
MfG Sabina

rund um die PC-Sicherheit

#13 hier hab mal von ner hacker seite (nenn ich nicht) die Anleitung für Cia Entfernung geladen. hoffe kann euch helfen

edit (Mod)

#14

Zitat

Sabina postete
start - Ausfuehren - regedit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001 -> aendere das in 0

dann starte den Rechner neu.

danke, hat wunderbar funktioniert!