Deleting mtcls32.exe

11.10.2006, 14:26
...new here
Posts: 9
#0
11.10.2006, 15:40
Honorary member
Posts: 29434
#2

How can anyone dare to go on the Internet these days without Windows updates ????

1. sandbox.norman http://sandbox.norman.no/live_4.html paste these two files in there and report back when you receive the message by e-mail.
C:\WINDOWS\mtcls32.exe
C:\WINDOWS\system32\FrameWork.exe

2. datfindbat has 6 logs, and only the files from the last 3 months are of interest http://virus-protect.org/datfindbat.html

3. Download Registry Search by Bobbi Flekman http://virus-protect.org/artikel/tools/regsearch.html and double-click it to start. In "Enter search strings" paste mtcl32 into the edit box and click "Ok". Notepad will open -- copy the text and post it.

-----------------------------------------------
Those are anonymous FTP servers through which the hacker has full access to your system...
C:\WINDOWS\system32\TFTP3728
C:\WINDOWS\system32\TFTP460
C:\WINDOWS\system32\TFTP1900

__________
Regards, Sabina - all about PC security
11.10.2006, 16:04
...new here
Thread starter
Posts: 9
#3

```
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0
; Results at 11.10.2006 16:02:21 for strings:
; 'mtcl32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000]
"Service"="mtcl32"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000\Control]
"ActiveService"="mtcl32"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32\Enum]
"0"="Root\\LEGACY_MTCL32\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32\0000]
"Service"="mtcl32"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000]
"Service"="mtcl32"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000\Control]
"ActiveService"="mtcl32"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32\Enum]
"0"="Root\\LEGACY_MTCL32\\0000"
[HKEY_USERS\S-1-5-21-220523388-261903793-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Arbeitsplatz\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_MTCL32\\0000"

; End Of The Log...
```

sandbox

```
mtcls32.exe : Not detected by Sandbox (Signature: W32/SDBot.AKXY)

[ General information ]
* Display message box (Debugger found) : Close debugger, and restart. Program will not be started.
* File length: 131072 bytes.
* MD5 hash: 4d899993e29693a1553eec4b29e92b89.
```

__________
-Taras
11.10.2006, 16:06
Honorary member
Posts: 29434
#4

And what does it say about C:\WINDOWS\system32\FrameWork.exe ?

__________
Regards, Sabina - all about PC security
11.10.2006, 16:29
...new here
Thread starter
Posts: 9
#5

C:\WINDOWS\system32\FrameWork.exe hasn't arrived yet.

If I put SP2 on, my internet becomes totally sluggish (download < 2kb/s)

```
FrameWork.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* File length: 94208 bytes.
* MD5 hash: f2995b79932e3b40adad18ac58d112d9.
```

__________
-Taras

This post was edited on 11.10.2006 at 17:29 by Taras87.
12.10.2006, 00:31
Honorary member
Posts: 29434
#6

Avenger
http://virus-protect.org/artikel/tools/avenger.html
Paste in:
Quote: registry keys to delete:
Click the green traffic light. The script will now be executed, then the PC will restart automatically.

** Post the Avenger log that appears after the restart

** Scan, let everything that is found be deleted and post the report
http://virus-protect.org/a2.html

** Post this log
http://virus-protect.org/registry_stuff.html

** Windows Worms Doors Cleaner - run it - set everything to green
http://virus-protect.org/windsdoorcleaner.html

Then do the Windows updates as quickly as possible, without fail !!
____________
Quote: http://www.sophos.de/security/analyses/w32rbotfmw.html

__________
Regards, Sabina - all about PC security
12.10.2006, 06:58
...new here
Thread starter
Posts: 9
#7

```
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mcbnbayc

*******************

Script file located at: \??\C:\WINDOWS\System32\mclkkvyl.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32 deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32 failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32 failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32
Status: 0xc0000034

File C:\WINDOWS\mtcls32.exe deleted successfully.
File C:\WINDOWS\system32\FrameWork.exe deleted successfully.
File C:\WINDOWS\system32\TFTP3728 deleted successfully.
File C:\WINDOWS\system32\TFTP460 deleted successfully.
File C:\WINDOWS\system32\TFTP1900 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
```
```
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
  41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
  4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
  4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
  53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
  4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:0000025c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
  50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
  39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
  b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a0,b8,41,95,e6,e9,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
```

```
a-squared Free - Version 2.0

Scan Einstellungen:
Objekte: Speicher, Traces, Cookies, C:\WINDOWS, C:\Programme
Archiv Scan: An
Heuristik: An
ADS Scan: An

Scan Beginn: 12.10.2006 06:35:10

Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_msdirectx gefunden: Trace.Registry.Aimbot
C:\Dokumente und Einstellungen\Taras\Cookies\taras@2o7[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@adtech[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@atdmt[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@weborama[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@zedo[1].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:18 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:20 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:21 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:62 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:63 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:64 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:65 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:71 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:116 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:118 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:127 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:146 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:185 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:241 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:242 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:265 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:267 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:276 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:277 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:321 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:322 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:323 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:324 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:325 gefunden: Trace.TrackingCookie

Gescannt
Dateien: 58724
Traces: 75690
Cookies: 411
Prozesse: 20

Gefunden
Dateien: 0
Traces: 1
Cookies: 29
Prozesse: 0
Registry Keys: 0

Scan Ende: 12.10.2006 06:54:15
Scan Zeit: 00:19:05
```

__________
-Taras
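As an added illustration (not code from the thread or from any of the tools linked in it): a Python parser for REGEDIT4 exports such as the registry_stuff log above. It joins the backslash-wrapped hex lines, decodes dword, hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values, and then flags the settings the log shows working against the user: the firewall policy switched off, Security Center notifications suppressed, SP2 blocked through DoNotAllowXPSP2, the wscsvc and SharedAccess services disabled, and executable values such as "Win Net Wks32"="netwks32.exe" parked under the Lsa key. The input is a constructed excerpt modelled on that log, and the list of watched services and the finding texts are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed excerpt (not the poster's actual log) in the style of the
# registry_stuff export above; long hex values wrap with a trailing backslash.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
  41,4c,47,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"Win Net Wks32"="netwks32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
'''

SERVICE_DISABLED = 4  # "Start"=dword:00000004 means the service cannot start
WATCHED_SERVICES = ("wscsvc", "sharedaccess")  # Security Center, XP firewall/ICS


def _logical_lines(text: str) -> List[str]:
    """Merge lines ending in a backslash (wrapped hex data) into one line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])


def _decode_value(raw: str):
    """Convert the .reg text form of a value into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 2:  # REG_EXPAND_SZ: NUL-terminated ANSI string
            return data.split(b"\x00", 1)[0].decode("latin-1")
        if kind == 7:  # REG_MULTI_SZ: NUL-separated strings, double NUL at end
            return [s.decode("latin-1") for s in data.split(b"\x00") if s]
        return data
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a REGEDIT4 export into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode_value(raw)
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag the defense-weakening settings visible in the log above."""
    findings: List[str] = []
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1]
        if "\\WindowsFirewall\\" in key and values.get("EnableFirewall") == 0:
            findings.append(f"firewall policy disabled: {key}")
        if key.endswith("\\WindowsUpdate") and values.get("DoNotAllowXPSP2") == 1:
            findings.append("Windows Update policy blocks XP SP2")
        if tail.lower() in WATCHED_SERVICES and values.get("Start") == SERVICE_DISABLED:
            findings.append(f"security service disabled: {tail}")
        for name, val in values.items():
            if key.endswith("\\Security Center") and val == 1 \
                    and name.endswith(("DisableNotify", "Override")):
                findings.append(f"Security Center alert suppressed: {name}")
            if tail.lower() in ("lsa", "ole") and isinstance(val, str) \
                    and val.lower().endswith(".exe"):  # no .exe value belongs here
                findings.append(f"executable value under {tail}: {name}={val}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```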
12.10.2006, 09:21
Honorary member
Posts: 29434
#8

1. Post this log http://www.f-secure.com/blacklight/ Start the file, accept the license terms and choose scan; when the scan is finished, press next and then close. There is now an FSB*.TXT file in the same folder as Blacklight.

2. Copy the following text into Notepad (Start - Accessories - Notepad) and save it with 'Save as' on the desktop as fixme.reg. Set the file type to 'All files'. You should now find this file on the desktop. Double-click the file "fixme.reg" on the desktop and merge it into the registry with "ja" or "yes".
Quote: REGEDIT4

Avenger
Quote: registry keys to delete:

** Post the Avenger log after the restart

** Do the Windows updates - SP2 - report whether it worked !

** Post the stuff log again.
http://virus-protect.org/registry_stuff.html

** Post the 6 datfindbat logs again - 3 months back by date
http://virus-protect.org/datfindbat.html

__________
Regards, Sabina - all about PC security
13.10.2006, 13:47
...new here
Thread starter
Posts: 9
#9

```
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jgaauavk

*******************

Script file located at: \??\C:\Program Files\rsjinltf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx
Status: 0xc0000034

File C:\WINDOWS\system32\netwks32.exe not found!
Deletion of file C:\WINDOWS\system32\netwks32.exe failed!
Could not process line:
C:\WINDOWS\system32\netwks32.exe
Status: 0xc0000034

File C:\WINDOWS\system32\msdirectx.sys not found!
Deletion of file C:\WINDOWS\system32\msdirectx.sys failed!
Could not process line:
C:\WINDOWS\system32\msdirectx.sys
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.
```
```
Verzeichnis von C:\WINDOWS\system32

13.10.2006 13:44 81.496 nvapps.xml
12.10.2006 16:52 311.604 perfh009.dat
12.10.2006 16:52 39.992 perfc009.dat
12.10.2006 16:52 316.594 perfh007.dat
12.10.2006 16:52 48.156 perfc007.dat
12.10.2006 16:52 723.568 PerfStringBackup.INI
12.10.2006 16:46 2.184 wpa.dbl
12.10.2006 16:46 90.296 FNTCACHE.DAT
11.10.2006 14:20 43.520 CmdLineExt03.dll
09.10.2006 17:26 16.832 amcompat.tlb
09.10.2006 17:25 23.392 nscompat.tlb
07.10.2006 11:42 552 d3d8caps.dat
07.10.2006 10:36 135.168 javaw.exe
07.10.2006 10:36 139.264 javaws.exe
07.10.2006 10:36 69.632 javacpl.cpl
07.10.2006 10:36 135.168 java.exe
07.10.2006 08:53 940 $winnt$.inf
07.10.2006 00:58 333 $ncsp$.inf
07.10.2006 00:44 66.048 VCLSMP50.bpl
07.10.2006 00:44 2.020.864 VCL50.bpl
07.10.2006 00:44 248.832 VCLX50.bpl
07.10.2006 00:44 157.696 rmoc3260.dll
07.10.2006 00:44 24.576 prefscpl.cpl
07.10.2006 00:44 5.632 pndx5032.dll
07.10.2006 00:44 6.656 pndx5016.dll
07.10.2006 00:44 278.528 pncrt.dll
07.10.2006 00:35 25.065 wmpscheme.xml
07.10.2006 00:30 2.953 CONFIG.NT
07.10.2006 00:29 488 logonui.exe.manifest
07.10.2006 00:29 488 WindowsLogon.manifest
07.10.2006 00:28 749 ncpa.cpl.manifest
07.10.2006 00:28 749 cdplayer.exe.manifest
07.10.2006 00:28 749 sapi.cpl.manifest
07.10.2006 00:28 749 nwc.cpl.manifest
07.10.2006 00:28 749 wuaucpl.cpl.manifest
07.10.2006 00:28 21.740 emptyregdb.dat
07.10.2006 00:25 0 h323log.txt
25.08.2006 05:47 379.640 pxwave.dll
25.08.2006 05:47 1.309.432 pxsfs.dll
25.08.2006 05:47 183.032 pxmas.dll
25.08.2006 05:47 115.880 pxinsi64.exe
25.08.2006 05:47 62.632 pxinsa64.exe
25.08.2006 05:47 67.240 pxhpinst.exe
25.08.2006 05:47 477.944 pxdrv.dll
25.08.2006 05:47 63.144 pxcpya64.exe
25.08.2006 05:47 129.784 pxafs.dll
25.08.2006 05:47 39.672 VXBLOCK.dll
25.08.2006 05:47 514.808 px.dll
11.08.2006 21:45 2.953.216 nvvitvsr.dll
11.08.2006 21:45 2.904.064 nvvitvs.dll
11.08.2006 21:45 888.832 nvmobls.dll
11.08.2006 21:45 2.859.008 nvmoblsr.dll
11.08.2006 21:45 458.752 nvmccssr.dll
11.08.2006 21:45 1.732.608 nvwssr.dll
11.08.2006 21:45 188.416 nvmccss.dll
11.08.2006 21:45 1.236.992 nvwss.dll
11.08.2006 21:45 2.928.640 nvgamesr.dll
11.08.2006 21:45 3.039.232 nvgames.dll
11.08.2006 21:45 5.251.072 nvdispsr.dll
11.08.2006 21:45 5.611.520 nvdisps.dll
11.08.2006 21:45 45.056 nvmccsrs.dll
11.08.2006 21:45 229.376 nvmccs.dll
11.08.2006 21:45 581.632 nvhwvid.dll
11.08.2006 21:44 147.456 nvcolor.exe
11.08.2006 21:43 196.608 nvapi.dll
11.08.2006 21:43 81.920 nvwddi.dll
11.08.2006 21:43 86.016 nvmctray.dll
11.08.2006 21:43 7.630.848 nvcpl.dll
11.08.2006 21:43 1.519.616 nwiz.exe
11.08.2006 21:43 466.944 nvshell.dll
11.08.2006 21:43 1.662.976 nvwdmcpl.dll
11.08.2006 21:43 69.632 nvcpl.cpl
11.08.2006 21:43 1.339.392 nvdspsch.exe
11.08.2006 21:43 425.984 keystone.exe
11.08.2006 21:43 794.624 nvcplui.exe
11.08.2006 21:43 1.011.712 nvcpluir.dll
11.08.2006 21:43 286.720 nvnt4cpl.dll
11.08.2006 21:43 1.019.904 nvwimg.dll
11.08.2006 21:43 442.368 nvappbar.exe
11.08.2006 21:43 73.728 nvtuicpl.cpl
11.08.2006 21:43 1.470.464 nview.dll
11.08.2006 21:43 311.296 nvexpbar.dll
11.08.2006 21:42 5.636.096 nvoglnt.dll
11.08.2006 21:42 4.496.128 nv4_disp.dll
11.08.2006 21:42 155.715 nvsvc32.exe
11.08.2006 21:42 16.960 nvdisp.nvu
11.08.2006 21:42 35.840 nvcodins.dll
11.08.2006 21:42 35.840 nvcod.dll
29.07.2006 19:32 48.936 sirenacm.dll
```

__________
-Taras
13.10.2006, 13:48
Honorary member
Posts: 29434
#10

Do the Windows updates - SP2 - report whether it worked !

** Post the stuff log again.
http://virus-protect.org/registry_stuff.html

** Post the 6 datfindbat logs again - 3 months back by date
http://virus-protect.org/datfindbat.html

__________
Regards, Sabina - all about PC security
13.10.2006, 21:41
...new here
Thread starter
Posts: 9
#11
```
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
  41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
  4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
  4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
  53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
  4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000258
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"restrictanonymoussam"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
  50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
  39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
  b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d0,1a,f9,39,0d,ee,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,6c,05,74,fd,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,f3,98,77,fd,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
```

13.10.2006 13:44 81.496 nvapps.xml
12.10.2006 16:52 311.604 perfh009.dat 12.10.2006 16:52 39.992 perfc009.dat 12.10.2006 16:52 316.594 perfh007.dat 12.10.2006 16:52 48.156 perfc007.dat 12.10.2006 16:52 723.568 PerfStringBackup.INI 12.10.2006 16:46 2.184 wpa.dbl 12.10.2006 16:46 90.296 FNTCACHE.DAT 11.10.2006 14:20 43.520 CmdLineExt03.dll 09.10.2006 17:26 16.832 amcompat.tlb 09.10.2006 17:25 23.392 nscompat.tlb 07.10.2006 11:42 552 d3d8caps.dat 07.10.2006 10:36 135.168 javaw.exe 07.10.2006 10:36 139.264 javaws.exe 07.10.2006 10:36 69.632 javacpl.cpl 07.10.2006 10:36 135.168 java.exe 07.10.2006 08:53 940 $winnt$.inf 07.10.2006 00:58 333 $ncsp$.inf 07.10.2006 00:44 66.048 VCLSMP50.bpl 07.10.2006 00:44 2.020.864 VCL50.bpl 07.10.2006 00:44 248.832 VCLX50.bpl 07.10.2006 00:44 157.696 rmoc3260.dll 07.10.2006 00:44 24.576 prefscpl.cpl 07.10.2006 00:44 5.632 pndx5032.dll 07.10.2006 00:44 6.656 pndx5016.dll 07.10.2006 00:44 278.528 pncrt.dll 07.10.2006 00:35 25.065 wmpscheme.xml 07.10.2006 00:30 2.953 CONFIG.NT 07.10.2006 00:29 488 logonui.exe.manifest 07.10.2006 00:29 488 WindowsLogon.manifest 07.10.2006 00:28 749 ncpa.cpl.manifest 07.10.2006 00:28 749 cdplayer.exe.manifest 07.10.2006 00:28 749 sapi.cpl.manifest 07.10.2006 00:28 749 nwc.cpl.manifest 07.10.2006 00:28 749 wuaucpl.cpl.manifest 07.10.2006 00:28 21.740 emptyregdb.dat 07.10.2006 00:25 0 h323log.txt 25.08.2006 05:47 379.640 pxwave.dll 25.08.2006 05:47 1.309.432 pxsfs.dll 25.08.2006 05:47 183.032 pxmas.dll 25.08.2006 05:47 115.880 pxinsi64.exe 25.08.2006 05:47 62.632 pxinsa64.exe 25.08.2006 05:47 67.240 pxhpinst.exe 25.08.2006 05:47 477.944 pxdrv.dll 25.08.2006 05:47 63.144 pxcpya64.exe 25.08.2006 05:47 129.784 pxafs.dll 25.08.2006 05:47 39.672 VXBLOCK.dll 25.08.2006 05:47 514.808 px.dll 11.08.2006 21:45 2.953.216 nvvitvsr.dll 11.08.2006 21:45 2.904.064 nvvitvs.dll 11.08.2006 21:45 888.832 nvmobls.dll 11.08.2006 21:45 2.859.008 nvmoblsr.dll 11.08.2006 21:45 458.752 nvmccssr.dll 11.08.2006 21:45 1.732.608 nvwssr.dll 11.08.2006 21:45 188.416 
nvmccss.dll 11.08.2006 21:45 1.236.992 nvwss.dll 11.08.2006 21:45 2.928.640 nvgamesr.dll 11.08.2006 21:45 3.039.232 nvgames.dll 11.08.2006 21:45 5.251.072 nvdispsr.dll 11.08.2006 21:45 5.611.520 nvdisps.dll 11.08.2006 21:45 45.056 nvmccsrs.dll 11.08.2006 21:45 229.376 nvmccs.dll 11.08.2006 21:45 581.632 nvhwvid.dll 11.08.2006 21:44 147.456 nvcolor.exe 11.08.2006 21:43 196.608 nvapi.dll 11.08.2006 21:43 81.920 nvwddi.dll 11.08.2006 21:43 86.016 nvmctray.dll 11.08.2006 21:43 7.630.848 nvcpl.dll 11.08.2006 21:43 1.519.616 nwiz.exe 11.08.2006 21:43 466.944 nvshell.dll 11.08.2006 21:43 1.662.976 nvwdmcpl.dll 11.08.2006 21:43 69.632 nvcpl.cpl 11.08.2006 21:43 1.339.392 nvdspsch.exe 11.08.2006 21:43 425.984 keystone.exe 11.08.2006 21:43 794.624 nvcplui.exe 11.08.2006 21:43 1.011.712 nvcpluir.dll 11.08.2006 21:43 286.720 nvnt4cpl.dll 11.08.2006 21:43 1.019.904 nvwimg.dll 11.08.2006 21:43 442.368 nvappbar.exe 11.08.2006 21:43 73.728 nvtuicpl.cpl 11.08.2006 21:43 1.470.464 nview.dll 11.08.2006 21:43 311.296 nvexpbar.dll 11.08.2006 21:42 5.636.096 nvoglnt.dll 11.08.2006 21:42 4.496.128 nv4_disp.dll 11.08.2006 21:42 155.715 nvsvc32.exe 11.08.2006 21:42 16.960 nvdisp.nvu 11.08.2006 21:42 35.840 nvcodins.dll 11.08.2006 21:42 35.840 nvcod.dll 29.07.2006 19:32 48.936 sirenacm.dll 24.03.2006 19:08 28.778 klogon.dll __________ -Taras |

14.10.2006, 00:16
Honorary member
Posts: 29434
#12
Go into the registry:
Start - Run - regedit
Edit - Find - netwks32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000 - change to 1

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe" - delete

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe" - delete

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2" - delete

Restart the PC.

** Post the new log from Stuff.
__________
Regards, Sabina
all about PC security
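The values this reply asks to correct can be verified mechanically in the next Stuff log instead of by eye. The following Python script is an added example, not a tool from this thread or from virus-protect.org: it parses a REGEDIT4-style export such as the Stuff log (including the backslash-continued hex lines), decodes the hex(2)/hex(7) strings so that ServiceDll and ImagePath entries become readable, and flags the three settings named in this reply. It goes a little beyond the reply by also checking the wscsvc start type and the Security Center notification values that the same log exports. The sample input is a constructed, shortened excerpt built from the posted log, and the expected "clean" state the checks compare against is this example's own assumption.

```python
import re

# Constructed sample: a shortened excerpt in the REGEDIT4 format of the "Stuff" log
# posted in this thread; keys, value names and values are taken from that log.
SAMPLE_LOG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000000
'''


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: raw value with type prefix}}.
    A trailing backslash continues hex data on the next line; '@' is the default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            keys[current]["@" if m.group(1) is None else m.group(1)] = m.group(2)
    return keys


def decode_hex_string(raw):
    """Decode hex(2)/hex(7) data (REG_EXPAND_SZ / REG_MULTI_SZ).  REGEDIT4 exports
    single-byte ANSI, NUL-terminated; multi-sz entries are joined with ' | '."""
    m = re.match(r"^hex\(\d+\):(.*)$", raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return " | ".join(p.decode("latin-1") for p in data.split(b"\x00") if p)


def _dword(raw):
    """Integer of a 'dword:xxxxxxxx' value, or None for any other type or for None."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw or "")
    return int(m.group(1), 16) if m else None


def check_export(keys):
    """Flag the values the reply above asks to correct, plus the wscsvc and Security
    Center values the same log exports.  The expected state is this example's assumption."""
    by_lower = {k.lower(): v for k, v in keys.items()}

    def val(key, name):  # registry paths are case-insensitive
        return by_lower.get(key.lower(), {}).get(name)

    findings = []
    fw = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
    for profile in ("StandardProfile", "DomainProfile"):
        if _dword(val(fw + "\\" + profile, "EnableFirewall")) == 0:
            findings.append(f"{profile}: EnableFirewall=0 (firewall disabled by policy)")
    # Report the autostart value under every key it appears in: the second log in
    # this thread shows it under HKLM keys as well as the two HKCU keys named above.
    for key, values in keys.items():
        if "Win Net Wks32" in values:
            findings.append(f'{key}: "Win Net Wks32"={values["Win Net Wks32"]} (should be deleted)')
    wu = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    if val(wu, "DoNotAllowXPSP2") is not None:
        findings.append("WindowsUpdate policy: DoNotAllowXPSP2 present (should be deleted)")
    if _dword(val(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start")) == 4:
        findings.append("wscsvc: Start=4 (Security Center service disabled)")
    sc = by_lower.get(r"hkey_local_machine\software\microsoft\security center", {})
    for name, raw in sc.items():
        if name.endswith(("DisableNotify", "Override")) and _dword(raw) == 1:
            findings.append(f"Security Center: {name}=1 (warning suppressed)")
    return findings


if __name__ == "__main__":
    for finding in check_export(parse_reg(SAMPLE_LOG)):
        print("FLAG:", finding)
```

Feeding the later Stuff log from this thread through the same script would still report every one of these values, which is the quick way to see that the edits did not stick.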

14.10.2006, 09:18
...new here
Thread starter Posts: 9
#13
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
-----------------------
-----------------------
REGEDIT4
-----------------------
-----------------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
  41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
  4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
  4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
  53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
  4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:0000025c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
  50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
  39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
  b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a0,b8,41,95,e6,e9,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
  41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
  4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
  4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
  53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
  4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000258
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"restrictanonymoussam"=dword:00000001
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
  50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
  39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
  b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d0,1a,f9,39,0d,ee,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,6c,05,74,fd,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,f3,98,77,fd,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
__________
-Taras

14.10.2006, 09:21
Honorary member
Posts: 29434
#14
Now we will give up; the worm is still on there, you cannot get the entries deleted, and the services have already been changed again.
It also makes no sense to try to clean something like this; the computer, which in addition has no Windows updates, is compromised. You have to format. Then don't forget to install the Windows updates immediately.
__________
Regards, Sabina
all about PC security

14.10.2006, 16:43
...new here
Thread starter Posts: 9
#15
I have already formatted; the worm somehow stayed on there ._.
And where can I see the worm?
__________
-Taras
This post was edited by Taras87 on 14.10.2006 at 17:02.
I think it could be due to the process mtcls32.exe, because every time I end it, whatever is currently running runs smoothly again. However, it starts itself again every time I end it. When I try to search for it, only the prefetch file is found.
What should I do about it?
Logfile of HijackThis v1.99.1
Scan saved at 16:29:52, on 10.10.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\ArcorOnline\Arcor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\mtcls32.exe
C:\Dokumente und Einstellungen\Taras\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1031
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Win Net Wks32] netwks32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FAAD534-19C1-4B62-9170-0C99822330E6}: NameServer = 195.50.140.250 195.50.140.114
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: mtc l32 (mtcl32) - Unknown owner - C:\WINDOWS\mtcls32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
----------------------------------
Verzeichnis von C:\WINDOWS\system32
11.10.2006 14:20 43.520 CmdLineExt03.dll
11.10.2006 13:31 81.496 nvapps.xml
09.10.2006 17:26 16.832 amcompat.tlb
09.10.2006 17:25 23.392 nscompat.tlb
08.10.2006 19:47 39.992 perfc009.dat
08.10.2006 19:47 311.604 perfh009.dat
08.10.2006 19:47 316.594 perfh007.dat
08.10.2006 19:47 48.156 perfc007.dat
08.10.2006 19:47 721.214 PerfStringBackup.INI
07.10.2006 11:42 552 d3d8caps.dat
07.10.2006 10:36 139.264 javaws.exe
07.10.2006 10:36 135.168 javaw.exe
07.10.2006 10:36 69.632 javacpl.cpl
07.10.2006 10:36 135.168 java.exe
07.10.2006 09:58 184.832 TFTP3728
07.10.2006 09:55 0 TFTP460
07.10.2006 09:49 94.208 FrameWork.exe
07.10.2006 09:43 0 TFTP1900
07.10.2006 08:53 940 $winnt$.inf
07.10.2006 00:58 333 $ncsp$.inf
07.10.2006 00:44 66.048 VCLSMP50.bpl
07.10.2006 00:44 2.020.864 VCL50.bpl
07.10.2006 00:44 248.832 VCLX50.bpl
edit
__________
-Taras