löschen von mtcls32.exe

#1 egal welches spiel oder programm ich starte, fängt es immer an stark zu ruckeln.
ich denke es könnte an dem prozess mtcls32.exe liegen, denn jedes mal wenn ich ihn beende, läuft das gerade laufende wieder flüssig. jedoch startet es sich bei jedem beenden immer wieder neu. wenn ich es suchen will, wird nur die prefetch datei gefunden.

was soll ich dagegen tun?

Logfile of HijackThis v1.99.1
Scan saved at 16:29:52, on 10.10.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\ArcorOnline\Arcor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\mtcls32.exe
C:\Dokumente und Einstellungen\Taras\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1031
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Win Net Wks32] netwks32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FAAD534-19C1-4B62-9170-0C99822330E6}: NameServer = 195.50.140.250 195.50.140.114
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: mtc l32 (mtcl32) - Unknown owner - C:\WINDOWS\mtcls32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe



----------------------------------




Verzeichnis von C:\WINDOWS\system32

11.10.2006 14:20 43.520 CmdLineExt03.dll
11.10.2006 13:31 81.496 nvapps.xml
09.10.2006 17:26 16.832 amcompat.tlb
09.10.2006 17:25 23.392 nscompat.tlb
08.10.2006 19:47 39.992 perfc009.dat
08.10.2006 19:47 311.604 perfh009.dat
08.10.2006 19:47 316.594 perfh007.dat
08.10.2006 19:47 48.156 perfc007.dat
08.10.2006 19:47 721.214 PerfStringBackup.INI
07.10.2006 11:42 552 d3d8caps.dat
07.10.2006 10:36 139.264 javaws.exe
07.10.2006 10:36 135.168 javaw.exe
07.10.2006 10:36 69.632 javacpl.cpl
07.10.2006 10:36 135.168 java.exe
07.10.2006 09:58 184.832 TFTP3728
07.10.2006 09:55 0 TFTP460
07.10.2006 09:49 94.208 FrameWork.exe
07.10.2006 09:43 0 TFTP1900
07.10.2006 08:53 940 $winnt$.inf
07.10.2006 00:58 333 $ncsp$.inf
07.10.2006 00:44 66.048 VCLSMP50.bpl
07.10.2006 00:44 2.020.864 VCL50.bpl
07.10.2006 00:44 248.832 VCLX50.bpl


edit
__________
-Taras

#2 wie kann man sich heutzutage ohne Windowsupdates ins Internet trauen ????

1.
sandbox.norman
http://sandbox.norman.no/live_4.html
diese zwei Dateien einkopieren und berichte dann, wenn du eine nachricht per mail erhaelst.

C:\WINDOWS\mtcls32.exe
C:\WINDOWS\system32\FrameWork.exe

2.
die datfindbat hat 6 logs, und es interessieren nur die Dateien der letzten 3 monate
http://virus-protect.org/datfindbat.html

3.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" ( reinkopieren)

mtcl32

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.


-----------------------------------------------

das sind anonyme FTP-Server, mit denen der hacker vollen Zugriff auf dein System hat...

C:\WINDOWS\system32\TFTP3728
C:\WINDOWS\system32\TFTP460
C:\WINDOWS\system32\TFTP1900
__________
MfG Sabina

rund um die PC-Sicherheit

#3 REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 11.10.2006 16:02:21 for strings:
; 'mtcl32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000]
"Service"="mtcl32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32\0000\Control]
"ActiveService"="mtcl32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32\Enum]
"0"="Root\\LEGACY_MTCL32\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32\0000]
"Service"="mtcl32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000]
"Service"="mtcl32"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32\0000\Control]
"ActiveService"="mtcl32"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32\Enum]
"0"="Root\\LEGACY_MTCL32\\0000"

[HKEY_USERS\S-1-5-21-220523388-261903793-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Arbeitsplatz\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_MTCL32\\0000"

; End Of The Log...














sandbox

mtcls32.exe : Not detected by Sandbox (Signature: W32/SDBot.AKXY)

[ General information ]
* Display message box (Debugger found) : Close debugger, and restart. Program will not be started.
* File length: 131072 bytes.
* MD5 hash: 4d899993e29693a1553eec4b29e92b89.
__________
-Taras

#4 und was wird zu C:\WINDOWS\system32\FrameWork.exe gesagt ?
__________
MfG Sabina

rund um die PC-Sicherheit

#5 C:\WINDOWS\system32\FrameWork.exe ist noch nicht angekommen.
wenn ich mir sp2 draufmache, wird mein inet total lahm (download < 2kb/s)




FrameWork.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* File length: 94208 bytes.
* MD5 hash: f2995b79932e3b40adad18ac58d112d9.
__________
-Taras

#6 Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32

Files to delete:
C:\WINDOWS\mtcls32.exe
C:\WINDOWS\system32\FrameWork.exe
C:\WINDOWS\system32\TFTP3728
C:\WINDOWS\system32\TFTP460
C:\WINDOWS\system32\TFTP1900

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
poste das log vom avenger, was nach neustart erscheint

**
scanne, lasse alles, was gefunden wird loeschen und poste den report
http://virus-protect.org/a2.html

**
poste dieses log
http://virus-protect.org/registry_stuff.html

**
Windows Worms Doors Cleaner - anwenden - alles auf gruen stellen
http://virus-protect.org/windsdoorcleaner.html

dann mache schnellstens unbedingt die Windowsupdates !!

____________

Zitat

http://www.sophos.de/security/analyses/w32rbotfmw.html
Der Wurm verbreitet sich auf andere Netzwerkcomputer, indem er häufige Pufferüberlauf-Schwachstellen ausnutzt, darunter: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) und MSSQL (MS02-039) (CAN-2002-0649).

Nebeneffekte

* Ermöglicht Dritten den Zugriff auf den Computer
* Reduziert die Systemsicherheit
* Installiert sich in der Registrierung
* Nutzt bekannte Schwachstellen aus

__________
MfG Sabina

rund um die PC-Sicherheit

#7 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mcbnbayc

*******************

Script file located at: \??\C:\WINDOWS\System32\mclkkvyl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MTCL32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mtcl32 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32
Status: 0xc0000034

File C:\WINDOWS\mtcls32.exe deleted successfully.
File C:\WINDOWS\system32\FrameWork.exe deleted successfully.
File C:\WINDOWS\system32\TFTP3728 deleted successfully.
File C:\WINDOWS\system32\TFTP460 deleted successfully.
File C:\WINDOWS\system32\TFTP1900 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.






doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"


[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"Win Net Wks32"="netwks32.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:0000025c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a0,b8,41,95,e6,e9,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000



a-squared Free - Version 2.0

Scan Einstellungen:

Objekte: Speicher, Traces, Cookies, C:\WINDOWS, C:\Programme
Archiv Scan: An
Heuristik: An
ADS Scan: An

Scan Beginn: 12.10.2006 06:35:10

Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_msdirectx gefunden: Trace.Registry.Aimbot
C:\Dokumente und Einstellungen\Taras\Cookies\taras@2o7[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@adtech[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@atdmt[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@weborama[2].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Cookies\taras@zedo[1].txt gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:18 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:20 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:21 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:62 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:63 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:64 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:65 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:71 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:116 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:118 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:127 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:146 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:185 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:241 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:242 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:265 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:267 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:276 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:277 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:321 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:322 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:323 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:324 gefunden: Trace.TrackingCookie
C:\Dokumente und Einstellungen\Taras\Anwendungsdaten\Mozilla\Firefox\Profiles\iu6q5wu9.default\cookies.txt:325 gefunden: Trace.TrackingCookie

Gescannt

Dateien: 58724
Traces: 75690
Cookies: 411
Prozesse: 20

Gefunden

Dateien: 0
Traces: 1
Cookies: 29
Prozesse: 0
Registry Keys: 0

Scan Ende: 12.10.2006 06:54:15
Scan Zeit: 00:19:05
__________
-Taras

#8 1.
poste dieses log
http://www.f-secure.com/blacklight/
starte die Datei, nimm die Lizenzbestimmung an und waehle scan, wenn es mit dem Scan fertig ist, druecke next und danach close. Nun befindet sich im selben Ordner von Blacklight eine FSB*.TXT Datei

2.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. Die Datei "fixme.reg" auf dem Desktop doppelklicken und der Registry mit "ja" oder "yes" beifügen

Zitat

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=-
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=-
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=-
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"=-
"EnableDCOM"="Y"
"MSI_Place_holder"=-
"Win Net Wks32"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymoussam"=-
"restrictanonymoussam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-
"DoNotAllowXPSP2"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

Avenger

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx

Files to delete:
C:\WINDOWS\system32\netwks32.exe
C:\WINDOWS\system32\msdirectx.sys

**
poste das log vom avenger, nach neustart

**
mache die Windowsupdates - SP2 - berichte, ob es geklappt hat !

**
poste noch mal das log vom stuff.
http://virus-protect.org/registry_stuff.html

**
poste noch mal die 6 logs von datfindbat - 3 Monate vom Datum her
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jgaauavk

*******************

Script file located at: \??\C:\Program Files\rsjinltf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx
Status: 0xc0000034



File C:\WINDOWS\system32\netwks32.exe not found!
Deletion of file C:\WINDOWS\system32\netwks32.exe failed!

Could not process line:
C:\WINDOWS\system32\netwks32.exe
Status: 0xc0000034



File C:\WINDOWS\system32\msdirectx.sys not found!
Deletion of file C:\WINDOWS\system32\msdirectx.sys failed!

Could not process line:
C:\WINDOWS\system32\msdirectx.sys
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.








Verzeichnis von C:\WINDOWS\system32

13.10.2006 13:44 81.496 nvapps.xml
12.10.2006 16:52 311.604 perfh009.dat
12.10.2006 16:52 39.992 perfc009.dat
12.10.2006 16:52 316.594 perfh007.dat
12.10.2006 16:52 48.156 perfc007.dat
12.10.2006 16:52 723.568 PerfStringBackup.INI
12.10.2006 16:46 2.184 wpa.dbl
12.10.2006 16:46 90.296 FNTCACHE.DAT
11.10.2006 14:20 43.520 CmdLineExt03.dll
09.10.2006 17:26 16.832 amcompat.tlb
09.10.2006 17:25 23.392 nscompat.tlb
07.10.2006 11:42 552 d3d8caps.dat
07.10.2006 10:36 135.168 javaw.exe
07.10.2006 10:36 139.264 javaws.exe
07.10.2006 10:36 69.632 javacpl.cpl
07.10.2006 10:36 135.168 java.exe
07.10.2006 08:53 940 $winnt$.inf
07.10.2006 00:58 333 $ncsp$.inf
07.10.2006 00:44 66.048 VCLSMP50.bpl
07.10.2006 00:44 2.020.864 VCL50.bpl
07.10.2006 00:44 248.832 VCLX50.bpl
07.10.2006 00:44 157.696 rmoc3260.dll
07.10.2006 00:44 24.576 prefscpl.cpl
07.10.2006 00:44 5.632 pndx5032.dll
07.10.2006 00:44 6.656 pndx5016.dll
07.10.2006 00:44 278.528 pncrt.dll
07.10.2006 00:35 25.065 wmpscheme.xml
07.10.2006 00:30 2.953 CONFIG.NT
07.10.2006 00:29 488 logonui.exe.manifest
07.10.2006 00:29 488 WindowsLogon.manifest
07.10.2006 00:28 749 ncpa.cpl.manifest
07.10.2006 00:28 749 cdplayer.exe.manifest
07.10.2006 00:28 749 sapi.cpl.manifest
07.10.2006 00:28 749 nwc.cpl.manifest
07.10.2006 00:28 749 wuaucpl.cpl.manifest
07.10.2006 00:28 21.740 emptyregdb.dat
07.10.2006 00:25 0 h323log.txt
25.08.2006 05:47 379.640 pxwave.dll
25.08.2006 05:47 1.309.432 pxsfs.dll
25.08.2006 05:47 183.032 pxmas.dll
25.08.2006 05:47 115.880 pxinsi64.exe
25.08.2006 05:47 62.632 pxinsa64.exe
25.08.2006 05:47 67.240 pxhpinst.exe
25.08.2006 05:47 477.944 pxdrv.dll
25.08.2006 05:47 63.144 pxcpya64.exe
25.08.2006 05:47 129.784 pxafs.dll
25.08.2006 05:47 39.672 VXBLOCK.dll
25.08.2006 05:47 514.808 px.dll
11.08.2006 21:45 2.953.216 nvvitvsr.dll
11.08.2006 21:45 2.904.064 nvvitvs.dll
11.08.2006 21:45 888.832 nvmobls.dll
11.08.2006 21:45 2.859.008 nvmoblsr.dll
11.08.2006 21:45 458.752 nvmccssr.dll
11.08.2006 21:45 1.732.608 nvwssr.dll
11.08.2006 21:45 188.416 nvmccss.dll
11.08.2006 21:45 1.236.992 nvwss.dll
11.08.2006 21:45 2.928.640 nvgamesr.dll
11.08.2006 21:45 3.039.232 nvgames.dll
11.08.2006 21:45 5.251.072 nvdispsr.dll
11.08.2006 21:45 5.611.520 nvdisps.dll
11.08.2006 21:45 45.056 nvmccsrs.dll
11.08.2006 21:45 229.376 nvmccs.dll
11.08.2006 21:45 581.632 nvhwvid.dll
11.08.2006 21:44 147.456 nvcolor.exe
11.08.2006 21:43 196.608 nvapi.dll
11.08.2006 21:43 81.920 nvwddi.dll
11.08.2006 21:43 86.016 nvmctray.dll
11.08.2006 21:43 7.630.848 nvcpl.dll
11.08.2006 21:43 1.519.616 nwiz.exe
11.08.2006 21:43 466.944 nvshell.dll
11.08.2006 21:43 1.662.976 nvwdmcpl.dll
11.08.2006 21:43 69.632 nvcpl.cpl
11.08.2006 21:43 1.339.392 nvdspsch.exe
11.08.2006 21:43 425.984 keystone.exe
11.08.2006 21:43 794.624 nvcplui.exe
11.08.2006 21:43 1.011.712 nvcpluir.dll
11.08.2006 21:43 286.720 nvnt4cpl.dll
11.08.2006 21:43 1.019.904 nvwimg.dll
11.08.2006 21:43 442.368 nvappbar.exe
11.08.2006 21:43 73.728 nvtuicpl.cpl
11.08.2006 21:43 1.470.464 nview.dll
11.08.2006 21:43 311.296 nvexpbar.dll
11.08.2006 21:42 5.636.096 nvoglnt.dll
11.08.2006 21:42 4.496.128 nv4_disp.dll
11.08.2006 21:42 155.715 nvsvc32.exe
11.08.2006 21:42 16.960 nvdisp.nvu
11.08.2006 21:42 35.840 nvcodins.dll
11.08.2006 21:42 35.840 nvcod.dll
29.07.2006 19:32 48.936 sirenacm.dll
__________
-Taras

#10 mache die Windowsupdates - SP2 - berichte, ob es geklappt hat !

**
poste noch mal das log vom stuff.
http://virus-protect.org/registry_stuff.html

**
poste noch mal die 6 logs von datfindbat - 3 Monate vom Datum her
http://virus-protect.org/datfindbat.html
__________
__________
MfG Sabina

rund um die PC-Sicherheit

#11 doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"


[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000258
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"restrictanonymoussam"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d0,1a,f9,39,0d,ee,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,6c,05,74,fd,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,f3,98,77,fd,4e,c2,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001







13.10.2006 13:44 81.496 nvapps.xml
12.10.2006 16:52 311.604 perfh009.dat
12.10.2006 16:52 39.992 perfc009.dat
12.10.2006 16:52 316.594 perfh007.dat
12.10.2006 16:52 48.156 perfc007.dat
12.10.2006 16:52 723.568 PerfStringBackup.INI
12.10.2006 16:46 2.184 wpa.dbl
12.10.2006 16:46 90.296 FNTCACHE.DAT
11.10.2006 14:20 43.520 CmdLineExt03.dll
09.10.2006 17:26 16.832 amcompat.tlb
09.10.2006 17:25 23.392 nscompat.tlb
07.10.2006 11:42 552 d3d8caps.dat
07.10.2006 10:36 135.168 javaw.exe
07.10.2006 10:36 139.264 javaws.exe
07.10.2006 10:36 69.632 javacpl.cpl
07.10.2006 10:36 135.168 java.exe
07.10.2006 08:53 940 $winnt$.inf
07.10.2006 00:58 333 $ncsp$.inf
07.10.2006 00:44 66.048 VCLSMP50.bpl
07.10.2006 00:44 2.020.864 VCL50.bpl
07.10.2006 00:44 248.832 VCLX50.bpl
07.10.2006 00:44 157.696 rmoc3260.dll
07.10.2006 00:44 24.576 prefscpl.cpl
07.10.2006 00:44 5.632 pndx5032.dll
07.10.2006 00:44 6.656 pndx5016.dll
07.10.2006 00:44 278.528 pncrt.dll
07.10.2006 00:35 25.065 wmpscheme.xml
07.10.2006 00:30 2.953 CONFIG.NT
07.10.2006 00:29 488 logonui.exe.manifest
07.10.2006 00:29 488 WindowsLogon.manifest
07.10.2006 00:28 749 ncpa.cpl.manifest
07.10.2006 00:28 749 cdplayer.exe.manifest
07.10.2006 00:28 749 sapi.cpl.manifest
07.10.2006 00:28 749 nwc.cpl.manifest
07.10.2006 00:28 749 wuaucpl.cpl.manifest
07.10.2006 00:28 21.740 emptyregdb.dat
07.10.2006 00:25 0 h323log.txt
25.08.2006 05:47 379.640 pxwave.dll
25.08.2006 05:47 1.309.432 pxsfs.dll
25.08.2006 05:47 183.032 pxmas.dll
25.08.2006 05:47 115.880 pxinsi64.exe
25.08.2006 05:47 62.632 pxinsa64.exe
25.08.2006 05:47 67.240 pxhpinst.exe
25.08.2006 05:47 477.944 pxdrv.dll
25.08.2006 05:47 63.144 pxcpya64.exe
25.08.2006 05:47 129.784 pxafs.dll
25.08.2006 05:47 39.672 VXBLOCK.dll
25.08.2006 05:47 514.808 px.dll
11.08.2006 21:45 2.953.216 nvvitvsr.dll
11.08.2006 21:45 2.904.064 nvvitvs.dll
11.08.2006 21:45 888.832 nvmobls.dll
11.08.2006 21:45 2.859.008 nvmoblsr.dll
11.08.2006 21:45 458.752 nvmccssr.dll
11.08.2006 21:45 1.732.608 nvwssr.dll
11.08.2006 21:45 188.416 nvmccss.dll
11.08.2006 21:45 1.236.992 nvwss.dll
11.08.2006 21:45 2.928.640 nvgamesr.dll
11.08.2006 21:45 3.039.232 nvgames.dll
11.08.2006 21:45 5.251.072 nvdispsr.dll
11.08.2006 21:45 5.611.520 nvdisps.dll
11.08.2006 21:45 45.056 nvmccsrs.dll
11.08.2006 21:45 229.376 nvmccs.dll
11.08.2006 21:45 581.632 nvhwvid.dll
11.08.2006 21:44 147.456 nvcolor.exe
11.08.2006 21:43 196.608 nvapi.dll
11.08.2006 21:43 81.920 nvwddi.dll
11.08.2006 21:43 86.016 nvmctray.dll
11.08.2006 21:43 7.630.848 nvcpl.dll
11.08.2006 21:43 1.519.616 nwiz.exe
11.08.2006 21:43 466.944 nvshell.dll
11.08.2006 21:43 1.662.976 nvwdmcpl.dll
11.08.2006 21:43 69.632 nvcpl.cpl
11.08.2006 21:43 1.339.392 nvdspsch.exe
11.08.2006 21:43 425.984 keystone.exe
11.08.2006 21:43 794.624 nvcplui.exe
11.08.2006 21:43 1.011.712 nvcpluir.dll
11.08.2006 21:43 286.720 nvnt4cpl.dll
11.08.2006 21:43 1.019.904 nvwimg.dll
11.08.2006 21:43 442.368 nvappbar.exe
11.08.2006 21:43 73.728 nvtuicpl.cpl
11.08.2006 21:43 1.470.464 nview.dll
11.08.2006 21:43 311.296 nvexpbar.dll
11.08.2006 21:42 5.636.096 nvoglnt.dll
11.08.2006 21:42 4.496.128 nv4_disp.dll
11.08.2006 21:42 155.715 nvsvc32.exe
11.08.2006 21:42 16.960 nvdisp.nvu
11.08.2006 21:42 35.840 nvcodins.dll
11.08.2006 21:42 35.840 nvcod.dll
29.07.2006 19:32 48.936 sirenacm.dll
24.03.2006 19:08 28.778 klogon.dll
__________
-Taras

#12 gehe in die Registry
Start - Ausfuehren - regedit

bearbeiten - suchen - netwks32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000 - in 1 aendern

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe" - loeschen


[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe" - loeschen

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2" - loeschen

PC neustarten

**
poste das neue log vom Stuff
__________
MfG Sabina

rund um die PC-Sicherheit

#13 doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
-----------------------
-----------------------
REGEDIT4
-----------------------
-----------------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"


[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Win Net Wks32"="netwks32.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"Win Net Wks32"="netwks32.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:0000025c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a0,b8,41,95,e6,e9,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,4e,4c,41,00,52,61,73,4d,61,6e,00,\
41,4c,47,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:1d,9d,d6,7b,72,b1,44,49,85,80,31,83,55,ab,dd,9b
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000


[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Win Net Wks32"="netwks32.exe"


[HKEY_CURRENT_USER\Software\Microsoft\OLE]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000258
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"restrictanonymoussam"=dword:00000001
"Win Net Wks32"="netwks32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:1c,b3,b7,17,5f,1e,42,c9,0f,41,5d,0b,9e,5c,28,3d,35,34,30,65,39,\
39,31,30,00,00,00,00,01,00,00,00,b0,01,00,00,b4,01,00,00,40,ca,06,00,5b,a5,\
b7,71,04,00,00,00,10,00,00,00,00,00,00,00,1a,6f,28,ab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f0,0c,6d,30,80,c4,99,22,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:9f,76,9f,08,08,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3d,03,a0,e7,3c,a4,94,b6,7c,44,fa,a7,60,82,4f,31

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:d0,1a,f9,39,0d,ee,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,6c,05,74,fd,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,90,e2,8a,cc,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,f3,98,77,fd,4e,c2,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001


__________
-Taras

#14 nun werden wir es aufgeben, der Wurm ist immer noch drauf, du bekommst die Eintraege nicht geloescht und die Dienste sind schon wieder verstellt.
es macht auch keinen Sinn sowas reinigen zu wollen, der Rechner, zudem ohne Windowsupdates ist komromitiert , du musst formatieren.
dann vergiss nicht, sofort die Windowsupdates zu machen.
__________
MfG Sabina

rund um die PC-Sicherheit

#15 hab bereits formatiert, der wurm is irgendwie draufgeblieben ._.

und wo kann ich den wurm sehen?
__________
-Taras