Log analysis and evaluation: I've been hijacked - I'm now at my wits' end
23.08.2005, 12:25 | #1 |
Hello forum,

I have caught a hijacker. I read through everything in the forum and carried it out.
CWS found nothing
Adware found nothing
Then I started with HJT
I removed the attached entries from the HJT log.
After that it did get better, but it is not completely gone yet
Now I don't know any more what else I should throw out
Where can I read more about this?
How can I proceed?

Many thanks
JoEh

Removed from HJT log:
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\lthba.dll
O4 - HKCU\..\Run: [WareOut] "C:\Programme\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [DCC_send] ExchangeMaster.exe
O4 - HKCU\..\Run: [NukeSpan] avpmondll.exe
O4 - HKCU\..\Run: [NSYSCPLSTR] StatusCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\WareOut\WareOut.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1447E809-7E4B-4D78-B87D-56C84272E61B}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF3ED80A-5472-4F71-9EE3-14364A5589C8}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{1447E809-7E4B-4D78-B87D-56C84272E61B}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{1447E809-7E4B-4D78-B87D-56C84272E61B}: NameServer = 69.50.176.158,85.255.112.8

Current log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\Agilent\IO Libraries\bin\iprocsvr.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Programme\Agilent\IO Libraries\bin\iproc82357.exe
C:\Programme\Agilent\IO Libraries\bin\iproc488.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Programme\Internet Explorer\iexplore.exe
c:\projekte\download\adware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.10:3128
R3 - URLSearchHook: (no name) - {E98938F2-BA4F-80A6-9A4E-A97DA5F29FB7} - sound64.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\lthba.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programme\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Programme\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Programme\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [borlandg] panel_its.exe
O4 - HKLM\..\Run: [TemplateDongle] sysconf16.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Programme\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: IO Control.lnk = ?
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123411190614
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BE4C32B-7C0E-4A2E-B3B4-F1068A44C183}: NameServer = 192.168.100.10
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
23.08.2005, 12:37 | #2 |
Why did you remove the first 4 lines (operating system etc.)?

Fix these with HijackThis:
R3 - URLSearchHook: (no name) - {E98938F2-BA4F-80A6-9A4E-A97DA5F29FB7} - sound64.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\lthba.dll
O4 - HKLM\..\Run: [borlandg] panel_its.exe
O4 - HKLM\..\Run: [TemplateDongle] sysconf16.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

Delete these files in safe mode:
c:\windows\system32\lthba.dll
c:\windows\system32\panel_its.exe
c:\windows\system32\sysconf16.exe
C:\Programme\WareOut\WareOut.exe
c:\windows\system32\ExchangeMaster.exe
c:\windows\system32\avpmondll.exe
c:\windows\system32\StatusCheck.exe

Empty the recycle bin on C: and run an eScan.
If not done already, patch the system (install SP2).
23.08.2005, 12:46 | #3 | |
@ chris14
regarding quote:
http://www.sophos.com/virusinfo/anal...ojsdbotfb.html
Wouldn't a fresh reinstall be advisable here again?

See you, stupormundi
23.08.2005, 12:47 | #4 |
Not necessarily. That is also WareOut malware. And the entry:
>O4 - HKLM\..\Run: [TemplateDongle] sysconf16.exe
points more to the WareOut trojan than to a bot. But you have made me suspicious;
@joeh have the file sysconf16.exe checked at http://virusscan.jotti.org/de and post the result.
23.08.2005, 12:53 | #5 |
Hello,
apart from the downloader in the recycle bin, everything belongs to it:
http://www.doxdesk.com/parasite/WareOut.html (removal is described)
There are plenty of other files as well.

dartus
__________________
No support via PM
23.08.2005, 12:56 | #6 |
Exactly. That is why he should definitely run an eScan. I already know that there is quite a bit of other trojan stuff on the system.
23.08.2005, 20:52 | #7 |
Many thanks for the extensive answers!

The background:
On 5 August the computer stopped booting. The day before I had installed and uninstalled a whole bunch of tools.
I could still get at the disk through my Linux and was able to rescue the data.
Then I installed XP Pro from the recovery CD.
I ran the Microsoft update over it (it went fairly quickly, possibly a rollup update???)
Put on Norton AntiVirus and Outpost firewall, and the old data(!!!) I think that is where it sits.
Then, 2 weeks later, the hijack business.
Norton scan, CWShredder, Adware, Spybot -> none of them found anything.
Then I also loaded SP2 on top, which took half an hour.
I think the virus(???) is in the data from the backup.

I will now carry out
1. http://www.doxdesk.com/parasite/WareOut.html
2. http://virusscan.jotti.org/de
3. eScan

@chris14 12:37
The DNS and alternate DNS servers were totally messed up. That is why I took out the four lines with the IP addresses.

Edited by JoEh (23.08.2005 at 20:58)
23.08.2005, 21:27 | #8 |
I don't mean the DNS, but rather things like operating system, service packs etc. But I think everything is fine there (you just wrote that you are running the patches over it).
24.08.2005, 06:51 | #9 |
@chris14: Sorry for the misunderstanding. The first four entries: everything I could not identify I entered on the net (Google) and read through what the world says about it. Then I threw out the things where it is said that it is better to delete them.

I have now carried all of that out. Overall, however, the situation has got worse.
But one thing at a time:
1. WareOut: I had already used the uninstaller that the thing brings along, and I no longer found any of the files listed at doxdesk
2. sysconf16.exe: The file does not exist on my computer
3. eScan: Ran for over 6 hours; abridged log at the end

In addition:
A. A box pops up in the taskbar with "Your computer might by a risk ..."; if you click on it, an HH.exe tries to load something from a winprotct.net site
B. Norton AV constantly complains about an hclean32.exe in which a trojan is supposed to sit; the file does not exist on my computer
C. Although I had the Microsoft update run completely, it has installed an SP2 yet again
D. After booting, the computer starts a DSL connection for no reason

Overall this does not look good. I am close to wiping the computer again. But then I will probably have the problem again in 14 days, and besides it is my production machine (this really sucks)

Regards, JoEh

Here is the eScan log (shortened to all flagged entries)
Wed Aug 24 06:34:19 2005 => Scanning File C:\WINDOWS\System32\lthba.dll
Wed Aug 24 06:34:22 2005 => File C:\WINDOWS\System32\lthba.dll tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
Wed Aug 24 06:34:35 2005 => ERROR!!! Invalid Entry borlandg = panel_its.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
Wed Aug 24 06:34:35 2005 => ERROR!!! Invalid Entry TemplateDongle = sysconf16.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
Wed Aug 24 06:34:56 2005 => System found infected with AdWare.ToolBar.SBSoft.h Spyware/Adware ({08BEC6AA-49FC-4379-3587-4B21E286C19E})! Action taken: No Action Taken.
Wed Aug 24 06:35:30 2005 => Offending file found: C:\DOKUME~1\JoEh\LOKALE~1\Temp\insthelp.dll
Wed Aug 24 06:35:30 2005 => System found infected with RedV Spyware/Adware (insthelp.dll)! Action taken: No Action Taken.
Wed Aug 24 06:35:55 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Wed Aug 24 06:35:57 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Wed Aug 24 06:35:57 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Roxioscan.exe" refers to invalid object "C:\Programme\Gemeinsame Dateien\Roxio Shared\Support\Roxioscan.exe". Action Taken: No Action Taken.
Wed Aug 24 06:35:57 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Programme\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Wed Aug 24 06:35:58 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\WINDOWS\yourapp.Exe". Action Taken: No Action Taken.
Wed Aug 24 06:35:59 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Acrobat 6.0\TempIccProfiles\". Action Taken: No Action Taken.
Wed Aug 24 06:35:59 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Acrobat 6.0\TempIccProfiles\Non-Recommended\". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".013". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".abs". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".acr". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".b3d". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cam". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cfm". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".crw". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dcm". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dcx". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dds". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".djvu". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ecw". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".fpx". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".fsh". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".g3". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gsm". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".hwl". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".icl". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ics". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".iff". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".img". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".iw44". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".j2k". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jng". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jp2". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jpc". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jpm". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".kdc". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lbm". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ldf". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lds". Action Taken: No Action Taken.
Wed Aug 24 06:36:00 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lwf". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".med". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mng". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ngg". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".nlm". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".nol". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ogg". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pbm". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pgm". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ppm". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".prj". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".psp". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ras". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".raw". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rgb". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sff". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sfw". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sgi". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sid". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".st5". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sun". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tga". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wbmp". Action Taken: No Action Taken.
Wed Aug 24 06:36:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xpm". Action Taken: No Action Taken.
Wed Aug 24 06:36:02 2005 => Entry "HKCR\CLSID\{0662245D-254C-4363-AA70-D909C154A688}" refers to invalid object ".\sldwebpub.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:02 2005 => Entry "HKCR\CLSID\{0880413D-9C3D-11D3-B931-00C04F8EF738}" refers to invalid object ".\sldse.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:03 2005 => Entry "HKCR\CLSID\{1C9BC2F5-6822-11d2-B8A7-00C04F8EF738}" refers to invalid object ".\sldug.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:04 2005 => Entry "HKCR\CLSID\{2FC765C5-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:04 2005 => Entry "HKCR\CLSID\{2FC765C6-AE47-11D1-9975-00805F8AC636}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:04 2005 => Entry "HKCR\CLSID\{2FC765C7-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:04 2005 => Entry "HKCR\CLSID\{2FC765C8-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "edpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:04 2005 => Entry "HKCR\CLSID\{2FC765CB-AE47-11D1-9975-00805F8AC63E}" refers to invalid object "mnpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:04 2005 => Entry "HKCR\CLSID\{2FC765CC-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "mnpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:05 2005 => Entry "HKCR\CLSID\{4575C431-E2CB-11d2-B8E0-00C04F8EF738}" refers to invalid object ".\sld2demu.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:05 2005 => Entry "HKCR\CLSID\{46C64A4D-2B14-11D2-B484-00C04FA33EF2}" refers to invalid object "ShellExt\sldicon.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:05 2005 => Entry "HKCR\CLSID\{47B4ACA1-B1C4-11d2-8398-0008C7B2F44D}" refers to invalid object ".\sldmdt.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:06 2005 => Entry "HKCR\CLSID\{5d3d7a00-5f31-11d1-b1c9-0020af351f6f}" refers to invalid object ".\sldtrans.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:07 2005 => Entry "HKCR\CLSID\{62845280-4FE2-11D1-8EAC-00805FD26FAA}" refers to invalid object "lipref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:07 2005 => Entry "HKCR\CLSID\{6B8FE721-A25A-11d3-B45B-0008C7B2ECD7}" refers to invalid object ".\sldinventor.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:07 2005 => Entry "HKCR\CLSID\{700D36FB-3889-11D4-AF00-00C04F61025C}" refers to invalid object ".\sldxgl.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:08 2005 => Entry "HKCR\CLSID\{744C3DF0-DFAE-11D1-826B-00805F2AB103}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:08 2005 => Entry "HKCR\CLSID\{7EFD5D24-CB58-11d4-88F5-00B0D0239602}" refers to invalid object ".\sldjpeg.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:09 2005 => Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:11 2005 => Entry "HKCR\CLSID\{BBEF802E-1021-11d4-BD57-00C04F019809}" refers to invalid object ".\sldcollab.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:11 2005 => Entry "HKCR\CLSID\{C0A97BDB-3080-11D3-B908-00C04F8EF738}" refers to invalid object ".\sldcgr.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:12 2005 => Entry "HKCR\CLSID\{C90DF1A7-4DEF-11D4-AF15-00C04F61025C}" refers to invalid object ".\sldhsf.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:13 2005 => Entry "HKCR\CLSID\{E49F0B41-3322-11D4-AEFE-00C04F61025C}" refers to invalid object ".\sldmts.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:13 2005 => Entry "HKCR\CLSID\{E98938F2-BA4F-80A6-9A4E-A97DA5F29FB7}" refers to invalid object "sound64.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:14 2005 => Entry "HKCR\CLSID\{EA320F72-9CFB-11D3-B931-00C04F8EF738}" refers to invalid object ".\slddxf3d.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:14 2005 => Entry "HKCR\CLSID\{F335158C-A691-11D3-B934-00C04F8EF738}" refers to invalid object ".\sldhcg.dll". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.det" refers to invalid object "DETFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:17 2005 => Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:18 2005 => Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:18 2005 => Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:18 2005 => Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Wed Aug 24 06:36:18 2005 => Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Wed Aug 24 06:36:18 2005 => Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Wed Aug 24 06:36:20 2005 => Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Wed Aug 24 06:36:20 2005 => Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Wed Aug 24 06:36:21 2005 => Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Wed Aug 24 06:36:22 2005 => Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Wed Aug 24 06:36:22 2005 => Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Wed Aug 24 06:36:24 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Wed Aug 24 06:36:24 2005 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Wed Aug 24 06:36:24 2005 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Wed Aug 24 06:36:30 2005 => Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Wed Aug 24 06:36:32 2005 => ***** Checking for specific ITW Viruses *****
Wed Aug 24 06:36:32 2005 => Checking for Welchia Virus...
Wed Aug 24 06:36:32 2005 => Checking for LovGate Virus...
Wed Aug 24 06:36:32 2005 => Checking for CodeRed Virus...
Wed Aug 24 06:36:32 2005 => Checking for OpaServ Virus...
Wed Aug 24 06:36:32 2005 => Checking for Sobig.e Virus...
Wed Aug 24 06:36:32 2005 => Checking for Winupie Virus...
Wed Aug 24 06:36:33 2005 => Checking for Swen Virus...
Wed Aug 24 06:36:33 2005 => Checking for JS.Fortnight Virus...
Wed Aug 24 06:36:33 2005 => Checking for Novarg Virus...
Wed Aug 24 06:36:33 2005 => Checking for Pagabot Virus...
Wed Aug 24 06:36:33 2005 => Checking for Parite.b Virus...
Wed Aug 24 06:36:33 2005 => Checking for Parite.a Virus...
Wed Aug 24 06:36:33 2005 => Checking for Adware.SeekSeek Virus...
Wed Aug 24 06:36:33 2005 => ***** Scanning complete. *****
Wed Aug 24 06:36:33 2005 => Total Objects Scanned: 20863
Wed Aug 24 06:36:33 2005 => Total Virus(es) Found: 3
Wed Aug 24 06:36:33 2005 => Total Disinfected Files: 0
Wed Aug 24 06:36:33 2005 => Total Files Renamed: 0
Wed Aug 24 06:36:33 2005 => Total Deleted Objects: 0
Wed Aug 24 06:36:33 2005 => Total Errors: 115
Wed Aug 24 06:36:33 2005 => Time Elapsed: 00:02:30
Wed Aug 24 06:36:33 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:36:33 2005 => Virus Database Count: 144970
Wed Aug 24 06:36:34 2005 => Scan Completed.
Wed Aug 24 06:39:36 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:36 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:37 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:37 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:39 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:39 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:40 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:40 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:41 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:41 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:42 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:42 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:43 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:43 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:45 2005 => Virus Database Date: 2005/08/22
Wed Aug 24 06:39:45 2005 => Virus Database Count: 144970
Wed Aug 24 06:39:45 2005 => AV Library Unloaded (3)...