Trojaner-Board - Unerwünschte Werbung + Weiterleitung durch Google

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - Unerwünschte Werbung + Weiterleitung durch Google (https://www.trojaner-board.de/75502-unerwuenschte-werbung-weiterleitung-google.html)

Unerwünschte Werbung + Weiterleitung durch Google

Hallo!

Der Titel sagt schon alles aus: Ich werde durch Google oftmals auf unerwünschte Seiten weitergeleitet. Ich bekomme auch sonst Werbungen, auch, dass mein PC beschädigt sei. Allerdings ist diese Warnung auf englisch und somit ein Fake (?).

Ohne mehr drumherum zu reden, möchte ich gleich die Hinweise dieses Forums umsetzten und bitte um Hilfe.

HijackThis Log-Files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:34, on 19.07.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe
C:\Programme\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\windows\pp10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE
C:\WINDOWS\9129837.exe
C:\WINDOWS\system32\sistray.exe
C:\Programme\FSC\Wireless Utility\WirelessSelector.exe
C:\Programme\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\sndvol32.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows Live\Toolbar\wltuser.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchPadHotKey] C:\Programme\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe
O4 - HKLM\..\Run: [Windows MSN Live Messanger] livemsngs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl8] C:\Programme\CyberLink\PowerDVD8\PDVD8Serv.exe
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] C:\Programme\CyberLink\PowerDVD8\Language\Language.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S4E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S1C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Dokumente und Einstellungen\bitanem\Anwendungsdaten\Macromedia\Common\429700261.dll""
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia\Common\429700261.dll"" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Picture Motion Browser Medien-Prüfung.lnk = C:\Programme\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: rncsys32.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: WirelessSelector.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://80.237.209.20/objects/NpFv501.dll

--
End of file - 6121 bytes

Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2462
Windows 5.1.2600 Service Pack 2

19.07.2009 18:56:30
mbam-log-2009-07-19 (18-56-30).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 126367
Laufzeit: 25 minute(s), 36 second(s)

Infizierte Speicherprozesse: 2
Infizierte Speichermodule: 2
Infizierte Registrierungsschlüssel: 4
Infizierte Registrierungswerte: 7
Infizierte Dateiobjekte der Registrierung: 12
Infizierte Verzeichnisse: 0
Infizierte Dateien: 28

Infizierte Speicherprozesse:
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Unloaded process successfully.

Infizierte Speichermodule:
c:\programme\sFX\SfX.DlL (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\kavo0.dll (Spyware.OnlineGames) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sfx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sfxdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Hijack.Sound) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Hijack.Sound) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kava (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\bitanem\ANWEND~1\MACROM~1\Common\429700261.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\programme\sFX\SfX.DlL (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\livemsngs.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\bitanem\lokale einstellungen\anwendungsdaten\Mozilla\Firefox\Profiles\eq8gq75x.default\Cache\C29D9653d01 (Rogue.Installer) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\bitanem\lokale einstellungen\Temp\~TM85.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\bitanem\lokale einstellungen\temporary internet files\Content.IE5\KZ9RQEZL\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\bitanem\startmenü\programme\autostart\rncsys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programme\sFX\sfX.sYs (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{45532e9f-7db4-49af-9389-baf77aa2b844}\RP278\A0327831.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\WINDOWS\kart_1247835244.exe (Trojan.LdPinch) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy49.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv341247563936.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\localservice\anwendungsdaten\macromedia\Common\429700261.dll (Hijack.Sound) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\networkservice\anwendungsdaten\macromedia\Common\429700261.dll (Hijack.Sound) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\bitanem\anwendungsdaten\macromedia\Common\429700261.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kavo0.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\kavo1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kavo.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ld12.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\bitanem\Anwendungsdaten\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465752.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.

Dein System ist TOTAL verseucht. Da hilft kein Gegenmittel mehr.
Du hast Rootkits, Backdoors und das sogar in der Mehrzahl.
Setze die Kiste neu auf und sicher sie ab wie hier beschrieben.

Eingefangen hast Du dir den Koobfacewurm.

Gruss swiss

Fast hätt ichs vergessen. Nach dem Neuaufsetzen ändere noch alle Passwörter vorallem bei Onlinebanking.
Nur zur Sicherheit, falls sich jemand schon irgendwo Zugang verschafft haben sollte.

Gruss Swiss

Vielen Dank für deine Hilfe!

Kann ich diese Schnüffelprogramme nicht manuell entfernen, ohne mein System neu aufsetzen zu müssen?

Worm.KoobFace -> deleted successfully

Ist also löschbar, oder? :(

Das grosse Proble ist, dass Dein System kompromitiert wurde. Somit besteht keine Gewähr mehr, dass du noch sicher sein kannst, dass Dein System nicht schon durch Dritte gesteuert wird.

Vorallem bei Ebanking oder heiklen Daten gibt es hier kerine andere Wahl.

Gruss Swiss