Win Vista: Webseiten (auch Besucher) werden auf Werbung umgeleitet

alrescha · 16.09.2013, 19:34

Hallo allerseits,
ich hoffe, ihr könnt mir helfen. Schon mal vorab vielen Dank für eure Mühe und das tolle Forum hier

Problem: Sobald man nach meiner Webseite sucht (Google, Yahoo, Bing etc.) und auf den Ergebnislink klickt, landet man auf einer Spamseite. Das wurde mir von einigen Forenbesuchern bestätigt, ich selbst konnte es bei mir auch nachstellen.

Die .htaccess enthält keine seltsamen Weiterleitungen.

Vor einiger Zeit war ich so naiv und habe Filezilla als FTP-Client genutzt. Erst, nachdem ich mir damit Malware eingehandelt hatte, war ich schlauer. Eigentlich dachte ich, dass ich alles behoben habe und ich habe auch den Webhoster nach Schadskripten suchen lassen. Sollte alles ok sein. Dass etwas nicht stimmt, erkenne ich nur an der seltsamen Weiterleitung via Suchmaschine. Ich habe noch eine andere Webseite, die aber nicht betroffen ist.

Hier die Logfiles:

defogger_disable:

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:57 on 16/09/2013 (Suse)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Addition

Code:

ATTFilter

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-09-2013
Ran by Suse at 2013-09-16 18:03:59
Running from C:\Users\Suse\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

Adobe Flash Player 11 ActiveX (Version: 11.5.502.135)
Adobe Flash Player 11 Plugin (Version: 11.8.800.94)
Amazon Kindle
Avira Free Antivirus (Version: 13.0.0.4052)
Foxit Reader (Version: 5.4.5.124)
Free FLV Converter V 7.6.0 (Version: 7.6.0.0)
GIMP 2.8.2 (Version: 2.8.2)
Google Chrome (Version: 29.0.1547.66)
Google Update Helper (Version: 1.3.21.153)
GSAK 8.2.0.11
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
Microsoft .NET Framework 3.5 Language Pack SP1 - deu (Version: 3.5.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 18.0.2 (x86 de) (Version: 18.0.2)
Mozilla Maintenance Service (Version: 17.0.6)
Mozilla Thunderbird 17.0.6 (x86 de) (Version: 17.0.6)
Newsletter Genius
NVIDIA Drivers (Version: 1.3)
NVIDIA nView Desktop Manager
OpenOffice.org 3.4.1 (Version: 3.41.9593)
Opera Stable 16.0.1196.73 (Version: 16.0.1196.73)
Shared C Run-time for x86 (Version: 10.0.0)
StreamTransport version: 1.0.2.2171
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
VLC media player 2.0.5 (Version: 2.0.5)

==================== Restore Points  =========================


==================== Hosts content: ==========================

2006-11-02 12:23 - 2006-09-18 23:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {0C4F4A55-6A3F-42D3-B626-F4E0447D9EC6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-12-09] (Google Inc.)
Task: {155723BA-60E2-4354-93AF-84EAC8D3C2D8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-21] ()
Task: {172E1AB1-02CB-4214-9567-20075B97ADE8} - System32\Tasks\Microsoft\Windows\RestartManager\{2BCC3EEA-5B55-4c56-A163-2F4AEF5BEA61} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {22E1772E-7DFE-4C5F-841F-1C93FD5D82A4} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {2DE18FE4-6467-484F-8431-206702EC5546} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-21] (Microsoft Corporation)
Task: {2E5B7D97-F14C-4CFF-864E-620AABA892D1} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {31D0C8A4-B75D-4D62-A659-434925C2BAAA} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\OptinNotification => C:\Windows\System32\wsqmcons.exe [2008-01-21] (Microsoft Corporation)
Task: {3B6586E6-E538-4A6C-8DC7-E212B1153190} - System32\Tasks\User_Feed_Synchronization-{0D77440E-4974-4183-ACEB-2C1EC601DE73} => C:\Windows\system32\msfeedssync.exe [2008-01-21] (Microsoft Corporation)
Task: {4D72741E-769C-45DB-8604-CB8EBDADAA29} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {6A5C3F7C-2049-4164-8835-FE71EC06B141} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2008-01-21] (Microsoft Corporation)
Task: {B691EA69-DE55-48AF-91CD-90251DB3C8B5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-12-09] (Google Inc.)
Task: {B9471838-7476-4B76-97A4-7D50DC318575} - System32\Tasks\Microsoft\Windows\RestartManager\{88D9428F-D7FF-4c77-AA2B-D1C5A644D4B3} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {BEFF6D53-30A2-4784-A3A5-D4500CDF2D51} - System32\Tasks\EPUpdater => C:\Users\Suse\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe
Task: {CBA89BDE-2692-4C77-8816-63B3B43D45E9} - System32\Tasks\BrowserDefendert => Sc.exe start BrowserDefendert
Task: {F4BB0E1A-D7F1-4F9B-99A5-CF40D9ACB0CC} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\User_Feed_Synchronization-{0D77440E-4974-4183-ACEB-2C1EC601DE73}.job => C:\Windows\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2009-06-16 14:59 - 2009-06-16 14:59 - 00989696 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi.dll
2009-06-16 10:27 - 2009-06-16 10:27 - 00092704 _____ (NVIDIA Corporation) C:\Windows\system32\nvHotkey.dll
2012-08-10 17:51 - 2012-08-10 17:51 - 00985088 _____ () C:\Programme\OpenOffice.org 3\program\libxml2.dll
2013-09-05 18:47 - 2013-09-05 07:28 - 00868704 _____ () C:\Program Files\Opera\16.0.1196.73\ffmpegsumo.dll

==================== Alternate Data Streams (whitelisted) ==========


==================== Faulty Device Manager Devices =============

Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Data Interface
Description: Data Interface
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Data Interface
Description: Data Interface
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/16/2013 06:01:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/16/2013 05:51:10 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/16/2013 05:50:08 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/15/2013 10:20:59 AM) (Source: Application Error) (User: )
Description: Fehlerhafte Anwendung FLVToX.exe, Version 2.0.0.37, Zeitstempel 0x51d1437d, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000, Ausnahmecode 0xc0000005, Fehleroffset 0x7265766e,
Prozess-ID 0x1318, Anwendungsstartzeit FLVToX.exe0.

Error: (09/15/2013 06:46:16 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2013 11:31:57 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2013 06:28:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/13/2013 02:15:35 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/13/2013 05:20:10 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/13/2013 05:08:58 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (09/16/2013 06:01:39 PM) (Source: Service Control Manager) (User: )
Description: Treiber für parallelen Anschluss%%1058

Error: (09/16/2013 06:00:20 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/16/2013 05:51:11 PM) (Source: Service Control Manager) (User: )
Description: Treiber für parallelen Anschluss%%1058

Error: (09/16/2013 05:49:50 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/16/2013 05:50:10 AM) (Source: Service Control Manager) (User: )
Description: Treiber für parallelen Anschluss%%1058

Error: (09/16/2013 05:48:36 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/16/2013 05:46:48 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/15/2013 09:06:27 AM) (Source: volsnap) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (09/15/2013 06:46:20 AM) (Source: Service Control Manager) (User: )
Description: Treiber für parallelen Anschluss%%1058

Error: (09/15/2013 06:45:00 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos


Microsoft Office Sessions:
=========================
Error: (09/16/2013 06:01:39 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/16/2013 05:51:10 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/16/2013 05:50:08 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/15/2013 10:20:59 AM) (Source: Application Error)(User: )
Description: FLVToX.exe2.0.0.3751d1437dunknown0.0.0.000000000c00000057265766e131801ceb1e35958ff15

Error: (09/15/2013 06:46:16 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2013 11:31:57 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2013 06:28:23 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/13/2013 02:15:35 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/13/2013 05:20:10 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/13/2013 05:08:58 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2013-09-16 18:03:30.802
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.723
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.666
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.573
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.480
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.433
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.370
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-09-16 18:03:30.308
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-08-08 13:48:33.507
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-08-08 13:48:33.444
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.


==================== Memory info =========================== 

Percentage of memory in use: 31%
Total physical RAM: 3581.05 MB
Available physical RAM: 2470.53 MB
Total Pagefile: 7347.1 MB
Available Pagefile: 6325.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1908.37 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.79 GB) (Free:47.08 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 112 GB) (Disk ID: CC56804A)
Partition 1: (Active) - (Size=112 GB) - (Type=07 NTFS)

==================== End Of Log ============================

FRST

Zitat:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-09-2013
Ran by Suse (administrator) on SUSE-PC on 16-09-2013 18:02:29
Running from C:\Users\Suse\Desktop
Microsoft® Windows Vista™ Business Service Pack 1 (X86) OS Language: German Standard
Internet Explorer Version 7
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(OpenOffice.org) C:\Programme\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Programme\OpenOffice.org 3\program\soffice.bin
(Opera Software) C:\Program Files\Opera\16.0.1196.73\opera.exe
() C:\Program Files\Opera\16.0.1196.73\opera_crashreporter.exe
(Opera Software) C:\Program Files\Opera\16.0.1196.73\opera.exe
(Opera Software) C:\Program Files\Opera\16.0.1196.73\opera.exe
(Microsoft Corporation) C:\Windows\system32\conime.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [mcui_exe] - "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
HKLM\...\Run: [nwiz] - nwiz.exe /install
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NVHotkey] - rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-08] (Avira Operations GmbH & Co. KG)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Tinchen\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\Suse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Programme\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
SearchScopes: HKLM - DefaultScope value is missing.
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll No File
Winsock: Catalog9 01 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 02 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 03 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 04 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 05 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 06 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 07 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 08 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 33 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [258104] (Avira Operations GmbH & Co. KG)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Suse\AppData\Roaming\Mozilla\Firefox\Profiles\umtfam07.default
FF DefaultSearchEngine: Sichere Suche
FF SearchEngineOrder.1: Sichere Suche
FF SelectedSearchEngine: Sichere Suche
FF Keyword.URL: hxxp://de.search.yahoo.com/search?fr=mcafee&p=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Programme\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Programme\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
FF Extension: No Name - C:\Users\Suse\AppData\Roaming\Mozilla\Firefox\Profiles\umtfam07.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Chrome:
=======
CHR HomePage: hxxp://www.literaturschock.de/
CHR RestoreOnStartup: "hxxp://www.literaturschock.de/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google

riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{go ogle:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google

mniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefi xUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\29.0.1547.66\pdf.dll ()
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Extension: (Google Drive) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Chrome YouTube Downloader) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbdjiinahkdjdcdlgfimlcolkjpbooja\2.6.19_0
CHR Extension: (Add to Amazon Wish List) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced\1.0.0.10_0
CHR Extension: (Google Search) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (AdBlock) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.6.7_0
CHR Extension: (FVD Video Downloader) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp\5.4.1_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\Users\Suse\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [84024 2013-09-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [815160 2013-09-08] (Avira Operations GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [88840 2013-09-08] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136672 2013-09-08] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-09-08] (Avira Operations GmbH & Co. KG)
R0 CLFS; C:\Windows\System32\CLFS.sys [247352 2008-01-21] (Microsoft Corporation)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [15720 2012-04-18] (GARMIN Corp.)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-09-08] (Avira GmbH)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-16 18:03 - 2013-09-16 18:03 - 00377856 _____ C:\Users\Suse\Desktop\gmer_2.1.19163.exe
2013-09-16 18:02 - 2013-09-16 18:02 - 00000000 ____D C:\FRST
2013-09-16 18:01 - 2013-09-16 18:02 - 01084083 _____ (Farbar) C:\Users\Suse\Desktop\FRST.exe
2013-09-16 17:57 - 2013-09-16 17:58 - 00000470 _____ C:\Users\Suse\Desktop\defogger_disable.log
2013-09-16 17:57 - 2013-09-16 17:57 - 00000000 _____ C:\Users\Suse\defogger_reenable
2013-09-16 17:56 - 2013-09-16 17:56 - 00050477 _____ C:\Users\Suse\Desktop\Defogger.exe
2013-09-16 07:03 - 2013-09-16 07:03 - 00007145 _____ C:\Users\Suse\AppData\Local\recently-used.xbel
2013-09-15 08:28 - 2013-09-15 08:28 - 00000976 _____ C:\Users\Suse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free FLV Converter.lnk
2013-09-15 08:28 - 2013-09-15 08:28 - 00000000 ____D C:\Users\Suse\AppData\Roaming\FreeFLVConverter
2013-09-15 08:28 - 2013-07-01 11:53 - 00397312 _____ (Koyote-Lab Inc) C:\Windows\system32\TubeFinder.exe
2013-09-15 08:28 - 2011-09-28 10:18 - 01081616 _____ (Microsoft Corporation) C:\Windows\system32\mscomctl.ocx
2013-09-15 08:28 - 2011-09-28 10:18 - 00364544 _____ C:\Windows\system32\PropertyGrid.ocx
2013-09-15 08:28 - 2011-09-28 10:18 - 00208500 _____ C:\Windows\system32\ReyXpBasics.tlb
2013-09-15 08:28 - 2011-09-28 10:18 - 00152848 _____ (Microsoft Corporation) C:\Windows\system32\COMDLG32.OCX
2013-09-15 08:28 - 2011-09-28 10:18 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\MSCMCFR.DLL
2013-09-15 08:28 - 2011-09-28 10:18 - 00119568 _____ (Microsoft Corporation) C:\Windows\system32\VB6FR.DLL
2013-09-15 08:28 - 2011-09-28 10:18 - 00101888 _____ (Microsoft Corporation) C:\Windows\system32\VB6STKIT.DLL
2013-09-15 08:28 - 2011-09-28 10:18 - 00084512 _____ (Microsoft Corporation) C:\Windows\system32\PICCLP32.OCX
2013-09-15 08:28 - 2011-09-28 10:18 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\CMDLGFR.DLL
2013-09-15 08:28 - 2011-09-28 10:18 - 00024576 _____ C:\Windows\system32\ControlSubX.ocx
2013-09-15 08:28 - 2011-09-28 10:18 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\PCCLPFR.DLL
2013-09-15 08:27 - 2013-09-15 08:28 - 00000000 ____D C:\Program Files\Free FLV Converter
2013-09-13 05:26 - 2013-09-13 05:28 - 00000000 ____D C:\Windows\system32\MRT
2013-09-08 07:53 - 2013-09-08 07:53 - 00000000 ____D C:\Users\Suse\AppData\Roaming\Avira
2013-09-08 07:48 - 2013-09-08 07:48 - 00000000 ____D C:\ProgramData\APN
2013-09-08 07:47 - 2013-09-08 07:47 - 00000000 ____D C:\ProgramData\Avira
2013-09-08 07:47 - 2013-09-08 07:47 - 00000000 ____D C:\Program Files\Avira
2013-09-08 07:47 - 2013-09-08 07:46 - 00136672 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2013-09-08 07:47 - 2013-09-08 07:46 - 00088840 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2013-09-08 07:47 - 2013-09-08 07:46 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2013-09-08 07:47 - 2013-09-08 07:46 - 00028520 _____ (Avira GmbH) C:\Windows\system32\Drivers\ssmdrv.sys
2013-09-01 09:29 - 2013-09-01 09:29 - 00000000 ____D C:\Users\Suse\AppData\Roaming\dvdcss

==================== One Month Modified Files and Folders =======

2013-09-16 18:03 - 2013-09-16 18:03 - 00377856 _____ C:\Users\Suse\Desktop\gmer_2.1.19163.exe
2013-09-16 18:03 - 2008-01-21 03:39 - 02088693 _____ C:\Windows\WindowsUpdate.log
2013-09-16 18:02 - 2013-09-16 18:02 - 00000000 ____D C:\FRST
2013-09-16 18:02 - 2013-09-16 18:01 - 01084083 _____ (Farbar) C:\Users\Suse\Desktop\FRST.exe
2013-09-16 18:00 - 2013-08-09 16:48 - 00060096 _____ C:\ProgramData\nvModes.dat
2013-09-16 18:00 - 2013-08-09 16:48 - 00060096 _____ C:\ProgramData\nvModes.001
2013-09-16 18:00 - 2012-12-09 12:43 - 00001090 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-16 18:00 - 2006-11-02 15:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-16 18:00 - 2006-11-02 14:47 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-16 18:00 - 2006-11-02 14:47 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-16 17:59 - 2006-11-02 15:01 - 00032510 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-16 17:58 - 2013-09-16 17:57 - 00000470 _____ C:\Users\Suse\Desktop\defogger_disable.log
2013-09-16 17:57 - 2013-09-16 17:57 - 00000000 _____ C:\Users\Suse\defogger_reenable
2013-09-16 17:57 - 2012-12-06 23:56 - 00000000 ____D C:\Users\Suse
2013-09-16 17:56 - 2013-09-16 17:56 - 00050477 _____ C:\Users\Suse\Desktop\Defogger.exe
2013-09-16 17:54 - 2012-12-16 02:21 - 00000416 ____H C:\Windows\Tasks\User_Feed_Synchronization-{0D77440E-4974-4183-ACEB-2C1EC601DE73}.job
2013-09-16 07:03 - 2013-09-16 07:03 - 00007145 _____ C:\Users\Suse\AppData\Local\recently-used.xbel
2013-09-16 07:03 - 2012-12-18 22:27 - 00000000 ____D C:\Users\Suse\.gimp-2.8
2013-09-16 06:37 - 2013-02-17 12:05 - 00000000 ____D C:\Users\Suse\AppData\Roaming\vlc
2013-09-16 06:10 - 2012-12-09 12:43 - 00001094 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-15 11:35 - 2012-12-18 22:05 - 00023552 _____ C:\Users\Suse\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-09-15 08:28 - 2013-09-15 08:28 - 00000976 _____ C:\Users\Suse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free FLV Converter.lnk
2013-09-15 08:28 - 2013-09-15 08:28 - 00000000 ____D C:\Users\Suse\AppData\Roaming\FreeFLVConverter
2013-09-15 08:28 - 2013-09-15 08:27 - 00000000 ____D C:\Program Files\Free FLV Converter
2013-09-14 11:45 - 2006-11-02 13:18 - 00000000 ___RD C:\Users\Public
2013-09-13 05:28 - 2013-09-13 05:26 - 00000000 ____D C:\Windows\system32\MRT
2013-09-11 05:14 - 2013-02-07 11:29 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-09-11 05:14 - 2013-02-07 11:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 17:38 - 2006-11-02 15:00 - 00027558 _____ C:\Windows\PFRO.log
2013-09-08 11:48 - 2006-11-02 12:33 - 01445310 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-08 11:45 - 2013-08-09 16:45 - 00002865 _____ C:\Windows\setupact.log
2013-09-08 07:53 - 2013-09-08 07:53 - 00000000 ____D C:\Users\Suse\AppData\Roaming\Avira
2013-09-08 07:48 - 2013-09-08 07:48 - 00000000 ____D C:\ProgramData\APN
2013-09-08 07:47 - 2013-09-08 07:47 - 00000000 ____D C:\ProgramData\Avira
2013-09-08 07:47 - 2013-09-08 07:47 - 00000000 ____D C:\Program Files\Avira
2013-09-08 07:46 - 2013-09-08 07:47 - 00136672 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2013-09-08 07:46 - 2013-09-08 07:47 - 00088840 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2013-09-08 07:46 - 2013-09-08 07:47 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2013-09-08 07:46 - 2013-09-08 07:47 - 00028520 _____ (Avira GmbH) C:\Windows\system32\Drivers\ssmdrv.sys
2013-09-08 07:43 - 2013-08-08 14:23 - 00000000 ____D C:\Program Files\McAfee
2013-09-08 07:43 - 2013-08-08 14:10 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-09-08 07:43 - 2013-02-07 11:29 - 00000000 ____D C:\ProgramData\McAfee
2013-09-08 07:40 - 2013-02-17 12:04 - 00000000 ____D C:\Programme
2013-09-05 20:12 - 2013-05-05 08:10 - 00036089 _____ C:\Users\Suse\literaturschock_newsletter.nlgp
2013-09-05 18:47 - 2013-08-08 10:33 - 00000000 ____D C:\Program Files\Opera
2013-09-01 16:57 - 2006-11-02 12:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-09-01 09:29 - 2013-09-01 09:29 - 00000000 ____D C:\Users\Suse\AppData\Roaming\dvdcss
2013-08-23 15:52 - 2013-08-08 14:31 - 00262144 _____ C:\Windows\system32\config\ELAM

Some content of TEMP:
====================
C:\Users\Suse\AppData\Local\Temp\Foxit Updater.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-16 17:56

==================== End Of Log ============================

gmer

Der Scan wurde mit der Meldung "GMER has found system modification caused by ROOTKIT activity" beendet.

Code:

ATTFilter

GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-09-16 19:48:56
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 ST9120817AS rev.3.ADB 111,79GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Suse\AppData\Local\Temp\kxldypow.sys


---- Processes - GMER 2.1 ----

Process   (*** hidden *** )  [4] 848CEA90  

---- EOF - GMER 2.1 ----

Bisher hatte ich Antivir installiert (ohne Funde). Kurz nach dem ersten Malware-Problem jedoch die Testversion von McAfee. Da wurde dann alles soweit gesäubert. Leider habe ich da keine Logfiles mehr, weil die Testversion dann ablief und ich sie deinstallierte. Dann wieder Antivir, aber nun teste ich gerade Kaspersky und mache einen vollständigen Scan. Die Logfiles würde ich dann nachreichen (der läuft wohl noch ein Weilchen).

Liebe Grüße
Suse

Win Vista: Webseiten (auch Besucher) werden auf Werbung umgeleitet

Log-Analyse und Auswertung: Win Vista: Webseiten (auch Besucher) werden auf Werbung umgeleitet

Win Vista: Webseiten (auch Besucher) werden auf Werbung umgeleitet

Ähnliche Themen: Win Vista: Webseiten (auch Besucher) werden auf Werbung umgeleitet