Trojaner-Board (https://www.trojaner-board.de/)
Start page and popups!!! (https://www.trojaner-board.de/13672-sartseite-popups.html)

Karpf 11.02.2005 22:43

Start page and popups!!!

So, having just been given the tip to start a new thread, I'm doing that now.
Well,

I also have one of those annoying start pages! CoolWWWSearch or something like that, and recently a popup window has started appearing now and then, even when I don't have a browser open at all. For example, when I'm gaming online, the game minimizes and this window pops up telling me that my system is infected!!!! It's endlessly annoying, but I surely don't need to tell you that.

I ran a check with HijackThis, here is my logfile:

Logfile of HijackThis v1.99.0
Scan saved at 22:15:57, on 11.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_5\BASIS-SOFTWARE\BASIS2\UPDATE.EXE
C:\PROGRA~1\FIREFOX\FIREFOX.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\Karpf\Lokale Einstellungen\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
O2 - BHO: (no name) - {01312F67-93B5-426F-AB36-523295A499AE} - (no file)
O2 - BHO: (no name) - {023E860B-B500-4F0B-A629-6A66872E7006} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09B4F0C1-5DE9-4A57-99B6-16ACFB1A4660} - (no file)
O2 - BHO: (no name) - {14C87F7B-7383-46EB-8C9B-E16A4B0885A3} - (no file)
O2 - BHO: (no name) - {2CB81952-9B19-4525-91A4-02543D87E726} - (no file)
O2 - BHO: (no name) - {2DE20D6E-A2F9-4723-A6D5-F6E572596D76} - (no file)
O2 - BHO: (no name) - {305A83D7-A625-4FD7-9524-83E3D57B2E8C} - (no file)
O2 - BHO: (no name) - {3775335F-7BDB-4D63-9877-47073D335620} - (no file)
O2 - BHO: (no name) - {433E3BFB-9B76-4CC1-A27E-98DA7DAAA91F} - (no file)
O2 - BHO: (no name) - {47F7CCE8-69C1-4034-BF7A-773B4F187D19} - (no file)
O2 - BHO: (no name) - {4D914421-9DEC-4FA1-9688-642B2DBF1E7A} - (no file)
O2 - BHO: (no name) - {53577029-8077-44F3-A8AE-DE29D249676B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54817BB3-48EC-4F8C-9B9B-029474F41FA0} - (no file)
O2 - BHO: (no name) - {566F95DB-9214-4345-BE8C-C6432A3D5115} - C:\WINDOWS\system32\pfjghe.dll
O2 - BHO: (no name) - {5C805950-4A0E-4479-A14D-A7AA92549875} - (no file)
O2 - BHO: (no name) - {5DDF5CB8-13B1-41F6-B8FF-04CC7E1C9F41} - (no file)
O2 - BHO: (no name) - {6E32E959-2263-4A9B-BBEF-665028D3A440} - (no file)
O2 - BHO: (no name) - {77E12671-A3B6-43DC-AF5F-335C817C0373} - (no file)
O2 - BHO: (no name) - {78096EB1-3BBD-40E0-A1CF-A4D5FEAF5DB6} - (no file)
O2 - BHO: (no name) - {89354DE8-D753-4A26-97A8-EAD5B195CAD2} - (no file)
O2 - BHO: (no name) - {9500916A-6A46-4232-9F60-6CF867709D30} - (no file)
O2 - BHO: (no name) - {9909F17F-975F-4390-A534-757A9C99AF8D} - (no file)
O2 - BHO: (no name) - {997B75D9-7D35-4E53-B0D7-704AE07B3A31} - (no file)
O2 - BHO: (no name) - {9CC4CA4E-EB17-4207-A72C-16893C2255F0} - (no file)
O2 - BHO: (no name) - {A2C80B8E-356F-4F40-976E-B01729FA423E} - (no file)
O2 - BHO: (no name) - {AC93A655-1221-4DD9-9BAC-01B311FC8F22} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C0FD7CBA-BDC2-4F46-9EA6-9D43D9A24BF0} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: (no name) - {C5E1D489-1E89-4EB5-AF5C-F22F9F5F3055} - (no file)
O2 - BHO: (no name) - {CE3D1617-1224-4465-9DEA-D901BFB45271} - (no file)
O2 - BHO: (no name) - {CEB13376-CA0F-4F50-BD43-72092EEEB3E3} - (no file)
O2 - BHO: (no name) - {D20A32A6-87BD-48AA-B31A-8917BC81B07B} - (no file)
O2 - BHO: (no name) - {D31D311B-44CC-4E98-AF46-F4DD9D65AE1F} - (no file)
O2 - BHO: (no name) - {D4930EC3-C8B7-4599-A187-E59EA49A9FAC} - (no file)
O2 - BHO: (no name) - {D53C17A6-77CF-4C16-8667-D444A234DFF9} - (no file)
O2 - BHO: (no name) - {D67220EA-5AC3-4161-816A-E5D45D1036C0} - (no file)
O2 - BHO: (no name) - {E3E952CC-020B-47EC-ABBD-E30707324756} - (no file)
O2 - BHO: (no name) - {EA289F2E-2A55-4C8C-9B95-0B7E02EADB19} - (no file)
O2 - BHO: (no name) - {ECD630D4-D50C-4943-9514-1D7CEA34C4AA} - (no file)
O2 - BHO: (no name) - {F5F27F97-B9E5-44E7-A9BE-5EE558CC5D78} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll,DllInstall
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de
O16 - DPF: {11111111-1111-1111-1111-111111111123} - its:mhtml:file://C:.mht!http://69.50.191.52/3100/b.chm::/b.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{295039B7-4B2F-4875-AA86-FF34AD067DC7}: NameServer = 217.237.151.225 217.237.150.225
O17 - HKLM\System\CS1\Services\Tcpip\..\{295039B7-4B2F-4875-AA86-FF34AD067DC7}: NameServer = 217.237.151.225 217.237.150.225
O18 - Filter: text/html - {9136EABC-03B1-44DD-98B5-F967D5E1DF9F} - C:\WINDOWS\system32\pfjghe.dll
O18 - Filter: text/plain - {9136EABC-03B1-44DD-98B5-F967D5E1DF9F} - C:\WINDOWS\system32\pfjghe.dll
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe


Would be nice if someone could help me, THANKS

Karpf

cacatoa 11.02.2005 22:51

Right, let's get started:
Fix with HJT in Safe Mode (after the scan, tick the entries I list below and click "Fix checked"):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
O2 - BHO: (no name) - {01312F67-93B5-426F-AB36-523295A499AE} - (no file)
O2 - BHO: (no name) - {023E860B-B500-4F0B-A629-6A66872E7006} - (no file)
O2 - BHO: (no name) - {09B4F0C1-5DE9-4A57-99B6-16ACFB1A4660} - (no file)
O2 - BHO: (no name) - {14C87F7B-7383-46EB-8C9B-E16A4B0885A3} - (no file)
O2 - BHO: (no name) - {2CB81952-9B19-4525-91A4-02543D87E726} - (no file)
O2 - BHO: (no name) - {2DE20D6E-A2F9-4723-A6D5-F6E572596D76} - (no file)
O2 - BHO: (no name) - {305A83D7-A625-4FD7-9524-83E3D57B2E8C} - (no file)
O2 - BHO: (no name) - {3775335F-7BDB-4D63-9877-47073D335620} - (no file)
O2 - BHO: (no name) - {433E3BFB-9B76-4CC1-A27E-98DA7DAAA91F} - (no file)
O2 - BHO: (no name) - {47F7CCE8-69C1-4034-BF7A-773B4F187D19} - (no file)
O2 - BHO: (no name) - {4D914421-9DEC-4FA1-9688-642B2DBF1E7A} - (no file)
O2 - BHO: (no name) - {53577029-8077-44F3-A8AE-DE29D249676B} - (no file)
O2 - BHO: (no name) - {54817BB3-48EC-4F8C-9B9B-029474F41FA0} - (no file)
O2 - BHO: (no name) - {566F95DB-9214-4345-BE8C-C6432A3D5115} - C:\WINDOWS\system32\pfjghe.dll
O2 - BHO: (no name) - {5C805950-4A0E-4479-A14D-A7AA92549875} - (no file)
O2 - BHO: (no name) - {5DDF5CB8-13B1-41F6-B8FF-04CC7E1C9F41} - (no file)
O2 - BHO: (no name) - {6E32E959-2263-4A9B-BBEF-665028D3A440} - (no file)
O2 - BHO: (no name) - {77E12671-A3B6-43DC-AF5F-335C817C0373} - (no file)
O2 - BHO: (no name) - {78096EB1-3BBD-40E0-A1CF-A4D5FEAF5DB6} - (no file)
O2 - BHO: (no name) - {89354DE8-D753-4A26-97A8-EAD5B195CAD2} - (no file)
O2 - BHO: (no name) - {9500916A-6A46-4232-9F60-6CF867709D30} - (no file)
O2 - BHO: (no name) - {9909F17F-975F-4390-A534-757A9C99AF8D} - (no file)
O2 - BHO: (no name) - {997B75D9-7D35-4E53-B0D7-704AE07B3A31} - (no file)
O2 - BHO: (no name) - {9CC4CA4E-EB17-4207-A72C-16893C2255F0} - (no file)
O2 - BHO: (no name) - {A2C80B8E-356F-4F40-976E-B01729FA423E} - (no file)
O2 - BHO: (no name) - {AC93A655-1221-4DD9-9BAC-01B311FC8F22} - (no file)
O2 - BHO: (no name) - {C0FD7CBA-BDC2-4F46-9EA6-9D43D9A24BF0} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: (no name) - {C5E1D489-1E89-4EB5-AF5C-F22F9F5F3055} - (no file)
O2 - BHO: (no name) - {CE3D1617-1224-4465-9DEA-D901BFB45271} - (no file)
O2 - BHO: (no name) - {CEB13376-CA0F-4F50-BD43-72092EEEB3E3} - (no file)
O2 - BHO: (no name) - {D20A32A6-87BD-48AA-B31A-8917BC81B07B} - (no file)
O2 - BHO: (no name) - {D31D311B-44CC-4E98-AF46-F4DD9D65AE1F} - (no file)
O2 - BHO: (no name) - {D4930EC3-C8B7-4599-A187-E59EA49A9FAC} - (no file)
O2 - BHO: (no name) - {D53C17A6-77CF-4C16-8667-D444A234DFF9} - (no file)
O2 - BHO: (no name) - {D67220EA-5AC3-4161-816A-E5D45D1036C0} - (no file)
O2 - BHO: (no name) - {E3E952CC-020B-47EC-ABBD-E30707324756} - (no file)
O2 - BHO: (no name) - {EA289F2E-2A55-4C8C-9B95-0B7E02EADB19} - (no file)
O2 - BHO: (no name) - {ECD630D4-D50C-4943-9514-1D7CEA34C4AA} - (no file)
O2 - BHO: (no name) - {F5F27F97-B9E5-44E7-A9BE-5EE558CC5D78} - (no file)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll,DllInstall
O16 - DPF: {11111111-1111-1111-1111-111111111123} - its:mhtml:file://C:.mht!http://69.50.191.52/3100/b.chm::/b.exe
O18 - Filter: text/html - {9136EABC-03B1-44DD-98B5-F967D5E1DF9F} - C:\WINDOWS\system32\pfjghe.dll
O18 - Filter: text/plain - {9136EABC-03B1-44DD-98B5-F967D5E1DF9F} - C:\WINDOWS\system32\pfjghe.dll
Then post a new logfile.
cacatoa
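As an added example that is not part of the thread (my own Python, not a Trojaner-Board or HijackThis tool), the triage cacatoa did by hand can be scripted: a small parser over HijackThis lines that flags the same classes of entry (orphaned O2 BHOs, search settings and a Run key pointing at a DLL in Temp, the its:/mhtml: O16 download, the O18 text filters) and correlates the O18 filter DLL with the no-name BHO that loads it. The sample lines are copied from the log above plus the Spybot helper, which the rules leave alone; the rule set itself is my own assumption of what a reviewer looks for, not an official HJT heuristic.

```python
import re

# Constructed sample: hijacked entries copied from the log posted above plus the
# benign Spybot "(no name)" BHO, so the triage runs offline and shows a non-hit.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
O2 - BHO: (no name) - {01312F67-93B5-426F-AB36-523295A499AE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {566F95DB-9214-4345-BE8C-C6432A3D5115} - C:\WINDOWS\system32\pfjghe.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll,DllInstall
O16 - DPF: {11111111-1111-1111-1111-111111111123} - its:mhtml:file://C:.mht!http://69.50.191.52/3100/b.chm::/b.exe
O18 - Filter: text/html - {9136EABC-03B1-44DD-98B5-F967D5E1DF9F} - C:\WINDOWS\system32\pfjghe.dll
"""

TEMP_DLL = re.compile(r"\\Temp\\[^\s,]+\.dll", re.I)  # a DLL under the user's Temp folder


def triage_line(line, filter_dlls=frozenset()):
    """Return why this HJT line looks like part of the hijack, or None if it seems benign."""
    sec, _, body = line.partition(" - ")
    target = body.rsplit(" - ", 1)[-1].lower()  # last field: file path or "(no file)"
    if sec == "O2":
        if target == "(no file)":
            return "orphaned BHO registration (no file)"
        if target in filter_dlls:
            return "BHO shares its DLL with an O18 MIME filter"
    elif sec in ("R0", "R1"):
        if TEMP_DLL.search(body):
            return "IE search setting points at a DLL in Temp"
        if "SearchURL" in body and "= http" in body:
            return "IE SearchURL redirected to an external site"
    elif sec == "O4" and "rundll32" in body.lower() and TEMP_DLL.search(body):
        return "Run entry loads a DLL from Temp via rundll32"
    elif sec == "O16" and "its:mhtml:" in body.lower():
        return "DPF entry fetches code through an its:/mhtml: CHM URL"
    elif sec == "O18" and body.startswith("Filter: text/"):
        return "MIME filter hooks text/html or text/plain content"
    return None


def triage(log_text):
    """Two passes: collect the O18 filter DLLs, then flag every line with a reason."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    filter_dlls = {l.rsplit(" - ", 1)[-1].lower() for l in lines if l.startswith("O18 - Filter:")}
    return [(l, r) for l in lines if (r := triage_line(l, filter_dlls))]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:50} {line[:70]}")
```

Legitimate O18 filters and no-name BHOs do exist, so the output is a shortlist for a person to confirm, as cacatoa did, not an automatic fix list.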

Lutz 11.02.2005 23:03

And don't forget to delete these files manually:
Quote:

C:\DOKUME~1\Karpf\LOKALE~1\Temp\se.dll
C:\WINDOWS\system32\pfjghe.dll
Otherwise the whole nightmare starts all over again.... ;)

Karpf 11.02.2005 23:29

So,

@ Lutz

I looked for the two files in the respective folders but didn't find anything.

@ cacatoa

Here is the latest logfile:

Logfile of HijackThis v1.99.0
Scan saved at 23:15:37, on 11.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Dokumente und Einstellungen\Karpf\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Hope everything is fine now.

