IExplorer öffnet auch bei mir von selbst die Seiten

#1 Nachdem ich mich hier umgeschaut habe, scheint diese Art von "Belästigung" stetig anzusteigen - leider hat es mich auch erwischt. Ich habe das Programm "BitDownload.exe" im Verdacht gehabt. Nach dem Löschen und anschließendem Neustart (und diversen Scans) verschwand das Problem leider nicht. Deshalb hier der HiJackThis-Report:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:19 PM, on 04/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Installationen\System\Sicherheit\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programme\PartyGaming-2\PartyGammon\RunBackGammon.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programme\PartyGaming-2\PartyGammon\RunBackGammon.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming-2\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming-2\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148743500732
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE47255D-DF9B-4761-8464-01D9075E28A3}: NameServer = 192.168.0.1,217.237.151.33
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programme\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: McShield - Unknown owner - C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Programme\PostgreSQL\8.0\bin\pg_ctl.exe

Ich hoffe ich hab soweit richtig gemacht.
Würde mich über Ratschläge und Hilfe von euch freuen.

Besten Dank

Opi001

-----------------------------------------------------------------------------------------------------------------------------------------

Hhmmm ... ich hab jetzt mal ComboFix durchgejat .... Bericht sieht so aus:

"Erna IV" - 07-04-08 16:11:51 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Installationen\System\Sicherheit\ComboFox"


((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))


2007-04-08 11:22 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Spybot - Search & Destroy
2007-04-07 18:59 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Grid support rule bold
2007-04-07 18:58 <DIR> d-------- C:\Programme\STUPIDLICENSEAUDIO
2007-04-07 18:58 <DIR> d-------- C:\My Downloads
2007-04-07 18:58 <DIR> d-------- C:\DOKUME~1\ERNAIV~1\ANWEND~1\STUPIDLICENSEAUDIO
2007-04-06 15:09 <DIR> d-------- C:\Programme\Phenomedia AG
2007-04-02 20:46 <DIR> d-------- C:\Phenomedia AG
2007-04-02 17:31 <DIR> d-------- C:\Programme\GameHouse


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-07 20:11 -------- d-------- C:\Programme\pokerstars
2007-04-07 20:11 -------- d-------- C:\Programme\pokerstars
2007-04-07 19:23 -------- d-------- C:\Programme\emule
2007-04-07 19:23 -------- d-------- C:\Programme\emule
2007-04-07 18:54 -------- d--h----- C:\Programme\installshield installation information
2007-04-07 18:54 -------- d--h----- C:\Programme\installshield installation information
2007-04-07 10:38 -------- d-------- C:\Programme\poker tracker v2
2007-04-07 10:38 -------- d-------- C:\Programme\poker tracker v2
2007-04-06 22:00 -------- d-------- C:\Programme\partygaming
2007-04-06 22:00 -------- d-------- C:\Programme\partygaming
2007-04-05 21:30 -------- d-------- C:\Programme\pokerstars.net
2007-04-05 21:30 -------- d-------- C:\Programme\pokerstars.net
2007-04-05 21:25 -------- d-------- C:\Programme\pokerstars.test
2007-04-05 21:25 -------- d-------- C:\Programme\pokerstars.test
2007-03-25 09:59 86706 --a------ C:\WINDOWS\system32\perfc007.dat
2007-03-25 09:59 439748 --a------ C:\WINDOWS\system32\perfh007.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ping save"="C:\\DOKUME~1\\ERNAIV~1\\ANWEND~1\\STUPID~1\\rulesoap.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pdfFactory Pro Dispatcher v2"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /runonce"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Action Manager 32.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Action Manager 32.lnk"
"backup"="C:\\WINDOWS\\pss\\Action Manager 32.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ScannerU\\AM32.exe "
"item"="Action Manager 32"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AutoCAD-Startbeschleuniger.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\AutoCAD-Startbeschleuniger.lnk"
"backup"="C:\\WINDOWS\\pss\\AutoCAD-Startbeschleuniger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\GEMEIN~1\\AUTODE~1\\ACSTAR~1.EXE "
"item"="AutoCAD-Startbeschleuniger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Dienst-Manager.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Dienst-Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Dienst-Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\80\\Tools\\Binn\\sqlmangr.exe /n"
"item"="Dienst-Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Mixer"
"hkey"="HKLM"
"command"="Mixer.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Language"
"hkey"="HKLM"
"command"="C:\\Programme\\CyberLink\\PowerDVD\\Language\\Language.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fppdis2a"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /runonce"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ping save]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rulesoap"
"hkey"="HKCU"
"command"="C:\\DOKUME~1\\ERNAIV~1\\ANWEND~1\\STUPID~1\\rulesoap.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rule Bold Store Bird]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="send ford"
"hkey"="HKLM"
"command"="C:\\Dokumente und Einstellungen\\All Users\\Anwendungsdaten\\Grid support rule bold\\send ford.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d80cda12-1744-11db-bdba-0015e94025da}]
Shell\AutoRun\command F:\Setup.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AF5A60E5904E1875.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-08 16:16:50
C:\ComboFix-quarantined-files.txt ... 07-04-08 16:16

----------------------------------------------------------------------------------------------------------

der wars :

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ping save]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rulesoap"
"hkey"="HKCU"
"command"="C:\\DOKUME~1\\ERNAIV~1\\ANWEND~1\\STUPID~1\\rulesoap.exe"
"inimapping"="0"

also hab ich das Verzeichnis C:\\DOKUME~1\\ERNAIV~1\\ANWEND~1\\STUPID~1 kurzerhand komplett gelöscht .... Neustart --> IE geöffnet und 15 Min. gesurft : NIX !! Alles wieder in Ordnung ^^.

Oder hab ich da was falsch gemacht ?

Danke für die Anregungen aus diesem Forum.

Opi001

#2 Opi001

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint

Zitat

cd\
dir "C:\Programme" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten" >>files.txt
dir "C:\Programme\Gemeinsame Dateien" >>files.txt
dir "C:\Windows\tasks" >>files.txt
notepad files.txt

__________
MfG Sabina

rund um die PC-Sicherheit