Hallo

Zeit ein paar Tagen komme ich nicht mehr in mein Hotmail account, es wird automatisch auf folgende Seite umgeleitet:

http://by2fd.bay2.hotmail.msn.com/cg...9294decd46987d

Ich glaube es habe etwas aufgefangen

Gruss
Vicky

Logfile of HijackThis v1.99.0
Scan saved at 22:02:39, on 19.12.04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\CREATIVE\SHARED FILES\CAMTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\MYWEBSEARCH\BAR\2.BIN\MWSOEMON.EXE
C:\PROGRAMME\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMME\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMME\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\PROGRAMME\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMME\COFFEECUP SOFTWARE\FREEZIP\CCZIP.EXE
C:\WINDOWS\TEMP\CCZIPWIZ\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by18fd.bay18.hotmail.msn.com/...=EN&country=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\SYSTEM\SWPortal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.hispeed.ch:8080;http=proxy.hispeed.ch:8080
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O1 - Hosts: 193.96.156.13 www.volkswagen.de #
O1 - Hosts: 64.38.211.7 www.slutwifecentral.com #
O1 - Hosts: 216.115.102.76 www.yahoo.com #
O1 - Hosts: 64.124.41.39 www.napster.com #
O1 - Hosts: 195.64.78.135 www.autovisie.nl #
O1 - Hosts: 217.194.102.162 www.ns.nl #
O1 - Hosts: 146.101.66.183 www.mt.com #
O1 - Hosts: 64.124.237.148 www.download.com #
O1 - Hosts: 159.153.231.60 www.needforspeed.com #
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programme\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programme\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Programme\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NETANTS\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NETANTS\NAGetAll.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzfw001
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NETANTS\NetAnts.exe (file missing)
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NETANTS\NetAnts.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pict: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mid%20: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .kar: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - file://C:\IberoDialerHTML.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab

Das eScan AntiVirus Toolkit Utility (mwav.exe) herunterladen, die Datei in den Ordner "c:\bases" (wichtig !) entpacken und danach die "kavupd.exe" (Update) ausführen.
http://www.mwti.net/antivirus/free_utilities.asp

Wechsle in den abgesicherten Modus http://www.trojaner-board.de/63335-w...s-starten.html und deinstalliere unter Software MySearchBar.

Fixe diese Einträge (Haken setzen und auf Fix Checked klicken):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by18fd.bay18.hotmail.msn.com...g=EN&country=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\SYSTEM\SWPortal.html
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O1 - Hosts: 193.96.156.13 www.volkswagen.de #
O1 - Hosts: 64.38.211.7 www.slutwifecentral.com #
O1 - Hosts: 216.115.102.76 www.yahoo.com #
O1 - Hosts: 64.124.41.39 www.napster.com #
O1 - Hosts: 195.64.78.135 www.autovisie.nl #
O1 - Hosts: 217.194.102.162 www.ns.nl #
O1 - Hosts: 146.101.66.183 www.mt.com #
O1 - Hosts: 64.124.237.148 www.download.com #
O1 - Hosts: 159.153.231.60 www.needforspeed.com #
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Programme\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - file://C:\IberoDialerHTML.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab

Lösche diese Dateien:
Ordner C:\Programme\MyWebSearch
C:\IberoDialerHTML.cab
c:\windows\Java\classes\win32ie4.cab

- mit eScan scannen (den Scanner mit der "mwavscan.com" starten. Alle Häkchen setzen und "Scan" klicken.) und die Malware manuell entfernen http://www.trojaner-board.de/42731-escan-anleitung.html
- neue Startseite vergeben
- Neustart
- dein System updaten http://v5.windowsupdate.microsoft.co...r/default.aspx
- IE sicherer konfigurieren und nur noch für das Windows Update benutzen http://www.datenschutzzentrum.de/sel...sie/config.htm oder http://www.blafusel.de/ie.html
- Sichere und komfortablere Browser wie z.B. Mozilla oder Firefox verwenden http://www.mozilla.org
- neues Log-File von HijackThis und die Virus Log Information von eScan posten

Hallo Cidre

Danke für die rasche Antwort!

Ich werde deine Empfehlungen gleich ausprobieren

Viele Grüsse
Vicky