Log Analysis and Evaluation: Who can help me???
If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
04.02.2005, 14:28  #1
Who can help me???

What are Trojans? Could someone take a look at the LOG and perhaps tell me what has to go? IE always starts with specific911. Many thanks for the help.
Regards, Chris

Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\MZL & Novatech TrafficStatistic\bin\http_server\HTTP_Srv.exe
C:\Programme\MZL & Novatech TrafficStatistic\bin\cpm\RunCPM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\powerman.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\WINDOWS\System32\hpnra.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\MZL & Novatech TrafficStatistic\bin\gui\TrafficStatisticGUI.exe
C:\WINDOWS\system32\mshta.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\CASIO\Photo Loader\Plauto.exe
C:\Programme\Netscape\Netscape\Netscp.exe
C:\Dokumente und Einstellungen\Christian\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/slv/ycheck/as...om/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62157052-B3E6-4E5C-8BDE-AA1346C91800} - C:\Programme\CSBB\CSBB.dll (file missing)
O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [powerman] "C:\WINDOWS\System32\powerman.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TrafficStatisticGUI] "C:\Programme\MZL & Novatech TrafficStatistic\bin\gui\TrafficStatisticGUI.exe"
O4 - HKLM\..\Run: [tbdtrqdw] c:\windows\system32\tbdtrqdw.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOKUME~1\CHRIST~1\LOKALE~1\Temp\bundle.exe
O4 - HKLM\..\Run: [host] C:\WINDOWS\..vbs
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Programme\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader resident.lnk = C:\Programme\CASIO\Photo Loader\Plauto.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {17CB20A8-9C65-46E4-A355-7200ABB0C1E6} - http://www.medionshop.de/ (file missing) (HKCU)
O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
O13 - WWW Prefix: http://specific911.net/se.cgi?query=
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.midasplayer.com/midasa.cab
O23 - Service: CA-Lizenz-Client - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Hummingbird INETD - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
O23 - Service: Ereignisprotokoll-Überwachung - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework-Dienst - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Hummingbird Proxy Server - Hummingbird Ltd. - C:\Programme\Exceed\Accessories\ProxyEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: StyleXPService - Unknown - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrafficStatistic HTTPSrv Service - MZL & Novatech - C:\Programme\MZL & Novatech TrafficStatistic\bin\http_server\HTTP_Srv.exe
O23 - Service: TrafficStatistic RunCPM Service - MZL & Novatech - C:\Programme\MZL & Novatech TrafficStatistic\bin\cpm\RunCPM.exe
O23 - Service: X10 Device Network Service - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Last edited by sasa79 (04.02.2005 at 15:12)
04.02.2005, 15:25  #2
Who can help me???

Hello,
http://www.trojaner-board.de/42731-escan-anleitung.html
Update and run it as described, then post the pests it finds (search mwav.log for "infected") here.
04.02.2005, 16:44  #3
Who can help me???

File C:\WINDOWS\Belt.exe infected by "Trojan-Downloader.Win32.Stubby.a" Virus. Action Taken: No Action Taken.
File c:\windows\system32\tbdtrqdw.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\2_0_1browserhelper2.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bi.dll infected by "not-a-virus:AdWare.BiSpy.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\biprep.exe infected by "not-a-virus:AdWare.BiSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wsem218.dll infected by "Trojan-Downloader.Win32.Dyfuca.cn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\bi_reco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\exul.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\Temp\DelD.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\09MB896J\a374ab[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\09MB896J\prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\09MB896J\tbd_web[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\09MB896J\tbd_web[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\09MB896J\tbd_web[3].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\09MB896J\ysb_prompt[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\2F6BAXE3\vs2[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\49KYB0DV\a577ae75[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\IDWBQ1U5\cax[1].cab infected by "not-a-virus:PornWare.Dialer.OnlineDialer" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\IDWBQ1U5\connect[2].htm infected by "Trojan-Downloader.JS.Small.ac" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\CHRIST~1\LOKALE~1\TEMPOR~1\Content.IE5\ILODU1WF\vs2[1].html infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
04.02.2005, 16:56  #4
Administrator (retired)
Who can help me???

Switch to Safe Mode http://www.bsi.bund.de/av/texte/wiederher_xp.htm and fix these entries (tick them and click Fix Checked):

All R0 and R1
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {62157052-B3E6-4E5C-8BDE-AA1346C91800} - C:\Programme\CSBB\CSBB.dll (file missing)
O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [tbdtrqdw] c:\windows\system32\tbdtrqdw.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOKUME~1\CHRIST~1\LOKALE~1\Temp\bundle.exe
O4 - HKLM\..\Run: [host] C:\WINDOWS\..vbs
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O9 - Extra button: MedionShop - {17CB20A8-9C65-46E4-A355-7200ABB0C1E6} - http://www.medionshop.de/ (file missing) (HKCU)
O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
O13 - WWW Prefix: http://specific911.net/se.cgi?query=
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)

Delete these files:
C:/WINDOWS/winsys.hta
C:\y.exe
C:\WINDOWS\Belt.exe
folder C:\Programme\BullsEye Network
c:\windows\system32\tbdtrqdw.exe
C:\DOKUME~1\CHRIST~1\LOKALE~1\Temp\bundle.exe
+ the files detected by eScan

- set a new start page
- reboot
- update your system http://v5.windowsupdate.microsoft.co...r/default.aspx
- configure IE more securely and from now on use it only for Windows Update http://www.datenschutzzentrum.de/sel...sie/config.htm or http://www.blafusel.de/ie.html
- use safer and more comfortable browsers such as Mozilla or Firefox http://www.mozilla.org
- post a new HijackThis log file
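As an added example (not part of this thread and not code from HijackThis), a small Python parser for the HijackThis log format that applies the same triage the helper performs above: it groups the R0/R1 start and search URLs by host, flags O2 BHOs with no backing file, O4 autostarts launched from a Temp folder, from the drive root or through mshta/.hta/.vbs, and O13 prefix overrides. The sample log is a constructed excerpt modelled on entries quoted in this thread, not the poster's complete log.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the entries quoted in
# this thread (a short excerpt, not the poster's complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SAHBundle] C:\DOKUME~1\CHRIST~1\LOKALE~1\Temp\bundle.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Autostart commands worth a second look: anything launched from a Temp folder,
# a bare executable in the drive root, or a script host running .hta/.vbs files.
SUSPICIOUS_O4 = re.compile(r"\\Temp\\|^[A-Za-z]:\\[^\\]+\.exe$|\bmshta\b|\.hta\b|\.vbs\b", re.I)

def parse_entries(text):
    """Yield (section, body) for every 'Rn - ...' / 'On - ...' line, skipping the rest."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def analyse(text):
    """Return a list of human-readable findings for one HijackThis log."""
    findings, url_hosts = [], Counter()
    for section, body in parse_entries(text):
        if section in ("R0", "R1") and " = http" in body:
            # Count which host the IE start/search settings point at.
            url_hosts[urlparse(body.split(" = ", 1)[1]).hostname] += 1
        elif section == "O2" and ("(no file)" in body or "(file missing)" in body):
            findings.append(f"O2 orphaned BHO: {body}")
        elif section == "O4" and SUSPICIOUS_O4.search(body.split("] ", 1)[-1]):
            findings.append(f"O4 suspicious autostart: {body}")
        elif section == "O13" and "http" in body:
            findings.append(f"O13 URL prefix override: {body}")
    # Several start/search keys redirected to the same host is the classic homepage hijack.
    for host, n in url_hosts.items():
        if n >= 2:
            findings.append(f"R0/R1 start and search pages redirected to {host} ({n} entries)")
    return findings
```

analyse(SAMPLE_LOG) returns six findings for the constructed excerpt; benign entries such as the Adobe BHO and the SoundMan autostart are left alone.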
05.02.2005, 11:31  #5
Who can help me???

Many thanks. I've fixed the problems and now it's running again. Still pretty slow, though. I think I'll have to reinstall the system.
Regards, Chris
05.02.2005, 11:33  #6
Who can help me???

But then please do it following these instructions