Logfile of HijackThis v1.99.1
Scan saved at 19:48:40, on 02.06.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
D:\Winamp\Winampa.exe
C:\WINDOWS\System32\intmonp.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\intmon.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Ad-aware 6\Ad-aware.exe
C:\WINDOWS\System32\hwclock.exe
C:\Dokumente und Einstellungen\Ranjeet\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.de/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
F3 - REG:win.ini: run=
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp771F.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Startup: Download Plus.lnk = C:\Dokumente und Einstellungen\Ranjeet\Anwendungsdaten\DownloadPlus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &RSDN Search - res://C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL/GoVM.dll.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .cdx: C:\Programme\Internet Explorer\PLUGINS\Npcdp32.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54527FF7-6110-4640-AD71-8F1E24C3098A}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{874739DE-8391-45E2-97A5-19BE17BE9E09}: NameServer = 69.50.176.156 195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0C106A2-C41A-4C0D-89C5-63EE94A8C6EB}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{54527FF7-6110-4640-AD71-8F1E24C3098A}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{54527FF7-6110-4640-AD71-8F1E24C3098A}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O21 - SSODL: System - {20A0BDF0-3C47-417C-9C31-18598DA3EC4C} - C:\WINDOWS\system32\system32.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\System32\lvhidsvc.exe

wär echt nett wenn mir jemanden helfen könnte, weiß nicht mehr was ich machen soll!
_____________
Anm.
Aktive Links editiert!
Beachte zukünftig die Hinweise dieser Anleitung: HiJackThis.

LG Cidre
S-Mod TB

@henni
du hast einiges im system
scanne dein system mit escan

chaosman

habe e scan drüber laufen lassen und eine logfile erestellt, danach habe ich wie beschrieben find rar ausgeführt, hier ist die logfile

Sun Jun 05 18:15:35 2005 => File C:\WINDOWS\system32\mptsgsvc.exe infected by "HackTool.Win32.Hidd.k" Virus! Action Taken: No Action Taken.
Sun Jun 05 18:15:38 2005 => File C:\WINDOWS\System32\hwclock.exe infected by "Backdoor.Win32.Small.eo" Virus! Action Taken: No Action Taken.
Sun Jun 05 18:15:43 2005 => System found infected with IstBAR Spyware/Adware ({0985c112-2562-46f2-8da6-92648ba4630f})! Action taken: No Action Taken.
Sun Jun 05 18:15:43 2005 => Object "IstBAR Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sun Jun 05 18:15:43 2005 => System found infected with IstBAR Spyware/Adware ({67907b3c-a6ef-4a01-99ad-3fcd5f526429})! Action taken: No Action Taken.
Sun Jun 05 18:15:43 2005 => Object "IstBAR Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sun Jun 05 18:15:43 2005 => System found infected with IstBAR Spyware/Adware ({386a771c-e96a-421f-8ba7-32f1b706892f})! Action taken: No Action Taken.
Sun Jun 05 18:15:43 2005 => Object "IstBAR Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sun Jun 05 18:15:44 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Jun 05 18:15:44 2005 => Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sun Jun 05 18:15:44 2005 => System found infected with CoolWebSearch Spyware/Adware ({4f7681e5-6caf-478d-9cb8-4ca593bee7fb})! Action taken: No Action Taken.
Sun Jun 05 18:15:44 2005 => System found infected with CoolWebSearch Spyware/Adware ({ee79d398-aaaf-47b1-8c9e-11f7d4c9111b})! Action taken: No Action Taken.
Sun Jun 05 18:15:44 2005 => System found infected with CoolWebSearch Spyware/Adware ({ac3f36d4-f905-4fe9-a926-eb937e66f591})! Action taken: No Action Taken.
Sun Jun 05 18:16:35 2005 => System found infected with peopleonpage Spyware/Adware (load.exe)! Action taken: No Action Taken.
Sun Jun 05 18:16:36 2005 => System found infected with CWS.xplugin Spyware/Adware (xplugin.dll)! Action taken: No Action Taken.
Sun Jun 05 18:16:36 2005 => System found infected with ISearchTech Spyware/Adware (istactivex.inf)! Action taken: No Action Taken.
Sun Jun 05 18:17:26 2005 => Total Disinfected Files:

danke im voraus!!

@henni
lese dich hiermal durch
http://www.sophos.de/virusinfo/analyses/w32hwbota.html

ich kann dir nur raten dein system neuafzusetzen(formatC)
hier eine Anleitung http://www.trojaner-board.de/showpos...28&postcount=2


sry
chaosman
Edit
Hi cronos

Du hast u.a. folgenden auf dem Rechner:

http://www.sophos.de/virusinfo/analyses/w32hwbota.html


Hier kann dir zu nichts anderem geraten werden, als dein PC nach dieser Anleitung Neuaufzusetzen, um ähnlich Infektionen in Zukunft zu vermeiden.
Warum eine Bereinigung hier nicht zum Erfolg führen kann:

http://www.mathematik.uni-marburg.de...al.html#sec2.1

Edit:Hi chaosman

ok, dann bleibt mir wohl nichts anderes übrig als format c. Noch eine letzte Frage chaosman, ich habe meine festplatte in 3 partitionen unterteilt, reicht es wenn ich c formatiere oder muss ich alle Partitionen formatieren?? vielen dank für deine Hilfe chaosman!!!

@henni

der sauberste und sicherste Lösung wäre alle drei zu formatieren.


chaosman