Was darf gelöscht werden bei HiJackThis?

Hier meine Logfile. habe keine Ahnung, was gelöscht werden darf. Erbitte Hilfe!

Gruß Tommi

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\T-DSLS~1\SpeedMgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\T-DSL SpeedManager\tsmsvc.exe
C:\Archiv Landmark\Downloads\HijackThis\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://bad-url.com/?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://bad-url.com/?
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA2} - C:\DOKUME~1\Tommi\LOKALE~1\Temp\mbab.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O2 - BHO: (no name) - {B0E53498-1DF7-424D-8786-C005913E3731} - C:\WINDOWS\System32\ihpfp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [T-DSL SpeedMgr] C:\PROGRA~1\T-DSLS~1\SpeedMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\System32\bootconf.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38112.0683564815
O17 - HKLM\System\CCS\Services\Tcpip\..\{B49BA725-B36F-486B-ACFD-7C861C9CD289}: NameServer = 192.168.120.252,192.168.120.253
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)

Bitte ergänze doch noch den Logfile-Beginn.......

Hier der Beginn:

Logfile of HijackThis v1.97.7
Scan saved at 08:42:48, on 24.05.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

SP-Hijacker, mal hier lesen und das Tool besorgen: http://www.rokop-security.de/main/article.php?sid=746&mode=thread&order=0

Tool anwenden, danach dann nochmals ein Log hier posten.

Also ich habe das Tool drüberlaufen lassen. Hier der Log:

24.05.2004 13:41:00 SPhjFix started v1.07
24.05.2004 13:41:00 Stealth-String not found -> Programm terminated
24.05.2004 13:41:19 SPhjFix started v1.07
24.05.2004 13:41:19 Stealth-String not found -> Programm terminated

Es sagt ausserdem, das keine Infizierung vorliegt.

Danach habe ich noch CWShredder (Nur den Scan) laufen lassen mit folgendem Ergebnis:

CWShredder v1.57.0 scan only report
Please understand that a CWShredder->Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Dokumente und Einstellungen\Tommi\Anwendungsdaten
Username: Tommi

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,Search
Infected data: http://out.true-counter.com/b/?344012 (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://aifind.info/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://aifind.info/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
Infected data: http://out.true-counter.com/a/?344012 (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://out.true-counter.com/b/?344012 (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant
Infected data: http://bad-url.com/?
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch
Infected data: http://bad-url.com/?
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
Infected data: http://out.true-counter.com/b/?344012 (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://C:\WINDOWS\System32\ihpfp.dll/sp.html (obfuscated)
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (820 bytes, R)
CWS.Msinfo Registry value: HKLM\..\Run [Internat Conf] C:\WINDOWS\System32\bootconf.exe
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\System32\userinit.exe
Found CWS.Therealsearch (if filesize is under 300k) file: C:\WINDOWS\editpad.exe (293 bytes, A)
Registry value: Stylesheet (HKCU) [User Stylesheet] C:\WINDOWS\Web\oslogo.bmp
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (1039 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)
CWS.Dreplace Registry key: HKLM\..\BHOs\{086AE192-23A6-48D6-96EC-715F53797E85}
Found CWS.Dreplace file: C:\WINDOWS\system32\Dreplace.dll (50176 bytes, A)

- END OF REPORT -

Also was muß ich löschen oder sonstwie bearbeiten? Bin nämlich etwas verwirrt über die Anzahl der Meldungen und was gefixt (?) werden darf und was nicht.

Dank für die Hilfe.

Den CWS kannste gleich im Fix-Modus drüberrappeln lassen.