Abox.exe (Trojaner?) entfernen

#1 Hi Leute,

ich hoffe Ihr könnt mir helfen.

Hier ein paar Hinweise:

-ständig findet der 0190 Warner YAW dieses Progamm und ernfert es auch

- nach kurzer Zeit installiert sich der (Trojaner?) aber wieder von selbst

- ein Popupfenster wird auch in regelmäßigen Abständen auf dem Bildschirm angezeigt

Wie kriege ich diesen Nervi vom System -- H i l f e ---

hier mein log:

Logfile of HijackThis v1.98.2
Scan saved at 14:01:39, on 04.01.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\TCAUDIAG.EXE
C:\PROGRAMME\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\IFRWOV.EXE
C:\PROGRAMME\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMME\HARDCOPY\HARDCOPY.EXE
V:\GROUPWISE\CLIENT\WIN32\NOTIFY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\STARTMENü\PROGRAMME\AUTOSTART\STICKIT.EXE
C:\TERMEMU\TERMEMU.EXE
C:\WINDOWS\SYSTEM\WSASRV.EXE
C:\PROGRAMME\KLICKTEL\KLICKTEL HERBST 2004\KTEL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMME\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\TOTALCMD\TOTALCMD.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Eigene Dateien\ws.js
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: (no name) - {5A7CAE64-3BD3-6226-A58C-37C6FF6794C6} - C:\WINDOWS\SYSTEM\RHYJ.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &WINSWEEP Toolbar - {E915E62E-41DA-40D0-8106-3438B4D24394} - C:\PROGRAMME\WINSWEEP\SURFBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [IntelliType] "C:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Bsot] C:\WINDOWS\Anwendungsdaten\desr.exe
O4 - HKCU\..\Run: [Lrjs] C:\WINDOWS\SYSTEM\ifrwov.exe
O4 - HKCU\..\Run: [YAW starten] "C:\PROGRAMME\YAW 3.5\yawguard.exe"
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Hardcopy.LNK = C:\Programme\Hardcopy\hardcopy.exe
O4 - Startup: GroupWise Notify.lnk = Groupwise\client\win32\Notify.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Programme\UltimateZip\uzqkst.exe
O4 - Startup: Stickit.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Verweisseiten - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf;jsessionid=0001pr70vZRWGrAQDNbkPStYKIh:vqdcfhip: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/dl/adv90/x.chm::/load.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.7.128.162,212.7.128.168
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - C:\WINDOWS\SYSTEM\child.dll
O21 - SSODL: Web Event Logger - {7EFBAEFF-EE02-1333-ABDF-416572E5D639} - C:\WINDOWS\SYSTEM\Encpdanm.dll

#2 Du hast dir einen ganzen Schung unangenehmes eingehandelt.

Fixe mal das im abgesihcerten Modus:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Eigene Dateien\ws.js
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: (no name) - {5A7CAE64-3BD3-6226-A58C-37C6FF6794C6} - C:\WINDOWS\SYSTEM\RHYJ.DLL
04 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Bsot] C:\WINDOWS\Anwendungsdaten\desr.exe
O4 - HKCU\..\Run: [Lrjs] C:\WINDOWS\SYSTEM\ifrwov.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/dl/adv90/x.chm::/load.exe
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - C:\WINDOWS\SYSTEM\child.dll
O21 - SSODL: Web Event Logger - {7EFBAEFF-EE02-1333-ABDF-416572E5D639} - C:\WINDOWS\SYSTEM\Encpdanm.dll

start neu und arbeite mal das ab (1-5) http://board.protecus.de/t9373.htm

Ob das bereits ausreicht oder du nicht vieleicht besser gleich dein System neu aufsetzt, kann ich dir nicht verraten.
__________
MfG Ralf
SEO-Spam Hunter