Hallo an dieses Forum,
ich bin sehr froh Euch im Internet gefunden zu haben.
Der erste google-Eintrag des Suchwortes "Win32.Agent" ist dieses Forum.
Ich habe alle Regeln des Forums gelesen und versuche diese
so gut wie möglich umzusetzten um die Arbeit etwas zu erleichtern.
Schilderung meines Problems:
Kasperky hat folgende Probleme erkannt, welche ich gescreent und
angehängt habe. ("kasperky_screenshot"). Leider lassen sich
die gefundenen Bösewichte vom Kasperky nicht entfernen.
Nach der Forumssuche habe ich ähnliche Beiträge zum Thema
"Win32.Agent" gefunden und habe anfänglich versucht die dort
beschriebenen Lösungswege abzuarbeiten. Nachdem mir Malwarebytes
nach einem KomplettScan keine Bösewichte angezeigt hat, habe ich mich
entscheiden ganz von vorne zu beginnen (dds, defogger)
Zitat:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Admin at 7:59:31 on 2012-02-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3066.2083 [GMT 1:00]
.
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Realtek Semiconductor Corp\Realtek USB 2.0 Card Reader\reset.exe
C:\Windows\SYSTEM32\Rezip.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\tsnp2uvc.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PDF24\pdf24.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.de/
uDefault_Page_URL = hxxp://www.aldi.com/
mDefault_Page_URL = hxxp://www.aldi.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky\kaspersky internet security 2012\ievkbd.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky\kaspersky internet security 2012\klwtbbho.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UCam_Menu] "c:\program files\homecinema\youcam\muitransfer\muistartmenu.exe" "c:\program files\homecinema\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [PDVD8LanguageShortcut] "c:\program files\homecinema\powerdvd8\language\Language.exe"
mRun: [MDS_Menu] "c:\program files\homecinema\mediashow4\muitransfer\muistartmenu.exe" "c:\program files\homecinema\mediashow4" updatewithcreateonce "software\cyberlink\mediashow\4.1"
mRun: [tsnp2uvc] c:\windows\tsnp2uvc.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVP] "c:\program files\kaspersky\kaspersky internet security 2012\avp.exe"
mRun: [PDFPrint] c:\program files\pdf24\pdf24.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start hxxp://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMwBaAEMAOQAtAEUASwBBAFIAUwAtADYAUgBXAEcAQQAtAEEAQQBUAEMAVQAtAFYAUAA5AEYATgA"&"inst=NwA3AC0ANAA0ADgAOAA3ADAANgA2ADEALQB YAEwAKwAxAC0AVAA1AC0ARgBMACsAOQAtAEYAOQBNADYAKwAxAC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AA"&"prod=90"&"ver=9.0.872
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\{10584~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wisome~1.lnk - c:\program files\wiso\steuersoftware 2011\mshaktuell.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Easy-WebPrint - Drucken - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Easy-WebPrint - Schnelldruck - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint - Vorschau - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint - Zu Druckliste hinzufügen - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Free YouTube to MP3 Converter - c:\users\admin\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky\kaspersky internet security 2012\ievkbd.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky\kaspersky internet security 2012\klwtbbho.dll
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{585A1985-1848-42D4-AE16-01AB80CC0E32} : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{8B7CBA12-E6ED-4B51-BDE1-9F32F3DDD5A8} : DhcpNameServer = 192.168.178.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\jbi9blw3.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - www.google.de
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
.
============= SERVICES / DRIVERS ===============
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-3-4 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2011-3-10 23856]
R2 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 resetWinService;Reset Reader;c:\program files\realtek semiconductor corp\realtek usb 2.0 card reader\reset.exe [2009-6-10 70656]
R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2009-6-10 311296]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-8 64032]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-2-24 522784]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky\kaspersky internet security 2012\avp.exe [2011-4-24 202296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-13 133104]
S3 fspad_wlh32;Finger-sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh32;c:\windows\system32\drivers\fspad_wlh32.sys [2009-6-22 41984]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-8-13 133104]
S3 libusb0;LibUsb-Win32 - Kernel Driver 07/07/2009, 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2009-7-7 28160]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-18 40776]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-17 23:31:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-15 17:20:53 -------- d-----w- C:\sh4ldr
2012-02-15 17:20:52 -------- d-----w- c:\program files\Enigma Software Group
2012-02-15 17:19:16 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-02-15 17:05:51 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-15 17:05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-15 17:00:55 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 17:00:54 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-15 17:00:53 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 07:12:09 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{309e5eeb-79e8-4127-aea2-9fa4c157ec50}\mpengine.dll
2012-01-31 00:20:04 -------- d-----w- c:\users\admin\appdata\local\PDF24
2012-01-31 00:19:30 -------- d-----w- c:\program files\PDF24
.
==================== Find3M ====================
.
2012-02-16 21:55:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-26 23:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 8:00:36,03 ===============
|
Als Anhang (logfiles.zip):
gamer.txt
Attach.txt
defogger_disable.log
Für eine Rückmeldung danke ich Euch schon jetzt!
Grüße,
kreisl
18.02.2012, 16:49
Baum-Darstellung