Trojan causes popups and blue text in the browser
So far no more popups are appearing.
Hitman:
Code:
HitmanPro 3.7.9.221
www.hitmanpro.com
Computer name . . . . : BENDIX_PC
Windows . . . . . . . : 6.1.1.7601.X86/2
User name . . . . . . : bendix_pc\***
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
Scan date . . . . . . : 2014-07-19 19:24:56
Scan mode . . . . . . : Normal
Scan duration . . . . : 8m 15s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 10
Objects scanned . . . : 1.082.581
Files scanned . . . . : 27.886
Remnants scanned . . : 573.111 files / 481.584 keys
Suspicious files ____________________________________________________________
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 46.2 days (2014-06-03 15:21:37)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\**\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 15.0 days (2014-07-04 19:57:43)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 23.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
Forensic Cluster
-0.2s C:\Users\*\AppData\Local\PunkBuster\BF3\pb\htm\wc002342.htm
0.0s C:\Users\*\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 8.1 days (2014-07-11 17:02:16)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 23.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
Forensic Cluster
-76.8s C:\ProgramData\Origin\Logs\IGO_Log.Origin_5852.txt
-55.7s C:\Users\***\AppData\Local\Origin\Web Cache\data7\7\z47x2d07.d
-54.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\1\3d531h7a.d
-54.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\d\72crx28m.d
-53.6s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\1aji4n98.d
-53.5s C:\Users\***\AppData\Local\Origin\Web Cache\data7\1\bmqyp0oq.d
-51.9s C:\Users\***\AppData\Local\Origin\Web Cache\data7\0\ggn2f4lp.d
-51.9s C:\Users\***\AppData\Local\Origin\Web Cache\data7\6\jtq16om6.d
-51.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\12arzljt.d
-51.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\0\1qn8c1ip.d
-51.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\7\12yqkb1g.d
-51.7s C:\ProgramData\Origin\Logs\IGO_Log.bf3_3472.txt
-50.3s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\c43igswu.d
-50.3s C:\Users\***\AppData\Local\Origin\Web Cache\data7\7\1y81out7.d
-50.3s C:\Users\***\AppData\Local\Origin\Web Cache\data7\d\zgotvc3m.d
-50.3s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\2png3cbt.d
-50.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\3\2z9ulbqs.d
-50.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\339nrvv8.d
-50.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\7\3n9x7wu7.d
-50.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\1\15k4t4zq.d
-50.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\2\ge6b9h3r.d
-50.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\1m36t45u.d
-49.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\9\1qxzizz9.d
-49.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\1gh0lbeu.d
-49.7s C:\Users\***\AppData\Local\Origin\Web Cache\data7\d\zmnhz5em.d
-49.7s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\20cgy1hx.d
-49.6s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\3no7hs7x.d
-49.5s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\jxwtrhjt.d
-49.5s C:\Users\***\AppData\Local\Origin\Web Cache\data7\2\3jsfncsb.d
-49.5s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\1c3v0iiu.d
-49.4s C:\Users\***\AppData\Local\Origin\Web Cache\data7\c\2mqv07sl.d
-49.4s C:\Users\***\AppData\Local\Origin\Web Cache\data7\e\1iz9gxpn.d
-49.4s C:\Users\***\AppData\Local\Origin\Web Cache\data7\6\235mnazv.d
-49.4s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\278ull5d.d
-49.3s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\cnjllooh.d
-48.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\0\2xiix4pp.d
-48.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\2\cgy78o5b.d
-48.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\2mk2gkph.d
-48.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\9\3hhgv4r9.d
-48.1s C:\ProgramData\Origin\Logs\IGO_Log.EACoreServer_3488.txt
-48.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\3fpjcmxd.d
-48.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\0\3jysjdmp.d
-48.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\2rp2zene.d
-48.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\9\3v1xx6o9.d
-48.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\c\ct3e2w5l.d
-48.0s C:\Users\***\AppData\Local\Origin\Web Cache\data7\f\3fn6mk2o.d
-47.9s C:\Users\***\AppData\Local\Origin\Web Cache\data7\0\1yii9vjp.d
-47.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\2\3r781hqr.d
-47.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\a\3ea7jsrz.d
-47.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\d\2xe9btom.d
-47.8s C:\Users\***\AppData\Local\Origin\Web Cache\data7\9\2q8ak19i.d
-47.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\38xol01h.d
-47.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\1\5wxsotfq.d
-47.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\8\1wukqarx.d
-47.2s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\2sseylct.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\2rcc0j75.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\17mlkyx5.d
-47.1s C:\Users***\AppData\Local\Origin\Web Cache\data7\8\gnhjzon8.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\a\mjmep7zj.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\5\e82p3m9e.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\4\q3n9xovd.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\f\rmoz8moo.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\a\1655q14z.d
-47.1s C:\Users\***\AppData\Local\Origin\Web Cache\data7\c\3uk61azl.d
-46.9s C:\Users\******\AppData\Local\Origin\Web Cache\data7\b\1cm8eqdk.d
-46.9s C:\Users\***\AppData\Local\Origin\Web Cache\data7\c\320yldgl.d
-46.9s C:\Users\***\AppData\Local\Origin\Web Cache\data7\a\1zum3akz.d
-46.9s C:\Users\***\AppData\Local\Origin\Web Cache\data7\c\3ql6xftl.d
-43.9s C:\Users\*\AppData\Local\Origin\Web Cache\data7\1\2geqol9q.d
-43.9s C:\Users\*\AppData\Local\Origin\Web Cache\data7\8\211b9ghx.d
-43.8s C:\Users\*\AppData\Local\Origin\Web Cache\data7\9\1f25qr7y.d
-43.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\5\1o759wp5.d
-43.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\9\23mygxjy.d
-43.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\6\xkt9dy1f.d
-43.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\7\16bn4etw.d
-43.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\7\3fqq8l97.d
-38.8s C:\Users\*\AppData\Local\Origin\Web Cache\data7\5\3vjnxwle.d
-38.4s C:\Users\*\AppData\Local\Origin\Web Cache\data7\7\221f5tqg.d
-38.4s C:\Users\*\AppData\Local\Origin\Web Cache\data7\4\261j4ogt.d
-38.0s C:\Users\*\AppData\Local\Origin\Web Cache\data7\0\309mqmmp.d
-37.6s C:\Users\*\AppData\Local\Origin\Web Cache\data7\2\3q0oc0jr.d
-37.6s C:\Users\*\AppData\Local\Origin\Web Cache\data7\5\31j61c6e.d
-37.2s C:\Users\*\AppData\Local\Origin\Web Cache\data7\4\3b2cauh4.d
-36.9s C:\Users\*\AppData\Local\Origin\Web Cache\data7\a\v9n4t6zz.d
-36.8s C:\Users\*\AppData\Local\Origin\Web Cache\data7\3\mk3b6eb3.d
-35.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\f\3rxktnpo.d
-35.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\f\3rxktnpo.d
-35.7s C:\Users\*\AppData\Local\Origin\Web Cache\data7\f\3rxktnpo.d
-30.5s C:\Users\*\AppData\Local\Origin\Web Cache\data7\9\1rc8vdly.d
-30.5s C:\Users\*\AppData\Local\Origin\Web Cache\data7\9\1rc8vdly.d
-30.1s C:\Users\*\AppData\Local\Origin\Web Cache\data7\3\3ts3ffkc.d
-25.2s C:\Users\*\AppData\Local\Origin\Web Cache\data7\7\389ru9wg.d
-15.1s C:\Users\*\AppData\Local\Origin\Web Cache\data7\4\yeiz0yqd.d
-14.6s C:\Users\*\AppData\Local\Origin\Web Cache\data7\3\24srh3zs.d
-13.0s C:\Users\*\AppData\Local\Origin\Web Cache\data7\1\2vpwv7qa.d
-12.8s C:\Users\*\AppData\Local\Origin\Web Cache\data7\5\3v08uls5.d
-3.4s C:\Users\*\AppData\Local\Origin\Web Cache\data7\5\3abukcae.d
0.0s C:\Users\
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 46.2 days (2014-06-03 14:55:26)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 140.520 bytes
Age . . . . . . . : 46.2 days (2014-06-03 14:55:48)
Entropy . . . . . : 7.8
SHA-256 . . . . . : A02F21CE0AAE716212DD2593B8392A7674D8CE932B3B133B3A33152809E7307C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\*\Desktop\FRST-OlderVersion\FRST.exe
Size . . . . . . . : 1.077.248 bytes
Age . . . . . . . : 0.2 days (2014-07-19 13:25:55)
Entropy . . . . . : 8.0
SHA-256 . . . . . : C2CCBE42983258BE2DE4090FCBACB726A9198499DA137BD471EF2FFFA9F14B7A
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
C:\Users\*\Desktop\FRST.exe
Size . . . . . . . : 1.079.808 bytes
Age . . . . . . . : 0.1 days (2014-07-19 16:49:48)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 99FBF88DE71B1D73A772E91B57AB27FE242454596C2B2A9B4176086085903A26
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Forensic Cluster
-0.3s C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\8ACRNP89.txt
-0.3s C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\10MCYGD8.txt
0.0s C:\Users\*\Desktop\FRST.exe
C:\Windows\system32\drivers\PnkBstrK.sys
Size . . . . . . . : 140.520 bytes
Age . . . . . . . : 46.3 days (2014-06-03 12:43:31)
Entropy . . . . . : 7.8
SHA-256 . . . . . : A02F21CE0AAE716212DD2593B8392A7674D8CE932B3B133B3A33152809E7307C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 26.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
Repairs _____________________________________________________________________
Proxyserver auf diesem Computer (Benutzer)
127.0.0.1:51210
Proxyserver auf diesem Computer (Benutzer)
127.0.0.1:51210
Registrierungsschlüssel: 1
PUP.Optional.SupTab.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, Keine Aktion durch Benutzer, [e5bc653be19a3ff79b6aa7b46f93956b],
Registrierungswerte: 1
PUP.Optional.QuickStart.A, HKU\S-1-5-21-2350961968-569790009-790667219-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS|appid, quick_start@gmail.com, Keine Aktion durch Benutzer, [8a17efb1b7c484b2fd4ef9cfdf23db25]
Registrierungsdaten: 0
(No malicious items detected)
Ordner: 1
PUP.Optional.AdPeak.A, C:\temp, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
Dateien: 6
PUP.Optional.WebSearchs.A, C:\Users\**\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_istart.webssearches.com_0.localstorage, Keine Aktion durch Benutzer, [6e330e92d5a6072fd245873be2206898],
PUP.Optional.WebSearchs.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_istart.webssearches.com_0.localstorage-journal, Keine Aktion durch Benutzer, [821f7d23cfac90a6f720b111f11133cd],
PUP.Optional.Boost.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage, Keine Aktion durch Benutzer, [acf5742c3a4150e6f03fd2f0ff03d52b],
PUP.Optional.Boost.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage-journal, Keine Aktion durch Benutzer, [5d444b556714979fb07f814151b15ba5],
PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
PUP.Optional.AdPeak.A, C:\temp\t.txt, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
Physische Sektoren: 0
(No malicious items detected)
(end)