If you are not sure whether you have picked up malware or a trojan, create a topic here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
CryptoApp.exe - .encrypted files on the desktop and in personal folders
Code:
HitmanPro 3.7.9.232
www.hitmanpro.com
Computer name . . . . : OLIVERPC_WIN8
Windows . . . . . . . : 6.3.0.9600.X64/4
User name . . . . . . : OLIVERPC_WIN8\Oliver
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)
Scan date . . . . . . : 2014-11-13 01:06:16
Scan mode . . . . . . : Normal
Scan duration . . . . : 2m 6s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 21
Objects scanned . . . : 2.728.174
Files scanned . . . . : 153.377
Remnants scanned . . : 1.154.371 files / 1.420.426 keys
Suspicious files ____________________________________________________________
C:\Users\Oliver\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
Size . . . . . . . : 949.613 bytes
Age . . . . . . . : 691.3 days (2012-12-21 16:42:48)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\Oliver\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 949.613 bytes
Age . . . . . . . : 671.2 days (2013-01-10 20:12:28)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\Oliver\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
Size . . . . . . . : 949.613 bytes
Age . . . . . . . : 691.4 days (2012-12-21 16:38:39)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\Oliver\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 139.328 bytes
Age . . . . . . . : 691.4 days (2012-12-21 16:38:53)
Entropy . . . . . : 7.8
SHA-256 . . . . . : F6552C37C04FD92554BD715F9E98B41E3D711C8AC37C757FBCFDDD69738FBE5E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\Oliver\Downloads\FRST64.exe
Size . . . . . . . : 2.116.096 bytes
Age . . . . . . . : 0.1 days (2014-11-12 21:57:21)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 5688C72E8362E4813E3970E44D64B00A540BED1A12B7615E2EE9B3C0206D0BB2
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Forensic Cluster
0.0s C:\Users\Oliver\Downloads\FRST64.exe
4.3s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{59854B86-C896-45D1-9836-362E7880ED35}
5.4s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\2\33\
5.4s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\2\33\E8083667338F2889.dat
5.5s C:\Users\Oliver\AppData\Local\Microsoft\Windows\INetCache\IE\23AP0NW3\up64[1]
8.1s C:\FRST\Logs\
8.1s C:\FRST\
8.1s C:\FRST\Hives\
8.1s C:\FRST\Quarantine\
8.8s C:\FRST\Hives\ERDNT.INF
8.8s C:\FRST\Hives\ERDNT.CON
8.8s C:\FRST\Hives\BCD
8.8s C:\FRST\Hives\SYSTEM
8.9s C:\FRST\Hives\SOFTWARE
9.4s C:\FRST\Hives\DEFAULT
9.4s C:\FRST\Hives\SECURITY
9.4s C:\FRST\Hives\SAM
9.4s C:\FRST\Hives\Users\
9.4s C:\FRST\Hives\Users\00000001\
9.4s C:\FRST\Hives\Users\00000001\NTUSER.DAT
9.5s C:\FRST\Hives\Users\00000002\
9.5s C:\FRST\Hives\Users\00000002\UsrClass.dat
9.6s C:\FRST\Hives\ERDNT.EXE
9.6s C:\FRST\Hives\ERDNTWIN.LOC
9.6s C:\FRST\Hives\ERDNTDOS.LOC
10.2s C:\Users\Oliver\Downloads\FRST.txt
10.3s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{8D60FF83-39DA-4706-8245-9FB5D4DF6230}
14.1s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0B49DED4-D8F2-4B84-BC9B-A7DF112E72BC}
14.1s C:\Windows\Prefetch\FRST64.EXE-FECE4BC6.pf
Potential Unwanted Programs _________________________________________________
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi (Sweetpacks) -> Deleted
sweetim.toolbar.dialogs.0.url
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\prefs.js
sweetim.toolbar.dialogs.2.url
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\prefs.js
sweetim.toolbar.rc.url
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\prefs.js
sweetim.toolbar.scripts.0.url
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\prefs.js
sweetim.toolbar.scripts.1.url
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\prefs.js
C:\Users\Oliver\AppData\Roaming\Mozilla\Firefox\Profiles\t07um4cv.default\SweetPacksToolbarData\ (Sweetpacks) -> Deleted
HKLM\SOFTWARE\Wow6432Node\SweetIM\ (Sweetpacks) -> Deleted
HKU\S-1-5-21-794392239-4017259344-355818948-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{EEE6C35B-6118-11DC-9C72-001320C79847} (Sweetpacks) -> Deleted
HKU\S-1-5-21-794392239-4017259344-355818948-1001\Software\SweetIM\ (Sweetpacks) -> Deleted
Repairs _____________________________________________________________________
Desktophintergrund
HKU\S-1-5-21-794392239-4017259344-355818948-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
Ordneroptionen
HKU\S-1-5-21-794392239-4017259344-355818948-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
No Context Menu
HKU\S-1-5-21-794392239-4017259344-355818948-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Registrierungseditor (regedit.exe)
HKU\S-1-5-21-794392239-4017259344-355818948-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Task-Manager (taskmgr.exe)
HKU\S-1-5-21-794392239-4017259344-355818948-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Eingabeaufforderung gesperrt
HKU\S-1-5-21-794392239-4017259344-355818948-1008\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD