
Log Analysis and Evaluation: Cerber 4.0 Ransomware on the Computer

Windows 7

 
27.10.2016, 17:38   #1
wechselbalg
 
Cerber 4.0 Ransomware on the Computer



Hello dear trojan fighters,

at midday today the Cerber 4.0 virus went and encrypted my files (I was told that it is Cerber 4 after uploading two sample files here: https://id-ransomware.malwarehunterteam.com/identify.php ).
Annoying as that is, I had backed up the data that matters to me to an external drive three days ago. So we do not need to take much care over what is still on drive C:. One thing is clear, though: before I connect the external hard drive holding the backup to the compromised computer again, I of course want to be sure that Cerber is gone and has not left any backdoors open.

On the first attempt I could only start Malwarebytes in the old version that was already on the computer (126 detections). After a reboot I was then able to update to the current MBAM version, which promptly found another 45 items.

MBAM (old version) logfile:
Code:
 Malwarebytes Anti-Malware 
www.malwarebytes.org

Scan Date: 27.10.2016
Scan Time: 17:37
Logfile: MBAM_2.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.04.28.05
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388861
Time Elapsed: 4 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 82
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE, Quarantined, [74813c355b2f102683706f23fa0abf41], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [797c93de3e4ca98de5e1474c01034db3], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [3abbafc2d2b8b87e2d9c761d49bb9d63], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE, Quarantined, [777e5a175931c1756a630a897e8616ea], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [dc19007159315bdb5c721f748f755aa6], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [9362b9b8f694c27408ba330dc83cdc24], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [45b020514d3d80b6fdfd6c85f112a759], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [c62ffa773c4e47ef9368b14044bfa25e], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [ae4781f07b0fe650827a1cd553b0b848], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [5c99d8995d2de056354ba0f432d239c7], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [b144b5bc2b5f191d374a771df31141bf], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [b045beb357338fa709874c488d7754ac], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE, Quarantined, [ce270170fc8e20164eac464e74901ce4], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [f7fe31407515e0567cc065300cf818e8], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [886df77acbbf3006d669484d689cc23e], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [50a5bcb51c6ed1659ba6e8ada85c35cb], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE, Quarantined, [f9fcabc67d0d171f015599fc0bf96997], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE, Quarantined, [b4419bd657338fa75b00732208fcaa56], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE, Quarantined, [52a3c6ab3159d85e80ddb2e3ca3abc44], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [896c323fc4c674c2fb667c1961a36c94], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE, Quarantined, [5c99bdb4c6c47cbaf092d5c0b252a45c], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [af468ce5dfabfe386b18d542c34151af], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [06ef066bc5c545f1cad77e1834d00cf4], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [8d685d14ee9c48ee87417f982ed6df21], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [688ded8465258ea8f6bd8d09679db050], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [1bda165baedc2c0aa91d851134d0ff01], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [a94c7bf6d8b2f73f5e53467f818325db], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [de17d79aee9c340255668a3bd034857b], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [d61f1e53d3b7d1653207c1d6fe06aa56], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE, Quarantined, [da1b7001bdcdc2747fdcb1e60bf951af], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE, Quarantined, [8b6a125fa9e177bf1fba1780aa5ae41c], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE, Quarantined, [da1b5f129cee979f796ba3f4976d52ae], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE, Quarantined, [03f2f081ee9ccb6b4bbfc7d1709428d8], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE, Quarantined, [7b7a84edd6b4a09611638d0b4bb949b7], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE, Quarantined, [4ea70e63bad085b116613266f21224dc], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, Quarantined, [36bfc6ab01891125b08a6d4492729967], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE, Quarantined, [db1aadc43b4f38fe20b22f119e667e82], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [11e4f57c761411254f7200edc73d817f], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [bf3699d86327e155d9217cbd20e5837d], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [20d5e19039515bdb799ab0ea9b69bb45], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [f302c4ad22680036200292089f6528d8], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE, Quarantined, [5a9b2b467416bc7a945f088a669e649c], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [d61f1a57fd8d95a10cbacdc65ca827d9], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [7a7b95dcf09a9c9ae6e393004aba06fa], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE, Quarantined, [2cc9f37ec3c77abc408d91025da7ac54], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [ed086809098120169935246f9a6af20e], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [f104541d4e3c989eb50d83bdc04456aa], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [8b6a561b098196a0b5459f5252b1e917], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [c43189e8b5d540f6d4277e73d1323ec2], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [52a3f47d03878ea874885998cd36966a], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [579ea7ca1377a492354b5a3af90bc739], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [6f8676fbc0ca79bd552c8014b94b21df], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [4ea76a07a2e85fd7aae62d672dd7fb05], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE, Quarantined, [7e77c5ac602a1422d4265d373acaa060], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [f9fc96db8efc2b0b23197223ba4a4fb1], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [6c89a2cf3d4d5fd7aa95b2e39d6708f8], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [84713d346b1fc1750140504501034db3], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE, Quarantined, [f104650c7e0cd066c5919401f014827e], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE, Quarantined, [fcf982efb6d43bfbb4a7365fd3318f71], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE, Quarantined, [8a6bbdb4355554e2d88544518b7942be], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [23d25021bad072c4253c1a7b6c983dc3], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE, Quarantined, [ce27373a0e7ca294483a0095749020e0], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [25d01a57ed9d64d2e59e2ee940c425db], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [fcf9145d355591a55e431383669ef709], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [01f4620f1278270f20a844d33dc75aa6], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [ee070a6767233ef8eac9fe98ce36f808], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [e70e7ff2afdbf442c303a6f01ce86e92], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [db1a2c45bdcdfb3b357ce8dd7b89ed13], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [db1aaec3870313237645e7deeb1917e9], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [21d4c1b0ddad0531f6430b8cc83ca759], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE, Quarantined, [ec09254c90facf67da81a4f339cb2cd4], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE, Quarantined, [b73ee98856343ff77465ff9855af36ca], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE, Quarantined, [c92c6d047b0f76c070748b0c0ef6a55b], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE, Quarantined, [2bca21503d4d52e4927842563cc80df3], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE, Quarantined, [ae470e631a701f17bcb8c1d7956fb050], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE, Quarantined, [05f06b062b5fbf779cdb1484e1236799], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, Quarantined, [75801e53b8d2d95d89b18031c242ba46], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE, Quarantined, [fbfaacc5a3e701354d8520205aaa6f91], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [94611a577e0cac8a744dcd207c889c64], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [fdf84d24c5c542f464967dbc6d98c13f], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [63927af7f595cf6747cc1486fb093dc3], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [8b6a84ed3456082e7da58f0bbd4717e9], 

Registry Values: 84
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE|debugger, svchost.exe, Quarantined, [74813c355b2f102683706f23fa0abf41]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|debugger, svchost.exe, Quarantined, [797c93de3e4ca98de5e1474c01034db3]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|debugger, svchost.exe, Quarantined, [3abbafc2d2b8b87e2d9c761d49bb9d63]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE|debugger, svchost.exe, Quarantined, [777e5a175931c1756a630a897e8616ea]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|debugger, svchost.exe, Quarantined, [dc19007159315bdb5c721f748f755aa6]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|debugger, svchost.exe, Quarantined, [9362b9b8f694c27408ba330dc83cdc24]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|debugger, svchost.exe, Quarantined, [45b020514d3d80b6fdfd6c85f112a759]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|debugger, svchost.exe, Quarantined, [c62ffa773c4e47ef9368b14044bfa25e]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|debugger, svchost.exe, Quarantined, [ae4781f07b0fe650827a1cd553b0b848]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|debugger, svchost.exe, Quarantined, [5c99d8995d2de056354ba0f432d239c7]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|debugger, svchost.exe, Quarantined, [b144b5bc2b5f191d374a771df31141bf]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|debugger, svchost.exe, Quarantined, [b045beb357338fa709874c488d7754ac]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE|debugger, svchost.exe, Quarantined, [ce270170fc8e20164eac464e74901ce4]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|debugger, svchost.exe, Quarantined, [f7fe31407515e0567cc065300cf818e8]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|debugger, svchost.exe, Quarantined, [886df77acbbf3006d669484d689cc23e]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|debugger, svchost.exe, Quarantined, [50a5bcb51c6ed1659ba6e8ada85c35cb]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE|debugger, svchost.exe, Quarantined, [f9fcabc67d0d171f015599fc0bf96997]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE|debugger, svchost.exe, Quarantined, [b4419bd657338fa75b00732208fcaa56]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE|debugger, svchost.exe, Quarantined, [52a3c6ab3159d85e80ddb2e3ca3abc44]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|debugger, svchost.exe, Quarantined, [896c323fc4c674c2fb667c1961a36c94]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE|debugger, svchost.exe, Quarantined, [5c99bdb4c6c47cbaf092d5c0b252a45c]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|debugger, svchost.exe, Quarantined, [af468ce5dfabfe386b18d542c34151af]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|debugger, svchost.exe, Quarantined, [06ef066bc5c545f1cad77e1834d00cf4]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|debugger, svchost.exe, Quarantined, [8d685d14ee9c48ee87417f982ed6df21]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|debugger, svchost.exe, Quarantined, [688ded8465258ea8f6bd8d09679db050]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|debugger, svchost.exe, Quarantined, [1bda165baedc2c0aa91d851134d0ff01]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|debugger, svchost.exe, Quarantined, [a94c7bf6d8b2f73f5e53467f818325db]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|debugger, svchost.exe, Quarantined, [de17d79aee9c340255668a3bd034857b]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|debugger, svchost.exe, Quarantined, [d61f1e53d3b7d1653207c1d6fe06aa56]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE|debugger, svchost.exe, Quarantined, [da1b7001bdcdc2747fdcb1e60bf951af]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE|debugger, svchost.exe, Quarantined, [8b6a125fa9e177bf1fba1780aa5ae41c]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE|debugger, svchost.exe, Quarantined, [da1b5f129cee979f796ba3f4976d52ae]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE|debugger, svchost.exe, Quarantined, [03f2f081ee9ccb6b4bbfc7d1709428d8]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE|debugger, svchost.exe, Quarantined, [7b7a84edd6b4a09611638d0b4bb949b7]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE|debugger, svchost.exe, Quarantined, [4ea70e63bad085b116613266f21224dc]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|debugger, svchost.exe, Quarantined, [36bfc6ab01891125b08a6d4492729967]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|debugger, svchost.exe, Quarantined, [8b6a2948bbcff5410cfe20793fc554ac]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE|debugger, svchost.exe, Quarantined, [db1aadc43b4f38fe20b22f119e667e82]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|debugger, svchost.exe, Quarantined, [11e4f57c761411254f7200edc73d817f]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|debugger, svchost.exe, Quarantined, [bf3699d86327e155d9217cbd20e5837d]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|debugger, svchost.exe, Quarantined, [20d5e19039515bdb799ab0ea9b69bb45]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|debugger, svchost.exe, Quarantined, [f302c4ad22680036200292089f6528d8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE|debugger, svchost.exe, Quarantined, [5a9b2b467416bc7a945f088a669e649c]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|debugger, svchost.exe, Quarantined, [d61f1a57fd8d95a10cbacdc65ca827d9]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|debugger, svchost.exe, Quarantined, [7a7b95dcf09a9c9ae6e393004aba06fa]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE|debugger, svchost.exe, Quarantined, [2cc9f37ec3c77abc408d91025da7ac54]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|debugger, svchost.exe, Quarantined, [ed086809098120169935246f9a6af20e]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|debugger, svchost.exe, Quarantined, [f104541d4e3c989eb50d83bdc04456aa]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|debugger, svchost.exe, Quarantined, [8b6a561b098196a0b5459f5252b1e917]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|debugger, svchost.exe, Quarantined, [c43189e8b5d540f6d4277e73d1323ec2]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|debugger, svchost.exe, Quarantined, [52a3f47d03878ea874885998cd36966a]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|debugger, svchost.exe, Quarantined, [579ea7ca1377a492354b5a3af90bc739]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|debugger, svchost.exe, Quarantined, [6f8676fbc0ca79bd552c8014b94b21df]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|debugger, svchost.exe, Quarantined, [4ea76a07a2e85fd7aae62d672dd7fb05]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE|debugger, svchost.exe, Quarantined, [7e77c5ac602a1422d4265d373acaa060]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|debugger, svchost.exe, Quarantined, [f9fc96db8efc2b0b23197223ba4a4fb1]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|debugger, svchost.exe, Quarantined, [6c89a2cf3d4d5fd7aa95b2e39d6708f8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|debugger, svchost.exe, Quarantined, [84713d346b1fc1750140504501034db3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE|debugger, svchost.exe, Quarantined, [f104650c7e0cd066c5919401f014827e]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE|debugger, svchost.exe, Quarantined, [fcf982efb6d43bfbb4a7365fd3318f71]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE|debugger, svchost.exe, Quarantined, [8a6bbdb4355554e2d88544518b7942be]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|debugger, svchost.exe, Quarantined, [23d25021bad072c4253c1a7b6c983dc3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE|debugger, svchost.exe, Quarantined, [ce27373a0e7ca294483a0095749020e0]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|debugger, svchost.exe, Quarantined, [25d01a57ed9d64d2e59e2ee940c425db]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|debugger, svchost.exe, Quarantined, [fcf9145d355591a55e431383669ef709]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|debugger, svchost.exe, Quarantined, [01f4620f1278270f20a844d33dc75aa6]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|debugger, svchost.exe, Quarantined, [ee070a6767233ef8eac9fe98ce36f808]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|debugger, svchost.exe, Quarantined, [e70e7ff2afdbf442c303a6f01ce86e92]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|debugger, svchost.exe, Quarantined, [db1a2c45bdcdfb3b357ce8dd7b89ed13]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|debugger, svchost.exe, Quarantined, [db1aaec3870313237645e7deeb1917e9]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|debugger, svchost.exe, Quarantined, [21d4c1b0ddad0531f6430b8cc83ca759]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE|debugger, svchost.exe, Quarantined, [ec09254c90facf67da81a4f339cb2cd4]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE|debugger, svchost.exe, Quarantined, [b73ee98856343ff77465ff9855af36ca]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE|debugger, svchost.exe, Quarantined, [c92c6d047b0f76c070748b0c0ef6a55b]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE|debugger, svchost.exe, Quarantined, [2bca21503d4d52e4927842563cc80df3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE|debugger, svchost.exe, Quarantined, [ae470e631a701f17bcb8c1d7956fb050]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE|debugger, svchost.exe, Quarantined, [05f06b062b5fbf779cdb1484e1236799]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|debugger, svchost.exe, Quarantined, [75801e53b8d2d95d89b18031c242ba46]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|debugger, svchost.exe, Quarantined, [9c595819d6b4b97d59b1940532d208f8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE|debugger, svchost.exe, Quarantined, [fbfaacc5a3e701354d8520205aaa6f91]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|debugger, svchost.exe, Quarantined, [94611a577e0cac8a744dcd207c889c64]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|debugger, svchost.exe, Quarantined, [fdf84d24c5c542f464967dbc6d98c13f]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|debugger, svchost.exe, Quarantined, [63927af7f595cf6747cc1486fb093dc3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|debugger, svchost.exe, Quarantined, [8b6a84ed3456082e7da58f0bbd4717e9]

Registry Data: 2
Windows.Tool.Disabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[16dfff725d2da59168c0ee1b19ede21e]
Windows.Tool.Disabled, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[51a475fc424821154adea960c83ee31d]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
         


MBAM (current version) log file:
Code:
ATTFilter
 Malwarebytes Anti-Malware 
www.malwarebytes.org

Scan Date: 27.10.2016
Scan Time: 17:51
Logfile: MBAM_3.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.27.07
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admins

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 353720
Time Elapsed: 2 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 15
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [d063b8e6dbbffa3c699f8844db2859a7], 
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [47ec613dcbcf7fb7c1c9f4d8d82b25db], 
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [a192ff9ffaa048ee54b4e5e72cd76799], 
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [60d38f0f7e1ce5516d1d5a729e65b947], 
PUP.Optional.CrossRider, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\Sense, Quarantined, [84afd0cee3b73204c20adcfb4ab842be], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{10C7A83B-1C36-4D94-B718-3CF2712E216A}, Quarantined, [35fedec053471c1a20c5a6f88f74f709], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{13709CD4-1D45-42A2-8B51-3F395B65B1E3}, Quarantined, [979c4955dfbbca6ccd19f9a5dd26c53b], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44E0B96F-FFDC-4600-928F-215BD67E8FA7}, Quarantined, [260d4b53603a3cfab0352678c73c2ad6], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{6D0AC3A1-5DC1-4AFB-87F2-A63BF7897825}, Quarantined, [0b282b735c3e092da1450f8f51b2af51], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{750BFF28-2DAD-4181-89DD-5DB239817C72}, Quarantined, [3bf8039be8b2b680b4318e1062a18b75], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9E563179-CCB8-4E1C-86D1-B5983C2D629C}, Quarantined, [df541d814357d4623bab47571be8f010], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A751E42A-5025-4000-867B-63B925853B80}, Quarantined, [2310e1bdafebb97d1acb386671922cd4], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{B7AA599E-52E3-461E-9680-3D16B84B8AA2}, Quarantined, [6dc6c7d76535ce68a046b4ea3ac955ab], 
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{CE424CCA-415D-473D-B9D5-BAD3A02A1F27}, Quarantined, [68cba0fe1b7f89adb72fc1ddf50e1de3], 
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB, Quarantined, [5fd4c1ddd0ca55e19cd0208e6e95b050], 

Registry Values: 21
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|debugger, svchost.exe, Quarantined, [d063b8e6dbbffa3c699f8844db2859a7]
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|debugger, svchost.exe, Quarantined, [47ec613dcbcf7fb7c1c9f4d8d82b25db]
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|debugger, svchost.exe, Quarantined, [a192ff9ffaa048ee54b4e5e72cd76799]
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|debugger, svchost.exe, Quarantined, [60d38f0f7e1ce5516d1d5a729e65b947]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{10C7A83B-1C36-4D94-B718-3CF2712E216A}|AppName, fae77da2-4beb-441e-a80f-2233145b4246-2.exe-buttonutil.exe, Quarantined, [35fedec053471c1a20c5a6f88f74f709]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{13709CD4-1D45-42A2-8B51-3F395B65B1E3}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-codedownloader.exe, Quarantined, [979c4955dfbbca6ccd19f9a5dd26c53b]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44E0B96F-FFDC-4600-928F-215BD67E8FA7}|AppName, fae77da2-4beb-441e-a80f-2233145b4246-2.exe-buttonutil.exe, Quarantined, [260d4b53603a3cfab0352678c73c2ad6]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{6D0AC3A1-5DC1-4AFB-87F2-A63BF7897825}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-codedownloader.exe, Quarantined, [0b282b735c3e092da1450f8f51b2af51]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{750BFF28-2DAD-4181-89DD-5DB239817C72}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-buttonutil.exe, Quarantined, [3bf8039be8b2b680b4318e1062a18b75]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9E563179-CCB8-4E1C-86D1-B5983C2D629C}|AppName, 85bfe029-98ca-4ec8-9176-cbab512e2e23-2.exe-codedownloader.exe, Quarantined, [df541d814357d4623bab47571be8f010]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A751E42A-5025-4000-867B-63B925853B80}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-buttonutil.exe, Quarantined, [2310e1bdafebb97d1acb386671922cd4]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{B7AA599E-52E3-461E-9680-3D16B84B8AA2}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-codedownloader.exe, Quarantined, [6dc6c7d76535ce68a046b4ea3ac955ab]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{CE424CCA-415D-473D-B9D5-BAD3A02A1F27}|AppName, fae77da2-4beb-441e-a80f-2233145b4246-2.exe-codedownloader.exe, Quarantined, [68cba0fe1b7f89adb72fc1ddf50e1de3]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype1, 12/19/14 20:37:26, Quarantined, [5fd4c1ddd0ca55e19cd0208e6e95b050]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype17, 12/19/14 20:37:26, Quarantined, [df54e3bb7e1c62d4cf9dd5d90ef5b947]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype22, 12/19/14 20:37:40, Quarantined, [76bdd1cd3e5ce84e016b614dcc37916f]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype6, 12/19/14 20:40:21, Quarantined, [52e1dcc21b7fe45291db4e60ee15f40c]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype12, 12/19/14 20:40:54, Quarantined, [e84b9d015149cb6ba3c9298500036997]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype5, 12/19/14 20:41:25, Quarantined, [70c347572a7061d536365f4ffa0936ca]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype15, 12/19/14 20:41:25, Quarantined, [f043326c257560d6d4987a3436cd9f61]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype4, 12/19/14 20:41:35, Quarantined, [2c078c121c7eb581323aae0020e3c33d]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 9
Ransom.Cerber, C:\Users\inel-eins\AppData\Roaming\ProxySettings.dll, Quarantined, [d063b5e91387f64035ef61be52b326da], 
Ransom.Cerber, C:\Users\inel-eins\AppData\Local\Temp\n5zyi9qea.exe, Quarantined, [c46f2975900a8fa7d054c55a81846b95], 
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\nsb57E9.tmp, Quarantined, [8aa985199703cf672244efb356ab2fd1], 
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\nsz659B.tmp, Quarantined, [bd766539ebaf5fd7bda9ddc5936e7e82], 
Ransom.Cerber, C:\Users\inel-eins\AppData\Local\Temp\aovv1qvg1.exe, Quarantined, [4ee57a24b3e7ef47061e7aa59e676898], 
Trojan.Bunitu.ED, C:\Users\inel-eins\AppData\Local\Temp\Random486680185797814772.exe, Quarantined, [de55d5c9801ace68e028b16602ffd42c], 
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\ICReinstall_nsb57E9.tmp, Quarantined, [3df6633b4951ce68dd891d8547bab64a], 
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\ICReinstall_nsz659B.tmp, Quarantined, [9d969d013e5cf93d20467d2548b9cd33], 
PUP.Optional.ShopperPro, C:\Users\inel-eins\AppData\Local\Temp\Install_31237\ins_shopperpro.exe, Quarantined, [92a1b4ea6d2d40f6c6bf6bc2a85945bb], 

Physical Sectors: 0
(No malicious items detected)


(end)
         

I haven't run any other software over it yet. From the looks of it, the compromised machine also wrecked the PST files on my second computer and on the network shares it could reach there. Quite nicely programmed. It looks left and right, prevents Malwarebytes from starting the usual way, prevents the update if MBAM could be started after all against expectations, and blocks the three-finger salute [CTRL-ALT-DEL]. It certainly costs time.

Can we get the machine reliably straightened out again, or should I rather reinstall it from scratch right away?

Thanks,
Wechselbalg
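
Added example, not part of the original post: the `IMAGE FILE EXECUTION OPTIONS\<tool>.EXE|debugger, svchost.exe` entries in both logs are what keeps the listed tools from starting, because Windows launches the program named in the `debugger` value in place of the requested executable. The Python below parses "Registry Values" lines in the MBAM 2.x format shown above and groups the hijacked executables by registry view, so both the native and the WOW6432Node branch can be rechecked after cleanup. The sample lines are copied from the logs in this post; the function names are my own.

```python
import re
from collections import defaultdict

# Sample lines copied from the two MBAM logs in this post (MBAM 2.x text export).
SAMPLE_LOG = r"""
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|debugger, svchost.exe, Quarantined, [9c595819d6b4b97d59b1940532d208f8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|debugger, svchost.exe, Quarantined, [fdf84d24c5c542f464967dbc6d98c13f]
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [d063b8e6dbbffa3c699f8844db2859a7], 
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|debugger, svchost.exe, Quarantined, [d063b8e6dbbffa3c699f8844db2859a7]
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|debugger, svchost.exe, Quarantined, [a192ff9ffaa048ee54b4e5e72cd76799]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype1, 12/19/14 20:37:26, Quarantined, [5fd4c1ddd0ca55e19cd0208e6e95b050]
"""

# <detection>, <hive>\...\IMAGE FILE EXECUTION OPTIONS\<image>|debugger, <target>, <action>, [id]
IFEO_VALUE = re.compile(
    r"(?P<detection>[^,]+),\s*(?P<hive>HK[A-Z]+)\\SOFTWARE\\(?P<wow>WOW6432NODE\\)?"
    r"MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\"
    r"(?P<image>[^\\|,]+)\|debugger,\s*(?P<target>[^,]+),\s*(?P<action>[^,]+),",
    re.IGNORECASE,
)

def parse_ifeo_hijacks(log_text):
    """Return one dict per IFEO 'debugger' value found in an MBAM log."""
    hits = []
    for line in log_text.splitlines():
        m = IFEO_VALUE.match(line.strip())
        if m:  # key-only lines and non-IFEO detections do not match
            hits.append({
                "detection": m["detection"].strip(),
                "view": "WOW6432Node" if m["wow"] else "native",
                "image": m["image"].upper(),
                "target": m["target"].strip(),
                "action": m["action"].strip(),
            })
    return hits

def blocked_by_view(hits):
    """Group hijacked executable names by registry view (both need checking)."""
    views = defaultdict(set)
    for h in hits:
        views[h["view"]].add(h["image"])
    return {view: sorted(images) for view, images in views.items()}

if __name__ == "__main__":
    for view, images in blocked_by_view(parse_ifeo_hijacks(SAMPLE_LOG)).items():
        print(f"{view}: {', '.join(images)}")
```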

 
