So far no more popups are appearing. Thank you already :) Without you I would NEVER have managed this.
Hitman:
HitmanPro 3.7.9.221
www.hitmanpro.com
Computer name . . . . : BENDIX_PC
Windows . . . . . . . : 6.1.1.7601.X86/2
User name . . . . . . : bendix_pc\***
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
Scan date . . . . . . : 2014-07-19 19:24:56
Scan mode . . . . . . : Normal
Scan duration . . . . : 8m 15s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 10
Objects scanned . . . : 1.082.581
Files scanned . . . . : 27.886
Remnants scanned . . : 573.111 files / 481.584 keys
Suspicious files ____________________________________________________________
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 46.2 days (2014-06-03 15:21:37)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\**\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 15.0 days (2014-07-04 19:57:43)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 23.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
Forensic Cluster
-0.2s C:\Users\*\AppData\Local\PunkBuster\BF3\pb\htm\wc002342.htm
0.0s C:\Users\*\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 8.1 days (2014-07-11 17:02:16)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 23.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
Forensic Cluster
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 46.2 days (2014-06-03 14:55:26)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\*\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 140.520 bytes
Age . . . . . . . : 46.2 days (2014-06-03 14:55:48)
Entropy . . . . . : 7.8
SHA-256 . . . . . : A02F21CE0AAE716212DD2593B8392A7674D8CE932B3B133B3A33152809E7307C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\*\Desktop\FRST-OlderVersion\FRST.exe
Size . . . . . . . : 1.077.248 bytes
Age . . . . . . . : 0.2 days (2014-07-19 13:25:55)
Entropy . . . . . : 8.0
SHA-256 . . . . . : C2CCBE42983258BE2DE4090FCBACB726A9198499DA137BD471EF2FFFA9F14B7A
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
C:\Users\*\Desktop\FRST.exe
Size . . . . . . . : 1.079.808 bytes
Age . . . . . . . : 0.1 days (2014-07-19 16:49:48)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 99FBF88DE71B1D73A772E91B57AB27FE242454596C2B2A9B4176086085903A26
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Forensic Cluster
-0.3s C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\8ACRNP89.txt
-0.3s C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\10MCYGD8.txt
0.0s C:\Users\*\Desktop\FRST.exe
C:\Windows\system32\drivers\PnkBstrK.sys
Size . . . . . . . : 140.520 bytes
Age . . . . . . . : 46.3 days (2014-06-03 12:43:31)
Entropy . . . . . : 7.8
SHA-256 . . . . . : A02F21CE0AAE716212DD2593B8392A7674D8CE932B3B133B3A33152809E7307C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 26.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
Repairs _____________________________________________________________________
Proxyserver auf diesem Computer (Benutzer)
127.0.0.1:51210
Proxyserver auf diesem Computer (Benutzer)
127.0.0.1:51210
MBAM:
Malwarebytes Anti-Malware
www.malwarebytes.org
Suchlauf Datum: 19.07.2014
Suchlauf-Zeit: 19:58:57
Logdatei: MBAM.txt
Administrator: Ja
Version: 2.00.2.1012
Malware Datenbank: v2014.07.19.06
Rootkit Datenbank: v2014.07.17.01
Lizenz: Testversion
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Self-protection: Deaktiviert
Betriebssystem: Windows 7 Service Pack 1
CPU: x86
Dateisystem: NTFS
Benutzer: ***
Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 269214
Verstrichene Zeit: 7 Min, 18 Sek
Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Heuristics: Aktiviert
PUP: Aktiviert
PUM: Aktiviert
Prozesse: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registrierungsschlüssel: 1
PUP.Optional.SupTab.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, Keine Aktion durch Benutzer, [e5bc653be19a3ff79b6aa7b46f93956b],
Registrierungswerte: 1
PUP.Optional.QuickStart.A, HKU\S-1-5-21-2350961968-569790009-790667219-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS|appid, quick_start@gmail.com, Keine Aktion durch Benutzer, [8a17efb1b7c484b2fd4ef9cfdf23db25]
Registrierungsdaten: 0
(No malicious items detected)
Ordner: 1
PUP.Optional.AdPeak.A, C:\temp, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
Dateien: 6
PUP.Optional.WebSearchs.A, C:\Users\**\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_istart.webssearches.com_0.localstorage, Keine Aktion durch Benutzer, [6e330e92d5a6072fd245873be2206898],
PUP.Optional.WebSearchs.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_istart.webssearches.com_0.localstorage-journal, Keine Aktion durch Benutzer, [821f7d23cfac90a6f720b111f11133cd],
PUP.Optional.Boost.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage, Keine Aktion durch Benutzer, [acf5742c3a4150e6f03fd2f0ff03d52b],
PUP.Optional.Boost.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage-journal, Keine Aktion durch Benutzer, [5d444b556714979fb07f814151b15ba5],
PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
PUP.Optional.AdPeak.A, C:\temp\t.txt, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
Physische Sektoren: 0
(No malicious items detected)
(end)
Thank you very much! :)
PUM: Aktiviert
Prozesse: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registrierungsschlüssel: 1
PUP.Optional.SupTab.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, Keine Aktion durch Benutzer, [e5bc653be19a3ff79b6aa7b46f93956b],
Registrierungswerte: 1
PUP.Optional.QuickStart.A, HKU\S-1-5-21-2350961968-569790009-790667219-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS|appid, quick_start@gmail.com, Keine Aktion durch Benutzer, [8a17efb1b7c484b2fd4ef9cfdf23db25]
Registrierungsdaten: 0
(No malicious items detected)
Ordner: 1
PUP.Optional.AdPeak.A, C:\temp, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
Dateien: 6
PUP.Optional.WebSearchs.A, C:\Users\**\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_istart.webssearches.com_0.localstorage, Keine Aktion durch Benutzer, [6e330e92d5a6072fd245873be2206898],
PUP.Optional.WebSearchs.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_istart.webssearches.com_0.localstorage-journal, Keine Aktion durch Benutzer, [821f7d23cfac90a6f720b111f11133cd],
PUP.Optional.Boost.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage, Keine Aktion durch Benutzer, [acf5742c3a4150e6f03fd2f0ff03d52b],
PUP.Optional.Boost.A, C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage-journal, Keine Aktion durch Benutzer, [5d444b556714979fb07f814151b15ba5],
PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
PUP.Optional.AdPeak.A, C:\temp\t.txt, Keine Aktion durch Benutzer, [71304d5380fb00363c6e0fbc0ef4e11f],
Physische Sektoren: 0
(No malicious items detected)
(end) test
If it works now, I thank you once more, sincerely, for this good help :)