Passwords spied out; constant captcha prompts in Google search; Bitcoin miner
Hello,
In the last few weeks it has happened now and then that when I opened a new tab and started a search from the Google search integrated into the browser bar, a captcha prompt from Google appeared, because according to Google a great many requests were coming in from my system.
It didn't happen with every search, though, so at first I didn't think anything of it.
Today, when I wanted to log in to YouTube, I got the message that someone had tried to log in with my password from somewhere else, and that I should therefore please change my password.
Checked my mails: a message from Twitch.tv saying the same thing had happened there, although I haven't used that account in over a year. I did use the same e-mail address at Twitch as at YouTube, though. Whether the old password there was the same as the old YouTube password, I can't say.
So I ran Malwarebytes anyway.
Here are the log files:
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org
Suchlauf Datum: 19.04.2015
Suchlauf-Zeit: 10:34:58
Logdatei: mwb,amh,prfg1.txt
Administrator: Ja
Version: 2.01.6.1022
Malware Datenbank: v2015.04.19.02
Rootkit Datenbank: v2015.03.31.01
Lizenz: Testversion
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Selbstschutz: Deaktiviert
Betriebssystem: Windows Vista Service Pack 2
CPU: x64
Dateisystem: NTFS
Benutzer: WB
Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 440982
Verstrichene Zeit: 26 Min, 20 Sek
Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert
Prozesse: 0
(Keine schädliche Elemente gefunden)
Module: 0
(Keine schädliche Elemente gefunden)
Registrierungsschlüssel: 5
PUP.Optional.Babylon.A, HKU\S-1-5-21-891635277-1297341078-1701692141-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}, , [c2aca2cc8208ca6c5ab60639a261da26],
PUP.Optional.Babylon.A, HKU\S-1-5-21-891635277-1297341078-1701692141-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}, , [c2aca2cc8208ca6c5ab60639a261da26],
PUP.Optional.ICQToolbar.A, HKU\S-1-5-21-891635277-1297341078-1701692141-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{855F3B16-6D32-4FE6-8A56-BBB695989046}, , [135b1d510c7e68ce04423306c53e6997],
PUP.Optional.ICQToolbar.A, HKU\S-1-5-21-891635277-1297341078-1701692141-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{855F3B16-6D32-4FE6-8A56-BBB695989046}, , [135b1d510c7e68ce04423306c53e6997],
PUP.Optional.DVDVideoSoftTB.A, HKU\S-1-5-21-891635277-1297341078-1701692141-1000\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\nikpibnbobmbdbheedjfogjlikpgpnhp, , [7ef0274777135adc506e32ac917204fc],
Registrierungswerte: 5
Trojan.Agent.Gen, HKU\S-1-5-21-891635277-1297341078-1701692141-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Microsoft Firewall 2.9, C:\Users\WB\AppData\Roaming\WMPRWISE.EXE, , [80ee2a44c9c1c37323921a1d689c5ea2]
PUP.Optional.Babylon.A, HKU\S-1-5-21-891635277-1297341078-1701692141-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}|DisplayName, Search the web (Babylon), , [a1cd125c3456ee488dd987ca41c4a060]
PUP.Optional.Babylon.A, HKU\S-1-5-21-891635277-1297341078-1701692141-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}|URL, hxxp://search.babylon.com/?q={searchTerms}&tt=110112_ncp3&babsrc=SP_def&mntrId=62b5607700000000000000a1b0258e8b, , [6707bfaf47439c9ae87e2f2218ed5da3]
PUP.Optional.Babylon.A, HKU\S-1-5-21-891635277-1297341078-1701692141-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}|DisplayName, Search the web (Babylon), , [e18d70feb9d171c5b2b4dc7580850df3]
PUP.Optional.Babylon.A, HKU\S-1-5-21-891635277-1297341078-1701692141-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}|URL, hxxp://search.babylon.com/?q={searchTerms}&tt=110112_ncp3&babsrc=SP_def&mntrId=62b5607700000000000000a1b0258e8b, , [77f71d51d4b6a19580e657fa14f150b0]
Registrierungsdaten: 0
(Keine schädliche Elemente gefunden)
Ordner: 32
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa, , [c9a594da0c7e1c1ace31160124e13fc1],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\de, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\en, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\es, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\fr, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\it, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\ja, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\nl, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\pl, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\pt, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\ru, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\tr, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\zh_CN, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\zh_TW, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\BG, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\CZ, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\DE, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\EN, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\ES, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\FR, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\HE, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\IT, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RU, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\SK, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\TR, , [d5990c621971e650ea2e0baf020139c7],
Dateien: 129
Trojan.Ransom.Gend, C:\Users\WB\AppData\Roaming\ntuser.dat, , [beb0f07e73175cdad50f1c1fac55e21e],
Trojan.BitMiner, C:\Users\WB\AppData\Roaming\aloj\scvhost.exe, , [3d31650994f6d1652748df02649e30d0],
Trojan.BitMiner, C:\Users\WB\AppData\Roaming\casa\scvhost.exe, , [15590b636f1bd75f4b2436ab8f73f20e],
Trojan.BitMiner, C:\Users\WB\AppData\Local\Temp\webyeryb3460vavaw.exe, , [a4ca80ee0b7f2f07e38c25bc877b7888],
Trojan.Agent.ED, C:\Users\WB\AppData\Local\Temp\webyeryb3461vavaw.exe, , [6b03b8b67515b581e83425f11ae7d729],
Backdoor.Agent.WLMS, C:\Users\WB\AppData\Local\Temp\webyeryb3462vavaw.exe, , [f5792549a7e3f93d6f9f0d11936eba46],
PUP.Optional.OpenCandy, C:\Users\WB\AppData\Local\Temp\2dcd1d63cb45e6613582211c3d5f4b23.exe, , [323c6b03cdbd3ef8236663c48680d62a],
Trojan.Agent.ED, C:\Users\WB\AppData\Local\Temp\rtmw3.exe, , [4d213e302268e05615777294936ec33d],
Adware.InstallCore, C:\Users\WB\AppData\Local\Temp\1003398.Uninstall\Uninstall.exe, , [b0bef6786e1c4cea4ee24f57c53b6c94],
PUP.Optional.Dealply, C:\Users\WB\AppData\Local\Temp\is1972027439\dealply.exe, , [81ed1f4fb6d4c472411c5ec9c640fc04],
PUP.Optional.Dealply, C:\Users\WB\AppData\Local\Temp\is2063840535\dealply.exe, , [1e50046ab8d23402f96452d51ee8fb05],
Virus.Expiro, C:\Users\WB\AppData\Local\Temp\tmp165b2a09\qw.exe, , [9bd39fcfa8e2cb6ba92e3752b24f45bb],
PUP.Optional.BabylonToolBar.A, C:\Users\WB\AppData\Local\Temp\A036546C-BAB0-7891-85D2-4A11532196B4\MyBabylonTB.exe, , [6fff303e3c4ef2447cd6ea5ea75acd33],
Adware.InstallCore, C:\Users\WB\AppData\Local\Temp\ICReinstall\AudioConverterSetup.exe, , [c8a648267e0cd16568c8c4e29c6448b8],
PUP.Optional.BabylonToolBar.A, C:\Users\WB\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe, , [84ea462886048babc092f157bc45966a],
Virus.Expiro, C:\Users\WB\AppData\Local\Temp\tmp64e3122f\74.exe, , [6608d896048685b132a58801897811ef],
Exploit.Drop.GS, C:\Users\WB\AppData\Local\Temp\webyeryb3463vavaw.exe, , [cea05e107416e254b621d15a94709868],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\miner.php, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\API.class, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\bio.bat, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\diablo121016.cl, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\diakgcn121016.cl, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\libblkmaker-0.1-0.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\libblkmaker_jansson-0.1-0.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\libcurl-4.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\libjansson-4.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\libusb-1.0.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\pdcurses.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\phatk121016.cl, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\poclbm121016.cl, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\pthreadGC2.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\scrypt121016.cl, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\aloj\zlib1.dll, , [c3ab630b8a000531bb3c1afd1fe643bd],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\miner.php, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\1.bat, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\API.class, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\diablo121016.cl, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\diakgcn121016.cl, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\guni.bat, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\libblkmaker-0.1-0.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\libblkmaker_jansson-0.1-0.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\libcurl-4.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\libjansson-4.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\libusb-1.0.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\pdcurses.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\phatk121016.cl, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\poclbm121016.cl, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\pthreadGC2.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\scrypt121016.cl, , [c9a594da0c7e1c1ace31160124e13fc1],
Trojan.BitcoinMiner, C:\Users\WB\AppData\Roaming\casa\zlib1.dll, , [c9a594da0c7e1c1ace31160124e13fc1],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\background.html, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\background.js, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\dvs_freeyoutubedownload.css, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\dvs_freeyoutubedownload.js, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\dvs_logo.ico, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\dvs_logo_128.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\dvs_logo_32.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\dvs_logo_48.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\errorRunProgramm.html, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\manifest.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\np_dvs_plugin.dll, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\options.html, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\options.js, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\page_action.html, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\backbar.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\download.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\fs.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\headphone.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\logo.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\manager.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\YoutubeDownloader.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\images\YoutubeToMp3.png, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\de\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\en\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\es\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\fr\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\it\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\ja\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\nl\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\pl\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\pt\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\ru\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\tr\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\zh_CN\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\zh_TW\messages.json, , [1a5481edf991a1955942c1e87d8616ea],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\BG\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\BG\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\BG\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\BG\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\CZ\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\CZ\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\CZ\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\CZ\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\EN\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\EN\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\EN\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\EN\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\ES\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\ES\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\ES\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\ES\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\FR\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\FR\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\FR\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\FR\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\HE\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\HE\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\HE\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\HE\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\IT\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\IT\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\IT\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\IT\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RU\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RU\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RU\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RU\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\SK\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\SK\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\SK\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\SK\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\TR\Configuration.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\TR\OptionDlg.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\TR\RegionalSettings.xml, , [d5990c621971e650ea2e0baf020139c7],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\TR\UserInterface.xml, , [d5990c621971e650ea2e0baf020139c7],
Physische Sektoren: 0
(Keine schädliche Elemente gefunden)
(end)
Looks like someone somehow abused my PC for Bitcoin mining, hiding behind "scvhost.exe". The real Windows process is called svchost.
After I clicked "Remove" in Malwarebytes and saved the log file, I ran Hitman, which also found quite a few more things:
Code:
HitmanPro 3.7.9.240
www.hitmanpro.com
Computer name . . . . : WB-PC
Windows . . . . . . . : 6.0.2.6002.X64/3
User name . . . . . . : WB-PC\WB
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
Scan date . . . . . . : 2015-04-19 11:19:38
Scan mode . . . . . . : Normal
Scan duration . . . . : 39m 26s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 81
Objects scanned . . . : 6.094.314
Files scanned . . . . : 74.019
Remnants scanned . . : 555.108 files / 5.465.187 keys
Miniport ____________________________________________________________________
Primary
DriverObject . . . : FFFFFA8004B34700
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 0000000000000000 +0
IRP_MJ_SCSI . . . : FFFFFA8003F782C0 +0
Solution
DriverObject . . . : FFFFFA8004B34700
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 0000000000000000 +0
IRP_MJ_SCSI . . . : FFFFFA6000AF7D08 \SystemRoot\system32\drivers\ataport.SYS+19720
Suspicious files ____________________________________________________________
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002288.dll
Size . . . . . . . : 948.118 bytes
Age . . . . . . . : 1177.4 days (2012-01-28 02:37:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 3192353354FE593051B33886088D4C312ACB9A653D874281B2EBF131B80415CB
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002291.dll
Size . . . . . . . : 965.329 bytes
Age . . . . . . . : 1109.8 days (2012-04-04 16:39:05)
Entropy . . . . . : 7.6
SHA-256 . . . . . : CAE3128772295AC4F1179B881A00B061DB00505275CB258F9F0C84CC1DF9B2A5
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002292.dll
Size . . . . . . . : 956.681 bytes
Age . . . . . . . : 1108.5 days (2012-04-05 23:42:53)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
Size . . . . . . . : 949.613 bytes
Age . . . . . . . : 938.9 days (2012-09-22 12:58:47)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll
Size . . . . . . . : 959.376 bytes
Age . . . . . . . : 792.5 days (2013-02-15 22:49:05)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 579.9 days (2013-09-16 14:26:23)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002344.dll
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 140.5 days (2014-11-30 00:24:08)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 140.5 days (2014-11-30 00:24:08)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 1292.5 days (2011-10-04 22:08:28)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcls.dll
Size . . . . . . . : 956.681 bytes
Age . . . . . . . : 1163.6 days (2012-02-10 21:08:26)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 139.944 bytes
Age . . . . . . . : 1292.5 days (2011-10-04 22:08:40)
Entropy . . . . . : 7.7
SHA-256 . . . . . : E0AB414DBD7AA5888B861AE64B0F9674CED054C755502DDE124A91D6CD6CE97A
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF4\pb\PnkBstrK.sys
Size . . . . . . . : 139.552 bytes
Age . . . . . . . : 564.5 days (2013-10-02 00:28:43)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 7A47CB7814643DAFDF81D3E2E03C60A162A49525962ECE651187371853E507E5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\pbcl.dll
Size . . . . . . . : 915.149 bytes
Age . . . . . . . : 1318.3 days (2011-09-09 03:11:53)
Entropy . . . . . : 7.6
SHA-256 . . . . . : E189EF452F559BFAC0C0A91EFADC78EAA569B915985A213F99666BE56FC86165
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
Size . . . . . . . : 138.264 bytes
Age . . . . . . . : 1318.3 days (2011-09-09 03:12:29)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 4194EFFC7236F018722B6DBF76253E1D833FEEEC158835C4DFAAD0555E7A7D91
RSA Key Size . . . : 1024
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\WAW\pb\pbcl.dll
Size . . . . . . . : 733.004 bytes
Age . . . . . . . : 1276.7 days (2011-10-20 18:14:42)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 8715126E77E8E6F98B4487C11B4656ADAC59145A86D56A0370F2FAE86E40FDC7
Fuzzy . . . . . . : 25.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Potential Unwanted Programs _________________________________________________
C:\Program Files (x86)\Babylon\ (Babylon)
C:\Program Files\Babylon\ (Babylon)
C:\Program Files\Babylon\Babylon-Pro\ (Babylon)
C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe (Babylon)
Size . . . . . . . : 129.536 bytes
Age . . . . . . . : 1183.4 days (2012-01-22 02:24:48)
Entropy . . . . . : 5.7
SHA-256 . . . . . : 5E68C077375F4F06357CA19F1894DAA4966EEC1864A16D033B6C4F32380F57E0
Product . . . . . : BabylonHelper
Publisher . . . . : Babylon
Description . . . : Support for 64-bit OS
Version . . . . . : 1.0.0.1
Copyright . . . . : Babylon.com All rights reserved.
LanguageID . . . . : 1033
Fuzzy . . . . . . : 0.0
C:\Program Files\Babylon\Babylon-Pro\captlib64.dll (Babylon)
Size . . . . . . . : 286.208 bytes
Age . . . . . . . : 1183.4 days (2012-01-22 02:24:46)
Entropy . . . . . : 5.9
SHA-256 . . . . . : 85108948A6DD19929799100C0868C6B51499C77608D3249A3E59306DAF586BDB
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Information Tool
Version . . . . . : 9.0.3.12
Copyright . . . . : Copyright © Babylon Ltd. 1997-2011
LanguageID . . . . : 1033
Fuzzy . . . . . . : 0.0
C:\Users\Administrator\AppData\Local\Babylon\ (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\ (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\BabylonTC.conf (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\BabylonTC.log (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\FLStat.dat (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\log_file.txt (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\MyList.dat (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\ocr_cache (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\updates\ (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\updates\convert.dat (Babylon)
C:\Users\Administrator\AppData\Roaming\Babylon\updates\rates.dat (Babylon)
HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ (Babylon)
HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ (Babylon)
HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon)
HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\bbylntlbr.bbylntlbrHlpr.1\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\bbylntlbr.bbylntlbrHlpr\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\Prod.cap\ (Claro)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{EFDCAF05-D29C-4D4D-9836-8CDCD606A6B2}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{EFDCAF05-D29C-4D4D-9836-8CDCD606A6B2}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{EFDCAF05-D29C-4D4D-9836-8CDCD606A6B2}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Babylon\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Office\PowerPoint\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Office\Word\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Babylon\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Office\PowerPoint\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon)
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Office\Word\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon)
Log file after the cleanup by Hitman: Code:
HitmanPro 3.7.9.240
www.hitmanpro.com
Computer name . . . . : WB-PC
Windows . . . . . . . : 6.0.2.6002.X64/3
User name . . . . . . : WB-PC\WB
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)
Scan date . . . . . . : 2015-04-19 11:19:38
Scan mode . . . . . . : Normal
Scan duration . . . . : 39m 26s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : Yes
Threats . . . . . . . : 0
Traces . . . . . . . : 81
Objects scanned . . . : 6.094.314
Files scanned . . . . : 74.019
Remnants scanned . . : 555.108 files / 5.465.187 keys
Miniport ____________________________________________________________________
Primary
DriverObject . . . : FFFFFA8004B34700
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 0000000000000000 +0
IRP_MJ_SCSI . . . : FFFFFA8003F782C0 +0
Solution
DriverObject . . . : FFFFFA8004B34700
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 0000000000000000 +0
IRP_MJ_SCSI . . . : FFFFFA6000AF7D08 \SystemRoot\system32\drivers\ataport.SYS+19720
Suspicious files ____________________________________________________________
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002288.dll
Size . . . . . . . : 948.118 bytes
Age . . . . . . . : 1177.4 days (2012-01-28 02:37:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 3192353354FE593051B33886088D4C312ACB9A653D874281B2EBF131B80415CB
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002291.dll
Size . . . . . . . : 965.329 bytes
Age . . . . . . . : 1109.8 days (2012-04-04 16:39:05)
Entropy . . . . . : 7.6
SHA-256 . . . . . : CAE3128772295AC4F1179B881A00B061DB00505275CB258F9F0C84CC1DF9B2A5
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002292.dll
Size . . . . . . . : 956.681 bytes
Age . . . . . . . : 1108.5 days (2012-04-05 23:42:53)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
Size . . . . . . . : 949.613 bytes
Age . . . . . . . : 938.9 days (2012-09-22 12:58:47)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll
Size . . . . . . . : 959.376 bytes
Age . . . . . . . : 792.5 days (2013-02-15 22:49:05)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 579.9 days (2013-09-16 14:26:23)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002344.dll
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 140.5 days (2014-11-30 00:24:08)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 140.5 days (2014-11-30 00:24:08)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 1292.5 days (2011-10-04 22:08:28)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcls.dll
Size . . . . . . . : 956.681 bytes
Age . . . . . . . : 1163.6 days (2012-02-10 21:08:26)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 139.944 bytes
Age . . . . . . . : 1292.5 days (2011-10-04 22:08:40)
Entropy . . . . . : 7.7
SHA-256 . . . . . : E0AB414DBD7AA5888B861AE64B0F9674CED054C755502DDE124A91D6CD6CE97A
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF4\pb\PnkBstrK.sys
Size . . . . . . . : 139.552 bytes
Age . . . . . . . : 564.5 days (2013-10-02 00:28:43)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 7A47CB7814643DAFDF81D3E2E03C60A162A49525962ECE651187371853E507E5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\pbcl.dll
Size . . . . . . . : 915.149 bytes
Age . . . . . . . : 1318.3 days (2011-09-09 03:11:53)
Entropy . . . . . : 7.6
SHA-256 . . . . . : E189EF452F559BFAC0C0A91EFADC78EAA569B915985A213F99666BE56FC86165
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
Size . . . . . . . : 138.264 bytes
Age . . . . . . . : 1318.3 days (2011-09-09 03:12:29)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 4194EFFC7236F018722B6DBF76253E1D833FEEEC158835C4DFAAD0555E7A7D91
RSA Key Size . . . : 1024
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\WAW\pb\pbcl.dll
Size . . . . . . . : 733.004 bytes
Age . . . . . . . : 1276.7 days (2011-10-20 18:14:42)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 8715126E77E8E6F98B4487C11B4656ADAC59145A86D56A0370F2FAE86E40FDC7
Fuzzy . . . . . . : 25.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Potential Unwanted Programs _________________________________________________
C:\Program Files (x86)\Babylon\ (Babylon) -> Deleted
C:\Program Files\Babylon\ (Babylon) -> Deleted
C:\Program Files\Babylon\Babylon-Pro\ (Babylon) -> Deleted
C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe (Babylon) -> Deleted
Size . . . . . . . : 129.536 bytes
Age . . . . . . . : 1183.4 days (2012-01-22 02:24:48)
Entropy . . . . . : 5.7
SHA-256 . . . . . : 5E68C077375F4F06357CA19F1894DAA4966EEC1864A16D033B6C4F32380F57E0
Product . . . . . : BabylonHelper
Publisher . . . . : Babylon
Description . . . : Support for 64-bit OS
Version . . . . . : 1.0.0.1
Copyright . . . . : Babylon.com All rights reserved.
LanguageID . . . . : 1033
Fuzzy . . . . . . : 0.0
C:\Program Files\Babylon\Babylon-Pro\captlib64.dll (Babylon) -> Deleted
Size . . . . . . . : 286.208 bytes
Age . . . . . . . : 1183.4 days (2012-01-22 02:24:46)
Entropy . . . . . : 5.9
SHA-256 . . . . . : 85108948A6DD19929799100C0868C6B51499C77608D3249A3E59306DAF586BDB
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Information Tool
Version . . . . . : 9.0.3.12
Copyright . . . . : Copyright © Babylon Ltd. 1997-2011
LanguageID . . . . : 1033
Fuzzy . . . . . . : 0.0
C:\Users\Administrator\AppData\Local\Babylon\ (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\ (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\BabylonTC.conf (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\BabylonTC.log (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\FLStat.dat (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\log_file.txt (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\MyList.dat (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\ocr_cache (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\updates\ (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\updates\convert.dat (Babylon) -> Deleted
C:\Users\Administrator\AppData\Roaming\Babylon\updates\rates.dat (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods) -> Deleted
HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods) -> Deleted
HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\Prod.cap\ (Claro) -> Deleted
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods) -> PendingDelete
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods) -> Deleted
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\Wow6432Node\bbylntlbr.bbylntlbrHlpr.1\ (Babylon) -> PendingDelete
HKLM\SOFTWARE\Classes\Wow6432Node\bbylntlbr.bbylntlbrHlpr\ (Babylon) -> PendingDelete
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\Wow6432Node\Prod.cap\ (Claro) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\Interface\{EFDCAF05-D29C-4D4D-9836-8CDCD606A6B2}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000\Software\Classes\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Interface\{EFDCAF05-D29C-4D4D-9836-8CDCD606A6B2}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\Interface\{EFDCAF05-D29C-4D4D-9836-8CDCD606A6B2}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1000_Classes\Wow6432Node\TypeLib\{5C9A2304-70A5-11D5-AFB0-0050DAC67890}\ (Babylon) -> PendingDelete
HKU\S-1-5-21-891635277-1297341078-1701692141-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Office\PowerPoint\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Office\Word\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Office\PowerPoint\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon) -> Deleted
HKU\S-1-5-21-891635277-1297341078-1701692141-500\Software\Microsoft\Office\Word\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon) -> Deleted
And HitmanPro once more, after the subsequent restart: Code:
HitmanPro 3.7.9.240
www.hitmanpro.com
Computer name . . . . : WB-PC
Windows . . . . . . . : 6.0.2.6002.X64/3
User name . . . . . . : WB-PC\WB
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)
Scan date . . . . . . : 2015-04-19 12:44:54
Scan mode . . . . . . : Normal
Scan duration . . . . : 20m 35s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 15
Objects scanned . . . : 5.820.298
Files scanned . . . . : 73.424
Remnants scanned . . : 550.289 files / 5.196.585 keys
Miniport ____________________________________________________________________
Primary
DriverObject . . . : FFFFFA8004A80E70
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 0000000000000000 +0
IRP_MJ_SCSI . . . : FFFFFA8003F752C0 +0
Solution
DriverObject . . . : FFFFFA8004A80E70
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 0000000000000000 +0
IRP_MJ_SCSI . . . : FFFFFA6000AFCD08 \SystemRoot\system32\drivers\ataport.SYS+19720
Suspicious files ____________________________________________________________
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002288.dll
Size . . . . . . . : 948.118 bytes
Age . . . . . . . : 1177.4 days (2012-01-28 02:37:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 3192353354FE593051B33886088D4C312ACB9A653D874281B2EBF131B80415CB
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002291.dll
Size . . . . . . . : 965.329 bytes
Age . . . . . . . : 1109.8 days (2012-04-04 16:39:05)
Entropy . . . . . : 7.6
SHA-256 . . . . . : CAE3128772295AC4F1179B881A00B061DB00505275CB258F9F0C84CC1DF9B2A5
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002292.dll
Size . . . . . . . : 956.681 bytes
Age . . . . . . . : 1108.5 days (2012-04-05 23:42:53)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
Size . . . . . . . : 949.613 bytes
Age . . . . . . . : 939.0 days (2012-09-22 12:58:47)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll
Size . . . . . . . : 959.376 bytes
Age . . . . . . . : 792.6 days (2013-02-15 22:49:05)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 579.9 days (2013-09-16 14:26:23)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002344.dll
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 140.5 days (2014-11-30 00:24:08)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 140.5 days (2014-11-30 00:24:08)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 1292.6 days (2011-10-04 22:08:28)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcls.dll
Size . . . . . . . : 956.681 bytes
Age . . . . . . . : 1163.7 days (2012-02-10 21:08:26)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 139.944 bytes
Age . . . . . . . : 1292.6 days (2011-10-04 22:08:40)
Entropy . . . . . : 7.7
SHA-256 . . . . . : E0AB414DBD7AA5888B861AE64B0F9674CED054C755502DDE124A91D6CD6CE97A
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF4\pb\PnkBstrK.sys
Size . . . . . . . : 139.552 bytes
Age . . . . . . . : 564.5 days (2013-10-02 00:28:43)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 7A47CB7814643DAFDF81D3E2E03C60A162A49525962ECE651187371853E507E5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\pbcl.dll
Size . . . . . . . : 915.149 bytes
Age . . . . . . . : 1318.4 days (2011-09-09 03:11:53)
Entropy . . . . . : 7.6
SHA-256 . . . . . : E189EF452F559BFAC0C0A91EFADC78EAA569B915985A213F99666BE56FC86165
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
Size . . . . . . . : 138.264 bytes
Age . . . . . . . : 1318.4 days (2011-09-09 03:12:29)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 4194EFFC7236F018722B6DBF76253E1D833FEEEC158835C4DFAAD0555E7A7D91
RSA Key Size . . . : 1024
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\WAW\pb\pbcl.dll
Size . . . . . . . : 733.004 bytes
Age . . . . . . . : 1276.8 days (2011-10-20 18:14:42)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 8715126E77E8E6F98B4487C11B4656ADAC59145A86D56A0370F2FAE86E40FDC7
Fuzzy . . . . . . : 25.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
And after the restart, Malwarebytes once more: Code:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 19.04.2015
Scan Time: 13:28:57
Logfile: mwb,amh,prfg2.txt
Administrator: Yes
Version: 2.01.6.1022
Malware Database: v2015.04.19.02
Rootkit Database: v2015.03.31.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: WB
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 440405
Time Elapsed: 25 min, 47 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 27
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\es, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\fr, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\it, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\ja, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\nl, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\pl, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\pt, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\ru, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\tr, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\zh_CN, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.DVDVideoSoftTB.A, C:\Users\WB\AppData\Local\Google\Chrome\User Data\Default\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp\1.0.1.1_0\_locales\zh_TW, , [99d52d41dbaf2313eead2d7cd23144bc],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\BG, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\CZ, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\DE, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\EN, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\ES, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\FR, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\HE, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\IT, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\RU, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\SK, , [1f4fea842e5c8fa77b9df5c59d6643bd],
PUP.Optional.ICQToolbar.A, C:\ProgramData\ICQ\ICQToolbar\XML\TR, , [1f4fea842e5c8fa77b9df5c59d6643bd],
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
However, while both HitmanPro and Malwarebytes were running, an Avira window kept popping up saying that access to this or that file had been blocked.
Example:
"Access to the file vqlyj.exe was blocked because it contains the malware tr/moure.a.19." Not word for word, but that was the gist.
Should I have switched off Avira AntiVir during the Malwarebytes and HitmanPro scans?
I do have AntiVir installed, but I'm not sure whether that window isn't from a virus that imitates AntiVir.
How do you advise me to proceed?
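The HitmanPro blocks above stack the same five heuristic sentences under every PunkBuster file, and several entries are the same bytes under different names (the BF3 wc002344.dll and pbcl.dll share one SHA-256), so reading them one by one hides what actually differs between entries: whether the file is signed, how strong the signing key is, and whether it is a kernel driver. The script below is an added example, not part of the original post and not HitmanPro's own tooling: it parses the dotted "Key . . . : value" layout of a "Suspicious files" section, groups entries by SHA-256 and ranks each file by the indicators it stacks up. The regular expressions and the point weights are my own assumptions about the log format; the embedded excerpt is copied from the log posted above and trimmed to four entries.

```python
import re
from collections import defaultdict

# HitmanPro's dotted rows, e.g. "SHA-256 . . . . . : 64D8..." (assumed layout)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9][A-Za-z0-9 \-]*?)\s*(?:\.\s*)+:\s*(?P<val>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a Windows path starts a new entry
SECTION_RE = re.compile(r"^(?P<name>.+?)\s+_{5,}\s*$")  # "Suspicious files ____"

# Constructed excerpt: entries copied from the posted HitmanPro log, trimmed.
SAMPLE_LOG = r"""
Threats . . . . . . . : 0
Traces . . . . . . . : 15
Suspicious files ____________________________________________________
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\dll\wc002344.dll
Size . . . . . . . : 1.014.616 bytes
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 1.014.616 bytes
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Program is code signed with a valid Authenticode certificate.
C:\Users\WB\AppData\Local\PunkBuster\BF3\pb\pbcls.dll
Size . . . . . . . : 956.681 bytes
Entropy . . . . . : 7.6
SHA-256 . . . . . : 7218A15A9890CE82EB25F7AB5AC7AA60B4E3055C5574B70A6CABA4274D6DE493
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
C:\Users\WB\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
Size . . . . . . . : 138.264 bytes
Entropy . . . . . : 7.7
SHA-256 . . . . . : 4194EFFC7236F018722B6DBF76253E1D833FEEEC158835C4DFAAD0555E7A7D91
RSA Key Size . . . : 1024
Authenticode . . . : Valid
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
"""


def parse_suspicious_files(text):
    """Return one dict per file listed under 'Suspicious files'; other sections are skipped."""
    entries, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group("name").lower() == "suspicious files"
            current = None
            continue
        if not in_section:
            continue
        if PATH_RE.match(line):
            current = {"path": line, "size": None, "entropy": None, "sha256": None,
                       "rsa_key_size": None, "signed": False, "flags": []}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:                      # free-text heuristic sentence
            current["flags"].append(line)
            continue
        key, val = m.group("key").strip().lower(), m.group("val").strip()
        if key == "size":
            current["size"] = int(re.sub(r"\D", "", val))   # "1.014.616 bytes" -> 1014616
        elif key == "entropy":
            current["entropy"] = float(val)
        elif key == "sha-256":
            current["sha256"] = val.upper()
        elif key == "rsa key size":
            current["rsa_key_size"] = int(val)
        elif key == "authenticode":
            current["signed"] = val.lower() == "valid"
    return entries


def group_by_hash(entries):
    """Map each SHA-256 to every path it appears under (same bytes, different names)."""
    groups = defaultdict(list)
    for e in entries:
        if e["sha256"]:
            groups[e["sha256"]].append(e["path"])
    return dict(groups)


def score(entry):
    """Points per independent indicator (weights are assumptions); returns (points, reasons)."""
    points, reasons = 0, []
    if entry["entropy"] is not None and entry["entropy"] >= 7.0:
        points += 1; reasons.append("high entropy (packed or encrypted)")
    if any(".reloc" in f for f in entry["flags"]):
        points += 1; reasons.append("code in .reloc section")
    is_driver = entry["path"].lower().endswith(".sys") or any("device driver" in f for f in entry["flags"])
    if is_driver:
        points += 1; reasons.append("kernel driver")
    if not entry["signed"]:
        points += 3 if is_driver else 2; reasons.append("no valid Authenticode signature")
    elif entry["rsa_key_size"] is not None and entry["rsa_key_size"] < 2048:
        points += 1; reasons.append(f"signed with a {entry['rsa_key_size']}-bit RSA key (weak by current standards)")
    return points, reasons


def triage(text):
    """Parse, score and sort so the least-explained files come first."""
    ranked = [(e["path"], *score(e)) for e in parse_suspicious_files(text)]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for path, points, reasons in triage(SAMPLE_LOG):
        print(f"{points:2d}  {path}\n      {'; '.join(reasons)}")
    for digest, paths in group_by_hash(parse_suspicious_files(SAMPLE_LOG)).items():
        if len(paths) > 1:
            print(f"same bytes ({digest[:12]}...) under: {', '.join(paths)}")
```

Run against the excerpt, the unsigned pbcls.dll lands on top, the 1024-bit-signed driver second, and the two 2048-bit-signed DLLs (one file under two names) last. That matches the log's own verdict of Threats: 0 with 15 traces: packing plus code in .reloc is how these anti-cheat modules are built, and a valid signature explains them, whereas an unsigned packed DLL or a driver living under AppData\Local is what to confirm by hand. The log reports only "Valid", not the signer, so checking the certificate subject on the actual files is the step the log itself cannot replace.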