wechselbalg | 27.10.2016 17:38 | Cerber 4.0 ransomware on my computer
Hello dear Trojan fighters,
today around noon the Cerber 4.0 virus went and encrypted my files (I was told that it is Cerber 4 after uploading two sample files here: https://id-ransomware.malwarehunterteam.com/identify.php ).
So far, so annoying, but I had backed up the data that matters to me to an external drive three days ago. So we don't need to take much care with what is still on drive C:. One thing is clear, though: before I connect my external hard drive with the backup to the compromised computer again, I naturally want to be sure that Cerber is gone and has not left any backdoors open.
On the first attempt I could only start Malwarebytes in the old version that was already on the computer (126 detections). After a reboot I was then able to update to the current MBAM version, which promptly found another 45 items.
MBAM (old version) log file: Code:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 27.10.2016
Scan Time: 17:37
Logfile: MBAM_2.txt
Administrator: Yes
Version: 2.00.4.1028
Malware Database: v2015.04.28.05
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admin
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388861
Time Elapsed: 4 min, 6 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 82
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE, Quarantined, [74813c355b2f102683706f23fa0abf41],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [797c93de3e4ca98de5e1474c01034db3],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [3abbafc2d2b8b87e2d9c761d49bb9d63],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE, Quarantined, [777e5a175931c1756a630a897e8616ea],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [dc19007159315bdb5c721f748f755aa6],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [9362b9b8f694c27408ba330dc83cdc24],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [45b020514d3d80b6fdfd6c85f112a759],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [c62ffa773c4e47ef9368b14044bfa25e],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [ae4781f07b0fe650827a1cd553b0b848],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [5c99d8995d2de056354ba0f432d239c7],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [b144b5bc2b5f191d374a771df31141bf],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [b045beb357338fa709874c488d7754ac],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE, Quarantined, [ce270170fc8e20164eac464e74901ce4],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [f7fe31407515e0567cc065300cf818e8],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [886df77acbbf3006d669484d689cc23e],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [50a5bcb51c6ed1659ba6e8ada85c35cb],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE, Quarantined, [f9fcabc67d0d171f015599fc0bf96997],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE, Quarantined, [b4419bd657338fa75b00732208fcaa56],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE, Quarantined, [52a3c6ab3159d85e80ddb2e3ca3abc44],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [896c323fc4c674c2fb667c1961a36c94],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE, Quarantined, [5c99bdb4c6c47cbaf092d5c0b252a45c],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [af468ce5dfabfe386b18d542c34151af],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [06ef066bc5c545f1cad77e1834d00cf4],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [8d685d14ee9c48ee87417f982ed6df21],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [688ded8465258ea8f6bd8d09679db050],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [1bda165baedc2c0aa91d851134d0ff01],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [a94c7bf6d8b2f73f5e53467f818325db],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [de17d79aee9c340255668a3bd034857b],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [d61f1e53d3b7d1653207c1d6fe06aa56],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE, Quarantined, [da1b7001bdcdc2747fdcb1e60bf951af],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE, Quarantined, [8b6a125fa9e177bf1fba1780aa5ae41c],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE, Quarantined, [da1b5f129cee979f796ba3f4976d52ae],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE, Quarantined, [03f2f081ee9ccb6b4bbfc7d1709428d8],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE, Quarantined, [7b7a84edd6b4a09611638d0b4bb949b7],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE, Quarantined, [4ea70e63bad085b116613266f21224dc],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, Quarantined, [36bfc6ab01891125b08a6d4492729967],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE, Quarantined, [db1aadc43b4f38fe20b22f119e667e82],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [11e4f57c761411254f7200edc73d817f],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [bf3699d86327e155d9217cbd20e5837d],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [20d5e19039515bdb799ab0ea9b69bb45],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [f302c4ad22680036200292089f6528d8],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE, Quarantined, [5a9b2b467416bc7a945f088a669e649c],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [d61f1a57fd8d95a10cbacdc65ca827d9],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [7a7b95dcf09a9c9ae6e393004aba06fa],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE, Quarantined, [2cc9f37ec3c77abc408d91025da7ac54],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [ed086809098120169935246f9a6af20e],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [f104541d4e3c989eb50d83bdc04456aa],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [8b6a561b098196a0b5459f5252b1e917],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [c43189e8b5d540f6d4277e73d1323ec2],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [52a3f47d03878ea874885998cd36966a],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [579ea7ca1377a492354b5a3af90bc739],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [6f8676fbc0ca79bd552c8014b94b21df],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [4ea76a07a2e85fd7aae62d672dd7fb05],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE, Quarantined, [7e77c5ac602a1422d4265d373acaa060],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [f9fc96db8efc2b0b23197223ba4a4fb1],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [6c89a2cf3d4d5fd7aa95b2e39d6708f8],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [84713d346b1fc1750140504501034db3],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE, Quarantined, [f104650c7e0cd066c5919401f014827e],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE, Quarantined, [fcf982efb6d43bfbb4a7365fd3318f71],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE, Quarantined, [8a6bbdb4355554e2d88544518b7942be],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [23d25021bad072c4253c1a7b6c983dc3],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE, Quarantined, [ce27373a0e7ca294483a0095749020e0],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [25d01a57ed9d64d2e59e2ee940c425db],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [fcf9145d355591a55e431383669ef709],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [01f4620f1278270f20a844d33dc75aa6],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [ee070a6767233ef8eac9fe98ce36f808],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [e70e7ff2afdbf442c303a6f01ce86e92],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [db1a2c45bdcdfb3b357ce8dd7b89ed13],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [db1aaec3870313237645e7deeb1917e9],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [21d4c1b0ddad0531f6430b8cc83ca759],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE, Quarantined, [ec09254c90facf67da81a4f339cb2cd4],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE, Quarantined, [b73ee98856343ff77465ff9855af36ca],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE, Quarantined, [c92c6d047b0f76c070748b0c0ef6a55b],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE, Quarantined, [2bca21503d4d52e4927842563cc80df3],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE, Quarantined, [ae470e631a701f17bcb8c1d7956fb050],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE, Quarantined, [05f06b062b5fbf779cdb1484e1236799],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, Quarantined, [75801e53b8d2d95d89b18031c242ba46],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE, Quarantined, [fbfaacc5a3e701354d8520205aaa6f91],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [94611a577e0cac8a744dcd207c889c64],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [fdf84d24c5c542f464967dbc6d98c13f],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [63927af7f595cf6747cc1486fb093dc3],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [8b6a84ed3456082e7da58f0bbd4717e9],
Registry Values: 84
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE|debugger, svchost.exe, Quarantined, [74813c355b2f102683706f23fa0abf41]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|debugger, svchost.exe, Quarantined, [797c93de3e4ca98de5e1474c01034db3]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|debugger, svchost.exe, Quarantined, [3abbafc2d2b8b87e2d9c761d49bb9d63]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE|debugger, svchost.exe, Quarantined, [777e5a175931c1756a630a897e8616ea]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|debugger, svchost.exe, Quarantined, [dc19007159315bdb5c721f748f755aa6]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|debugger, svchost.exe, Quarantined, [9362b9b8f694c27408ba330dc83cdc24]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|debugger, svchost.exe, Quarantined, [45b020514d3d80b6fdfd6c85f112a759]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|debugger, svchost.exe, Quarantined, [c62ffa773c4e47ef9368b14044bfa25e]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|debugger, svchost.exe, Quarantined, [ae4781f07b0fe650827a1cd553b0b848]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|debugger, svchost.exe, Quarantined, [5c99d8995d2de056354ba0f432d239c7]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|debugger, svchost.exe, Quarantined, [b144b5bc2b5f191d374a771df31141bf]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|debugger, svchost.exe, Quarantined, [b045beb357338fa709874c488d7754ac]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE|debugger, svchost.exe, Quarantined, [ce270170fc8e20164eac464e74901ce4]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|debugger, svchost.exe, Quarantined, [f7fe31407515e0567cc065300cf818e8]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|debugger, svchost.exe, Quarantined, [886df77acbbf3006d669484d689cc23e]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|debugger, svchost.exe, Quarantined, [50a5bcb51c6ed1659ba6e8ada85c35cb]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE|debugger, svchost.exe, Quarantined, [f9fcabc67d0d171f015599fc0bf96997]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE|debugger, svchost.exe, Quarantined, [b4419bd657338fa75b00732208fcaa56]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE|debugger, svchost.exe, Quarantined, [52a3c6ab3159d85e80ddb2e3ca3abc44]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|debugger, svchost.exe, Quarantined, [896c323fc4c674c2fb667c1961a36c94]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE|debugger, svchost.exe, Quarantined, [5c99bdb4c6c47cbaf092d5c0b252a45c]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|debugger, svchost.exe, Quarantined, [af468ce5dfabfe386b18d542c34151af]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|debugger, svchost.exe, Quarantined, [06ef066bc5c545f1cad77e1834d00cf4]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|debugger, svchost.exe, Quarantined, [8d685d14ee9c48ee87417f982ed6df21]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|debugger, svchost.exe, Quarantined, [688ded8465258ea8f6bd8d09679db050]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|debugger, svchost.exe, Quarantined, [1bda165baedc2c0aa91d851134d0ff01]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|debugger, svchost.exe, Quarantined, [a94c7bf6d8b2f73f5e53467f818325db]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|debugger, svchost.exe, Quarantined, [de17d79aee9c340255668a3bd034857b]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|debugger, svchost.exe, Quarantined, [d61f1e53d3b7d1653207c1d6fe06aa56]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE|debugger, svchost.exe, Quarantined, [da1b7001bdcdc2747fdcb1e60bf951af]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE|debugger, svchost.exe, Quarantined, [8b6a125fa9e177bf1fba1780aa5ae41c]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE|debugger, svchost.exe, Quarantined, [da1b5f129cee979f796ba3f4976d52ae]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE|debugger, svchost.exe, Quarantined, [03f2f081ee9ccb6b4bbfc7d1709428d8]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE|debugger, svchost.exe, Quarantined, [7b7a84edd6b4a09611638d0b4bb949b7]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE|debugger, svchost.exe, Quarantined, [4ea70e63bad085b116613266f21224dc]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|debugger, svchost.exe, Quarantined, [36bfc6ab01891125b08a6d4492729967]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|debugger, svchost.exe, Quarantined, [8b6a2948bbcff5410cfe20793fc554ac]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE|debugger, svchost.exe, Quarantined, [db1aadc43b4f38fe20b22f119e667e82]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|debugger, svchost.exe, Quarantined, [11e4f57c761411254f7200edc73d817f]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|debugger, svchost.exe, Quarantined, [bf3699d86327e155d9217cbd20e5837d]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|debugger, svchost.exe, Quarantined, [20d5e19039515bdb799ab0ea9b69bb45]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|debugger, svchost.exe, Quarantined, [f302c4ad22680036200292089f6528d8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACS.EXE|debugger, svchost.exe, Quarantined, [5a9b2b467416bc7a945f088a669e649c]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|debugger, svchost.exe, Quarantined, [d61f1a57fd8d95a10cbacdc65ca827d9]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|debugger, svchost.exe, Quarantined, [7a7b95dcf09a9c9ae6e393004aba06fa]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKSERVICE.EXE|debugger, svchost.exe, Quarantined, [2cc9f37ec3c77abc408d91025da7ac54]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|debugger, svchost.exe, Quarantined, [ed086809098120169935246f9a6af20e]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|debugger, svchost.exe, Quarantined, [f104541d4e3c989eb50d83bdc04456aa]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|debugger, svchost.exe, Quarantined, [8b6a561b098196a0b5459f5252b1e917]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|debugger, svchost.exe, Quarantined, [c43189e8b5d540f6d4277e73d1323ec2]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|debugger, svchost.exe, Quarantined, [52a3f47d03878ea874885998cd36966a]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|debugger, svchost.exe, Quarantined, [579ea7ca1377a492354b5a3af90bc739]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|debugger, svchost.exe, Quarantined, [6f8676fbc0ca79bd552c8014b94b21df]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|debugger, svchost.exe, Quarantined, [4ea76a07a2e85fd7aae62d672dd7fb05]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EMLPROXY.EXE|debugger, svchost.exe, Quarantined, [7e77c5ac602a1422d4265d373acaa060]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|debugger, svchost.exe, Quarantined, [f9fc96db8efc2b0b23197223ba4a4fb1]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|debugger, svchost.exe, Quarantined, [6c89a2cf3d4d5fd7aa95b2e39d6708f8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|debugger, svchost.exe, Quarantined, [84713d346b1fc1750140504501034db3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSGK32.EXE|debugger, svchost.exe, Quarantined, [f104650c7e0cd066c5919401f014827e]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSM32.EXE|debugger, svchost.exe, Quarantined, [fcf982efb6d43bfbb4a7365fd3318f71]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSMA32.EXE|debugger, svchost.exe, Quarantined, [8a6bbdb4355554e2d88544518b7942be]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|debugger, svchost.exe, Quarantined, [23d25021bad072c4253c1a7b6c983dc3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDXSERVICE.EXE|debugger, svchost.exe, Quarantined, [ce27373a0e7ca294483a0095749020e0]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|debugger, svchost.exe, Quarantined, [25d01a57ed9d64d2e59e2ee940c425db]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|debugger, svchost.exe, Quarantined, [fcf9145d355591a55e431383669ef709]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|debugger, svchost.exe, Quarantined, [01f4620f1278270f20a844d33dc75aa6]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|debugger, svchost.exe, Quarantined, [ee070a6767233ef8eac9fe98ce36f808]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|debugger, svchost.exe, Quarantined, [e70e7ff2afdbf442c303a6f01ce86e92]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|debugger, svchost.exe, Quarantined, [db1a2c45bdcdfb3b357ce8dd7b89ed13]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|debugger, svchost.exe, Quarantined, [db1aaec3870313237645e7deeb1917e9]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|debugger, svchost.exe, Quarantined, [21d4c1b0ddad0531f6430b8cc83ca759]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONLINENT.EXE|debugger, svchost.exe, Quarantined, [ec09254c90facf67da81a4f339cb2cd4]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE|debugger, svchost.exe, Quarantined, [b73ee98856343ff77465ff9855af36ca]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PSANHOST.EXE|debugger, svchost.exe, Quarantined, [c92c6d047b0f76c070748b0c0ef6a55b]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QUHLPSVC.EXE|debugger, svchost.exe, Quarantined, [2bca21503d4d52e4927842563cc80df3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANNER.EXE|debugger, svchost.exe, Quarantined, [ae470e631a701f17bcb8c1d7956fb050]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCANWSCS.EXE|debugger, svchost.exe, Quarantined, [05f06b062b5fbf779cdb1484e1236799]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|debugger, svchost.exe, Quarantined, [75801e53b8d2d95d89b18031c242ba46]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|debugger, svchost.exe, Quarantined, [9c595819d6b4b97d59b1940532d208f8]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE|debugger, svchost.exe, Quarantined, [fbfaacc5a3e701354d8520205aaa6f91]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|debugger, svchost.exe, Quarantined, [94611a577e0cac8a744dcd207c889c64]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|debugger, svchost.exe, Quarantined, [fdf84d24c5c542f464967dbc6d98c13f]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|debugger, svchost.exe, Quarantined, [63927af7f595cf6747cc1486fb093dc3]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|debugger, svchost.exe, Quarantined, [8b6a84ed3456082e7da58f0bbd4717e9]
Registry Data: 2
Windows.Tool.Disabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[16dfff725d2da59168c0ee1b19ede21e]
Windows.Tool.Disabled, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[51a475fc424821154adea960c83ee31d]
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
MBAM (current version) log file: Code:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 27.10.2016
Scan Time: 17:51
Logfile: MBAM_3.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.10.27.07
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admins
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 353720
Time Elapsed: 2 min, 39 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 15
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [d063b8e6dbbffa3c699f8844db2859a7],
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [47ec613dcbcf7fb7c1c9f4d8d82b25db],
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [a192ff9ffaa048ee54b4e5e72cd76799],
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [60d38f0f7e1ce5516d1d5a729e65b947],
PUP.Optional.CrossRider, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\Sense, Quarantined, [84afd0cee3b73204c20adcfb4ab842be],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{10C7A83B-1C36-4D94-B718-3CF2712E216A}, Quarantined, [35fedec053471c1a20c5a6f88f74f709],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{13709CD4-1D45-42A2-8B51-3F395B65B1E3}, Quarantined, [979c4955dfbbca6ccd19f9a5dd26c53b],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44E0B96F-FFDC-4600-928F-215BD67E8FA7}, Quarantined, [260d4b53603a3cfab0352678c73c2ad6],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{6D0AC3A1-5DC1-4AFB-87F2-A63BF7897825}, Quarantined, [0b282b735c3e092da1450f8f51b2af51],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{750BFF28-2DAD-4181-89DD-5DB239817C72}, Quarantined, [3bf8039be8b2b680b4318e1062a18b75],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9E563179-CCB8-4E1C-86D1-B5983C2D629C}, Quarantined, [df541d814357d4623bab47571be8f010],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A751E42A-5025-4000-867B-63B925853B80}, Quarantined, [2310e1bdafebb97d1acb386671922cd4],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{B7AA599E-52E3-461E-9680-3D16B84B8AA2}, Quarantined, [6dc6c7d76535ce68a046b4ea3ac955ab],
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{CE424CCA-415D-473D-B9D5-BAD3A02A1F27}, Quarantined, [68cba0fe1b7f89adb72fc1ddf50e1de3],
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB, Quarantined, [5fd4c1ddd0ca55e19cd0208e6e95b050],
Registry Values: 21
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|debugger, svchost.exe, Quarantined, [d063b8e6dbbffa3c699f8844db2859a7]
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|debugger, svchost.exe, Quarantined, [47ec613dcbcf7fb7c1c9f4d8d82b25db]
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|debugger, svchost.exe, Quarantined, [a192ff9ffaa048ee54b4e5e72cd76799]
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|debugger, svchost.exe, Quarantined, [60d38f0f7e1ce5516d1d5a729e65b947]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{10C7A83B-1C36-4D94-B718-3CF2712E216A}|AppName, fae77da2-4beb-441e-a80f-2233145b4246-2.exe-buttonutil.exe, Quarantined, [35fedec053471c1a20c5a6f88f74f709]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{13709CD4-1D45-42A2-8B51-3F395B65B1E3}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-codedownloader.exe, Quarantined, [979c4955dfbbca6ccd19f9a5dd26c53b]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44E0B96F-FFDC-4600-928F-215BD67E8FA7}|AppName, fae77da2-4beb-441e-a80f-2233145b4246-2.exe-buttonutil.exe, Quarantined, [260d4b53603a3cfab0352678c73c2ad6]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{6D0AC3A1-5DC1-4AFB-87F2-A63BF7897825}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-codedownloader.exe, Quarantined, [0b282b735c3e092da1450f8f51b2af51]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{750BFF28-2DAD-4181-89DD-5DB239817C72}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-buttonutil.exe, Quarantined, [3bf8039be8b2b680b4318e1062a18b75]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9E563179-CCB8-4E1C-86D1-B5983C2D629C}|AppName, 85bfe029-98ca-4ec8-9176-cbab512e2e23-2.exe-codedownloader.exe, Quarantined, [df541d814357d4623bab47571be8f010]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{A751E42A-5025-4000-867B-63B925853B80}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-buttonutil.exe, Quarantined, [2310e1bdafebb97d1acb386671922cd4]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{B7AA599E-52E3-461E-9680-3D16B84B8AA2}|AppName, 856c6d2a-3524-4dff-8b60-60a0fc194b36-2.exe-codedownloader.exe, Quarantined, [6dc6c7d76535ce68a046b4ea3ac955ab]
PUP.Optional.CrossRider, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{CE424CCA-415D-473D-B9D5-BAD3A02A1F27}|AppName, fae77da2-4beb-441e-a80f-2233145b4246-2.exe-codedownloader.exe, Quarantined, [68cba0fe1b7f89adb72fc1ddf50e1de3]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype1, 12/19/14 20:37:26, Quarantined, [5fd4c1ddd0ca55e19cd0208e6e95b050]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype17, 12/19/14 20:37:26, Quarantined, [df54e3bb7e1c62d4cf9dd5d90ef5b947]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype22, 12/19/14 20:37:40, Quarantined, [76bdd1cd3e5ce84e016b614dcc37916f]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype6, 12/19/14 20:40:21, Quarantined, [52e1dcc21b7fe45291db4e60ee15f40c]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype12, 12/19/14 20:40:54, Quarantined, [e84b9d015149cb6ba3c9298500036997]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype5, 12/19/14 20:41:25, Quarantined, [70c347572a7061d536365f4ffa0936ca]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype15, 12/19/14 20:41:25, Quarantined, [f043326c257560d6d4987a3436cd9f61]
PUP.Optional.OutBrowse, HKU\S-1-5-21-3418458991-977026470-3051313295-1000\SOFTWARE\OB|monitype4, 12/19/14 20:41:35, Quarantined, [2c078c121c7eb581323aae0020e3c33d]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 9
Ransom.Cerber, C:\Users\inel-eins\AppData\Roaming\ProxySettings.dll, Quarantined, [d063b5e91387f64035ef61be52b326da],
Ransom.Cerber, C:\Users\inel-eins\AppData\Local\Temp\n5zyi9qea.exe, Quarantined, [c46f2975900a8fa7d054c55a81846b95],
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\nsb57E9.tmp, Quarantined, [8aa985199703cf672244efb356ab2fd1],
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\nsz659B.tmp, Quarantined, [bd766539ebaf5fd7bda9ddc5936e7e82],
Ransom.Cerber, C:\Users\inel-eins\AppData\Local\Temp\aovv1qvg1.exe, Quarantined, [4ee57a24b3e7ef47061e7aa59e676898],
Trojan.Bunitu.ED, C:\Users\inel-eins\AppData\Local\Temp\Random486680185797814772.exe, Quarantined, [de55d5c9801ace68e028b16602ffd42c],
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\ICReinstall_nsb57E9.tmp, Quarantined, [3df6633b4951ce68dd891d8547bab64a],
PUP.Optional.InstallCore, C:\Users\inel-eins\AppData\Local\Temp\ICReinstall_nsz659B.tmp, Quarantined, [9d969d013e5cf93d20467d2548b9cd33],
PUP.Optional.ShopperPro, C:\Users\inel-eins\AppData\Local\Temp\Install_31237\ins_shopperpro.exe, Quarantined, [92a1b4ea6d2d40f6c6bf6bc2a85945bb],
Physical Sectors: 0
(No malicious items detected)
(end)
That is all the software I have run over it so far. From the looks of it, the compromised machine also wrecked the PST files on my second computer and on the network shares it could reach there. Quite nicely programmed. It looks left and right, prevents Malwarebytes from starting in the usual way, prevents the update if MBAM could be started after all against expectations, and blocks the three-finger salute [CTRL-ALT-DEL]. It certainly costs time.
Can we get the machine safely back into shape, or should I rather reinstall it from scratch right away?
Thanks,
Wechselbalg