Windows 7: If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
Good evening,
here are the contents you requested:
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-04-2015
Ran by User at 2015-04-24 15:29:33 Run:2
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available profiles: User)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
S3 XDva391; \??\C:\Windows\system32\XDva391.sys [X]
S1 netfilter2; system32\drivers\netfilter2.sys [X]
c:\windows\system32\drivers\netfilter2.sys
CustomCLSID: HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{4E77131D-3629-431C-9818-C5679DC83E81}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 -> No File Path
Task: {87EB7DF7-6D18-4D17-A603-60C19D81D0D8} - System32\Tasks\Games\UpdateCheck_S-1-5-21-2980554796-842610410-1348767362-1000
RemoveProxy:
EmptyTemp:
end
*****************
Processes closed successfully.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => Key not found.
XDva391 => Service not found.
netfilter2 => Service not found.
"c:\windows\system32\drivers\netfilter2.sys" => File/Directory not found.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} => Key not found.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} => Key not found.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{4E77131D-3629-431C-9818-C5679DC83E81} => Key not found.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87EB7DF7-6D18-4D17-A603-60C19D81D0D8} => Key not found.
C:\Windows\System32\Tasks\Games\UpdateCheck_S-1-5-21-2980554796-842610410-1348767362-1000 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Games\UpdateCheck_S-1-5-21-2980554796-842610410-1348767362-1000 => Key not found.
========= RemoveProxy: =========
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
========= End of RemoveProxy: =========
EmptyTemp: => Removed 126.3 MB temporary data.
The system needed a reboot.
==== End of Fixlog 15:29:52 ====
Code:
HitmanPro 3.7.9.240
www.hitmanpro.com
Computer name . . . . : USER-PC
Windows . . . . . . . : 6.1.1.7601.X86/4
User name . . . . . . : User-PC\User
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)
Scan date . . . . . . : 2015-04-24 15:36:41
Scan mode . . . . . . : Normal
Scan duration . . . . : 28m 18s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : Yes
Threats . . . . . . . : 0
Traces . . . . . . . : 27
Objects scanned . . . : 1.860.527
Files scanned . . . . : 33.449
Remnants scanned . . : 483.481 files / 1.343.597 keys
Suspicious files ____________________________________________________________
C:\Users\User\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll -> Deleted
Size . . . . . . . : 963.480 bytes
Age . . . . . . . : 637.3 days (2013-07-26 08:19:48)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll -> Deleted
Size . . . . . . . : 969.032 bytes
Age . . . . . . . : 287.8 days (2014-07-10 19:43:48)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\BF3\pb\dll\wc002344.dll -> Deleted
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 180.9 days (2014-10-25 18:45:14)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\BF3\pb\pbcl.dll -> Deleted
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 81.9 days (2015-02-01 18:06:26)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\BF3\pb\pbclold.dll -> Deleted
Size . . . . . . . : 1.014.616 bytes
Age . . . . . . . : 637.3 days (2013-07-26 08:15:11)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 64D8D164CC4FF898DDCCBD5D588E88AF2C1F7EA464C2B7519C78BF0D30CC6F24
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys -> PendingDelete
Size . . . . . . . : 139.944 bytes
Age . . . . . . . : 637.3 days (2013-07-26 08:15:23)
Entropy . . . . . : 7.7
SHA-256 . . . . . : E0AB414DBD7AA5888B861AE64B0F9674CED054C755502DDE124A91D6CD6CE97A
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\BLR\pb\pbcl.dll -> Deleted
Size . . . . . . . : 949.190 bytes
Age . . . . . . . : 180.7 days (2014-10-25 22:38:48)
Entropy . . . . . : 7.6
SHA-256 . . . . . : DAF43E93528BEEECC015FA98D6EE6D6FD6D19A049321E47A65665144E4511F41
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\User\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys -> PendingDelete
Size . . . . . . . : 140.360 bytes
Age . . . . . . . : 180.7 days (2014-10-25 22:39:00)
Entropy . . . . . : 7.8
SHA-256 . . . . . : 0F41B3843E2D2D1BB1ACF8B7CAA293309CC1CF8CF478B1AC86DD6BB214928DC4
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\AppData\Local\PunkBuster\HEROES\pb\pbcl.dll -> Deleted
Size . . . . . . . : 947.283 bytes
Age . . . . . . . : 918.2 days (2012-10-18 10:21:38)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 26898E20DB3E20E2986684F1726D3421B0EA9D381F4BD56D6370AAE63973F5B8
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
C:\Users\User\AppData\Local\PunkBuster\HEROES\pb\PnkBstrK.sys -> PendingDelete
Size . . . . . . . : 139.080 bytes
Age . . . . . . . : 918.2 days (2012-10-18 10:22:29)
Entropy . . . . . : 7.8
SHA-256 . . . . . : FAE59652245B6F30D2B5173E1EBC7079F8BBB1CBAC168BBF151AE81879F26AB7
RSA Key Size . . . : 1024
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
C:\Users\User\Desktop\FRST-OlderVersion\FRST.exe -> Deleted
Size . . . . . . . : 1.137.664 bytes
Age . . . . . . . : 4.9 days (2015-04-19 19:03:24)
Entropy . . . . . : 8.0
SHA-256 . . . . . : BCA0FF63987C3861A6905C969117D1476482F359FEFB3575C275E3EB42E84AFE
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
C:\Users\User\Desktop\FRST.exe -> Deleted
Size . . . . . . . : 1.139.200 bytes
Age . . . . . . . : 2.9 days (2015-04-21 17:26:34)
Entropy . . . . . : 8.0
SHA-256 . . . . . : D2BA07C78220EAD912D3C9043C8E2F8538709E2F2B0A4A73C745699D677C672E
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Forensic Cluster
-8.7s C:\Windows\servicing\Sessions\30440519_2282106510.back.xml
-8.7s C:\Windows\servicing\Sessions\30440519_2282106510.xml
0.0s C:\Users\User\Desktop\FRST.exe
1.0s C:\Windows\servicing\Sessions\30440519_2380506687.xml
1.0s C:\Windows\servicing\Sessions\30440519_2380506687.back.xml
C:\Windows\system32\drivers\PnkBstrK.sys -> PendingDelete
Size . . . . . . . : 140.360 bytes
Age . . . . . . . : 103.7 days (2015-01-10 21:43:38)
Entropy . . . . . : 7.8
SHA-256 . . . . . : 0F41B3843E2D2D1BB1ACF8B7CAA293309CC1CF8CF478B1AC86DD6BB214928DC4
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 26.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
Potential Unwanted Programs _________________________________________________
HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\ (UniDeals) -> Deleted
HKU\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\ElectroLyrics-16\ (iPumper) -> Deleted
HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\ (UniDeals) -> PendingDelete
HKU\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\ElectroLyrics-16\ (iPumper) -> PendingDelete
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals) -> Deleted
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\ElectroLyrics-16\ (iPumper) -> Deleted
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\ (UniDeals) -> Deleted
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B} (Claro) -> Deleted
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro) -> Deleted
HKU\S-1-5-21-2980554796-842610410-1348767362-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC} (Claro) -> Deleted
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals) -> PendingDelete
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\ElectroLyrics-16\ (iPumper) -> PendingDelete
HKU\S-1-5-21-2980554796-842610410-1348767362-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\ (UniDeals) -> PendingDelete
Cookies _____________________________________________________________________
C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3xqfoxkz.default-1421944932997\cookies.sqlite:doubleclick.net
Results of screen317's Security Check version 1.00
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
ESET NOD32 Antivirus 4.2
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
Spybot - Search & Destroy
Java 8 Update 45
Java version 32-bit out of Date!
Adobe Flash Player 17.0.0.169
Adobe Reader XI
Mozilla Firefox (37.0.1)
Google Chrome (41.0.2272.118)
Google Chrome (42.0.2311.90)
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe
ESET NOD32 Antivirus ekrn.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Spybot Teatimer.exe is disabled!
Malwarebytes Anti-Malware mbamscheduler.exe
Ruiware WinPatrol WinPatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
And may I download things again now?
Regards
feuerstein98
On the topic: Computer very slow since Friday