Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/), forum "Plagegeister aller Art und deren Bekämpfung" (pests of all kinds and how to fight them), thread: https://www.trojaner-board.de/137545-hitmanpro-2-verdaechtige-objekte.html

mossi 01.07.2013 20:53

HitmanPro: 2 suspicious objects
 
Dear Trojaner-Board team,

while the computer was booting, the HitmanPro scan found 2 suspicious objects:

pbcl.dll and PnkBstrK.sys


Are these dangerous, and if so, how do I remove them?

Many thanks

Code:
HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : MOSSI-HP
   Windows . . . . . . . : 6.1.1.7601.X64/1
   User name . . . . . . : mossi-HP\mossi
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-07-01 21:36:55
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 7m 38s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 21

   Objects scanned . . . : 1.807.039
   Files scanned . . . . : 22.612
   Remnants scanned  . . : 504.754 files / 1.279.673 keys

Suspicious files ____________________________________________________________

   C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
      Size . . . . . . . : 949.190 bytes
      Age  . . . . . . . : 19.2 days (2013-06-12 16:33:35)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : DAF43E93528BEEECC015FA98D6EE6D6FD6D19A049321E47A65665144E4511F41
      Fuzzy  . . . . . . : 30.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
      Forensic Cluster
         -0.2s C:\Program Files (x86)\Steam\SteamApps\common\blacklightretribution\Blacklight Retribution\Live\Binaries\Win32\pb\pbcl.log
         -0.1s C:\Users\mossi\AppData\Local\PunkBuster\
         -0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\
         -0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\
         -0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbclgame.cfg
         -0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.cfg
         -0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.db
          0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
          0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbag.dll
          0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.log
          0.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\scrnshot\
          0.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\dll\
          0.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\htm\
          1.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrB.exe
          5.2s C:\Windows\SysWOW64\PnkBstrB.xtr
         15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
         15.6s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrA.exe

   C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
      Size . . . . . . . : 140.360 bytes
      Age  . . . . . . . : 19.2 days (2013-06-12 16:33:51)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 0F41B3843E2D2D1BB1ACF8B7CAA293309CC1CF8CF478B1AC86DD6BB214928DC4
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 23.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
      Forensic Cluster
         -15.7s C:\Program Files (x86)\Steam\SteamApps\common\blacklightretribution\Blacklight Retribution\Live\Binaries\Win32\pb\pbcl.log
         -15.6s C:\Users\mossi\AppData\Local\PunkBuster\
         -15.6s C:\Users\mossi\AppData\Local\PunkBuster\BLR\
         -15.6s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbclgame.cfg
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.cfg
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.db
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbag.dll
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.log
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\scrnshot\
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\dll\
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\htm\
         -14.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrB.exe
         -10.3s C:\Windows\SysWOW64\PnkBstrB.xtr
          0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
          0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrA.exe




schrauber 02.07.2013 06:21

Hi,

Those belong to PunkBuster. Do you use it?

mossi 02.07.2013 14:07

No. I don't use it.

schrauber 02.07.2013 16:22

It isn't installed?

System scan with FRST
Please download the matching version of Farbar's Recovery Scan Tool to your desktop: FRST 32-bit | FRST 64-bit
(If you are not sure: Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked to, and click Scan.
  • The log files will now be created and will afterwards be on your desktop.
  • Post the FRST.txt and, after the first scan, also the Addition.txt in your thread (click the # symbol in the site's input window)

mossi 02.07.2013 20:34

It was installed.
I have now simply uninstalled it.

schrauber 03.07.2013 07:58

Ah, ok :)

mossi 03.07.2013 12:11

Hitman Pro still shows the two PunkBuster items.
On top of that, 2 new ones have appeared today!

wc002282.dll ---> Suspicious file

BLR.exe ----> Malware

Code:
HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : MOSSI-HP
   Windows . . . . . . . : 6.1.1.7601.X64/1
   User name . . . . . . : mossi-HP\mossi
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-07-03 12:50:10
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 15m 3s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 10
   Traces  . . . . . . . : 54

   Objects scanned . . . : 1.853.652
   Files scanned . . . . : 22.451
   Remnants scanned  . . : 551.493 files / 1.279.708 keys

Malware _____________________________________________________________________

   C:\Program Files (x86)\Steam\SteamApps\downloading\209870\Blacklight Retribution\Live\Binaries\Win32\BLR.exe
      Size . . . . . . . : 20.420.608 bytes
      Age  . . . . . . . : 0.6 days (2013-07-02 22:27:15)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : 1891C89B6E4461BB36FC9D1EAC1CB199D14BF084669229205DD374BF7375EF1B
      Product  . . . . . : Blacklight: Retribution
      Publisher  . . . . : Zombie, Inc.
      Description
      Version  . . . . . : 1.100
      Copyright  . . . . : Copyright 2013 Zombie, Inc. All Rights Reserved.
    > G Data . . . . . . : Gen:Heur.FKP.5
      Fuzzy  . . . . . . : 94.0


Suspicious files ____________________________________________________________

   C:\Program Files (x86)\Steam\SteamApps\downloading\209870\Blacklight Retribution\Live\Binaries\Win32\pb\dll\wc002282.dll
      Size . . . . . . . : 951.602 bytes
      Age  . . . . . . . : 0.6 days (2013-07-02 22:27:15)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : EBA3E3C3F91BCAF644678C5364C81E327DE9577E6BF7C0F4C0ACB56B1C09DC17
      Fuzzy  . . . . . . : 23.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file appears to be part of an installation package or setup program. This is typical for most programs.

   C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
      Size . . . . . . . : 949.190 bytes
      Age  . . . . . . . : 20.8 days (2013-06-12 16:33:35)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : DAF43E93528BEEECC015FA98D6EE6D6FD6D19A049321E47A65665144E4511F41
      Fuzzy  . . . . . . : 30.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
      Forensic Cluster
         -0.2s C:\Program Files (x86)\Steam\SteamApps\common\blacklightretribution\Blacklight Retribution\Live\Binaries\Win32\pb\pbcl.log
         -0.1s C:\Users\mossi\AppData\Local\PunkBuster\
         -0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\
         -0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\
         -0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbclgame.cfg
         -0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.cfg
         -0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.db
          0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
          0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbag.dll
          0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.log
          0.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\scrnshot\
          0.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\dll\
          0.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\htm\
          1.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrB.exe
          5.2s C:\Windows\SysWOW64\PnkBstrB.xtr
         15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
         15.6s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrA.exe

   C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
      Size . . . . . . . : 140.360 bytes
      Age  . . . . . . . : 20.8 days (2013-06-12 16:33:51)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 0F41B3843E2D2D1BB1ACF8B7CAA293309CC1CF8CF478B1AC86DD6BB214928DC4
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 23.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
      Forensic Cluster
         -15.7s C:\Program Files (x86)\Steam\SteamApps\common\blacklightretribution\Blacklight Retribution\Live\Binaries\Win32\pb\pbcl.log
         -15.6s C:\Users\mossi\AppData\Local\PunkBuster\
         -15.6s C:\Users\mossi\AppData\Local\PunkBuster\BLR\
         -15.6s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbclgame.cfg
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.cfg
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.db
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
         -15.5s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbag.dll
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\pbcl.log
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\scrnshot\
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\dll\
         -15.3s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\htm\
         -14.2s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrB.exe
         -10.3s C:\Windows\SysWOW64\PnkBstrB.xtr
          0.0s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
          0.1s C:\Users\mossi\AppData\Local\PunkBuster\BLR\pb\PnkBstrA.exe




schrauber 03.07.2013 12:44

Quote:

C:\Users\mossi\AppData\Local\PunkBuster
Delete the folder by hand. Uninstall Steam.

mossi 03.07.2013 13:55

Isn't there another way than uninstalling Steam?
I bought a game that only runs through Steam.
It can only be installed once. Then the money would be wasted.

schrauber 03.07.2013 14:10

Yep, by reinstalling Steam afterwards and ignoring further messages from Hitman ;)


Copyright ©2000-2025, Trojaner-Board