Log analysis and evaluation: Viruses and antispyware programs can no longer be started or installed (Windows 7)

#1
Viruses and antispyware programs can no longer be started or installed

Hello community,

this morning when starting the computer I noticed that Microsoft Security Essentials did not appear in the taskbar. A manual start and reinstallations were unsuccessful. Other antivirus programs cannot be installed either. In the registry I noticed several Disable and Debugger entries (nqij.exe). So, with my limited knowledge, I suspect a piece of malware... I have attached the logs as per the checklist. Thanks in advance for your efforts!

Best regards
Stefan

GMER log:
```text
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-11-16 10:46:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST315005 rev.CC34 1397,27GB
Running: cesj47z0.exe; Driver: C:\Users\STEFAN~1\AppData\Local\Temp\axriyuow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80003204000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff8000320402f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe[2984]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074c51465 2 bytes [C5, 74]
.text  C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe[2984]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject              00000000770df8bc 5 bytes JMP 00000001769a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtReadFile                         00000000770df8f0 5 bytes JMP 0000000176ea0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                        00000000770df928 5 bytes JMP 0000000176ec0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtClose                            00000000770df9e0 5 bytes JMP 0000000176e20000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                      00000000770df9f8 5 bytes JMP 0000000176520000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile             00000000770dfa10 5 bytes JMP 0000000176e40000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                          00000000770dfa28 5 bytes JMP 0000000176820000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                00000000770dfa40 5 bytes JMP 00000001768c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                         00000000770dfa90 5 bytes JMP 00000001767e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                    00000000770dfaa8 5 bytes JMP 0000000176620000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess          00000000770dfad8 5 bytes JMP 00000001764a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                        00000000770dfb40 5 bytes JMP 0000000176940000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile               00000000770dfc38 5 bytes JMP 0000000176e60000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                 00000000770dfc50 5 bytes JMP 0000000176c60000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection               00000000770dfc80 5 bytes JMP 0000000176c20000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                     00000000770dfd4c 5 bytes JMP 00000001768e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                         00000000770dfd64 5 bytes JMP 00000001770b0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile               00000000770dfd98 5 bytes JMP 0000000176b80000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                      00000000770dfdc8 5 bytes JMP 0000000176de0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile                    00000000770dfdf8 5 bytes JMP 00000001769e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                  00000000770dfe44 5 bytes JMP 0000000176c00000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile              00000000770dfe5c 5 bytes JMP 0000000176da0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile       00000000770dff8c 2 bytes JMP 0000000176bc0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3   00000000770dff8f 2 bytes [AE, FF]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                    00000000770dffa4 2 bytes JMP 0000000176e00000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3                00000000770dffa7 2 bytes [D2, FF]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile                 00000000770dffbc 2 bytes JMP 0000000176b20000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3             00000000770dffbf 2 bytes [A4, FF]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQuerySection                     00000000770e0050 5 bytes JMP 0000000176c40000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                       00000000770e00b4 5 bytes JMP 0000000177090000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects           00000000770e0148 5 bytes JMP 0000000176980000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                      00000000770e01c4 5 bytes JMP 0000000176580000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck                      00000000770e0228 5 bytes JMP 0000000176460000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                       00000000770e09e4 5 bytes JMP 0000000176e80000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                        00000000770e09fc 5 bytes JMP 0000000176920000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                   00000000770e0a44 5 bytes JMP 0000000176900000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtExtendSection                    00000000770e0b1c 5 bytes JMP 0000000176960000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                         00000000770e0b80 5 bytes JMP 00000001768a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory               00000000770e0bb4 5 bytes JMP 0000000176dc0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtLoadKey                          00000000770e0e0c 5 bytes JMP 0000000176880000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2                         00000000770e0e24 5 bytes JMP 0000000176860000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtLockFile                         00000000770e0e54 5 bytes JMP 0000000176b60000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile        00000000770e0f58 5 bytes JMP 00000001769c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                  00000000770e0f70 5 bytes JMP 0000000176840000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                        00000000770e1018 5 bytes JMP 0000000176800000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile          00000000770e133c 5 bytes JMP 0000000176be0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey            00000000770e147c 5 bytes JMP 0000000176640000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject              00000000770e1528 5 bytes JMP 0000000176480000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                        00000000770e1718 5 bytes JMP 0000000176540000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey                       00000000770e1748 5 bytes JMP 0000000176600000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey                       00000000770e17e0 5 bytes JMP 00000001765e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtSaveKey                          00000000770e1874 5 bytes JMP 00000001765c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                00000000770e1a58 5 bytes JMP 00000001765a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                00000000770e1b9c 5 bytes JMP 0000000176d80000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile         00000000770e1c9c 5 bytes JMP 0000000176ba0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey                        00000000770e1e70 5 bytes JMP 0000000176560000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile                       00000000770e1eb8 5 bytes JMP 0000000176b40000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext  00000000770fba2c 5 bytes JMP 0000000176500000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                         00000000770fc4dd 5 bytes JMP 00000001764e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                       0000000077101287 5 bytes JMP 00000001764c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\kernel32.dll!CreateProcessW                  00000000751c103d 5 bytes JMP 0000000174ed0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\kernel32.dll!CreateProcessA                  00000000751c1072 5 bytes JMP 0000000174fe0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\kernel32.dll!CreateActCtxW                   00000000751c920f 5 bytes JMP 0000000175000000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\kernel32.dll!WinExec                         0000000075242ff1 5 bytes JMP 0000000174eb0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW            0000000074a8c532 5 bytes JMP 0000000174a70000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW                    0000000074ac28f8 5 bytes JMP 0000000174a50000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ADVAPI32.dll!DecryptFileW                    0000000074ac2947 5 bytes JMP 0000000174a30000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoRegisterClassObject              00000000758c21e1 5 bytes JMP 00000001758a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoGetClassObject                   00000000758e54ad 5 bytes JMP 0000000175800000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoCreateInstance                   00000000758f9d0b 5 bytes JMP 0000000175840000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                 00000000758f9d4e 5 bytes JMP 0000000175820000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoRevokeClassObject                000000007593eacf 5 bytes JMP 0000000175880000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries              0000000075940cc2 5 bytes JMP 0000000175860000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\ole32.dll!CoRegisterSurrogate                00000000759909bf 5 bytes JMP 00000001757e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69          0000000074c51465 2 bytes [C5, 74]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2188]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155         0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject              00000000770df8bc 5 bytes JMP 00000001769a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtReadFile                         00000000770df8f0 5 bytes JMP 0000000176ea0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                        00000000770df928 5 bytes JMP 0000000176ec0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtClose                            00000000770df9e0 5 bytes JMP 0000000176e20000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                      00000000770df9f8 5 bytes JMP 0000000176520000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile             00000000770dfa10 5 bytes JMP 0000000176e40000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                          00000000770dfa28 5 bytes JMP 0000000176820000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                00000000770dfa40 5 bytes JMP 00000001768c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                         00000000770dfa90 5 bytes JMP 00000001767e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                    00000000770dfaa8 5 bytes JMP 0000000176620000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess          00000000770dfad8 5 bytes JMP 00000001764a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                        00000000770dfb40 5 bytes JMP 0000000176940000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile               00000000770dfc38 5 bytes JMP 0000000176e60000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                 00000000770dfc50 5 bytes JMP 0000000176c60000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection               00000000770dfc80 5 bytes JMP 0000000176c20000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                     00000000770dfd4c 5 bytes JMP 00000001768e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                         00000000770dfd64 5 bytes JMP 00000001770b0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile               00000000770dfd98 5 bytes JMP 0000000176b80000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                      00000000770dfdc8 5 bytes JMP 0000000176de0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile                    00000000770dfdf8 5 bytes JMP 00000001769e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                  00000000770dfe44 5 bytes JMP 0000000176c00000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile              00000000770dfe5c 5 bytes JMP 0000000176da0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile       00000000770dff8c 2 bytes JMP 0000000176bc0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3   00000000770dff8f 2 bytes [AE, FF]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                    00000000770dffa4 2 bytes JMP 0000000176e00000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3                00000000770dffa7 2 bytes [D2, FF]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile                 00000000770dffbc 2 bytes JMP 0000000176b20000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3             00000000770dffbf 2 bytes [A4, FF]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQuerySection                     00000000770e0050 5 bytes JMP 0000000176c40000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                       00000000770e00b4 5 bytes JMP 0000000177090000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects           00000000770e0148 5 bytes JMP 0000000176980000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                      00000000770e01c4 5 bytes JMP 0000000176580000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck                      00000000770e0228 5 bytes JMP 0000000176460000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                       00000000770e09e4 5 bytes JMP 0000000176e80000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                        00000000770e09fc 5 bytes JMP 0000000176920000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                   00000000770e0a44 5 bytes JMP 0000000176900000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtExtendSection                    00000000770e0b1c 5 bytes JMP 0000000176960000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                         00000000770e0b80 5 bytes JMP 00000001768a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory               00000000770e0bb4 5 bytes JMP 0000000176dc0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtLoadKey                          00000000770e0e0c 5 bytes JMP 0000000176880000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2                         00000000770e0e24 5 bytes JMP 0000000176860000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtLockFile                         00000000770e0e54 5 bytes JMP 0000000176b60000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile        00000000770e0f58 5 bytes JMP 00000001769c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                  00000000770e0f70 5 bytes JMP 0000000176840000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                        00000000770e1018 5 bytes JMP 0000000176800000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile          00000000770e133c 5 bytes JMP 0000000176be0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey            00000000770e147c 5 bytes JMP 0000000176640000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject              00000000770e1528 5 bytes JMP 0000000176480000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                        00000000770e1718 5 bytes JMP 0000000176540000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey                       00000000770e1748 5 bytes JMP 0000000176600000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey                       00000000770e17e0 5 bytes JMP 00000001765e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtSaveKey                          00000000770e1874 5 bytes JMP 00000001765c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                00000000770e1a58 5 bytes JMP 00000001765a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                00000000770e1b9c 5 bytes JMP 0000000176d80000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile         00000000770e1c9c 5 bytes JMP 0000000176ba0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey                        00000000770e1e70 5 bytes JMP 0000000176560000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile                       00000000770e1eb8 5 bytes JMP 0000000176b40000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext  00000000770fba2c 5 bytes JMP 0000000176500000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                         00000000770fc4dd 5 bytes JMP 00000001764e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                       0000000077101287 5 bytes JMP 00000001764c0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\kernel32.dll!CreateProcessW                  00000000751c103d 5 bytes JMP 0000000174ed0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\kernel32.dll!CreateProcessA                  00000000751c1072 5 bytes JMP 0000000174fe0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\kernel32.dll!CreateActCtxW                   00000000751c920f 5 bytes JMP 0000000175000000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\kernel32.dll!WinExec                         0000000075242ff1 5 bytes JMP 0000000174eb0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW            0000000074a8c532 5 bytes JMP 0000000174a70000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW                    0000000074ac28f8 5 bytes JMP 0000000174a50000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ADVAPI32.dll!DecryptFileW                    0000000074ac2947 5 bytes JMP 0000000174a30000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoRegisterClassObject              00000000758c21e1 5 bytes JMP 00000001758a0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoGetClassObject                   00000000758e54ad 5 bytes JMP 0000000175800000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoCreateInstance                   00000000758f9d0b 5 bytes JMP 0000000175840000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                 00000000758f9d4e 5 bytes JMP 0000000175820000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoRevokeClassObject                000000007593eacf 5 bytes JMP 0000000175880000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries              0000000075940cc2 5 bytes JMP 0000000175860000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\ole32.dll!CoRegisterSurrogate                00000000759909bf 5 bytes JMP 00000001757e0000
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69          0000000074c51465 2 bytes [C5, 74]
.text  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[2564]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155         0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Steam\Steam.exe[1416]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000074c51465 2 bytes [C5, 74]
.text  C:\Program Files (x86)\Steam\Steam.exe[1416]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2388]  C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint      00000000770d000c 1 byte [C3]
.text  C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2388]  C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  000000007715f8ea 5 bytes JMP 000000017710d5c1
.text  C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074c51465 2 bytes [C5, 74]
.text  C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3940]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074c51465 2 bytes [C5, 74]
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3940]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3496]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000074c51465 2 bytes [C5, 74]
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3496]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000074c514bb 2 bytes [C5, 74]
.text  ...  * 2

---- Threads - GMER 2.1 ----

Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2664]  0000000001deca30
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2676]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2692]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:1764]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2700]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2732]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2832]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2752]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188:2816]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3516]  0000000001deca30
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3520]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3524]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3528]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3532]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3536]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3540]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3544]  0000000001dec3c0
Thread  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564:3548]  0000000001dec3c0

---- Processes - GMER 2.1 ----

Process  C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe (*** suspicious ***) @ C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe [2984] (Microsoft® Windows® Operating System/Microsoft Corporation)(2014-10-09 16:39:51)  0000000001230000
Library  C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe (*** suspicious ***) @ C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe [2984] (Microsoft® Windows® Operating System/Microsoft Corporation)(2014-10-09 16:39:51)  0000000000400000
Library  :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\2188\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188]  0000000010000000
Library  C:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188]  0000000070800000
Library  C:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188]  0000000062e80000
Library  C:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2188]  0000000062480000
Library  :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\2564\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564]  0000000010000000
Library  C:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564]  0000000070800000
Library  C:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564]  0000000062e80000
Library  C:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [2564]  0000000062480000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC  ????????????????????????????????????????????????????????????rdpwd???? ???w???????????P??????os???????????????????????????s??s??????????????????s??????N???????????D??????????????????????????????????????????????????????????????/??LegacyDriver?E??????????? ???????i?????ft???????S??????????????????????????????????????????????????????????????????????? ????s?????sen??Microsoft???Microsoft????}?<?}???????????????????????????????????????~???6??????????gdi32.dll???????????? ????????????????????????????*?????????????????????????????????s???netfxcustomperfcounters.1.0?SharedPerfIPCBlock?Cor_Private_IPCBlock?Cor_Public_IPCBlock_?????????????????????????/??? ?????????????????????????????????? ???????????? ?????????????????????,????????,?????????s?????????????????????advapi32.dll????????????????????COMDLG32.dll??????,?????????????????%SystemRoot%\system32?????,?????????????????%SystemRoot%\syswow64???????????? ??????????????????2???????????????????IERTUTIL.dll????????????? ??????????IMAGEHLP.dll????????????????2??????????
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x04 0x72 0x15 0xE8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x9E 0xDE 0xEF 0x64 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x34 0xB4 0x89 0xC0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12  0xA7 0x97 0xFA 0x17 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12  0x1E 0x86 0x96 0xAE ...
Reg  HKLM\SYSTEM\ControlSet002\Control\BackupRestore\FilesNotToSnapshot@OfficeODC  ?????????????????????????????????????????????????f??Of??????Fi???????&????????0?4?(?? d?????????????????{00000000-0000-0000-0000-000000000000}??????????????????????VolumeSnapshot?0?0??????????????????????????disk_install????{8ECC055D-047F-11D1-A537-0000F8753ED1}????????????????????????N???????????D??????????????o??me???????????b???????m??WPD??????????????????s???a??{66ab4164-9472-555d-929d-a4ee336ac12b}?tor??????????????????????????????????????????????????????????? ???????l?????004??UmBus_Device????{8ECC055D-047F-11D1-A537-0000F8753ED1}?dow???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????~??????????????6-21-2006??????????????????d?????????????d?????????????ett??????????????????????? ????????????????????????????r?????????????USB\Class_03&SubClass_01&Prot_02?USB\Class_03&SubClass_01?USB\Class_03??????6.1.7600.16385?g?r???????????????f???????????????????????????????f????????????????????????N??????U?????????????????????????????????????????
```
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x04 0x72 0x15 0xE8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9E 0xDE 0xEF 0x64 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x34 0xB4 0x89 0xC0 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA7 0x97 0xFA 0x17 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x1E 0x86 0x96 0xAE ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Stefan M\xf7ller\Desktop\ComboFix.exe 1 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ---- FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-11-2014 Ran by S M (administrator) on SM-PC on 16-11-2014 09:09:30 Running from C:\Users\S M\Desktop Loaded Profile: S M (Available profiles: S M & Internet) Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 9 Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AMD) C:\Windows\System32\atiesrxx.exe (AMD) C:\Windows\System32\atieclxx.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe (Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe (iAnywhere Solutions, Inc.) C:\Program Files (x86)\Sybase\SQL Anywhere 9\win32\dbsrv9.exe (Microsoft Corporation) C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe (Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe (Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Samsung) C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Apple Inc.) 
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe (Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe (Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Lexware\Update Manager\LxUpdateManager.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11613288 2010-12-09] (Realtek Semiconductor) HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation) HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [AllShareAgent] => C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe [285072 2012-03-01] (Samsung Electronics Co., Ltd.) 
HKLM-x32\...\Run: [LexwareInfoService] => C:\Program Files (x86)\Lexware\Update Manager\LxUpdateManager.exe [208424 2013-10-08] (Haufe-Lexware GmbH & Co. KG) HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated) HKU\S-1-5-21-26567397-2684912437-3830085727-1000\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [152872 2008-01-22] (Nero AG) HKU\S-1-5-21-26567397-2684912437-3830085727-1000\...\Run: [Xpadder] => C:\Users\Stefan Möller\Downloads\Xpadder.exe [1009664 2013-07-07] () HKU\S-1-5-21-26567397-2684912437-3830085727-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1940160 2014-11-12] (Valve Corporation) HKU\S-1-5-21-26567397-2684912437-3830085727-1000\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [844656 2013-07-26] (Samsung) HKU\S-1-5-21-26567397-2684912437-3830085727-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.) 
HKU\S-1-5-21-26567397-2684912437-3830085727-1000\...\Winlogon: [Shell] C:\Users\Stefan Möller\AppData\Roaming\Realtek\Audio\RtHDVCpl.exe [354304 2014-11-14] (Microsoft Corporation) <==== ATTENTION IFEO\AvastSvc.exe: [Debugger] nqij.exe IFEO\AvastUI.exe: [Debugger] nqij.exe IFEO\avcenter.exe: [Debugger] nqij.exe IFEO\avconfig.exe: [Debugger] nqij.exe IFEO\avgcsrvx.exe: [Debugger] nqij.exe IFEO\avgidsagent.exe: [Debugger] nqij.exe IFEO\avgnt.exe: [Debugger] nqij.exe IFEO\avgrsx.exe: [Debugger] nqij.exe IFEO\avguard.exe: [Debugger] nqij.exe IFEO\avgui.exe: [Debugger] nqij.exe IFEO\avgwdsvc.exe: [Debugger] nqij.exe IFEO\avp.exe: [Debugger] nqij.exe IFEO\avscan.exe: [Debugger] nqij.exe IFEO\bdagent.exe: [Debugger] nqij.exe IFEO\blindman.exe: [Debugger] nqij.exe IFEO\ccuac.exe: [Debugger] nqij.exe IFEO\ComboFix.exe: [Debugger] nqij.exe IFEO\egui.exe: [Debugger] nqij.exe IFEO\hijackthis.exe: [Debugger] nqij.exe IFEO\instup.exe: [Debugger] nqij.exe IFEO\keyscrambler.exe: [Debugger] nqij.exe IFEO\mbam.exe: [Debugger] nqij.exe IFEO\mbamgui.exe: [Debugger] nqij.exe IFEO\mbampt.exe: [Debugger] nqij.exe IFEO\mbamscheduler.exe: [Debugger] nqij.exe IFEO\mbamservice.exe: [Debugger] nqij.exe IFEO\MpCmdRun.exe: [Debugger] nqij.exe IFEO\MSASCui.exe: [Debugger] nqij.exe IFEO\MsMpEng.exe: [Debugger] nqij.exe IFEO\msseces.exe: [Debugger] nqij.exe IFEO\NisSrv.exe: [Debugger] nqij.exe IFEO\rstrui.exe: [Debugger] nqij.exe IFEO\SDFiles.exe: [Debugger] nqij.exe IFEO\SDMain.exe: [Debugger] nqij.exe IFEO\SDWinSec.exe: [Debugger] nqij.exe IFEO\spybotsd.exe: [Debugger] nqij.exe IFEO\wireshark.exe: [Debugger] nqij.exe IFEO\zlclient.exe: [Debugger] nqij.exe ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation) ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 
15\root\Office15\GROOVEEX.DLL (Microsoft Corporation) ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-26567397-2684912437-3830085727-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKLM - DefaultScope value is missing. SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 - DefaultScope value is missing. SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKCU - {F097D89E-E315-4C3F-9760-15AA4E34C76E} URL = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=827316&p={searchTerms} BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation) BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation) BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation) BHO-x32: Windows Live ID-Anmelde-Hilfsprogramm -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation) BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File Handler: haufereader - No CLSID Value Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 FireFox: ======== FF ProfilePath: C:\Users\Stefan Möller\AppData\Roaming\Mozilla\Firefox\Profiles\iepy89s1.default FF Homepage: hxxp://www.google.de/ FF Keyword.URL: hxxp://de.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=827316&p= FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_223.dll () FF Plugin: 
@Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation) FF Plugin: @videolan.org/vlc,version=2.0.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll () FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF Plugin HKU\S-1-5-21-26567397-2684912437-3830085727-1000: amazon.com/AmazonMP3DownloaderPlugin -> C:\Users\Stefan Möller\AppData\Local\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10181.dll (Amazon.com, Inc.) 
FF Plugin HKU\S-1-5-21-26567397-2684912437-3830085727-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll () FF user.js: detected! => C:\Users\Stefan Möller\AppData\Roaming\Mozilla\Firefox\Profiles\iepy89s1.default\user.js FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\ddg.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml FF Extension: NoScript - C:\Users\Stefan Möller\AppData\Roaming\Mozilla\Firefox\Profiles\iepy89s1.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2013-03-25] FF Extension: Adblock Plus - C:\Users\Stefan Möller\AppData\Roaming\Mozilla\Firefox\Profiles\iepy89s1.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-08-18] Chrome: ======= ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2436280 2014-09-25] (Microsoft Corporation) S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed] R2 Lexware_Datenbank_Plus; C:\Program Files (x86)\Sybase\SQL Anywhere 9\win32\dbsrv9.exe [83248 2011-06-29] (iAnywhere Solutions, Inc.) R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [275752 2008-01-22] (Nero AG) S4 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) 
[File not signed] ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation) R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-05-16] () R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-11-10] (DT Soft Ltd) S3 IAMTVE; C:\Windows\system32\DRIVERS\IAMTVE.sys [43416 2007-04-11] (Intel Corporation) S3 IAMTXPE; C:\Windows\system32\DRIVERS\IAMTXPE.sys [51096 2007-04-11] (Intel Corporation) R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-05-16] () S4 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-05-13] (Duplex Secure Ltd.) S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2013-02-12] (Microsoft Corporation) S3 catchme; \??\C:\ComboFix\catchme.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 
2014-11-16 09:09 - 2014-11-16 09:09 - 00015873 _____ () C:\Users\Stefan Möller\Desktop\FRST.txt 2014-11-16 09:09 - 2014-11-16 09:09 - 00000000 ____D () C:\FRST 2014-11-16 09:06 - 2014-11-16 09:07 - 00000540 _____ () C:\Users\Stefan Möller\Desktop\defogger_disable.log 2014-11-16 09:06 - 2014-11-16 09:06 - 00000188 _____ () C:\Users\Stefan Möller\defogger_reenable 2014-11-16 09:04 - 2014-11-16 09:04 - 00380416 _____ () C:\Users\Stefan Möller\Desktop\cesj47z0.exe 2014-11-16 09:03 - 2014-11-16 09:03 - 02116608 _____ (Farbar) C:\Users\Stefan Möller\Desktop\FRST64.exe 2014-11-16 09:02 - 2014-11-16 09:02 - 00050477 _____ () C:\Users\Stefan Möller\Desktop\Defogger.exe 2014-11-16 08:11 - 2014-11-16 08:13 - 00000000 ____D () C:\9d7e071c4c1227e05ff695065779 2014-11-16 08:10 - 2014-11-16 08:11 - 14107296 _____ (Microsoft Corporation) C:\Users\Stefan Möller\Downloads\mseinstall(4).exe 2014-11-16 08:08 - 2014-11-16 08:08 - 00321848 _____ (Malwarebytes Corporation) C:\Users\Stefan Möller\Downloads\mbam-clean-2.1.1.1001.exe 2014-11-16 07:51 - 2014-11-16 07:51 - 14107296 _____ (Microsoft Corporation) C:\Users\Stefan Möller\Downloads\mseinstall(3).exe 2014-11-16 07:36 - 2014-11-16 07:36 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Stefan Möller\Downloads\mbam-setup-2.0.3.1025.exe 2014-11-16 07:27 - 2014-11-16 07:27 - 14107296 _____ (Microsoft Corporation) C:\Users\Stefan Möller\Downloads\mseinstall(2).exe 2014-11-15 10:26 - 2014-11-15 10:27 - 00000000 __SHD () C:\ProgramData\Realtek Audio 2014-11-14 09:06 - 2014-11-14 09:06 - 00000000 ____D () C:\Users\Stefan Möller\Desktop\Xpadder v2014 01 Multilingual - BRD 2014-11-14 09:05 - 2014-11-16 09:12 - 00054188 _____ () C:\Users\Stefan Möller\AppData\Roaming\msconfig.ini 2014-11-14 09:05 - 2014-11-14 09:05 - 00000000 __SHD () C:\Windows\SysWOW64\Realtek Audio 2014-11-13 13:37 - 2014-11-13 13:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud 2014-11-13 13:30 - 2014-11-13 13:30 - 00001849 _____ () 
C:\Users\Public\Desktop\QuickTime Player.lnk 2014-11-13 13:30 - 2014-11-13 13:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime 2014-11-13 13:30 - 2014-11-13 13:30 - 00000000 ____D () C:\Program Files (x86)\QuickTime 2014-11-13 07:44 - 2014-11-13 07:45 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-11-13 07:38 - 2014-11-05 18:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll 2014-11-13 07:38 - 2014-11-05 18:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-11-13 07:38 - 2014-11-05 18:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-11-13 07:38 - 2014-10-27 21:32 - 17870336 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-11-13 07:38 - 2014-10-27 21:13 - 02339840 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-11-13 07:38 - 2014-10-27 21:12 - 10921472 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-11-13 07:38 - 2014-10-27 21:07 - 01388032 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-11-13 07:38 - 2014-10-27 21:06 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-11-13 07:38 - 2014-10-27 21:05 - 01494016 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-11-13 07:38 - 2014-10-27 21:05 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll 2014-11-13 07:38 - 2014-10-27 21:05 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-11-13 07:38 - 2014-10-27 21:04 - 02157056 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-11-13 07:38 - 2014-10-27 21:04 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll 2014-11-13 07:38 - 2014-10-27 21:04 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-11-13 07:38 - 2014-10-27 21:04 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-11-13 07:38 - 
2014-10-27 21:04 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-11-13 07:38 - 2014-10-27 21:04 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-11-13 07:38 - 2014-10-27 21:03 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-11-13 07:38 - 2014-10-27 21:03 - 00282112 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-11-13 07:38 - 2014-10-27 21:03 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-11-13 07:38 - 2014-10-27 21:03 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-11-13 07:38 - 2014-10-27 21:03 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll 2014-11-13 07:38 - 2014-10-27 21:03 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe 2014-11-13 07:38 - 2014-10-27 21:03 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe 2014-11-13 07:38 - 2014-10-27 20:10 - 12366848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-11-13 07:38 - 2014-10-27 20:05 - 01810944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-11-13 07:38 - 2014-10-27 20:02 - 09739776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-11-13 07:38 - 2014-10-27 19:59 - 01139712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-11-13 07:38 - 2014-10-27 19:59 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-11-13 07:38 - 2014-10-27 19:58 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-11-13 07:38 - 2014-10-27 19:57 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2014-11-13 07:38 - 2014-10-27 19:57 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-11-13 07:38 - 2014-10-27 19:56 - 01802752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-11-13 07:38 - 2014-10-27 19:56 - 00717824 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2014-11-13 07:38 - 2014-10-27 19:56 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-11-13 07:38 - 2014-10-27 19:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-11-13 07:38 - 2014-10-27 19:56 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-11-13 07:38 - 2014-10-27 19:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-11-13 07:38 - 2014-10-27 19:55 - 00353792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-11-13 07:38 - 2014-10-27 19:55 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-11-13 07:38 - 2014-10-27 19:55 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-11-13 07:38 - 2014-10-27 19:55 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll 2014-11-13 07:38 - 2014-10-27 19:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe 2014-11-13 07:38 - 2014-10-27 19:55 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe 2014-11-13 07:38 - 2014-10-27 19:54 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-11-13 07:38 - 2014-10-14 03:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys 2014-11-13 07:38 - 2014-10-14 03:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll 2014-11-13 07:38 - 2014-10-14 03:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll 2014-11-13 07:38 - 2014-10-14 03:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll 2014-11-13 07:38 - 2014-10-14 03:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll 2014-11-13 07:38 - 2014-10-14 02:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2014-11-13 07:38 - 2014-10-14 02:49 - 00096768 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\sspicli.dll 2014-11-13 07:38 - 2014-10-14 02:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll 2014-11-13 07:38 - 2014-10-14 02:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll 2014-11-13 07:38 - 2014-08-21 07:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll 2014-11-13 07:38 - 2014-08-21 07:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll 2014-11-13 07:38 - 2014-08-21 07:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2014-11-13 07:38 - 2014-08-21 07:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll 2014-11-13 07:38 - 2014-08-12 03:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL 2014-11-13 07:38 - 2014-08-12 02:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL 2014-11-13 07:37 - 2014-10-25 02:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll 2014-11-13 07:37 - 2014-10-25 02:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll 2014-11-13 07:37 - 2014-10-18 03:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll 2014-11-13 07:37 - 2014-10-18 02:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll 2014-11-13 07:37 - 2014-10-14 03:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll 2014-11-13 07:37 - 2014-10-14 02:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll 2014-11-13 07:37 - 2014-10-10 01:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2014-11-13 07:37 - 2014-10-03 03:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll 2014-11-13 07:37 - 2014-10-03 03:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll 2014-11-13 07:37 - 2014-10-03 03:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll 
2014-11-13 07:37 - 2014-10-03 03:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-13 07:37 - 2014-10-03 03:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-13 07:37 - 2014-10-03 02:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-13 07:37 - 2014-10-03 02:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-13 07:37 - 2014-10-03 02:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-13 07:37 - 2014-09-19 10:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-13 07:37 - 2014-09-19 10:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-30 20:17 - 2014-10-30 20:17 - 00001787 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-10-30 20:17 - 2014-10-30 20:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-10-30 20:17 - 2014-10-30 20:17 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-30 20:17 - 2014-10-30 20:17 - 00000000 ____D () C:\Program Files\iTunes
2014-10-30 20:17 - 2014-10-30 20:17 - 00000000 ____D () C:\Program Files\iPod
2014-10-30 20:17 - 2014-10-30 20:17 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-10-25 11:10 - 2014-10-25 11:11 - 00000000 ____D () C:\Users\Stefan Möller\AppData\Local\{5E073B6A-9506-412A-84AA-9A87D7E5A3D8}
2014-10-25 11:04 - 2014-10-25 11:04 - 00000000 ____D () C:\Users\Stefan Möller\restore
2014-10-25 10:59 - 2014-10-25 10:59 - 00000994 _____ () C:\Users\Public\Desktop\Pixum Fotobuch.lnk
2014-10-25 10:59 - 2014-10-25 10:59 - 00000969 _____ () C:\Users\Public\Desktop\Fotoschau.lnk
2014-10-25 10:59 - 2014-10-25 10:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pixum Fotobuch
2014-10-25 10:56 - 2014-10-25 10:56 - 00000000 ____D () C:\Program Files\Pixum
2014-10-25 10:55 - 2014-10-25 10:55 - 01631072 _____ () C:\Users\Stefan Möller\Downloads\setup_Pixum_Fotobuch.exe
2014-10-23 12:01 - 2014-10-25 11:15 - 00000000 ____D () C:\Users\Stefan Möller\Desktop\Fotos Mama
2014-10-23 08:48 - 2014-10-23 08:48 - 00770048 _____ () C:\Users\Stefan Möller\Documents\image.jpeg
2014-10-23 08:47 - 2014-10-23 08:47 - 00000000 ____D () C:\Users\Stefan Möller\AppData\Local\{05EE08F2-9514-40C8-8B37-FA80196225FE}

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-16 09:06 - 2011-05-13 11:42 - 00000000 ____D () C:\Users\Stefan Möller
2014-11-16 09:03 - 2011-05-21 18:31 - 00000000 ____D () C:\Users\Stefan Möller\Documents\Outlook-Dateien
2014-11-16 08:17 - 2009-07-14 05:45 - 00018704 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-16 08:17 - 2009-07-14 05:45 - 00018704 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-16 08:15 - 2011-05-13 11:39 - 02046938 _____ () C:\Windows\WindowsUpdate.log
2014-11-16 08:13 - 2011-05-22 09:47 - 00002115 _____ () C:\Windows\epplauncher.mif
2014-11-16 08:09 - 2011-06-28 14:40 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-11-16 08:09 - 2010-11-29 14:52 - 00352048 _____ () C:\Windows\PFRO.log
2014-11-16 08:09 - 2009-07-14 05:51 - 00250738 _____ () C:\Windows\setupact.log
2014-11-14 21:39 - 2012-10-16 18:04 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-14 20:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2014-11-14 19:21 - 2011-08-14 06:05 - 00000000 ____D () C:\Users\Stefan Möller\AppData\Roaming\vlc
2014-11-14 12:24 - 2011-05-13 12:05 - 00000000 ____D () C:\Users\Stefan Möller\AppData\Roaming\UseNeXT
2014-11-14 12:23 - 2011-05-13 12:05 - 00000000 ___RD () C:\Users\Stefan Möller\Documents\UseNeXT
2014-11-14 09:06 - 2014-10-09 17:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xpadder
2014-11-14 09:06 - 2014-10-09 17:39 - 00000000 ____D () C:\Program Files (x86)\Xpadder
2014-11-14 09:05 - 2013-07-12 22:20 - 00001778 _____ () C:\Users\Stefan Möller\Desktop\Xpadder.ini
2014-11-14 08:57 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-14 08:57 - 2009-07-14 05:45 - 00449640 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-14 08:54 - 2014-05-06 22:15 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-14 01:59 - 2013-08-14 22:42 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-14 01:56 - 2010-11-26 18:57 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-13 16:22 - 2011-06-06 17:41 - 00000000 ____D () C:\Users\Stefan Möller\Desktop\Britta Carstensen (Dipl. Juristin)
2014-11-13 08:50 - 2012-05-03 17:30 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-11-12 13:39 - 2012-10-16 18:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-11-12 13:39 - 2012-04-09 09:09 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-12 13:39 - 2011-05-27 18:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-10 21:12 - 2011-06-27 20:27 - 00000000 ____D () C:\Program Files (x86)\ElsterFormular
2014-11-10 21:10 - 2010-11-25 17:28 - 00699432 _____ () C:\Windows\system32\perfh007.dat
2014-11-10 21:10 - 2010-11-25 17:28 - 00149572 _____ () C:\Windows\system32\perfc007.dat
2014-11-10 21:10 - 2009-07-14 06:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-08 05:51 - 2011-05-13 13:52 - 00000000 ____D () C:\Users\Stefan Möller\AppData\Local\Adobe
2014-10-30 20:17 - 2014-09-18 12:51 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-10-30 20:17 - 2014-04-17 07:42 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-10-30 12:25 - 2010-11-26 18:22 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-25 12:12 - 2013-08-02 12:25 - 00000000 ____D () C:\ProgramData\tmp
2014-10-25 10:59 - 2013-08-02 12:25 - 00000000 ____D () C:\ProgramData\hps
2014-10-22 18:19 - 2011-11-04 09:40 - 02315776 ___SH () C:\Users\Stefan Möller\Desktop\Thumbs.db
2014-10-21 09:31 - 2013-06-14 18:52 - 00000000 ____D () C:\Program Files\Microsoft Office 15

Files to move or delete:
====================
C:\Users\Stefan Möller\Civ5GDF.dll
C:\Users\Stefan Möller\CvGameCoreDLLFinal Release.dll
C:\Users\Stefan Möller\CvGameDatabaseWin32Final Release.dll
C:\Users\Stefan Möller\CvLocalizationWin32Final Release.dll
C:\Users\Stefan Möller\dbghelp.dll
C:\Users\Stefan Möller\libeay32.dll
C:\Users\Stefan Möller\lua51_Win32.dll
C:\Users\Stefan Möller\Mss32.dll
C:\Users\Stefan Möller\mss32midi.dll
C:\Users\Stefan Möller\ssleay32.dll
C:\Users\Stefan Möller\steam_api.dll
C:\Users\Stefan Möller\zlib1.dll
C:\Users\Stefan Möller\AppData\Roaming\msconfig.ini

Some content of TEMP:
====================
C:\Users\Stefan Möller\AppData\Local\Temp\HardwareCheck.exe
C:\Users\Stefan Möller\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Stefan Möller\AppData\Local\Temp\vlc-2.1.4-win64.exe
C:\Users\Stefan Möller\AppData\Local\Temp\xmwkwy5e.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

LastRegBack: 2014-11-08 18:48

==================== End Of Log ============================

--- --- ---

Last edited by BlueBall (16.11.2014 at 11:32)
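The two findings at the end of the FRST log above are worth being able to reproduce by hand: the "Bamital & volsnap Check" is a digital-signature check over a fixed list of critical system binaries, and the "testsigning" warning means the boot configuration (BCD) is set to let the kernel load test-signed and unsigned drivers, which is exactly what a rootkit driver needs. The PowerShell below is an added example written for this page; it is not part of the forum post and not FRST code. It re-runs the same file list, reads the testsigning flag from bcdedit, and goes one step further than FRST by checking the signature of every currently running kernel driver. It assumes Windows 7 x64 or later, an elevated session, and bcdedit.exe on PATH; the file list and the path-normalisation rules are mine.

```powershell
# Added example (not from the forum post, not FRST code): re-run the FRST
# "Bamital & volsnap Check", read the BCD testsigning flag, and verify the
# signature of every running kernel driver.
# Assumptions: Windows 7 x64 or later, elevated PowerShell, bcdedit.exe on PATH.
# A kernel rootkit on the live system can hide its driver from WMI and from the
# file system, so a clean result here is a hint, not proof; rerun from offline media.

# Same critical files FRST lists under "Bamital & volsnap Check".
$CriticalFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Get-SignatureReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-Object PSObject -Property @{ Path = $p; Status = 'MISSING'; Signer = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Caveat: Windows system binaries are catalog-signed, not embedded-signed.
        # The PowerShell 2.0 that ships with Windows 7 does not consult catalogs and
        # reports them as NotSigned; that is a tool limitation, not an infection.
        # On such hosts cross-check with Sysinternals sigcheck.exe, which does.
        New-Object PSObject -Property @{ Path = $p; Status = [string]$sig.Status; Signer = $signer }
    }
}

function Get-TestSigningState {
    # bcdedit prints "testsigning  Yes" ("Ja" on a German system) when the boot
    # loader accepts test-signed and unsigned drivers. Absent means the default, No.
    $lines = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*testsigning\s+(\S+)') { return $Matches[1] }
    }
    return 'not set (default No)'
}

function Get-RunningDriverPaths {
    # WMI stores driver image paths in several forms; normalise them to real paths.
    Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
            $path
        } | Sort-Object -Unique
}

"== Critical files not reporting a valid signature (FRST list) =="
Get-SignatureReport $CriticalFiles |
    Where-Object { $_.Status -ne 'Valid' } | Format-Table Status, Path -AutoSize

"== BCD testsigning: $(Get-TestSigningState) =="

"== Running kernel drivers whose file is not validly signed =="
Get-SignatureReport (Get-RunningDriverPaths) |
    Where-Object { $_.Status -ne 'Valid' } | Format-Table Status, Signer, Path -AutoSize
```

Read the driver list first: a running driver with an unsigned or missing file, or a file in a user-writable location, is the thing the "ATTENTION!" line is pointing at. Turning the flag back off (`bcdedit /set {current} testsigning off`) only closes the door for the next boot; it does not remove the driver that needed it, and as the FRST note says, there is no automatic fix for a critical file that fails verification, so such a file has to be replaced from a known-good source.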