Log analysis and evaluation: After a DETEKT check, 4 state trojans detected on my computer! (Windows 7)
25.11.2014, 14:08 #1

Hello! I'm new here and ran DETEKT-Check yesterday. I was astonished that my computer had been injected with 4 state trojans. How can I delete all the trojans? I hope somebody here can help me. See attachment... Many thanks in advance for your trouble!! Best regards
25.11.2014, 15:30 #2

the machine (TB-Ausbilder): Hi,

__________________
Please always post logs in the thread. If necessary, split them up and use several posts. I can't open attachments at work, thanks. This is how it works: posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
__________________
25.11.2014, 17:48 #3

Code:
2014-11-24 16:25:18,648 - detector - INFO - Starting with process ID 6256
2014-11-24 16:25:18,651 - detector - ERROR - The user is not an Administrator, aborting
2014-11-24 16:26:01,507 - detector - INFO - Starting with process ID 6628
2014-11-24 16:26:01,533 - detector - INFO - Selected Profile Name: Win7SP1x64
2014-11-24 16:26:01,536 - detector - INFO - Selected Driver: C:\Users\superior\AppData\Local\Temp\_MEI62962\drivers\winpmem64.sys
2014-11-24 16:26:01,536 - detector.service - INFO - Launching service destroyer...
2014-11-24 16:26:01,542 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-24 16:26:01,542 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-24 16:26:01,542 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-24 16:26:01,542 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-24 16:26:02,048 - detector.service - INFO - Trying to start the winpmem service...
2014-11-24 16:26:02,096 - detector - INFO - Service started
2014-11-24 16:26:02,098 - detector - INFO - Selected Yara signature file at C:\Users\superior\AppData\Local\Temp\_MEI62962\rules\signatures.yar
2014-11-24 16:26:02,098 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-24 16:26:05,229 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x08BAC9F0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x07F45B50>
2014-11-24 16:26:05,229 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x07F4D190>, DTB: 0x187000
2014-11-24 16:26:05,230 - detector - INFO - Starting yara scanner...
2014-11-24 19:19:35,884 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52921A3, Value: 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 FromBase64String 00 46 72 65 65 48 53 74 72 69 6e 67 00 50 74 72 .FreeHString.Ptr 54 6f 53 74 72 69 6e 67 48 53 74 72 69 6e 67 00 ToStringHString. 53 74 72 69 6e 67 54 6f 48 53 74 72 69 6e 67 00 StringToHString. 67 65 74 5f 53 74 72 69 6e 67 00 73 65 74 5f 53 get_String.set_S 74 72 69 6e 67 00 47 65 74 52 61 77 43 65 72 74 tring.GetRawCert 44 61 74 61 53 74 72 69 6e 67 00 4d 75 69 52 65 DataString.MuiRe 73 6f 75 72 63 65 4d 61 70 5f 52 65 73 6f 75 72 sourceMap_Resour 63 65 54 79 70 65 49 64 53 74 72 69 6e 67 00 67 ceTypeIdString.g 65 74 5f 52 65 73 6f 75 72 63 65 54 79 70 65 49 et_ResourceTypeI 64 53 74 72 69 6e 67 00 52 65 61 64 53 74 72 69 dString.ReadStri 6e 67 00 41 64 64 53 74 72 69 6e 67 00 46 72 6f ng.AddString.Fro 6d 53 65 72 69 61 6c 69 7a 65 64 53 74 72 69 6e mSerializedStrin 67 00 54 6f 53 65 72 69 61 6c 69 7a 65 64 53 74 g.ToSerializedSt 72 69 6e 67 00 47 65 74 53 65 72 69 61 6c 69 7a ring.GetSerializ 65 64 53 74 72 69 6e 67 00 45 78 70 61 6e 64 53 edString.ExpandS 2014-11-24 19:19:35,887 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527F2A3, Value: 42 61 73 65 36 34 53 74 72 69 6e 67 00 47 65 74 Base64String.Get 43 6f 6d 49 55 6e 6b 6e 6f 77 6e 00 53 69 7a 65 ComIUnknown.Size 64 52 65 66 65 72 65 6e 63 65 00 45 76 69 64 65 dReference.Evide 6e 63 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 50 72 nceCollection.Pr 6f 76 69 64 65 64 53 65 63 75 72 69 74 79 49 6e ovidedSecurityIn 66 6f 00 43 72 65 61 74 6f 72 73 53 65 63 75 72 fo.CreatorsSecur 69 74 79 49 6e 66 6f 00 4f 6e 53 65 72 69 61 6c ityInfo.OnSerial 69 7a 69 6e 67 41 74 74 72 69 62 75 74 65 00 73 izingAttribute.s 65 63 75 72 69 74 79 45 76 69 64 65 6e 63 65 00 ecurityEvidence. 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e System.Security. 
50 6f 6c 69 63 79 00 6d 5f 65 76 69 64 65 6e 63 Policy.m_evidenc 65 00 6d 5f 64 65 73 65 72 69 61 6c 69 7a 65 64 e.m_deserialized 54 61 72 67 65 74 45 76 69 64 65 6e 63 65 00 6d TargetEvidence.m 5f 68 6f 73 74 4c 69 73 74 00 6d 5f 61 73 73 65 _hostList.m_asse 6d 62 6c 79 4c 69 73 74 00 6d 5f 6c 6f 63 6b 65 mblyList.m_locke 64 00 47 65 74 45 76 69 64 65 6e 63 65 54 79 70 d.GetEvidenceTyp 2014-11-24 19:19:35,892 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52921A7, Value: 42 61 73 65 36 34 53 74 72 69 6e 67 00 46 72 65 Base64String.Fre 65 48 53 74 72 69 6e 67 00 50 74 72 54 6f 53 74 eHString.PtrToSt 72 69 6e 67 48 53 74 72 69 6e 67 00 53 74 72 69 ringHString.Stri 6e 67 54 6f 48 53 74 72 69 6e 67 00 67 65 74 5f ngToHString.get_ 53 74 72 69 6e 67 00 73 65 74 5f 53 74 72 69 6e String.set_Strin 67 00 47 65 74 52 61 77 43 65 72 74 44 61 74 61 g.GetRawCertData 53 74 72 69 6e 67 00 4d 75 69 52 65 73 6f 75 72 String.MuiResour 63 65 4d 61 70 5f 52 65 73 6f 75 72 63 65 54 79 ceMap_ResourceTy 70 65 49 64 53 74 72 69 6e 67 00 67 65 74 5f 52 peIdString.get_R 65 73 6f 75 72 63 65 54 79 70 65 49 64 53 74 72 esourceTypeIdStr 69 6e 67 00 52 65 61 64 53 74 72 69 6e 67 00 41 ing.ReadString.A 64 64 53 74 72 69 6e 67 00 46 72 6f 6d 53 65 72 ddString.FromSer 69 61 6c 69 7a 65 64 53 74 72 69 6e 67 00 54 6f ializedString.To 53 65 72 69 61 6c 69 7a 65 64 53 74 72 69 6e 67 SerializedString 00 47 65 74 53 65 72 69 61 6c 69 7a 65 64 53 74 .GetSerializedSt 72 69 6e 67 00 45 78 70 61 6e 64 53 74 72 69 6e ring.ExpandStrin 2014-11-24 19:19:35,898 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52B832B, Value: 43 6f 6e 6e 65 63 74 65 64 00 53 65 74 46 75 6c Connected.SetFul 6c 79 43 6f 6e 6e 65 63 74 65 64 00 49 73 52 65 lyConnected.IsRe 6d 6f 74 65 44 69 73 63 6f 6e 6e 65 63 74 65 64 moteDisconnected 00 49 73 44 69 73 63 6f 6e 6e 65 63 74 65 64 00 .IsDisconnected. 
49 73 46 75 6c 6c 79 44 69 73 63 6f 6e 6e 65 63 IsFullyDisconnec 74 65 64 00 49 73 48 61 6e 64 6c 65 52 65 64 69 ted.IsHandleRedi 72 65 63 74 65 64 00 5f 69 73 53 74 64 49 6e 52 rected._isStdInR 65 64 69 72 65 63 74 65 64 00 5f 69 73 45 72 72 edirected._isErr 6f 72 54 65 78 74 57 72 69 74 65 72 52 65 64 69 orTextWriterRedi 72 65 63 74 65 64 00 5f 69 73 4f 75 74 54 65 78 rected._isOutTex 74 57 72 69 74 65 72 52 65 64 69 72 65 63 74 65 tWriterRedirecte 64 00 5f 69 73 53 74 64 45 72 72 52 65 64 69 72 d._isStdErrRedir 65 63 74 65 64 00 5f 69 73 53 74 64 4f 75 74 52 ected._isStdOutR 65 64 69 72 65 63 74 65 64 00 62 4f 6c 64 46 6f edirected.bOldFo 72 6d 61 74 44 65 74 65 63 74 65 64 00 6d 5f 70 rmatDetected.m_p 72 6f 74 65 63 74 65 64 00 73 5f 50 65 72 6d 55 rotected.s_PermU 2014-11-24 19:19:35,903 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52B833D, Value: 43 6f 6e 6e 65 63 74 65 64 00 49 73 52 65 6d 6f Connected.IsRemo 74 65 44 69 73 63 6f 6e 6e 65 63 74 65 64 00 49 teDisconnected.I 73 44 69 73 63 6f 6e 6e 65 63 74 65 64 00 49 73 sDisconnected.Is 46 75 6c 6c 79 44 69 73 63 6f 6e 6e 65 63 74 65 FullyDisconnecte 64 00 49 73 48 61 6e 64 6c 65 52 65 64 69 72 65 d.IsHandleRedire 63 74 65 64 00 5f 69 73 53 74 64 49 6e 52 65 64 cted._isStdInRed 69 72 65 63 74 65 64 00 5f 69 73 45 72 72 6f 72 irected._isError 54 65 78 74 57 72 69 74 65 72 52 65 64 69 72 65 TextWriterRedire 63 74 65 64 00 5f 69 73 4f 75 74 54 65 78 74 57 cted._isOutTextW 72 69 74 65 72 52 65 64 69 72 65 63 74 65 64 00 riterRedirected. 
5f 69 73 53 74 64 45 72 72 52 65 64 69 72 65 63 _isStdErrRedirec 74 65 64 00 5f 69 73 53 74 64 4f 75 74 52 65 64 ted._isStdOutRed 69 72 65 63 74 65 64 00 62 4f 6c 64 46 6f 72 6d irected.bOldForm 61 74 44 65 74 65 63 74 65 64 00 6d 5f 70 72 6f atDetected.m_pro 74 65 63 74 65 64 00 73 5f 50 65 72 6d 55 6e 72 tected.s_PermUnr 65 73 74 72 69 63 74 65 64 00 47 65 74 55 6e 72 estricted.GetUnr 2014-11-24 19:19:35,904 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52798C1, Value: 52 65 63 65 69 76 65 72 00 44 61 74 65 54 69 6d Receiver.DateTim 65 50 61 72 73 65 00 46 75 73 69 6f 6e 00 54 69 eParse.Fusion.Ti 6d 65 53 70 61 6e 54 68 72 6f 77 53 74 79 6c 65 meSpanThrowStyle 00 53 79 6e 63 48 61 73 68 74 61 62 6c 65 00 52 .SyncHashtable.R 53 41 50 4b 43 53 31 53 48 41 31 53 69 67 6e 61 SAPKCS1SHA1Signa 74 75 72 65 44 65 73 63 72 69 70 74 69 6f 6e 00 tureDescription. 5f 53 74 72 6f 6e 67 4e 61 6d 65 4b 65 79 50 61 _StrongNameKeyPa 69 72 00 50 61 64 64 69 6e 67 4d 6f 64 65 00 4d ir.PaddingMode.M 65 74 68 6f 64 49 6d 70 6c 4f 70 74 69 6f 6e 73 ethodImplOptions 00 63 5f 74 69 63 6b 73 50 65 72 44 61 79 52 61 .c_ticksPerDayRa 6e 67 65 00 44 6f 6d 61 69 6e 53 70 65 63 69 66 nge.DomainSpecif 69 63 52 65 6d 6f 74 69 6e 67 44 61 74 61 00 41 icRemotingData.A 72 67 75 6d 65 6e 74 5f 49 6e 76 61 6c 69 64 52 rgument_InvalidR 65 67 69 73 74 72 79 4b 65 79 50 65 72 6d 69 73 egistryKeyPermis 73 69 6f 6e 43 68 65 63 6b 00 53 74 6f 72 65 54 sionCheck.StoreT 72 61 6e 73 61 63 74 69 6f 6e 00 3c 52 65 61 64 ransaction.<Read 2014-11-24 19:19:35,917 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527BEE9, Value: 52 65 63 65 69 76 65 72 48 6f 6f 6b 00 49 73 6f ReceiverHook.Iso 6c 61 74 65 64 53 74 6f 72 61 67 65 46 69 6c 65 latedStorageFile 00 74 79 70 65 6f 66 53 6f 61 70 49 64 72 65 66 .typeofSoapIdref 73 00 52 65 67 69 73 74 65 72 65 64 43 68 61 6e s.RegisteredChan 6e 65 6c 00 61 73 73 65 6d 62 6c 79 52 65 73 6f 
nel.assemblyReso 6c 76 65 72 00 4f 62 6a 65 63 74 49 44 47 65 6e lver.ObjectIDGen 65 72 61 74 6f 72 00 44 69 63 74 69 6f 6e 61 72 erator.Dictionar 79 45 6e 75 6d 65 72 61 74 6f 72 42 79 4b 65 79 yEnumeratorByKey 73 00 42 69 74 43 6f 6e 76 65 72 74 65 72 00 45 s.BitConverter.E 76 65 6e 74 4c 69 73 74 65 6e 65 72 00 47 65 74 ventListener.Get 4d 6f 64 75 6c 65 48 61 6e 64 6c 65 00 53 74 64 ModuleHandle.Std 43 6f 6e 55 6e 69 63 6f 64 65 45 6e 63 6f 64 69 ConUnicodeEncodi 6e 67 00 49 6e 74 65 72 6e 61 6c 47 65 74 53 6f ng.InternalGetSo 72 74 56 65 72 73 69 6f 6e 00 52 53 41 4f 41 45 rtVersion.RSAOAE 50 4b 65 79 45 78 63 68 61 6e 67 65 46 6f 72 6d PKeyExchangeForm 61 74 74 65 72 00 54 79 70 65 4c 69 62 56 61 72 atter.TypeLibVar 2014-11-24 19:19:35,920 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5291242, Value: 52 65 63 65 69 76 65 00 41 72 63 68 69 76 65 00 Receive.Archive. 67 65 74 5f 4b 65 65 70 41 6c 69 76 65 00 3c 3e get_KeepAlive.<> 33 5f 5f 66 72 6f 6d 49 6e 63 6c 75 73 69 76 65 3__fromInclusive 00 67 65 74 5f 53 63 68 65 64 75 6c 65 64 45 78 .get_ScheduledEx 63 6c 75 73 69 76 65 00 3c 3e 33 5f 5f 74 6f 45 clusive.<>3__toE 78 63 6c 75 73 69 76 65 00 4d 61 72 73 68 61 6c xclusive.Marshal 4d 61 6e 61 67 65 64 54 6f 4e 61 74 69 76 65 00 ManagedToNative. 50 61 63 6b 46 6f 72 4e 61 74 69 76 65 00 53 65 PackForNative.Se 74 50 72 69 6f 72 69 74 79 4e 61 74 69 76 65 00 tPriorityNative. 
41 73 73 75 6d 65 4e 65 67 61 74 69 76 65 00 53 AssumeNegative.S 65 6c 66 52 65 6c 61 74 69 76 65 00 53 65 74 54 elfRelative.SetT 68 72 6f 77 4f 6e 52 65 6c 61 74 69 76 65 00 4e hrowOnRelative.N 61 74 69 76 65 52 65 67 69 73 74 65 72 52 65 6c ativeRegisterRel 61 74 69 76 65 00 49 73 43 75 72 72 65 6e 74 41 ative.IsCurrentA 63 74 69 76 69 74 79 41 63 74 69 76 65 00 67 65 ctivityActive.ge 74 5f 55 73 65 72 49 6e 74 65 72 61 63 74 69 76 t_UserInteractiv 2014-11-24 19:19:35,921 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52AEA28, Value: 52 65 63 65 69 76 65 72 43 6f 75 6e 74 00 6e 6f ReceiverCount.no 64 65 73 43 6f 75 6e 74 00 5f 6f 75 74 41 72 67 desCount._outArg 73 43 6f 75 6e 74 00 72 65 70 6c 61 63 65 6d 65 sCount.replaceme 6e 74 73 43 6f 75 6e 74 00 70 72 65 76 69 6f 75 ntsCount.previou 73 43 6f 75 6e 74 00 72 65 70 65 61 74 43 6f 75 sCount.repeatCou 6e 74 00 74 61 72 67 65 74 43 6f 75 6e 74 00 62 nt.targetCount.b 75 63 6b 65 74 43 6f 75 6e 74 00 72 69 67 68 74 ucketCount.right 42 69 74 53 68 69 66 74 43 6f 75 6e 74 00 65 6c BitShiftCount.el 65 6d 65 6e 74 43 6f 75 6e 74 00 67 65 74 5f 41 ementCount.get_A 72 67 75 6d 65 6e 74 43 6f 75 6e 74 00 44 65 66 rgumentCount.Def 61 75 6c 74 43 6f 6d 70 6f 6e 65 6e 74 43 6f 75 aultComponentCou 6e 74 00 5f 74 6f 6b 65 6e 4c 69 73 74 43 6f 75 nt._tokenListCou 6e 74 00 6d 65 74 68 6f 64 49 6e 73 74 43 6f 75 nt.methodInstCou 6e 74 00 74 79 70 65 49 6e 73 74 43 6f 75 6e 74 nt.typeInstCount 00 69 6e 70 75 74 43 6f 75 6e 74 00 6d 5f 6d 61 .inputCount.m_ma 78 43 6f 75 6e 74 00 6b 65 79 43 6f 75 6e 74 00 xCount.keyCount. 
2014-11-24 19:19:35,924 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C73E8, Value: 52 65 63 65 69 76 65 72 00 47 65 74 52 65 73 6f Receiver.GetReso 6c 76 65 72 00 47 65 74 55 6e 77 72 61 70 70 65 lver.GetUnwrappe 64 53 65 72 76 65 72 00 44 65 74 61 63 68 53 65 dServer.DetachSe 72 76 65 72 00 41 74 74 61 63 68 53 65 72 76 65 rver.AttachServe 72 00 5f 73 65 72 76 65 72 00 53 65 74 45 72 72 r._server.SetErr 6f 72 4d 6f 64 65 5f 57 69 6e 37 41 6e 64 4e 65 orMode_Win7AndNe 77 65 72 00 4d 61 6b 65 55 52 49 4b 65 79 4e 6f wer.MakeURIKeyNo 4c 6f 77 65 72 00 52 75 6e 49 6e 69 74 69 61 6c Lower.RunInitial 69 7a 65 72 00 4c 65 61 73 65 54 69 6d 65 41 6e izer.LeaseTimeAn 61 6c 79 7a 65 72 00 5f 6c 6f 63 61 6c 44 61 74 alyzer._localDat 61 53 74 6f 72 65 4d 67 72 00 6d 5f 49 73 43 6f aStoreMgr.m_IsCo 72 72 65 6c 61 74 69 6f 6e 4d 67 72 00 53 79 73 rrelationMgr.Sys 74 65 6d 52 65 73 4d 67 72 00 6d 5f 6d 67 72 00 temResMgr.m_mgr. 73 5f 61 70 70 44 61 74 61 44 69 72 00 6d 5f 53 s_appDataDir.m_S 75 62 44 69 72 00 6d 5f 6e 53 75 62 44 69 72 00 ubDir.m_nSubDir. 
47 65 74 44 65 6d 61 6e 64 44 69 72 00 64 65 6d GetDemandDir.dem 2014-11-24 19:19:35,926 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5023007, Value: 53 65 6e 64 54 6f 00 53 74 61 72 74 4d 65 6e 75 SendTo.StartMenu 00 4d 79 4d 75 73 69 63 00 4d 79 56 69 64 65 6f .MyMusic.MyVideo 73 00 44 65 73 6b 74 6f 70 44 69 72 65 63 74 6f s.DesktopDirecto 72 79 00 4d 79 43 6f 6d 70 75 74 65 72 00 4e 65 ry.MyComputer.Ne 74 77 6f 72 6b 53 68 6f 72 74 63 75 74 73 00 46 tworkShortcuts.F 6f 6e 74 73 00 54 65 6d 70 6c 61 74 65 73 00 43 onts.Templates.C 6f 6d 6d 6f 6e 53 74 61 72 74 4d 65 6e 75 00 43 ommonStartMenu.C 6f 6d 6d 6f 6e 50 72 6f 67 72 61 6d 73 00 43 6f ommonPrograms.Co 6d 6d 6f 6e 53 74 61 72 74 75 70 00 43 6f 6d 6d mmonStartup.Comm 6f 6e 44 65 73 6b 74 6f 70 44 69 72 65 63 74 6f onDesktopDirecto 72 79 00 41 70 70 6c 69 63 61 74 69 6f 6e 44 61 ry.ApplicationDa 74 61 00 50 72 69 6e 74 65 72 53 68 6f 72 74 63 ta.PrinterShortc 75 74 73 00 4c 6f 63 61 6c 41 70 70 6c 69 63 61 uts.LocalApplica 74 69 6f 6e 44 61 74 61 00 49 6e 74 65 72 6e 65 tionData.Interne 74 43 61 63 68 65 00 43 6f 6f 6b 69 65 73 00 48 tCache.Cookies.H 69 73 74 6f 72 79 00 43 6f 6d 6d 6f 6e 41 70 70 istory.CommonApp 2014-11-24 19:19:35,930 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5263340, Value: 53 00 65 00 6e 00 64 00 00 17 77 00 69 00 6e 00 S.e.n.d...w.i.n. 3a 00 52 00 65 00 63 00 65 00 69 00 76 00 65 00 :.R.e.c.e.i.v.e. 00 11 20 00 3c 00 74 00 61 00 73 00 6b 00 73 00 ....<.t.a.s.k.s. 3e 00 00 1d 20 00 20 00 3c 00 74 00 61 00 73 00 >.......<.t.a.s. 6b 00 20 00 6e 00 61 00 6d 00 65 00 3d 00 22 00 k...n.a.m.e.=.". 00 13 22 00 20 00 76 00 61 00 6c 00 75 00 65 00 .."...v.a.l.u.e. 3d 00 22 00 00 07 22 00 2f 00 3e 00 00 13 20 00 =."..."./.>..... 3c 00 2f 00 74 00 61 00 73 00 6b 00 73 00 3e 00 <./.t.a.s.k.s.>. 00 0f 20 00 3c 00 6d 00 61 00 70 00 73 00 3e 00 ....<.m.a.p.s.>. 
00 11 76 00 61 00 6c 00 75 00 65 00 4d 00 61 00 ..v.a.l.u.e.M.a. 70 00 00 0d 62 00 69 00 74 00 4d 00 61 00 70 00 p...b.i.t.M.a.p. 00 07 20 00 20 00 3c 00 00 0f 20 00 6e 00 61 00 ......<.....n.a. 6d 00 65 00 3d 00 22 00 00 03 78 00 00 23 20 00 m.e.=."...x..#.. 20 00 20 00 3c 00 6d 00 61 00 70 00 20 00 76 00 ....<.m.a.p...v. 61 00 6c 00 75 00 65 00 3d 00 22 00 30 00 78 00 a.l.u.e.=.".0.x. 00 07 6d 00 61 00 70 00 00 09 20 00 20 00 3c 00 ..m.a.p.......<. 2014-11-24 19:19:35,931 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5274F93, Value: 53 65 6e 64 65 72 00 50 72 6f 63 65 73 73 53 69 Sender.ProcessSi 6e 6b 50 72 6f 76 69 64 65 72 44 61 74 61 00 41 nkProviderData.A 70 70 6c 69 63 61 74 69 6f 6e 54 72 75 73 74 45 pplicationTrustE 6e 75 6d 65 72 61 74 6f 72 00 53 61 66 65 56 69 numerator.SafeVi 65 77 4f 66 46 69 6c 65 48 61 6e 64 6c 65 00 42 ewOfFileHandle.B 69 6e 61 72 79 4f 62 6a 65 63 74 57 69 74 68 4d inaryObjectWithM 61 70 54 79 70 65 64 00 73 65 74 5f 44 61 74 65 apTyped.set_Date 54 69 6d 65 46 6f 72 6d 61 74 00 49 64 6e 4d 61 TimeFormat.IdnMa 70 70 69 6e 67 00 43 6f 6d 45 76 65 6e 74 49 6e pping.ComEventIn 74 65 72 66 61 63 65 41 74 74 72 69 62 75 74 65 terfaceAttribute 00 53 74 6f 72 65 54 72 61 6e 73 61 63 74 69 6f .StoreTransactio 6e 4f 70 65 72 61 74 69 6f 6e 00 4d 61 6e 69 66 nOperation.Manif 65 73 74 45 6e 76 65 6c 6f 70 65 00 3c 57 72 69 estEnvelope.<Wri 74 65 41 73 79 6e 63 49 6e 74 65 72 6e 61 6c 3e teAsyncInternal> 64 5f 5f 65 00 49 6e 74 65 72 6e 61 6c 45 6e 63 d__e.InternalEnc 6f 64 69 6e 67 44 61 74 61 49 74 65 6d 00 54 68 odingDataItem.Th 2014-11-24 19:19:35,934 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527C538, Value: 53 65 6e 64 4f 72 50 6f 73 74 43 61 6c 6c 62 61 SendOrPostCallba 63 6b 00 41 73 73 65 6d 62 6c 79 41 74 74 72 69 ck.AssemblyAttri 62 75 74 65 73 47 6f 48 65 72 65 00 49 45 6e 75 butesGoHere.IEnu 6d 44 65 66 69 6e 69 74 69 6f 6e 49 64 65 6e 74 
mDefinitionIdent 69 74 79 00 53 79 73 74 65 6d 5f 4c 61 7a 79 44 ity.System_LazyD 65 62 75 67 56 69 65 77 60 31 00 73 5f 63 72 65 ebugView`1.s_cre 61 74 65 43 6f 6e 74 69 6e 67 65 6e 74 50 72 6f ateContingentPro 70 65 72 74 69 65 73 00 49 53 74 72 75 63 74 75 perties.IStructu 72 61 6c 43 6f 6d 70 61 72 61 62 6c 65 00 6d 5f ralComparable.m_ 6e 65 77 4d 75 74 65 78 00 73 65 74 5f 44 65 63 newMutex.set_Dec 6f 64 65 72 46 61 6c 6c 62 61 63 6b 00 52 65 6d oderFallback.Rem 6f 74 69 6e 67 54 79 70 65 43 61 63 68 65 64 44 otingTypeCachedD 61 74 61 00 4d 75 69 52 65 73 6f 75 72 63 65 4d ata.MuiResourceM 61 70 45 6e 74 72 79 46 69 65 6c 64 49 64 00 44 apEntryFieldId.D 65 73 63 72 69 70 74 69 6f 6e 4d 65 74 61 64 61 escriptionMetada 74 61 45 6e 74 72 79 46 69 65 6c 64 49 64 00 44 taEntryFieldId.D 2014-11-24 19:19:35,936 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527FB8A, Value: 53 65 6e 64 4d 61 6e 69 66 65 73 74 00 45 6e 73 SendManifest.Ens 75 72 65 49 6e 69 74 69 61 6c 69 7a 65 64 00 41 ureInitialized.A 6e 79 45 76 65 6e 74 45 6e 61 62 6c 65 64 00 56 nyEventEnabled.V 61 6c 69 64 61 74 65 45 76 65 6e 74 4f 70 63 6f alidateEventOpco 64 65 46 6f 72 54 72 61 6e 73 66 65 72 00 49 73 deForTransfer.Is 45 6e 61 62 6c 65 64 42 79 44 65 66 61 75 6c 74 EnabledByDefault 00 57 72 69 74 65 53 74 72 69 6e 67 54 6f 41 6c .WriteStringToAl 6c 4c 69 73 74 65 6e 65 72 73 00 57 72 69 74 65 lListeners.Write 45 76 65 6e 74 53 74 72 69 6e 67 00 57 72 69 74 EventString.Writ 65 54 6f 41 6c 6c 4c 69 73 74 65 6e 65 72 73 00 eToAllListeners. 57 72 69 74 65 45 76 65 6e 74 56 61 72 61 72 67 WriteEventVararg 73 00 47 65 74 44 69 73 70 61 74 63 68 65 72 00 s.GetDispatcher. 
44 65 63 6f 64 65 4f 62 6a 65 63 74 00 47 65 6e DecodeObject.Gen 65 72 61 74 65 47 75 69 64 46 72 6f 6d 4e 61 6d erateGuidFromNam 65 00 52 65 70 6f 72 74 4f 75 74 4f 66 42 61 6e e.ReportOutOfBan 64 4d 65 73 73 61 67 65 00 4f 75 74 70 75 74 44 dMessage.OutputD 2014-11-24 19:19:35,940 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527FD07, Value: 53 65 6e 64 43 6f 6d 6d 61 6e 64 00 57 72 69 74 SendCommand.Writ 65 45 76 65 6e 74 57 69 74 68 52 65 6c 61 74 65 eEventWithRelate 64 41 63 74 69 76 69 74 79 49 64 00 57 72 69 74 dActivityId.Writ 65 45 76 65 6e 74 00 57 72 69 74 65 45 76 65 6e eEvent.WriteEven 74 57 69 74 68 52 65 6c 61 74 65 64 41 63 74 69 tWithRelatedActi 76 69 74 79 49 64 43 6f 72 65 00 57 72 69 74 65 vityIdCore.Write 45 76 65 6e 74 43 6f 72 65 00 57 72 69 74 65 53 EventCore.WriteS 74 72 69 6e 67 54 6f 4c 69 73 74 65 6e 65 72 00 tringToListener. 45 76 65 6e 74 57 72 69 74 65 53 74 72 69 6e 67 EventWriteString 00 67 65 74 5f 43 6f 6e 73 74 72 75 63 74 69 6f .get_Constructio 6e 45 78 63 65 70 74 69 6f 6e 00 67 65 74 5f 46 nException.get_F 61 6c 6c 62 61 63 6b 41 63 74 69 76 69 74 79 49 allbackActivityI 64 00 67 65 74 5f 49 6e 74 65 72 6e 61 6c 43 75 d.get_InternalCu 72 72 65 6e 74 54 68 72 65 61 64 41 63 74 69 76 rrentThreadActiv 69 74 79 49 64 00 67 65 74 5f 43 75 72 72 65 6e ityId.get_Curren 74 54 68 72 65 61 64 41 63 74 69 76 69 74 79 49 tThreadActivityI 2014-11-24 19:19:35,941 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF528C9BD, Value: 53 65 6e 64 00 67 65 74 5f 41 70 70 65 6e 64 00 Send.get_Append. 73 65 74 5f 41 70 70 65 6e 64 00 53 75 73 70 65 set_Append.Suspe 6e 64 00 46 52 65 76 65 72 73 65 42 69 6e 64 00 nd.FReverseBind. 
46 49 6d 6d 65 64 69 61 74 65 42 69 6e 64 00 46 FImmediateBind.F 44 65 66 61 75 6c 74 42 69 6e 64 00 46 44 69 73 DefaultBind.FDis 70 6c 61 79 42 69 6e 64 00 47 65 74 50 45 4b 69 playBind.GetPEKi 6e 64 00 67 65 74 5f 4b 69 6e 64 00 41 72 67 5f nd.get_Kind.Arg_ 52 65 67 53 65 74 4d 69 73 6d 61 74 63 68 65 64 RegSetMismatched 4b 69 6e 64 00 67 65 74 5f 46 61 69 6c 75 72 65 Kind.get_Failure 4b 69 6e 64 00 47 65 74 56 61 6c 75 65 4b 69 6e Kind.GetValueKin 64 00 47 65 74 43 6f 72 72 65 73 70 6f 6e 64 69 d.GetCorrespondi 6e 67 4b 69 6e 64 00 52 6f 75 6e 64 74 72 69 70 ngKind.Roundtrip 4b 69 6e 64 00 67 65 74 5f 41 64 64 72 65 73 73 Kind.get_Address 4b 69 6e 64 00 53 70 65 63 69 66 79 4b 69 6e 64 Kind.SpecifyKind 00 66 75 6e 63 6b 69 6e 64 00 74 79 70 65 6b 69 .funckind.typeki 6e 64 00 76 61 72 6b 69 6e 64 00 73 79 73 6b 69 nd.varkind.syski 2014-11-24 19:19:35,944 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5296AB1, Value: 53 65 6e 64 54 6f 00 4d 6f 76 65 54 6f 00 52 65 SendTo.MoveTo.Re 6c 61 74 69 76 65 50 61 74 68 54 6f 00 45 71 75 lativePathTo.Equ 61 6c 54 6f 00 67 65 74 5f 45 78 74 72 61 49 6e alTo.get_ExtraIn 66 6f 00 73 65 74 5f 45 78 74 72 61 49 6e 66 6f fo.set_ExtraInfo 00 46 6f 72 6d 61 74 53 74 75 62 49 6e 66 6f 00 .FormatStubInfo. 49 6e 74 65 72 6e 61 6c 47 65 74 43 6f 6d 53 6c InternalGetComSl 6f 74 46 6f 72 4d 65 74 68 6f 64 49 6e 66 6f 00 otForMethodInfo. 
47 65 74 4d 65 74 68 6f 64 49 6e 66 6f 00 47 65 GetMethodInfo.Ge 74 44 65 73 65 72 69 61 6c 69 7a 65 64 54 69 6d tDeserializedTim 65 5a 6f 6e 65 49 6e 66 6f 00 67 65 74 5f 54 79 eZoneInfo.get_Ty 70 65 49 6e 66 6f 00 73 65 74 5f 54 79 70 65 49 peInfo.set_TypeI 6e 66 6f 00 43 72 65 61 74 65 54 79 70 65 49 6e nfo.CreateTypeIn 66 6f 00 47 65 74 52 65 66 54 79 70 65 49 6e 66 fo.GetRefTypeInf 6f 00 52 65 66 6c 65 63 74 69 6f 6e 54 79 70 65 o.ReflectionType 49 6e 66 6f 00 53 79 73 74 65 6d 2e 52 75 6e 74 Info.System.Runt 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 ime.InteropServi 2014-11-24 19:19:35,946 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52AF093, Value: 53 65 6e 64 4d 65 73 73 61 67 65 54 69 6d 65 6f SendMessageTimeo 75 74 00 73 5f 69 73 53 70 6f 6e 73 6f 72 73 68 ut.s_isSponsorsh 69 70 54 69 6d 65 6f 75 74 00 5f 73 70 6f 6e 73 ipTimeout._spons 6f 72 73 68 69 70 54 69 6d 65 6f 75 74 00 6f 72 orshipTimeout.or 69 67 69 6e 61 6c 57 61 69 74 4d 69 6c 6c 69 73 iginalWaitMillis 65 63 6f 6e 64 73 54 69 6d 65 6f 75 74 00 74 69 econdsTimeout.ti 6d 65 6f 75 74 00 73 73 6f 75 74 00 53 65 74 43 meout.ssout.SetC 6c 61 73 73 4c 61 79 6f 75 74 00 56 61 6c 69 64 lassLayout.Valid 61 74 65 50 75 73 68 50 6f 70 52 61 6e 67 65 49 atePushPopRangeI 6e 70 75 74 00 52 65 61 64 43 6f 6e 73 6f 6c 65 nput.ReadConsole 49 6e 70 75 74 00 68 43 6f 6e 73 6f 6c 65 49 6e Input.hConsoleIn 70 75 74 00 50 65 65 6b 43 6f 6e 73 6f 6c 65 49 put.PeekConsoleI 6e 70 75 74 00 73 74 72 49 6e 70 75 74 00 64 77 nput.strInput.dw 49 6e 70 75 74 00 69 6e 70 75 74 00 52 65 61 64 Input.input.Read 43 6f 6e 73 6f 6c 65 4f 75 74 70 75 74 00 57 72 ConsoleOutput.Wr 69 74 65 43 6f 6e 73 6f 6c 65 4f 75 74 70 75 74 iteConsoleOutput 2014-11-24 19:19:35,947 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52BA3D4, Value: 53 65 6e 64 69 6e 67 4d 65 73 73 61 67 65 00 43 SendingMessage.C 4f 52 50 72 6f 66 69 6c 65 72 52 65 6d 6f 74 69 
ORProfilerRemoti 6e 67 53 65 72 76 65 72 52 65 63 65 69 76 69 6e ngServerReceivin 67 4d 65 73 73 61 67 65 00 41 63 74 69 76 61 74 gMessage.Activat 65 57 69 74 68 4d 65 73 73 61 67 65 00 5f 6e 75 eWithMessage._nu 6c 6c 4d 65 73 73 61 67 65 00 53 65 74 43 61 6c llMessage.SetCal 6c 43 6f 6e 74 65 78 74 49 6e 4d 65 73 73 61 67 lContextInMessag 65 00 46 6f 72 6d 61 74 46 69 6c 65 4c 6f 61 64 e.FormatFileLoad 45 78 63 65 70 74 69 6f 6e 4d 65 73 73 61 67 65 ExceptionMessage 00 48 61 6e 64 6c 65 52 65 74 75 72 6e 4d 65 73 .HandleReturnMes 73 61 67 65 00 50 72 6f 70 61 67 61 74 65 43 61 sage.PropagateCa 6c 6c 43 6f 6e 74 65 78 74 46 72 6f 6d 54 68 72 llContextFromThr 65 61 64 54 6f 4d 65 73 73 61 67 65 00 50 72 6f eadToMessage.Pro 70 61 67 61 74 65 4f 75 74 67 6f 69 6e 67 48 65 pagateOutgoingHe 61 64 65 72 73 54 6f 4d 65 73 73 61 67 65 00 67 adersToMessage.g 65 74 5f 43 6f 6e 73 74 72 75 63 74 6f 72 4d 65 et_ConstructorMe 2014-11-24 19:19:35,950 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C3857, Value: 53 65 6e 64 43 72 6f 73 73 44 6f 6d 61 69 6e 00 SendCrossDomain. 6d 5f 69 73 53 61 66 65 43 72 6f 73 73 44 6f 6d m_isSafeCrossDom 61 69 6e 00 6d 5f 74 61 72 67 65 74 44 6f 6d 61 ain.m_targetDoma 69 6e 00 47 65 74 44 65 66 61 75 6c 74 44 6f 6d in.GetDefaultDom 61 69 6e 00 49 6e 64 69 63 42 65 67 69 6e 00 52 ain.IndicBegin.R 65 61 64 42 65 67 69 6e 00 57 72 69 74 65 42 65 eadBegin.WriteBe 67 69 6e 00 4d 75 6c 74 69 42 79 74 65 42 65 67 gin.MultiByteBeg 69 6e 00 41 70 70 65 6e 64 4f 72 69 67 69 6e 00 in.AppendOrigin. 45 6e 74 65 72 4d 79 4c 6f 63 6b 53 70 69 6e 00 EnterMyLockSpin. 
73 5f 52 63 6f 6e 00 67 65 74 5f 52 65 67 69 6f s_Rcon.get_Regio 6e 00 47 65 74 43 75 6c 74 75 72 65 44 61 74 61 n.GetCultureData 46 6f 72 52 65 67 69 6f 6e 00 41 64 64 41 63 63 ForRegion.AddAcc 65 73 73 45 6e 74 72 79 41 6e 64 55 6e 69 6f 6e essEntryAndUnion 00 5f 74 79 70 65 55 6e 69 6f 6e 00 6d 5f 69 67 ._typeUnion.m_ig 6e 6f 72 65 50 65 72 73 69 73 74 65 64 44 65 63 norePersistedDec 69 73 69 6f 6e 00 55 49 6e 74 33 32 50 72 65 63 ision.UInt32Prec 2014-11-24 19:19:35,956 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C6472, Value: 53 65 6e 64 65 72 00 5f 74 79 70 65 4c 69 6d 69 Sender._typeLimi 74 69 6e 67 42 69 6e 64 65 72 00 73 5f 46 6f 72 tingBinder.s_For 77 61 72 64 43 61 6c 6c 42 69 6e 64 65 72 00 64 wardCallBinder.d 65 66 61 75 6c 74 42 69 6e 64 65 72 00 6d 5f 62 efaultBinder.m_b 69 6e 64 65 72 00 53 65 72 69 61 6c 69 7a 65 44 inder.SerializeD 65 63 6f 64 65 72 00 62 55 73 65 64 45 6e 63 6f ecoder.bUsedEnco 64 65 72 00 53 65 72 69 61 6c 69 7a 65 45 6e 63 der.SerializeEnc 6f 64 65 72 00 47 65 74 59 65 61 72 4d 6f 6e 74 oder.GetYearMont 68 4f 72 64 65 72 00 43 72 65 61 74 65 50 61 72 hOrder.CreatePar 61 6d 4f 72 64 65 72 00 47 65 74 59 65 61 72 4d amOrder.GetYearM 6f 6e 74 68 44 61 79 4f 72 64 65 72 00 41 72 67 onthDayOrder.Arg 5f 41 72 72 61 79 4c 65 6e 67 74 68 73 44 69 66 _ArrayLengthsDif 66 65 72 00 46 6c 75 73 68 4f 53 42 75 66 66 65 fer.FlushOSBuffe 72 00 6d 5f 64 65 70 61 64 42 75 66 66 65 72 00 r.m_depadBuffer. 41 6c 6c 6f 63 61 74 65 42 75 66 66 65 72 00 5f AllocateBuffer._ 6c 61 72 67 65 42 79 74 65 42 75 66 66 65 72 00 largeByteBuffer. 
2014-11-24 19:19:35,960 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52D00BF, Value:
53 65 6e 64 69 6e 67 52 65 70 6c 79 00 43 4f 52 SendingReply.COR
50 72 6f 66 69 6c 65 72 52 65 6d 6f 74 69 6e 67 ProfilerRemoting
43 6c 69 65 6e 74 52 65 63 65 69 76 69 6e 67 52 ClientReceivingR
65 70 6c 79 00 43 61 6e 53 6d 75 67 67 6c 65 4f eply.CanSmuggleO
62 6a 65 63 74 44 69 72 65 63 74 6c 79 00 49 73 bjectDirectly.Is
44 75 6d 6d 79 00 53 65 74 44 75 6d 6d 79 00 53 Dummy.SetDummy.S
65 74 44 65 6e 79 00 4d 65 6d 63 70 79 00 43 68 etDeny.Memcpy.Ch
65 63 6b 4d 75 6c 74 69 43 6f 6e 74 69 6e 75 61 eckMultiContinua
74 69 6f 6e 54 61 73 6b 73 41 6e 64 43 6f 70 79 tionTasksAndCopy
00 54 68 72 65 61 64 53 61 66 65 43 6f 70 79 00 .ThreadSafeCopy.
55 6e 73 61 66 65 43 6f 70 79 00 43 72 65 61 74 UnsafeCopy.Creat
65 53 6d 75 67 67 6c 65 61 62 6c 65 43 6f 70 79 eSmuggleableCopy
00 47 65 74 49 6e 64 65 78 50 61 72 61 6d 65 74 .GetIndexParamet
65 72 73 4e 6f 43 6f 70 79 00 47 65 74 50 65 72 ersNoCopy.GetPer
6d 69 73 73 69 6f 6e 53 65 74 4e 6f 43 6f 70 79 missionSetNoCopy
00 53 65 74 50 65 72 6d 69 73 73 69 6f 6e 53 65 .SetPermissionSe
2014-11-24 19:19:35,963 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF528D9EC, Value:
44 65 6c 65 74 65 53 75 62 4b 65 79 54 72 65 65 DeleteSubKeyTree
00 67 65 74 5f 43 6f 6e 73 69 73 74 65 6e 63 79 .get_Consistency
47 75 61 72 61 6e 74 65 65 00 54 72 65 61 74 41 Guarantee.TreatA
73 53 61 66 65 00 53 79 73 74 65 6d 2e 54 68 72 sSafe.System.Thr
65 61 64 69 6e 67 2e 54 61 73 6b 73 2e 49 50 72 eading.Tasks.IPr
6f 64 75 63 65 72 43 6f 6e 73 75 6d 65 72 51 75 oducerConsumerQu
65 75 65 3c 54 3e 2e 47 65 74 43 6f 75 6e 74 53 eue<T>.GetCountS
61 66 65 00 44 65 70 6c 6f 79 6d 65 6e 74 4d 65 afe.DeploymentMe
74 61 64 61 74 61 5f 4d 61 78 69 6d 75 6d 41 67 tadata_MaximumAg
65 00 67 65 74 5f 4d 61 78 69 6d 75 6d 41 67 65 e.get_MaximumAge
00 42 67 65 00 67 65 74 5f 45 42 43 44 49 43 43 .Bge.get_EBCDICC
6f 64 65 50 61 67 65 00 67 65 74 5f 41 4e 53 49 odePage.get_ANSI
43 6f 64 65 50 61 67 65 00 67 65 74 5f 4f 45 4d CodePage.get_OEM
43 6f 64 65 50 61 67 65 00 67 65 74 5f 43 6f 64 CodePage.get_Cod
65 50 61 67 65 00 67 65 74 5f 4d 61 63 43 6f 64 ePage.get_MacCod
65 50 61 67 65 00 67 65 74 5f 57 69 6e 64 6f 77 ePage.get_Window
2014-11-24 19:19:35,964 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF529E130, Value:
44 65 6c 65 74 65 53 75 62 4b 65 79 00 49 6e 76 DeleteSubKey.Inv
61 6c 69 64 4f 70 65 72 61 74 69 6f 6e 5f 52 65 alidOperation_Re
67 52 65 6d 6f 76 65 53 75 62 4b 65 79 00 73 65 gRemoveSubKey.se
74 5f 50 75 62 6c 69 63 4b 65 79 00 53 74 72 6f t_PublicKey.Stro
6e 67 4e 61 6d 65 54 6f 6b 65 6e 46 72 6f 6d 50 ngNameTokenFromP
75 62 6c 69 63 4b 65 79 00 53 74 72 6f 6e 67 4e ublicKey.StrongN
61 6d 65 47 65 74 50 75 62 6c 69 63 4b 65 79 00 ameGetPublicKey.
53 65 74 50 75 62 6c 69 63 4b 65 79 00 52 65 61 SetPublicKey.Rea
64 4b 65 79 00 45 6e 68 61 6e 63 65 64 4b 65 79 dKey.EnhancedKey
00 55 73 65 55 73 65 72 50 72 6f 74 65 63 74 65 .UseUserProtecte
64 4b 65 79 00 47 65 6e 65 72 61 74 65 52 65 66 dKey.GenerateRef
65 72 65 6e 63 65 4b 65 79 00 55 73 65 4e 6f 6e erenceKey.UseNon
45 78 70 6f 72 74 61 62 6c 65 4b 65 79 00 55 73 ExportableKey.Us
65 41 72 63 68 69 76 61 62 6c 65 4b 65 79 00 4f eArchivableKey.O
70 65 6e 52 65 6d 6f 74 65 42 61 73 65 4b 65 79 penRemoteBaseKey
00 4f 70 65 6e 42 61 73 65 4b 65 79 00 5f 47 65 .OpenBaseKey._Ge
2014-11-24 19:19:35,967 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C1E0C, Value:
44 65 6c 65 74 65 53 75 62 4b 65 79 54 72 65 65 DeleteSubKeyTree
49 6e 74 65 72 6e 61 6c 00 47 65 74 45 76 65 6e Internal.GetEven
74 52 65 67 69 73 74 72 61 74 69 6f 6e 54 6f 6b tRegistrationTok
65 6e 54 61 62 6c 65 49 6e 74 65 72 6e 61 6c 00 enTableInternal.
52 65 73 6f 6c 76 65 46 69 65 6c 64 48 61 6e 64 ResolveFieldHand
6c 65 49 6e 74 65 72 6e 61 6c 00 52 65 73 6f 6c leInternal.Resol
76 65 4d 65 74 68 6f 64 48 61 6e 64 6c 65 49 6e veMethodHandleIn
74 65 72 6e 61 6c 00 52 65 73 6f 6c 76 65 54 79 ternal.ResolveTy
70 65 48 61 6e 64 6c 65 49 6e 74 65 72 6e 61 6c peHandleInternal
00 44 65 66 69 6e 65 44 79 6e 61 6d 69 63 4d 6f .DefineDynamicMo
64 75 6c 65 49 6e 74 65 72 6e 61 6c 00 67 65 74 duleInternal.get
5f 4e 61 6d 65 49 6e 74 65 72 6e 61 6c 00 47 65 _NameInternal.Ge
74 54 79 70 65 4c 69 62 4e 61 6d 65 49 6e 74 65 tTypeLibNameInte
72 6e 61 6c 00 4c 6f 61 64 57 69 74 68 50 61 72 rnal.LoadWithPar
74 69 61 6c 4e 61 6d 65 49 6e 74 65 72 6e 61 6c tialNameInternal
00 47 65 74 4d 61 6e 61 67 65 64 54 79 70 65 49 .GetManagedTypeI
2014-11-24 19:19:35,969 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF528E950, Value:
67 65 74 5f 4d 61 63 68 69 6e 65 4e 61 6d 65 00 get_MachineName.
67 65 74 5f 53 63 6f 70 65 4e 61 6d 65 00 73 65 get_ScopeName.se
74 5f 54 79 70 65 4e 61 6d 65 00 67 65 74 5f 56 t_TypeName.get_V
69 73 75 61 6c 69 7a 65 72 4f 62 6a 65 63 74 53 isualizerObjectS
6f 75 72 63 65 54 79 70 65 4e 61 6d 65 00 67 65 ourceTypeName.ge
74 5f 46 75 6c 6c 54 79 70 65 4e 61 6d 65 00 73 t_FullTypeName.s
65 74 5f 46 75 6c 6c 54 79 70 65 4e 61 6d 65 00 et_FullTypeName.
67 65 74 5f 58 6d 6c 54 79 70 65 4e 61 6d 65 00 get_XmlTypeName.
73 65 74 5f 58 6d 6c 54 79 70 65 4e 61 6d 65 00 set_XmlTypeName.
43 61 6e 43 61 73 74 54 6f 58 6d 6c 54 79 70 65 CanCastToXmlType
4e 61 6d 65 00 67 65 74 5f 41 63 74 69 76 61 74 Name.get_Activat
69 6f 6e 54 79 70 65 4e 61 6d 65 00 46 69 6c 74 ionTypeName.Filt
65 72 54 79 70 65 4e 61 6d 65 00 67 65 74 5f 56 erTypeName.get_V
69 73 75 61 6c 69 7a 65 72 54 79 70 65 4e 61 6d isualizerTypeNam
65 00 67 65 74 5f 49 6e 76 61 6c 69 64 43 75 6c e.get_InvalidCul
74 75 72 65 4e 61 6d 65 00 6c 61 73 74 43 75 6c tureName.lastCul
2014-11-24 19:19:35,973 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52706CF, Value:
67 65 74 5f 55 73 65 72 4e 61 6d 65 00 41 64 64 get_UserName.Add
50 65 72 6d 69 73 73 69 6f 6e 00 49 73 53 75 62 Permission.IsSub
63 6c 61 73 73 4f 66 00 47 65 74 50 72 6f 70 65 classOf.GetPrope
72 74 79 49 6d 70 6c 00 47 65 74 49 6e 74 65 72 rtyImpl.GetInter
66 61 63 65 73 00 67 65 74 5f 54 61 72 67 65 74 faces.get_Target
00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e .System.Runtime.
49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e InteropServices.
5f 54 79 70 65 2e 47 65 74 54 79 70 65 49 6e 66 _Type.GetTypeInf
6f 43 6f 75 6e 74 00 49 73 49 6e 73 74 61 6e 63 oCount.IsInstanc
65 4f 66 54 79 70 65 00 73 65 74 5f 46 6f 72 65 eOfType.set_Fore
67 72 6f 75 6e 64 43 6f 6c 6f 72 00 73 65 74 5f groundColor.set_
42 61 63 6b 67 72 6f 75 6e 64 43 6f 6c 6f 72 00 BackgroundColor.
67 65 74 5f 45 72 72 6f 72 00 73 65 74 5f 4c 65 get_Error.set_Le
61 73 65 54 69 6d 65 00 73 65 74 5f 4c 65 61 73 aseTime.set_Leas
65 4d 61 6e 61 67 65 72 50 6f 6c 6c 54 69 6d 65 eManagerPollTime
00 47 65 74 43 61 6c 6c 69 6e 67 41 73 73 65 6d .GetCallingAssem
2014-11-24 19:19:35,974 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527D84F, Value:
67 65 74 5f 4c 61 73 74 57 72 69 74 65 54 69 6d get_LastWriteTim
65 00 67 65 74 5f 54 69 6d 65 4f 66 44 61 79 00 e.get_TimeOfDay.
41 64 64 53 65 63 6f 6e 64 73 00 6d 5f 72 65 73 AddSeconds.m_res
6f 75 72 63 65 73 00 43 6f 70 79 45 6e 74 72 69 ources.CopyEntri
65 73 00 67 65 74 5f 49 74 65 6d 32 00 67 65 74 es.get_Item2.get
5f 49 74 65 6d 31 00 6d 5f 49 74 65 6d 32 00 6d _Item1.m_Item2.m
5f 49 74 65 6d 31 00 47 65 74 47 65 74 4d 65 74 _Item1.GetGetMet
68 6f 64 00 49 6e 74 65 72 6e 61 6c 47 65 74 53 hod.InternalGetS
79 73 74 65 6d 44 65 66 61 75 6c 74 55 49 4c 61 ystemDefaultUILa
6e 67 75 61 67 65 00 67 65 74 5f 55 73 65 72 44 nguage.get_UserD
65 66 61 75 6c 74 43 75 6c 74 75 72 65 00 67 65 efaultCulture.ge
74 5f 50 61 72 65 6e 74 00 49 6e 74 65 72 6e 61 t_Parent.Interna
6c 47 65 74 52 65 73 6f 75 72 63 65 53 65 74 00 lGetResourceSet.
53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f System.Collectio
6e 73 2e 49 53 74 72 75 63 74 75 72 61 6c 45 71 ns.IStructuralEq
75 61 74 61 62 6c 65 2e 45 71 75 61 6c 73 00 53 uatable.Equals.S
2014-11-24 19:19:35,976 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52813D2, Value:
67 65 74 5f 4c 61 73 74 57 72 69 74 65 54 69 6d get_LastWriteTim
65 55 74 63 00 67 65 74 5f 43 72 65 61 74 69 6f eUtc.get_Creatio
6e 54 69 6d 65 55 74 63 00 47 65 74 4f 6e 65 59 nTimeUtc.GetOneY
65 61 72 4c 6f 63 61 6c 46 72 6f 6d 55 74 63 00 earLocalFromUtc.
6d 5f 6f 6e 65 59 65 61 72 4c 6f 63 61 6c 46 72 m_oneYearLocalFr
6f 6d 55 74 63 00 47 65 74 49 73 44 61 79 6c 69 omUtc.GetIsDayli
67 68 74 53 61 76 69 6e 67 73 46 72 6f 6d 55 74 ghtSavingsFromUt
63 00 47 65 74 44 61 74 65 54 69 6d 65 4e 6f 77 c.GetDateTimeNow
55 74 63 4f 66 66 73 65 74 46 72 6f 6d 55 74 63 UtcOffsetFromUtc
00 43 6f 6e 76 65 72 74 54 69 6d 65 54 6f 55 74 .ConvertTimeToUt
63 00 67 65 74 5f 49 64 00 47 65 74 4c 6f 67 6f c.get_Id.GetLogo
6e 41 75 74 68 49 64 00 49 6e 74 65 72 6e 61 6c nAuthId.Internal
47 65 74 49 64 00 6d 5f 64 00 54 72 69 6d 48 65 GetId.m_d.TrimHe
61 64 00 49 6e 74 65 72 6e 61 6c 45 6d 75 6c 61 ad.InternalEmula
74 65 52 65 61 64 00 6d 5f 72 65 61 64 00 49 73 teRead.m_read.Is
46 69 6e 61 6c 69 7a 69 6e 67 46 6f 72 55 6e 6c FinalizingForUnl
2014-11-24 19:19:35,979 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52A8776, Value:
47 65 74 56 6f 6c 75 6d 65 49 6e 66 6f 72 6d 61 GetVolumeInforma
74 69 6f 6e 00 6c 70 44 79 6e 61 6d 69 63 54 69 tion.lpDynamicTi
6d 65 5a 6f 6e 65 49 6e 66 6f 72 6d 61 74 69 6f meZoneInformatio
6e 00 6c 70 54 69 6d 65 5a 6f 6e 65 49 6e 66 6f n.lpTimeZoneInfo
72 6d 61 74 69 6f 6e 00 47 65 74 54 69 6d 65 5a rmation.GetTimeZ
6f 6e 65 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 64 oneInformation.d
65 66 61 75 6c 74 54 69 6d 65 5a 6f 6e 65 49 6e efaultTimeZoneIn
66 6f 72 6d 61 74 69 6f 6e 00 74 69 6d 65 5a 6f formation.timeZo
6e 65 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 74 79 neInformation.ty
70 65 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 6c 70 peInformation.lp
4e 6c 73 56 65 72 73 69 6f 6e 49 6e 66 6f 72 6d NlsVersionInform
61 74 69 6f 6e 00 41 75 74 68 65 6e 74 69 63 61 ation.Authentica
74 69 6f 6e 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 tionInformation.
47 65 74 55 73 65 72 4f 62 6a 65 63 74 49 6e 66 GetUserObjectInf
6f 72 6d 61 74 69 6f 6e 00 73 65 63 75 72 69 74 ormation.securit
79 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 6d 65 74 yInformation.met
2014-11-24 20:39:55,796 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01AEA, Value:
6d 6f 64 41 50 49 24 6d 6f 64 32 00 6d 6f 64 41 modAPI$mod2.modA
75 64 69 6f 24 6d 6f 64 33 00 6d 6f 64 42 74 4b udio$mod3.modBtK
69 6c 6c 65 72 24 6d 6f 64 34 00 6d 6f 64 43 72 iller$mod4.modCr
79 70 74 24 6d 6f 64 35 00 6d 6f 64 46 75 63 74 ypt$mod5.modFuct
69 6f 6e 73 24 6d 6f 64 36 00 6d 6f 64 48 69 6a ions$mod6.modHij
61 63 6b 24 6d 6f 64 37 00 6d 6f 64 49 43 61 6c ack$mod7.modICal
6c 42 61 63 6b 24 6d 6f 64 38 00 6d 6f 64 49 49 lBack$mod8.modII
6e 65 74 24 6d 6f 64 39 00 6d 6f 64 49 6e 66 65 net$mod9.modInfe
63 74 24 6d 6f 64 31 30 00 6d 6f 64 49 6e 6a 50 ct$mod10.modInjP
45 24 6d 6f 64 31 31 00 6d 6f 64 4c 61 75 6e 63 E$mod11.modLaunc
68 57 65 62 24 6d 6f 64 31 32 00 6d 6f 64 4f 53 hWeb$mod12.modOS
24 6d 6f 64 31 33 00 6d 6f 64 50 57 73 24 6d 6f $mod13.modPWs$mo
64 31 34 00 6d 6f 64 52 65 67 69 73 74 72 79 24 d14.modRegistry$
6d 6f 64 31 35 00 6d 6f 64 53 63 72 65 65 6e 63 mod15.modScreenc
61 70 24 6d 6f 64 31 36 00 6d 6f 64 53 6e 69 66 ap$mod16.modSnif
66 24 6d 6f 64 31 37 00 6d 6f 64 53 6f 63 6b 65 f$mod17.modSocke
2014-11-24 20:39:55,798 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01AF6, Value:
6d 6f 64 41 75 64 69 6f 24 6d 6f 64 33 00 6d 6f modAudio$mod3.mo
64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 00 6d dBtKiller$mod4.m
6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f 64 odCrypt$mod5.mod
46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d 6f Fuctions$mod6.mo
64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 dHijack$mod7.mod
49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 6d ICallBack$mod8.m
6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 odIInet$mod9.mod
49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f 64 Infect$mod10.mod
49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 4c InjPE$mod11.modL
61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 6d aunchWeb$mod12.m
6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 57 odOS$mod13.modPW
73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 73 s$mod14.modRegis
74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 72 try$mod15.modScr
65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f 64 eencap$mod16.mod
53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 53 Sniff$mod17.modS
6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 31 ocketMaster$mod1
2014-11-24 20:39:55,799 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B04, Value:
6d 6f 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 modBtKiller$mod4
00 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d .modCrypt$mod5.m
6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 odFuctions$mod6.
6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m
6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8
00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m
6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m
6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo
64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12
00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod
50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg
69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS
63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m
6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo
64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo
64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo
2014-11-24 20:39:55,803 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B15, Value:
6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f modCrypt$mod5.mo
64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d dFuctions$mod6.m
6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f odHijack$mod7.mo
64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 dICallBack$mod8.
6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo
64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo
64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod
4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
2014-11-24 20:39:55,805 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B23, Value:
6d 6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 modFuctions$mod6
00 6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 .modHijack$mod7.
6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod
38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
2014-11-24 20:39:55,808 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B34, Value:
6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m
6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8
00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m
6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m
6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo
64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12
00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod
50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg
69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS
63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m
6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo
64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo
64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo
64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 d19.modSqueezer$
6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 mod20.modSS$mod2
31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 1.modTorrentSeed
2014-11-24 20:39:55,809 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B43, Value:
6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod
38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
2014-11-24 20:39:55,812 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B55, Value:
6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo
64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo
64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod
4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21
00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$
74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t
6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr
2014-11-24 20:39:55,813 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B63, Value:
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
2014-11-24 20:39:55,815 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B73, Value:
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5
2014-11-24 20:39:55,818 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B82, Value:
6d 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 modLaunchWeb$mod
31 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 12.modOS$mod13.m
6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 odPWs$mod14.modR
65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f egistry$mod15.mo
64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 dScreencap$mod16
00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 .modSniff$mod17.
6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$
6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$
6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze
72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo
64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe
65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm
73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$
74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t
6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr
35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.
2014-11-24 20:39:55,819 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B95, Value:
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21
00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$
74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t
6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr
33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 3.tmrAnslut$tmr4
00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 .tmrAudio$tmr5.t
6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 mrBlink$tmr6.tmr
43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f Check$tmr7.tmrCo
2014-11-24 20:39:55,822 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BA1, Value:
6d 6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 modPWs$mod14.mod
52 65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d Registry$mod15.m
6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 odScreencap$mod1
36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 6.modSniff$mod17
00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 .modSocketMaster
24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 $mod18.modSpread
24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a $mod19.modSqueez
65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d er$mod20.modSS$m
6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 od21.modTorrentS
65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 eed$tmr1.tmrAlar
6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 ms$tmr2.tmrAlive
24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 $tmr3.tmrAnslut$
74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d tmr4.tmrAudio$tm
72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 r5.tmrBlink$tmr6
00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 .tmrCheck$tmr7.t
6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 mrCountdown$tmr8
2014-11-24 20:39:55,823 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BAE, Value:
6d 6f 64 52 65 67 69 73 74 72 79 24 6d 6f 64 31 modRegistry$mod1
35 00 6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 5.modScreencap$m
6f 64 31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f od16.modSniff$mo
64 31 37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 d17.modSocketMas
74 65 72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 ter$mod18.modSpr
65 61 64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 ead$mod19.modSqu
65 65 7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 eezer$mod20.modS
53 24 6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 S$mod21.modTorre
6e 74 53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 ntSeed$tmr1.tmrA
6c 61 72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c larms$tmr2.tmrAl
69 76 65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c ive$tmr3.tmrAnsl
75 74 24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f ut$tmr4.tmrAudio
24 74 6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 $tmr5.tmrBlink$t
6d 72 36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 mr6.tmrCheck$tmr
37 00 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 7.tmrCountdown$t
6d 72 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 mr8.tmrCrazy$tmr
2014-11-24 20:39:55,825 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BC0, Value:
6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 modScreencap$mod
31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 16.modSniff$mod1
37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 7.modSocketMaste
72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 r$mod18.modSprea
64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 d$mod19.modSquee
7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 zer$mod20.modSS$
6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 mod21.modTorrent
53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 Seed$tmr1.tmrAla
72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 rms$tmr2.tmrAliv
65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 e$tmr3.tmrAnslut
24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 $tmr4.tmrAudio$t
6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 mr5.tmrBlink$tmr
36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 6.tmrCheck$tmr7.
74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr
38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.
74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr
2014-11-24 20:39:55,832 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BD3, Value:
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5
00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 .tmrBlink$tmr6.t
6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 mrCheck$tmr7.tmr
43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 Countdown$tmr8.t
6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 mrCrazy$tmr9.tmr
44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 DOS$tmr10.tmrDoW
6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 ork$tmr11.tmrFoc
2014-11-24 20:39:55,835 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BE2, Value:
6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$
6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$
6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze
72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo
64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe
65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm
73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$
74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t
6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr
35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.
74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm
72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.
74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra
2014-11-24 20:39:55,836 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BF8, Value:
6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 31 39 00 modSpread$mod19.
6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2
30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo
64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr
31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2
00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t
6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm
72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB
6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe
63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount
64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra
7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t
6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t
6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm
72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t
6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi
2014-11-24 20:39:55,842 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C08, Value:
6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2
30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo
64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr
31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2
00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t
6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm
72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB
6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe
63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount
64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra
7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t
6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t
6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm
72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t
6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi
74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 tet$tmr14.tmrInf
2014-11-24 20:39:55,846 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C1A, Value:
6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 64 54 modSS$mod21.modT
6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 31 00 orrentSeed$tmr1.
74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t
6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr
41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA
75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli
6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck
24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo
77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy
24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr
31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr
31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1
32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr
31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite
74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT
4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter
2014-11-24 20:39:55,848 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C26, Value:
6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 modTorrentSeed$t
6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d mr1.tmrAlarms$tm
72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 r2.tmrAlive$tmr3
00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 .tmrAnslut$tmr4.
74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm
72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC
68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou
6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC
72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS
24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork
24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$
74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber
24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti
76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI
6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI
6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm
2014-11-24 20:39:55,851 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C3A, Value:
74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t
6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr
41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA
75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli
6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck
24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo
77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy
24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr
31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr
31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1
32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr
31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite
74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT
4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter
76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 valUpdate$tmr16.
74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm
2014-11-24 20:39:55,855 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C49, Value:
74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d tmrAlive$tmr3.tm
72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 rAnslut$tmr4.tmr
41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c Audio$tmr5.tmrBl
69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 ink$tmr6.tmrChec
6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 k$tmr7.tmrCountd
6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a own$tmr8.tmrCraz
79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d y$tmr9.tmrDOS$tm
72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d r10.tmrDoWork$tm
72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 r11.tmrFocus$tmr
31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 12.tmrGrabber$tm
72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 r13.tmrInaktivit
65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f et$tmr14.tmrInfo
54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 TO$tmr15.tmrInte
72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 rvalUpdate$tmr16
00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 .tmrLiveLogger$t
6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 mr17.tmrPersista
2014-11-24 20:39:55,857 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C57, Value:
74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 tmrAnslut$tmr4.t
6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 mrAudio$tmr5.tmr
42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 Blink$tmr6.tmrCh
65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e eck$tmr7.tmrCoun
74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 tdown$tmr8.tmrCr
61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 azy$tmr9.tmrDOS$
74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 tmr10.tmrDoWork$
74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 tmr11.tmrFocus$t
6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 mr12.tmrGrabber$
74 6d 72 31 33 00 74 6d 72 49 6e 61 6b
74 69 76 tmr13.tmrInaktiv 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e itet$tmr14.tmrIn 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e foTO$tmr15.tmrIn 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 tervalUpdate$tmr 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 16.tmrLiveLogger 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 $tmr17.tmrPersis 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 63 tant$tmr18.tmrSc 2014-11-24 20:39:55,858 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C66, Value: 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$ 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 r16.tmrLiveLogge 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 r$tmr17.tmrPersi 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 stant$tmr18.tmrS 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 39 00 creenshot$tmr19. 
2014-11-24 20:39:55,861 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C74, Value: 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d tmrBlink$tmr6.tm 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 rCheck$tmr7.tmrC 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d ountdown$tmr8.tm 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 rCrazy$tmr9.tmrD 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f OS$tmr10.tmrDoWo 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 rk$tmr11.tmrFocu 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 s$tmr12.tmrGrabb 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b er$tmr13.tmrInak 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d tivitet$tmr14.tm 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d rInfoTO$tmr15.tm 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 rIntervalUpdate$ 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 tmr16.tmrLiveLog 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 ger$tmr17.tmrPer 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d sistant$tmr18.tm 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 rScreenshot$tmr1 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 9.tmrSpara$tmr20 2014-11-24 20:39:55,865 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C82, Value: 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8. 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14. 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15. 
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 2014-11-24 20:39:55,867 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C90, Value: 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9. 74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr 46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG 72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr 49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1 35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd 61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$ 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22 2014-11-24 20:39:55,868 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CA2, Value: 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo 63 75 73 24 74 6d 72 31 32 00 74 6d 72 
47 72 61 cus$tmr12.tmrGra 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14. 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15. 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 2014-11-24 20:39:55,871 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CB0, Value: 74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr 46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG 72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr 49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1 35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd 61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$ 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d .tmrUDP$tmr23.tm 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 rWebHideBlackSha 2014-11-24 
20:39:55,872 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CBD, Value: 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 tmrDoWork$tmr11. 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13. 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 2014-11-24 20:39:55,875 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CCD, Value: 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13. 
74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$ 2014-11-24 20:39:55,875 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CDC, Value: 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 tmrGrabber$tmr13 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 .tmrInaktivitet$ 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 tmr14.tmrInfoTO$ 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 tmr15.tmrInterva 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d lUpdate$tmr16.tm 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 rLiveLogger$tmr1 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 7.tmrPersistant$ 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 tmr18.tmrScreens 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 hot$tmr19.tmrSpa 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 ra$tmr20.tmrSpri 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 d$tmr21.tmrTCP$t 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 mr22.tmrUDP$tmr2 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 3.tmrWebHideBlac 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f kShades.detectio 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 
00 n.DarkComet.RAT. 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 $bot1.#BOT#OpenU 2014-11-24 20:39:55,878 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CED, Value: 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$ 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 bot1.#BOT#OpenUr 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 l$bot2.#BOT#Ping 2014-11-24 20:39:55,880 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D02, Value: 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15. 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 2014-11-24 20:39:55,881 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D12, Value: 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 2014-11-24 20:39:55,884 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D2A, Value: 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e r17.tmrPersistan 74 24 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 t$tmr18.tmrScree 6e 73 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 nshot$tmr19.tmrS 70 61 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 para$tmr20.tmrSp 72 69 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 rid$tmr21.tmrTCP 24 74 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d $tmr22.tmrUDP$tm 72 32 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c r23.tmrWebHideBl 61 63 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 ackShades.detect 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 ion.DarkComet.RA 54 00 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 T.$bot1.#BOT#Ope 6e 55 72 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 nUrl$bot2.#BOT#P 69 6e 67 24 62 6f 74 33 00 23 42 4f 54 23 52 75 ing$bot3.#BOT#Ru 6e 50 72 6f 6d 70 74 24 62 6f 74 34 00 23 42 4f nPrompt$bot4.#BO 54 23 53 76 72 55 6e 69 6e 73 74 61 6c 6c 24 62 T#SvrUninstall$b 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 6f 77 6e ot5.#BOT#URLDown 2014-11-24 20:39:55,888 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D3E, Value: 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d tmrPersistant$tm 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f r18.tmrScreensho 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 t$tmr19.tmrSpara 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 $tmr20.tmrSprid$ 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 tmr21.tmrTCP$tmr 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 22.tmrUDP$tmr23. 
74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection. 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$ 62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro 6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv 72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5. 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 2014-11-24 20:39:55,890 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D52, Value: 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit 2014-11-24 20:39:55,891 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D66, Value: 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 00 74 tmrSpara$tmr20.t 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 6d mrSprid$tmr21.tm 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 44 rTCP$tmr22.tmrUD 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 69 P$tmr23.tmrWebHi 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 65 deBlackShades.de 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 tection.DarkCome 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f 54 t.RAT.$bot1.#BOT 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 42 #OpenUrl$bot2.#B 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 4f OT#Ping$bot3.#BO 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 34 T#RunPrompt$bot4 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 .#BOT#SvrUninsta 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c ll$bot5.#BOT#URL 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 Download$bot6.#B 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 OT#URLUpdate$bot 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 7.#BOT#VisitUrl$ 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 bot8.#BOT#CloseS 2014-11-24 20:39:55,894 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D75, Value: 74 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 tmrSprid$tmr21.t 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 mrTCP$tmr22.tmrU 44 50 24 74 6d 72 32 33 00 74 6d 72 57 
65 62 48 DP$tmr23.tmrWebH 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 ideBlackShades.d 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d etection.DarkCom 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f et.RAT.$bot1.#BO 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 T#OpenUrl$bot2.# 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 BOT#Ping$bot3.#B 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 OT#RunPrompt$bot 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 4.#BOT#SvrUninst 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 all$bot5.#BOT#UR 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 LDownload$bot6.# 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f BOT#URLUpdate$bo 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c t7.#BOT#VisitUrl 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 $bot8.#BOT#Close 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f Server$ddos1.DDO 2014-11-24 20:39:55,900 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D84, Value: 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 tmrTCP$tmr22.tmr 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 UDP$tmr23.tmrWeb 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 HideBlackShades. 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f detection.DarkCo 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 met.RAT.$bot1.#B 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 OT#OpenUrl$bot2. 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.# 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6. 
23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos 2014-11-24 20:39:55,901 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D91, Value: 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 tmrUDP$tmr23.tmr 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 WebHideBlackShad 65 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 es.detection.Dar 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 kComet.RAT.$bot1 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f .#BOT#OpenUrl$bo 74 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 t2.#BOT#Ping$bot 33 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 3.#BOT#RunPrompt 24 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e $bot4.#BOT#SvrUn 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f install$bot5.#BO 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f T#URLDownload$bo 74 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 t6.#BOT#URLUpdat 65 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 e$bot7.#BOT#Visi 74 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 tUrl$bot8.#BOT#C 6c 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 loseServer$ddos1 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 .DDOSHTTPFLOOD$d 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f dos2.DDOSSYNFLOO 2014-11-24 20:39:55,905 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D9E, Value: 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection. 
44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$ 62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro 6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv 72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5. 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V 69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO 54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd 6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO 44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU 2014-11-24 20:39:55,907 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01DD2, Value: 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c Url$bot8.#BOT#Cl 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 oseServer$ddos1. 
44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD 24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2. 2014-11-24 20:39:55,910 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01DE4, Value: 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.# 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6. 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 2014-11-24 20:39:55,914 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01DF3, Value: 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 #BOT#RunPrompt$b 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e ot4.#BOT#SvrUnin 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 stall$bot5.#BOT# 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 URLDownload$bot6 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 
65 24 .#BOT#URLUpdate$ 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 bot7.#BOT#VisitU 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f rl$bot8.#BOT#Clo 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 seServer$ddos1.D 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f DOSHTTPFLOOD$ddo 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 s2.DDOSSYNFLOOD$ 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f ddos3.DDOSUDPFLO 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 OD$keylogger1.Ac 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 ger$keylogger2.U 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 nActiveOnlineKey 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger 2014-11-24 20:39:55,915 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E07, Value: 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 6c #BOT#SvrUninstal 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 l$bot5.#BOT#URLD 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 4f ownload$bot6.#BO 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 37 T#URLUpdate$bot7 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 .#BOT#VisitUrl$b 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 ot8.#BOT#CloseSe 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 rver$ddos1.DDOSH 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 TTPFLOOD$ddos2.D 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 DOSSYNFLOOD$ddos 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 3.DDOSUDPFLOOD$k 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 eylogger1.Active 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 OnlineKeylogger$ 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 keylogger2.UnAct 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 er$keylogger3.Ac 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo 2014-11-24 20:39:55,917 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: 
DarkComet at address: 0x7FEEAE01E1E, Value: 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V 69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO 54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd 6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO 44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 DPFLOOD$keylogge 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b r1.ActiveOnlineK 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg 65 72 32 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 er2.UnActiveOnli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl 6f 67 67 65 72 33 00 41 63 74 69 76 65 4f 66 66 ogger3.ActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke 79 6c 6f 67 67 65 72 34 00 55 6e 41 63 74 69 76 ylogger4.UnActiv 2014-11-24 20:39:55,918 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E34, Value: 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3 00 
41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel 2014-11-24 20:39:55,921 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E48, Value: 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 6f #BOT#VisitUrl$bo 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 t8.#BOT#CloseSer 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 54 ver$ddos1.DDOSHT 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 TPFLOOD$ddos2.DD 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 OSSYNFLOOD$ddos3 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 .DDOSUDPFLOOD$ke 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f ylogger1.ActiveO 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 eylogger2.UnActi 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 veOnlineKeylogge 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 r$keylogger3.Act 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 iveOfflineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 ger$keylogger4.U 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 nActiveOfflineKe 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 ylogger$shell1.A 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c CTIVEREMOTESHELL 2014-11-24 20:39:55,923 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E5B, Value: 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 76 65 72 #BOT#CloseServer 24 64 64 6f 73 31 00 44 44 4f 53 48 54 54 50 46 $ddos1.DDOSHTTPF 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 4f 53 53 LOOD$ddos2.DDOSS 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 YNFLOOD$ddos3.DD 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f OSUDPFLOOD$keylo 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 gger1.ActiveOnli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 
6c neKeylogger$keyl 6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 65 4f ogger2.UnActiveO 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 76 65 eylogger3.Active 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 OfflineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e 41 63 $keylogger4.UnAc 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 54 49 gger$shell1.ACTI 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 VEREMOTESHELL$sh 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 45 53 ell2.SUBMREMOTES 2014-11-24 20:39:55,924 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E72, Value: 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD 24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2. 
55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES 2014-11-24 20:39:55,928 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E86, Value: 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f DDOSSYNFLOOD$ddo 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 s3.DDOSUDPFLOOD$ 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 keylogger1.Activ 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 $keylogger2.UnAc 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 ger$keylogger3.A 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c ctiveOfflineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 ogger$keylogger4 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 .UnActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 Keylogger$shell1 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 .ACTIVEREMOTESHE 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 LL$shell2.SUBMRE 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 MOTESHELL$shell3 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c .KILLREMOTESHELL 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 DarkComet.detect 2014-11-24 20:39:55,930 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E99, Value: 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 
65 79 DDOSUDPFLOOD$key 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e logger1.ActiveOn 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 ylogger2.UnActiv 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 $keylogger3.Acti 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 veOfflineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e er$keylogger4.Un 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$ 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str 2014-11-24 20:39:55,933 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01EB1, Value: 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 ogger$keylogger2 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b .UnActiveOnlineK 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg 65 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e er3.ActiveOfflin 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f eKeylogger$keylo 67 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 gger4.UnActiveOf 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 flineKeylogger$s 68 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f hell1.ACTIVEREMO 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 TESHELL$shell2.S 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 UBMREMOTESHELL$s 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 hell3.KILLREMOTE 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 SHELLDarkComet.d 65 74 65 63 74 69 6f 6e 
00 58 74 72 65 6d 65 20 etection.Xtreme. 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 RAT.$string1.Xtr 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 emeKeylogger$str 2014-11-24 20:39:55,934 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01ED4, Value: 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 l1.ACTIVEREMOTES 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d HELL$shell2.SUBM 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c REMOTESHELL$shel 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 l3.KILLREMOTESHE 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 LLDarkComet.dete 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 ction.Xtreme.RAT 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 .$string1.Xtreme 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 Keylogger$string 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 2.XtremeRAT$stri 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 ng3.XTREMEUPDATE 2014-11-24 20:39:55,940 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01ED2, Value: 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU 42 
4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 HELLDarkComet.de 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 tection.Xtreme.R 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 AT.$string1.Xtre 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 meKeylogger$stri 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 ng2.XtremeRAT$st 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 ring3.XTREMEUPDA 2014-11-24 20:39:55,943 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01EF5, Value: 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 4.UnActiveOfflin 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c eKeylogger$shell 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 1.ACTIVEREMOTESH 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 ELL$shell2.SUBMR 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c EMOTESHELL$shell 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 3.KILLREMOTESHEL 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 LDarkComet.detec 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 tion.Xtreme.RAT. 
24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b $string1.XtremeK 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 eylogger$string2 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e .XtremeRAT$strin 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 g3.XTREMEUPDATE$ 73 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 string4.STUBXTRE 4d 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 MEINJECTED$unit1 2014-11-24 20:39:55,947 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F19, Value: 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$ 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 6c 6f ing1.XtremeKeylo 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 74 72 gger$string2.Xtr 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 00 58 emeRAT$string3.X 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 69 TREMEUPDATE$stri 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 4e ng4.STUBXTREMEIN 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e 69 JECTED$unit1.Uni 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 00 b1 tConfig......... b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 00 8f .........]...... 2014-11-24 20:39:55,948 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F17, Value: 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b UnActiveOfflineK 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 eylogger$shell1. 
41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3. 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 nitConfig....... 00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 ...........].... 2014-11-24 20:39:55,950 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F37, Value: 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3. 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 nitConfig....... 00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 ...........].... 
00 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 00 ................ 00 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 00 ...........v.... 2014-11-24 20:39:55,953 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F50, Value: 53 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 SUBMREMOTESHELL$ 73 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 shell3.KILLREMOT 45 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 ESHELLDarkComet. 64 65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 detection.Xtreme 20 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 .RAT.$string1.Xt 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 remeKeylogger$st 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 ring2.XtremeRAT$ 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 string3.XTREMEUP 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 54 55 DATE$string4.STU 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 44 24 BXTREMEINJECTED$ 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 69 67 unit1.UnitConfig 00 00 00 00 00 00 80 00 b1 b4 88 07 00 00 00 00 ................ b0 7f 5d 07 00 00 00 00 8f ed ee ec 05 00 01 06 ..]............. 00 00 00 00 00 00 00 00 00 01 01 00 00 00 00 00 ................ d8 1f 76 0a 00 00 00 00 e7 91 1d 4e 83 be a1 ed ..v........N.... 01 00 00 00 88 00 00 00 50 c5 21 07 00 00 00 00 ........P.!..... 
2014-11-24 20:39:55,957 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F67, Value: 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 nitConfig....... 00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 ...........].... 00 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 00 ................ 00 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 00 ...........v.... 00 e7 91 1d 4e 83 be a1 ed 01 00 00 00 88 00 00 ....N........... 00 50 c5 21 07 00 00 00 00 04 00 00 00 00 00 00 .P.!............ 21 00 00 00 00 00 00 80 00 41 17 70 0b 00 00 00 !........A.p.... 2014-11-24 20:39:55,963 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01F9E, Value: 58 74 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 XtremeKeylogger$ 73 74 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 string2.XtremeRA 54 24 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 T$string3.XTREME 55 50 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 UPDATE$string4.S 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 TUBXTREMEINJECTE 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 D$unit1.UnitConf 69 67 00 00 00 00 00 00 80 00 b1 b4 88 07 00 00 ig.............. 00 00 b0 7f 5d 07 00 00 00 00 8f ed ee ec 05 00 ....]........... 01 06 00 00 00 00 00 00 00 00 00 01 01 00 00 00 ................ 00 00 d8 1f 76 0a 00 00 00 00 e7 91 1d 4e 83 be ....v........N.. 
a1 ed 01 00 00 00 88 00 00 00 50 c5 21 07 00 00 ..........P.!... 00 00 04 00 00 00 00 00 00 21 00 00 00 00 00 00 .........!...... 80 00 41 17 70 0b 00 00 00 00 b0 7f 5d 07 00 00 ..A.p.......]... 00 00 90 ed 8f ed 02 00 03 00 00 00 00 00 00 00 ................ 00 00 00 01 00 00 00 00 00 00 c1 7f 5d 07 00 00 ............]... 00 00 83 d1 8e 4c 3a 27 f8 90 01 00 00 00 88 00 .....L:'........ 2014-11-24 20:39:55,966 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01FB6, Value: 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 XtremeRAT$string 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 3.XTREMEUPDATE$s 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d tring4.STUBXTREM 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 EINJECTED$unit1. 55 6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 UnitConfig...... 80 00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 ............]... 00 00 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 ................ 00 00 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 ............v... 00 00 e7 91 1d 4e 83 be a1 ed 01 00 00 00 88 00 .....N.......... 00 00 50 c5 21 07 00 00 00 00 04 00 00 00 00 00 ..P.!........... 00 21 00 00 00 00 00 00 80 00 41 17 70 0b 00 00 .!........A.p... 00 00 b0 7f 5d 07 00 00 00 00 90 ed 8f ed 02 00 ....]........... 03 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................ 00 00 c1 7f 5d 07 00 00 00 00 83 d1 8e 4c 3a 27 ....]........L:' f8 90 01 00 00 00 88 00 00 00 d0 c3 21 07 00 00 ............!... 00 00 04 00 00 00 00 00 00 01 00 00 00 00 00 00 ................ 2014-11-24 20:39:55,967 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01FC8, Value: 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 XTREMEUPDATE$str 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 ing4.STUBXTREMEI 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e NJECTED$unit1.Un 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 00 itConfig........ 
b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 00 ..........]..... 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 00 00 ................ 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 00 00 ..........v..... e7 91 1d 4e 83 be a1 ed 01 00 00 00 88 00 00 00 ...N............ 50 c5 21 07 00 00 00 00 04 00 00 00 00 00 00 21 P.!............! 00 00 00 00 00 00 80 00 41 17 70 0b 00 00 00 00 ........A.p..... b0 7f 5d 07 00 00 00 00 90 ed 8f ed 02 00 03 00 ..]............. 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................ c1 7f 5d 07 00 00 00 00 83 d1 8e 4c 3a 27 f8 90 ..]........L:'.. 01 00 00 00 88 00 00 00 d0 c3 21 07 00 00 00 00 ..........!..... 04 00 00 00 00 00 00 01 00 00 00 00 00 00 80 00 ................ b1 c1 5d 07 00 00 00 00 b0 7f 5d 07 00 00 00 00 ..].......]..... 2014-11-24 20:39:55,970 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01FDD, Value: 53 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 STUBXTREMEINJECT 45 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e ED$unit1.UnitCon 66 69 67 00 00 00 00 00 00 80 00 b1 b4 88 07 00 fig............. 00 00 00 b0 7f 5d 07 00 00 00 00 8f ed ee ec 05 .....].......... 00 01 06 00 00 00 00 00 00 00 00 00 01 01 00 00 ................ 00 00 00 d8 1f 76 0a 00 00 00 00 e7 91 1d 4e 83 .....v........N. be a1 ed 01 00 00 00 88 00 00 00 50 c5 21 07 00 ...........P.!.. 00 00 00 04 00 00 00 00 00 00 21 00 00 00 00 00 ..........!..... 00 80 00 41 17 70 0b 00 00 00 00 b0 7f 5d 07 00 ...A.p.......].. 00 00 00 90 ed 8f ed 02 00 03 00 00 00 00 00 00 ................ 00 00 00 00 01 00 00 00 00 00 00 c1 7f 5d 07 00 .............].. 00 00 00 83 d1 8e 4c 3a 27 f8 90 01 00 00 00 88 ......L:'....... 00 00 00 d0 c3 21 07 00 00 00 00 04 00 00 00 00 .....!.......... 00 00 01 00 00 00 00 00 00 80 00 b1 c1 5d 07 00 .............].. 00 00 00 b0 7f 5d 07 00 00 00 00 8f ed ee ec 04 .....].......... 00 01 06 00 00 00 00 00 00 00 00 00 01 01 00 00 ................ 
2014-11-24 21:22:27,375 - detector - INFO - Scanning finished
2014-11-24 21:22:27,375 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-24 21:22:27,387 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-24 21:22:27,388 - detector - INFO - Service stopped
2014-11-24 21:22:27,388 - detector - INFO - Analysis finished
I went through the logfile myself. What I notice is that only two processes show up, Boxsync.exe and wmpnetwk.exe. Did someone (the BKA or whoever??) inject Trojans into both processes, or what!?? |
26.11.2014, 08:58 | #4 |
/// the machine /// TB-Ausbilder | After DETEKT check, 4 state Trojans discovered on my computer! No, there is nothing there at all. The only thing Detekt can do is produce false positives. Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-bit | FRST 64-bit (If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 Donations Guides and help Trojaner-Board Facebook page No help via PM! |
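Added example, not code from the thread, from Detekt or from Trojaner-Board: a small triage script for Detekt-style YARA hits. The reply above calls the hits false positives, and the log itself shows why that verdict is plausible: the ASCII column of every matched region consists of YARA rule text (string identifiers such as $bot6, $ddos1, $keylogger1, $string1, and the rule name DarkComet stored as a C string), which is what a memory scanner sees when it runs into its own loaded signature set rather than the command strings of a running RAT. The script parses entries of the form "Process X (pid: N) matched: RULE at address: 0x..., Value: <hexdump>", rebuilds the bytes from the hex column, and flags a hit as signature text when the matched bytes contain several $name identifiers. The sample log is constructed and modelled on the thread's output; the second entry (process name sample.exe, pid 4242, address 0x400000) is a made-up contrast case showing what a hit on the actual command strings, without rule identifiers, would look like, not a real sample. A hit being flagged only says that this particular match is rule text; it is not evidence that the machine is clean.

```python
"""Triage Detekt / YARA memory-scan hits: separate matches on rule text
(the scanner's own signatures in memory) from matches worth reviewing."""
import re
from dataclasses import dataclass

# One log entry begins with Detekt's timestamp; the hexdump rows follow "Value:".
ENTRY_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - )")
MATCH_LINE = re.compile(
    r"Process (?P<proc>\S+) \(pid: (?P<pid>\d+)\) matched: (?P<rule>\S+) "
    r"at address: (?P<addr>0x[0-9A-Fa-f]+), Value:(?P<dump>.*)",
    re.S,
)
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
# YARA string identifiers: '$' followed by an identifier ($bot6, $string1, ...)
YARA_STRING_ID = re.compile(rb"\$[A-Za-z_][A-Za-z0-9_]*")


def decode_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from Detekt's hexdump: rows of up to 16 hex bytes, each
    followed by one ASCII-column token (dots for non-printables, no spaces).
    The ASCII column is discarded; the row counter stops a full 16-byte row from
    swallowing an ASCII token that happens to look like a hex byte. A final row
    shorter than 16 bytes whose ASCII column is exactly two hex digits remains
    ambiguous, which is acceptable for triage."""
    out = bytearray()
    in_row = 0
    for tok in dump.split():
        if in_row < 16 and HEX_BYTE.match(tok):
            out.append(int(tok, 16))
            in_row += 1
        else:  # ASCII column reached: the next token starts a new row
            in_row = 0
    return bytes(out)


@dataclass
class Hit:
    process: str
    pid: int
    rule: str
    address: int
    data: bytes

    def yara_identifiers(self) -> list[str]:
        """Distinct YARA string identifiers found inside the matched bytes."""
        return sorted({m.group().decode("ascii") for m in YARA_STRING_ID.finditer(self.data)})

    def rule_name_in_data(self) -> bool:
        """The rule's own name stored in the matched region (seen in the thread's log)."""
        return self.rule.encode("ascii") in self.data

    def is_signature_text(self, min_ids: int = 2) -> bool:
        """Heuristic: matched bytes carrying several '$name' identifiers are the
        rule definition itself, not attacker code. Real DarkComet command strings
        ('#BOT#URLDownload', 'DDOSHTTPFLOOD', ...) carry no '$bot6' tokens."""
        return len(self.yara_identifiers()) >= min_ids


def parse_hits(log_text: str) -> list[Hit]:
    """Split the log into entries and keep the 'matched:' ones as Hit objects."""
    hits = []
    for entry in ENTRY_START.split(log_text):
        m = MATCH_LINE.search(entry)
        if not m:
            continue
        hits.append(Hit(process=m["proc"], pid=int(m["pid"]), rule=m["rule"],
                        address=int(m["addr"], 16), data=decode_hexdump(m["dump"])))
    return hits


def triage(log_text: str) -> list[dict]:
    """One report row per hit with the evidence and a verdict string."""
    report = []
    for h in parse_hits(log_text):
        report.append({
            "process": h.process, "pid": h.pid, "rule": h.rule,
            "address": hex(h.address), "bytes": len(h.data),
            "identifiers": h.yara_identifiers(),
            "rule_name_in_data": h.rule_name_in_data(),
            "verdict": ("signature text (self-match, likely false positive)"
                        if h.is_signature_text()
                        else "review: matched bytes are not rule text"),
        })
    return report


# Constructed sample in Detekt's log format, modelled on the thread's output.
# Entry 2 (sample.exe, pid 4242, 0x400000) is made up as a contrast case.
SAMPLE_LOG = """\
2014-11-24 20:39:55,918 - detector - INFO - Starting yara scanner...
2014-11-24 20:39:55,918 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E1E, Value:
23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp
64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V
69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO
54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd
6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO
44 24 64 64 6f 73 32 00 44 61 72 6b 43 6f 6d 65 D$ddos2.DarkCome
74 00 64 65 74 65 63 74 69 6f 6e 00 t.detection.
2014-11-24 20:39:56,101 - detector - WARNING - Process sample.exe (pid: 4242) matched: DarkComet at address: 0x400000, Value:
23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 00 .#BOT#URLUpdate.
2014-11-24 21:22:27,375 - detector - INFO - Scanning finished
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run it as-is to see the two verdicts, or feed it the full log from the post (after `Code:`) via `triage(open("detekt.log").read())`; flattened logs work too, since entries are split on the timestamp rather than on line breaks.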
26.11.2014, 10:15 | #5 |
| After DETEKT check, 4 state Trojans discovered on my computer! Good day, Schrauber! Here are two attachments: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2014 01 Ran by superior (administrator) on HOME-PC on 26-11-2014 10:16:54 Running from T:\FRST64 Loaded Profile: superior (Available profiles: superior & muad'dib) Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (The Within Network, LLC) C:\Windows\UnsignedThemesSvc.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (CyberLink) C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe (CyberLink) C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe (Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe (O&O Software GmbH) C:\Software\O&O Defrag Professional\oodag.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe (Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe (TuneUp Software) C:\Software\TuneUp Utilities\TuneUpUtilitiesService64.exe (VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe (VMware, Inc.) 
C:\Windows\SysWOW64\vmnetdhcp.exe (TuneUp Software) C:\Software\TuneUp Utilities\TuneUpUtilitiesApp64.exe () C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe (VMware, Inc.) C:\Software\VMware Workstation\vmware-authd.exe (Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe (O&O Software GmbH) C:\Software\O&O Defrag Professional\oodtray.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (XemiComputers ltd.) C:\Software\Active Desktop Calendar\ADC.exe (Stardock Corporation) C:\Software\CursorFX\Stardock\CursorFX\CursorFX.exe (Microsoft Corporation) C:\Users\superior\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Dropbox, Inc.) C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\Dropbox.exe () C:\Windows\Samsung\PanelMgr\SSMMgr.exe (Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Stardock) C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDock.exe (Babylon Ltd.) C:\Software\Babylon Pro\Babylon.exe () C:\Windows\Samsung\PanelMgr\caller64.exe (Stardock) C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\Dock64.exe (Stardock) C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDockTray.exe (EXLADE, Inc.) C:\Software\Cryptic Disk Pro\Exlade Cryptic Disk 3\CrypticDisk3Console.exe (Safer-Networking Ltd.) 
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe (SWE Sven Ritter) C:\Software\SpeedCommander\SpeedCommander.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [1609296 2010-06-26] (Logitech, Inc.) HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation) HKLM\...\Run: [Fences] => C:\Software\Stardock\Fences\Fences.exe [3993744 2014-05-22] (Stardock Corporation) HKLM\...\Run: [OODefragTray] => C:\Software\O&O Defrag Professional\oodtray.exe [4465448 2014-05-12] (O&O Software GmbH) HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [519408 2013-07-18] (Acronis) HKLM\...\Run: [BoxSync] => C:\Program Files\Box\Box Sync\BoxSync.exe [5609176 2014-11-13] (Box, Inc.) HKLM-x32\...\Run: [Samsung PanelMgr] => C:\Windows\Samsung\PanelMgr\SSMMgr.exe [614400 2009-08-15] () HKLM-x32\...\Run: [Babylon Client] => C:\Software\Babylon Pro\Babylon.exe [3551456 2010-10-17] (Babylon Ltd.) HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.) HKLM-x32\...\Run: [ExladeCrypticDisk3] => C:\Software\Cryptic Disk Pro\Exlade Cryptic Disk 3\CrypticDisk3Console.exe [9779280 2010-10-01] (EXLADE, Inc.) HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.) 
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7843744 2014-02-04] (Acronis) HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1104616 2013-10-10] (Acronis International GmbH) HKLM-x32\...\Run: [UXTheme Launcher] => C:\Program Files (x86)\UXTheme Multi-Patcher\themeengine.exe [239887 2014-07-29] (Windows X) HKLM\...\Winlogon: [Shell] C:\Windows\system32\explorer.exe [89088 2010-11-23] () Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.) Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X] HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 1 HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1 HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [Active Desktop Calendar] => C:\Software\Active Desktop Calendar\ADC.exe [9143296 2011-11-23] (XemiComputers ltd.) HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [CursorFX] => C:\Software\CursorFX\Stardock\CursorFX\CursorFX.exe [416768 2008-07-07] (Stardock Corporation) HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [SkyDrive] => C:\Users\superior\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [277672 2014-10-09] (Microsoft Corporation) HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.) HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [PeerBlock] => C:\Software\PeerBlock\peerblock.exe [2513992 2014-01-14] (PeerBlock, LLC) HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566984 2014-04-25] (Safer-Networking Ltd.) 
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6006.0718\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6006.0718\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512_1\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512_1\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64"
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\MountPoints2: {b420fb11-de78-11df-9cc9-005056c00008} - D:\LaunchU3.exe -a
AppInit_DLLs: acaptuser64.dll => C:\windows\system32\acaptuser64.dll [119160 2008-06-11] (Adobe Systems, Inc.)
IFEO\Acrobat.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\acrodist.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\chrome.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\excel.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\formdesigner.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\hd-apkhandler.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\hd-runapp.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\hd-startlauncher.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\infopath.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\misc.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\msaccess.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\msoxmled.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\mspub.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\mstore.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\ois.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\onenote.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\onenotem.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\powerpnt.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\snagit32.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\snagiteditor.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\Winword.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
IFEO\wmdc.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\O&O Defrag Tray.lnk
ShortcutTarget: O&O Defrag Tray.lnk -> C:\Windows\Installer\{A5168EBB-F8E1-4B62-8805-C25684DB9E86}\app_icon.ico ()
Startup: C:\Users\muad'dib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\superior\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\muad'dib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\muad'dib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
ShortcutTarget: Stardock ObjectDock.lnk -> C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDock.exe (Stardock)
Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fences.lnk
ShortcutTarget: Fences.lnk -> C:\Software\Stardock\Fences\Fences.exe (Stardock Corporation)
Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
ShortcutTarget: Stardock ObjectDock.lnk -> C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDock.exe (Stardock)
SSODL-x32: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - No File
ShellIconOverlayIdentifiers: [ BoxSyncFileLocked] -> {9a216f5d-3530-3b1a-8006-9a1233402fba} => C:\windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ BoxSyncNotSynced] -> {4c3d7a5e-7476-3c21-9717-0614ce209c44} => C:\windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ BoxSyncProblem] -> {aa0bacc8-a5df-34b0-acd8-e6739d92010e} => C:\windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ BoxSyncSynced] -> {0f20db5b-365d-3cc6-82eb-41207f77bb71} => C:\windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {69925D1B-6A0F-4413-861A-81AB98039DB9} => No File
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x34640E279963CB01
HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-306363081-4155975274-668329838-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_223.dll ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Software\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-306363081-4155975274-668329838-1001: @acestream.net/acestreamplugin,version=2.2.0-next -> C:\Users\superior\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn_2010_9_0_6
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn_2010_9_0_6 [2014-11-26]

Chrome:
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.2.464\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (Mixesoft Click&Clean Plug-In) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\8.3_0\plugin/npccch32.dll (Vlad & Serge Strukoff © 2013)
CHR Plugin: (Bitdefender QuickScan) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\8.3_0\plugin/npqscan.dll (Bitdefender LLC)
CHR Plugin: (DjVu Plugin Viewer) - C:\Software\Firefox\plugins\npdjvu.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Software\Firefox\plugins\nppdf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin3.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin4.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin5.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.550.14) - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Java(TM) Platform SE 7 U55) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Software\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Ace Stream P2P Multimedia Plug-in) - C:\Users\superior\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll No File
CHR Profile: C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Übersetzer) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2014-05-26]
CHR Extension: (ChromeAccess) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeoigbhkilbllfomkmmilbfochhlgdmh [2014-05-25]
CHR Extension: (TV) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\beobeededemalmllhkmnkinmfembdimh [2014-05-24]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-20]
CHR Extension: (Tampermonkey) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2014-05-23]
CHR Extension: (Black Menu for Google™) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\eignhdfgaldabilaaegmdfbajngjmoke [2014-05-23]
CHR Extension: (Video Downloader professional) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2014-05-24]
CHR Extension: (ZenMate) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2014-05-26]
CHR Extension: (Deaktivierungs-Add-on von Google Analytics) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\fllaojicojecljbmefodhfapmkghcbnh [2014-05-24]
CHR Extension: (AdBlock Premium) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\fndlhnanhedoklpdaacidomdnplcjcpj [2014-05-23]
CHR Extension: (Click&Clean) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod [2014-05-24]
CHR Extension: (Vanilla Cookie Manager) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\gieohaicffldbmiilohhggbidhephnjj [2014-05-25]
CHR Extension: (avast! Online Security) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-05-23]
CHR Extension: (Nimbus Notes) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\haafigbapbpbpnmgcknnmilaaaimggpk [2014-05-23]
CHR Extension: (SearchPreview) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcjdanpjacpeeppdjkppebobilhaglfo [2014-05-23]
CHR Extension: (EverSync - Sync bookmarks, backup favorites) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\iohcojnlgnfbmjfjfkbhahhmppcggdog [2014-05-25]
CHR Extension: (GData Centers 1 Council Bluffs, Iowa) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeonacmfdmkgfmmdejlinolgjomhcbmh [2014-05-23]
CHR Extension: (IP Whois & Flags Chrome & Websites Rating) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmdfbacgombndnllogoijhnggalgmkon [2014-05-23]
CHR Extension: (Magic Player) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpckgflgdapkpabemgkielbefdildaio [2014-03-05]
CHR Extension: (Währung Konverter) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbhghjdcfghfhlogkgdklfgmpodeglno [2014-05-24]
CHR Extension: (IP Address and Domain Information) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhgkegeccnckoiliokondpaaalbhafoa [2014-05-24]
CHR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2014-05-23]
CHR Extension: (AS Magic Player) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfhnkgpdlogbknkhlgdjlejeljbhflim [2014-09-30]
CHR Extension: (Ghostery) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2014-05-23]
CHR Extension: (Google Wallet) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
CHR Extension: (YouTube Unblocker) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\npnkeeiehehhefofiekoflfedgehcdhl [2014-05-25]
CHR Extension: (New Tab Bookmark Speed Dial | Papaly) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdcohkhhjbifkmpakaiopnllnddofbbn [2014-05-23]
CHR Extension: (Context Menus) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\phlfmkfpmphogkomddckmggcfpmfchpn [2014-05-23]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BoxSyncUpdateService; C:\Program Files\Box\Box Sync\SyncUpdaterService.exe [28696 2014-09-24] (Box, Inc.)
S4 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [402192 2014-05-21] (BlueStack Systems, Inc.)
S4 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [385808 2014-05-21] (BlueStack Systems, Inc.)
S4 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [774928 2014-05-21] (BlueStack Systems, Inc.)
R2 CyberLink PowerDVD 13 Media Server Monitor Service; C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe [77576 2013-07-05] (CyberLink)
R2 CyberLink PowerDVD 13 Media Server Service; C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe [327432 2013-07-05] (CyberLink)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [126400 2011-08-04] (Symantec Corporation)
R2 OODefragAgent; C:\Software\O&O Defrag Professional\oodag.exe [1657640 2014-05-12] (O&O Software GmbH)
R2 OS Selector; C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe [2155848 2011-11-15] ()
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S4 SkypeUpdate; C:\Software\Skype\Updater\Updater.exe [172192 2013-10-23] (Skype Technologies)
R2 TuneUp.UtilitiesSvc; C:\Software\TuneUp Utilities\TuneUpUtilitiesService64.exe [2140984 2014-04-15] (TuneUp Software)
R2 UnsignedThemes; C:\Windows\UnsignedThemesSvc.exe [24168 2009-07-13] (The Within Network, LLC)
R2 VMAuthdService; C:\Software\VMware Workstation\vmware-authd.exe [86744 2014-04-14] (VMware, Inc.)
S2 VMwareHostd; C:\Software\VMware Workstation\vmware-hostd.exe [14407384 2014-04-14] ()
S3 vncserver; C:\Program Files\RealVNC\VNC Server\vncservice.exe [638272 2014-08-18] (RealVNC Ltd)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20141118.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [123152 2014-05-21] (BlueStack Systems)
R3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [352448 2013-02-11] (EldoS Corporation)
R1 ccHP; C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [593544 2011-08-04] (Symantec Corporation)
R2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [53816 2009-06-09] (Samsung Electronics Co., Ltd.)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-09] (Symantec Corporation)
R1 ExCrDisk3Drv; C:\Windows\SysWOW64\drivers\CrDisk3.sys [182352 2010-09-23] (EXLADE, Inc.)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20141121.001\IDSvia64.sys [637656 2014-11-14] (Symantec Corporation)
S3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20141123.021\ENG64.SYS [129752 2014-11-03] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20141123.021\EX64.SYS [2137304 2014-11-03] (Symantec Corporation)
S3 OXSDIDRV_x64; C:\Windows\System32\DRIVERS\OXSDIDRV_x64.sys [51760 2009-09-28] ()
S3 phaudlwr; C:\Windows\System32\DRIVERS\phaudlwr.sys [114608 2009-10-20] (Philips Applied Technologies)
S3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [27136 2014-04-24] (The OpenVPN Project)
S3 SPC1300; C:\Windows\System32\DRIVERS\spc1300.sys [3251968 2010-01-26] ()
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-10-06] () [File not signed]
R1 SRTSP; C:\Windows\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS [505392 2010-04-22] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1109000.00C\SRTSPX64.SYS [32304 2010-04-22] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMDS64.SYS [433200 2009-08-30] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [221304 2011-08-22] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2010-10-03] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [53808 2010-05-06] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [150064 2010-04-29] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [451704 2011-08-22] (Symantec Corporation)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2014-05-23] (Acronis International GmbH)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [198432 2014-05-23] (Acronis International GmbH)
R3 TuneUpUtilitiesDrv; C:\Software\TuneUp Utilities\TuneUpUtilitiesDriver64.sys [14112 2013-08-21] (TuneUp Software)
R2 uxpatch; C:\Windows\system32\drivers\uxpatch.sys [30568 2009-07-13] ()
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [117024 2014-05-23] (Acronis International GmbH)
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [32472 2014-04-14] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-02-22] (VMware, Inc.)
R2 {09F57980-3432-4AFC-957D-27AC45FAE1F5}; C:\Software\PowerDVD Ultra\PowerDVD13\Common\NavFilter\000.fcl [130320 2013-07-05] (CyberLink Corp.)
U3 arcec16i; C:\Windows\System32\Drivers\arcec16i.sys [0 ] (Microsoft Corporation)
U4 Messenger; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-26 10:16 - 2014-11-26 10:16 - 00000000 ____D () C:\FRST
2014-11-26 10:03 - 2014-11-26 10:03 - 00000416 _____ () C:\Windows\PFRO.log
2014-11-26 10:03 - 2014-11-26 10:03 - 00000056 _____ () C:\Windows\setupact.log
2014-11-26 10:03 - 2014-11-26 10:03 - 00000000 _____ () C:\Windows\setuperr.log
2014-11-20 09:10 - 2014-11-11 04:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-20 09:10 - 2014-11-11 04:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-20 09:10 - 2014-11-11 03:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-20 09:10 - 2014-11-11 03:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-12 10:20 - 2014-11-07 20:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-12 10:20 - 2014-11-06 05:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-12 10:20 - 2014-11-06 04:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-12 10:20 - 2014-11-06 04:35 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-12 10:20 - 2014-11-06 04:30 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-12 10:20 - 2014-11-06 04:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-12 10:20 - 2014-11-06 04:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-12 10:20 - 2014-11-06 04:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-11-12 10:20 - 2014-11-06 04:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-12 10:20 - 2014-11-06 04:07 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-12 10:20 - 2014-11-06 04:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-12 10:20 - 2014-11-06 03:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-12 10:20 - 2014-11-06 03:41 - 00716800 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-12 10:20 - 2014-11-06 03:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-12 10:20 - 2014-11-06 03:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-12 10:20 - 2014-11-06 03:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-12 10:20 - 2014-11-06 02:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-12 10:20 - 2014-11-05 18:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-12 10:20 - 2014-11-05 18:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-12 10:20 - 2014-11-05 18:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-12 10:20 - 2014-10-14 03:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-12 10:20 - 2014-10-14 03:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 10:20 - 2014-10-14 03:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 10:20 - 2014-10-14 03:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 10:20 - 2014-10-14 03:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 10:20 - 2014-10-14 02:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-12 10:20 - 2014-10-14 02:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-11-12 10:20 - 2014-10-14 02:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-12 10:20 - 2014-10-14 02:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-12 10:19 - 2014-11-07 20:49 - 00388272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-12 10:19 - 2014-11-06 05:03 - 25110016 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-12 10:19 - 2014-11-06 05:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-12 10:19 - 2014-11-06 04:47 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-12 10:19 - 2014-11-06 04:46 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-12 10:19 - 2014-11-06 04:44 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-12 10:19 - 2014-11-06 04:43 - 02884096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-12 10:19 - 2014-11-06 04:36 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-12 10:19 - 2014-11-06 04:31 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-12 10:19 - 2014-11-06 04:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-12 10:19 - 2014-11-06 04:29 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-12 10:19 - 2014-11-06 04:23 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-12 10:19 - 2014-11-06 04:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-12 10:19 - 2014-11-06 04:16 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-12 10:19 - 2014-11-06 04:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-12 10:19 - 2014-11-06 04:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-11-12 10:19 - 2014-11-06 04:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-12 10:19 - 2014-11-06 04:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-12 10:19 - 2014-11-06 04:02 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-12 10:19 - 2014-11-06 04:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-12 10:19 - 2014-11-06 04:00 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-12 10:19 - 2014-11-06 03:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-11-12 10:19 - 2014-11-06 03:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-11-12 10:19 - 2014-11-06 03:57 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-12 10:19 - 2014-11-06 03:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-12 10:19 - 2014-11-06 03:41 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-12 10:19 - 2014-11-06 03:39 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-12 10:19 - 2014-11-06 03:38 - 02124288 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-12 10:19 - 2014-11-06 03:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-12 10:19 - 2014-11-06 03:30 - 14390272 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-12 10:19 - 2014-11-06 03:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-12 10:19 - 2014-11-06 03:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-12 10:19 - 2014-11-06 03:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-11-12 10:19 - 2014-11-06 03:17 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-12 10:19 - 2014-11-06 03:04 - 01550336 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-12 10:19 - 2014-11-06 03:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-12 10:19 - 2014-11-06 02:53 - 00799232 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-12 10:19 - 2014-11-06 02:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-12 10:19 - 2014-11-06 02:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-11-12 10:18 - 2014-10-25 02:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 10:18 - 2014-10-25 02:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-12 10:18 - 2014-10-14 03:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-12 10:18 - 2014-10-14 02:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-12 10:18 - 2014-10-10 01:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-12 10:18 - 2014-10-03 03:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 10:18 - 2014-10-03 03:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 10:18 - 2014-10-03 03:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 10:18 - 2014-10-03 03:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-12 10:18 - 2014-10-03 03:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 10:18 - 2014-10-03 02:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-12 10:18 - 2014-10-03 02:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-12 10:18 - 2014-10-03 02:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-12 10:18 - 2014-09-19 10:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-12 10:18 - 2014-09-19 10:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-12 10:18 - 2014-09-19 10:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-12 10:18 - 2014-09-19 10:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-12 10:18 - 2014-09-19 10:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-12 10:18 - 2014-09-19 10:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-12 10:18 - 2014-09-19 10:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-12 10:18 - 2014-09-19 10:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-12 10:18 - 2014-09-19 10:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-12 10:18 - 2014-09-19 10:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-12 10:18 - 2014-09-19 10:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-12 10:18 - 2014-09-19 10:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-11-12 10:18 - 2014-08-21 07:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 10:18 - 2014-08-21 07:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-12 10:18 - 2014-08-21 07:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-12 10:18 - 2014-08-21 07:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-12 10:18 - 2014-08-12 03:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-12 10:18 - 2014-08-12 02:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-12 10:17 - 2014-10-18 03:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 10:17 - 2014-10-18 02:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-08 21:28 - 2014-11-08 21:28 - 06057862 _____ (Tim Kosse) C:\Users\superior\Downloads\FileZilla_3.9.0.5_win32-setup.exe
2014-11-08 21:28 - 2014-11-08 21:28 - 06004615 _____ (Tim Kosse) C:\Users\superior\Downloads\FileZilla_3.9.0.2_win32-setup.exe
2014-11-07 08:53 - 2014-11-18 03:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Box Sync
2014-11-03 15:02 - 2014-11-03 15:02 - 00000000 ____D () C:\Users\superior\AppData\Local\VS Revo Group
2014-11-03 15:02 - 2014-11-03 15:02 - 00000000 ____D () C:\ProgramData\VS Revo Group
2014-11-03 15:02 - 2009-12-30 11:21 - 00031800 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2014-11-03 14:45 - 2014-11-03 14:45 - 00000000 ____D () C:\Users\superior\AppData\Roaming\ProductData
2014-11-03 14:44 - 2014-11-03 14:45 - 00000000 ____D () C:\ProgramData\ProductData
2014-11-03 14:44 - 2014-11-03 14:45 - 00000000 ____D () C:\ProgramData\IObit
2014-11-03 14:44 - 2014-11-03 14:44 - 00000000 ____D () C:\Users\superior\AppData\Roaming\IObit
2014-10-30 12:00 - 2014-10-30 12:00 - 00000000 ____D () C:\Users\superior\AppData\Local\Aegisub
2014-10-30 10:50 - 2014-11-16 11:44 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Subtitle Edit
2014-10-30 09:53 - 2014-10-30 09:53 - 00000590 _____ () C:\Users\superior\Documents\SnagItDebug.log
2014-10-30 09:53 - 2014-10-30 09:53 - 00000000 ____D () C:\Users\superior\AppData\Roaming\TechSmith

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-11-26 10:13 - 2009-07-14 05:45 - 00025232 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-11-26 10:13 - 2009-07-14 05:45 - 00025232 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-11-26 10:10 - 2012-03-01 16:21 - 01765026 _____ () C:\Windows\WindowsUpdate.log 2014-11-26 10:08 - 2010-12-13 13:45 - 00000000 ____D () C:\ProgramData\Babylon 2014-11-26 10:03 - 2010-11-07 20:54 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs 2014-11-26 10:03 - 2010-10-05 09:50 - 00000000 ____D () C:\ProgramData\VMware 2014-11-26 10:03 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-11-25 20:28 - 2012-04-12 15:36 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-11-25 18:21 - 2009-07-14 18:58 - 00702154 _____ () C:\Windows\system32\perfh007.dat 2014-11-25 18:21 - 2009-07-14 18:58 - 00150820 _____ () C:\Windows\system32\perfc007.dat 2014-11-25 18:21 - 2009-07-14 06:13 - 01628962 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-11-25 12:51 - 2010-10-05 08:34 - 00000000 ____D () C:\ProgramData\TuneUp Software 2014-11-24 16:23 - 2010-10-04 16:46 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Canon 2014-11-24 12:03 - 2014-07-27 13:47 - 00000000 ____D () C:\Users\superior\AppData\Local\Box Sync 2014-11-24 12:02 - 2010-11-16 13:04 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Dropbox 2014-11-23 10:48 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache 2014-11-21 09:48 - 2011-05-25 10:04 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-11-21 09:48 - 2011-05-25 10:04 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-11-20 20:21 - 2011-05-25 10:04 - 00004118 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-11-20 20:21 - 2011-05-25 10:04 - 00003866 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-11-20 
20:15 - 2012-08-01 15:37 - 00000000 ____D () C:\Users\superior\AppData\Roaming\iFunbox_UserCache 2014-11-20 14:03 - 2013-09-02 08:17 - 00000000 ____D () C:\Users\superior\AppData\Roaming\uTorrent 2014-11-19 14:09 - 2010-10-06 18:44 - 00000000 ____D () C:\Users\superior\AppData\Roaming\DAEMON Tools Lite 2014-11-19 14:08 - 2010-10-05 18:23 - 00000000 ____D () C:\Users\superior\AppData\Local\CrashDumps 2014-11-18 14:05 - 2010-10-29 20:38 - 00003794 _____ () C:\Windows\System32\Tasks\Adobe-Online-Aktualisierungsprogramm 2014-11-18 11:51 - 2014-06-05 17:38 - 00003828 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1379079645 2014-11-14 14:46 - 2010-10-06 18:26 - 00000000 ____D () C:\Users\superior\AppData\Roaming\FileZilla 2014-11-14 09:37 - 2010-11-22 12:37 - 00001373 _____ () C:\Users\superior\Desktop\Dropbox.lnk 2014-11-13 11:54 - 2013-09-11 15:15 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2 2014-11-12 19:20 - 2009-07-14 05:45 - 00403992 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-11-12 19:16 - 2014-05-13 12:33 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-11-12 17:19 - 2010-10-03 16:55 - 00108936 _____ () C:\Users\superior\AppData\Local\GDIPFONTCACHEV1.DAT 2014-11-12 16:24 - 2010-10-05 17:39 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-11-12 16:08 - 2013-07-23 08:13 - 00000000 ____D () C:\Windows\system32\MRT 2014-11-12 15:53 - 2010-10-04 09:51 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-11-12 14:52 - 2012-07-02 13:56 - 00000000 ____D () C:\Users\superior\AppData\Roaming\vlc 2014-11-12 14:28 - 2012-04-12 15:36 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-11-12 14:28 - 2012-04-12 15:36 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-11-12 14:28 - 2011-05-16 08:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-11-10 10:35 - 2013-09-13 16:08 - 00000000 ____D 
() C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cloud Computing 2014-11-06 11:16 - 2010-10-26 13:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools 2014-11-04 08:15 - 2011-05-10 12:01 - 00003704 _____ () C:\Windows\System32\Tasks\Java Update Scheduler 2014-11-03 15:00 - 2010-10-03 16:07 - 00000000 ____D () C:\Software 2014-10-30 13:47 - 2012-11-05 18:16 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Media Player 2014-10-30 13:47 - 2010-10-26 13:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Player 2014-10-30 13:38 - 2014-07-25 13:56 - 00003810 _____ () C:\Windows\System32\Tasks\TechSmith Updater 2014-10-29 14:54 - 2011-08-11 13:25 - 00000000 ____D () C:\Users\superior\AppData\Roaming\XBMC 2014-10-28 15:05 - 2014-06-19 16:42 - 00000000 ____D () C:\Users\superior\AppData\Local\Adobe Some content of TEMP: ==================== C:\Users\superior\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpx2_j3u.dll C:\Users\superior\AppData\Local\Temp\proxy_vole3541240850102408752.dll ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2014-11-25 14:50
==================== End Of Log ============================

Here is Addition.txt:

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-11-2014 01
Ran by superior at 2014-11-26 10:18:52
Running from T:\FRST64
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Norton Internet Security (Enabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: Norton Internet Security (Enabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Enabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
µTorrent (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\uTorrent) (Version: 3.4.2.32239 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ACDSee Pro 7 (64-bit) (HKLM\...\{D2A6EC54-CB46-49E4-A6FC-A9179F9D9D12}) (Version: 7.1.164 - ACD Systems International Inc.)
Ace Stream Media 2.2.0-next (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\AceStream) (Version: 2.2.0-next - Ace Stream Media) Acronis True Image 2014 (HKLM-x32\...\{3ECDD663-5AF8-489B-9E3C-561F33A271BD}Visible) (Version: 17.0.6673 - Acronis) Acronis True Image 2014 (x32 Version: 17.0.6673 - Acronis) Hidden Acronis True Image 2014 Media Add-on (HKLM-x32\...\{F38F5AD2-39A7-414A-A4D4-5EC7E42D266F}) (Version: 17.0.6673 - Acronis) Active Desktop Calendar 7.96 (HKLM\...\Active Desktop Calendar_is1) (Version: - XemiComputers) Adobe Acrobat 9 Pro Extended 64-bit Add-On (HKLM\...\{AC76BA86-1033-0000-0064-0003D0000004}) (Version: 9.0.0 - Adobe Systems Incorporated) Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.0.0 - Adobe Systems) Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated) Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated) Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated) Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.) AIDA64 Extreme v4.50 (HKLM-x32\...\AIDA64 Extreme_is1) (Version: 4.50 - FinalWire Ltd.) Anti-reCAPTCHA v4.01 JD (HKLM-x32\...\{74252365-7BB1-437A-8D61-5B0BD1D9AFAA}) (Version: 4.01 - SONY-TEAM) Apple Application Support (HKLM-x32\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.) Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.) Babylon (HKLM-x32\...\Babylon) (Version: - ) BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.8.10.3096 - BlueStack Systems, Inc.) 
BlueStacks Notification Center (HKLM-x32\...\{0BED0B96-70B8-4893-884B-DC485DC8C1B7}) (Version: 0.8.10.3096 - BlueStack Systems, Inc.) Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.) Box Sync (HKLM\...\{09C53B19-C578-4803-95EF-DDEDF89D080C}) (Version: 4.0.5693.0 - Box, Inc.) Box Sync (x32 Version: 4.0.5116.0 - Box Inc.) Hidden BS.Player FREE (HKLM-x32\...\BSPlayerf) (Version: 2.67.1076 - AB Team, d.o.o.) BS.Player PRO (HKLM-x32\...\BSPlayerp) (Version: 2.67.1076 - AB Team, d.o.o.) CameraHelperMsi (x32 Version: 13.25.1010.0 - Logitech) Hidden Canon MP Navigator 2.2 (HKLM-x32\...\MP Navigator 2.2) (Version: - ) Canon MP530 (HKLM\...\{3215EBED-1D06-42fb-A05C-A752A46FB24C}) (Version: - ) CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform) CloneDVD2 (HKLM-x32\...\CloneDVD2) (Version: 2.9.3.0 - Elaborate Bytes) Cryptic Disk Professional 3.0.29.569 (HKLM-x32\...\Exlade.CrypticDisk.3_is1) (Version: 3.0.29.569 - Exlade) CursorFX (x32 Version: 2.00 - Stardock Corporation) Hidden CyberLink PowerDVD 13 (HKLM-x32\...\InstallShield_{3CFDF154-7E60-4E98-A8DF-C693A4F8E6B6}) (Version: 13.0.3105.58 - CyberLink Corp.) D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden Document Express DjVu Plug-in (HKLM-x32\...\{EF4A5105-384A-4EEA-AD4A-857054586FFA}) (Version: 6.1.26155 - Caminova, Inc.) DomDomSoft Manga Downloader (remove only) (HKLM-x32\...\DomDomSoft Manga Downloader) (Version: - ) Dropbox (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Dropbox) (Version: 2.10.52 - Dropbox, Inc.) erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden Fences 2 (HKLM-x32\...\Fences 22.01) (Version: 2.01 - Stardock Corporation) FireArc Arcade (HKLM-x32\...\{00BF5357-F404-4FE9-981D-119E4F5CF9FC}) (Version: 0.6.1 - FireArc.com) Google Chrome (HKLM-x32\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.) 
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google) Google Translator (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Google Translator) (Version: - Dimox) Google Update Helper (x32 Version: 1.3.25.5 - Google Inc.) Hidden iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.) iExplorer 3.2.5.6 (HKLM-x32\...\{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1) (Version: - Macroplant LLC) iFunbox (v1.99.958.697), iFunbox DevTeam (HKLM-x32\...\iFunbox_is1) (Version: v1.99.958.697 - ) infonoteSMSManager (HKLM-x32\...\{3E904B8A-71C2-4777-ADED-8FC07E5AAEF0}) (Version: 2.0.1 - infonote) iPhone-Konfigurationsprogramm (HKLM-x32\...\{B90FCEB7-2B0C-4D27-95B5-54238DF059ED}) (Version: 3.6.2.300 - Apple Inc.) iTunes (HKLM\...\{1CF5754A-545B-4360-BFDE-2847BC728DFC}) (Version: 11.2.0.115 - Apple Inc.) iTwin 3.5 Final (HKLM-x32\...\iTwin_is1) (Version: 3.5 Final - Stefan Moka) Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle) Java(TM) 6 Update 21 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416021FF}) (Version: 6.0.210 - Oracle) JDownloader 2.0 (HKLM-x32\...\jdownloader2) (Version: 2.0 - AppWork GmbH) jv16 PowerTools 2014 (HKLM-x32\...\jv16 PowerTools 2014) (Version: - Macecraft Software) K-Lite Codec Pack 10.0.0 Standard (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.0.0 - ) Logitech SetPoint 6.15 (HKLM\...\SP6) (Version: 6.15.25 - Logitech) Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.0 - Logitech Inc.) 
LWS VideoEffects (Version: 13.25.1005.0 - Logitech) Hidden Microsoft .NET Compact Framework 3.5 (HKLM-x32\...\{72CCBEA1-8D57-4981-A337-81019F28C5BA}) (Version: 3.5.7283 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation) Microsoft OneDrive (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\OneDriveSetup.exe) (Version: 17.3.1229.0918 - Microsoft Corporation) Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation) Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (HKLM\...\{EE936C7A-EA40-31D5-9B65-8E3E089C3828}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation) Microsoft Visual 
C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Mozilla Thunderbird (3.1.20) (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Mozilla Thunderbird (3.1.20)) (Version: 3.1.20 (de) - Mozilla) MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) multiWeather (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\multiWeather) (Version: - Isidoro Russo) Norton Internet Security (HKLM-x32\...\NIS) (Version: 17.9.0.12 - Symantec Corporation) Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.4.5 - Notepad++ Team) NVIDIA Display Control Panel (HKLM\...\NVIDIA Display Control 
Panel) (Version: 6.14.12.5896 - NVIDIA Corporation) NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation) O&O Defrag Professional (HKLM\...\{A5168EBB-F8E1-4B62-8805-C25684DB9E86}) (Version: 17.5.559 - O&O Software GmbH) O&O DiskRecovery (HKLM\...\{34FE244C-868A-49C3-B378-05FA23244076}) (Version: 9.0.248 - O&O Software GmbH) ooVoo (HKLM-x32\...\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}) (Version: 3.6.5001 - ooVoo LLC.) Opera 12.17 (HKLM-x32\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA) Opera Stable 25.0.1614.71 (HKLM-x32\...\Opera 25.0.1614.71) (Version: 25.0.1614.71 - Opera Software ASA) Origin (HKLM-x32\...\Origin) (Version: 9.4.22.2815 - Electronic Arts, Inc.) PDF Password Remover v3.1 (HKLM-x32\...\PDF Password Remover v3.1_is1) (Version: - VeryPDF.com Inc) PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC) PhoneClean 3.3.2 (HKLM-x32\...\{2FAFFE02-4D6B-4C0A-906B-1B33DAF0DD14}}_is1) (Version: 3.3.2 - iMobie Inc.) Photo Transfer App (HKLM-x32\...\com.erclab.air.phototransferapp) (Version: 2.1.0 - UNKNOWN) Photo Transfer App (x32 Version: 2.1.0 - UNKNOWN) Hidden PhotoSync (HKLM\...\{3F96040E-35BB-4EE2-89F6-8948F3B4514A}) (Version: 2.2.1 - touchbyte GmbH) PocketSMS (HKLM-x32\...\{FAF45451-474A-4DC6-A6BB-7866BCBE0C55}) (Version: 1.1.2 - thbi) QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.) RemoteComms driver (HKLM-x32\...\{43BEEE26-01A8-4EEE-8632-2353261E3B55}) (Version: 1.25.0000 - Oxford Semiconductor) Revo Uninstaller Pro 3.1.1 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.1 - VS Revo Group, Ltd.) 
Samsung ML-1640 Series (HKLM-x32\...\Samsung ML-1640 Series) (Version: - Samsung Electronics CO.,LTD) Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft) Skype™ 6.18 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.18.105 - Skype Technologies S.A.) Snagit 11 (HKLM-x32\...\{A7E2223E-4AE4-45C8-9B6C-1C893EDF11BD}) (Version: 11.4.0 - TechSmith Corporation) Snagit 11 (HKLM-x32\...\{D0CC22F6-A67A-4083-A043-E0640CB7A4DF}) (Version: 11.2.1 - TechSmith Corporation) SopCast 3.8.3 (HKLM-x32\...\SopCast) (Version: 3.8.3 - www.sopcast.com) SpeedCommander 15 (x64) (HKLM\...\SpeedCommander 15 (x64)) (Version: 15.30.7600 - SWE Sven Ritter) Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.3.39 - Safer-Networking Ltd.) Stardock Fences 2 (HKLM-x32\...\Stardock Fences 2) (Version: 2.13 - Stardock Software, Inc.) Stardock ObjectDock (HKLM-x32\...\Stardock ObjectDock) (Version: 2.10 - Stardock Software, Inc.) 
Stardock Software (x32 Version: 1.00 - Stardock Corporation) Hidden Subtitle Edit 3.4.3 (HKLM-x32\...\SubtitleEdit_is1) (Version: 3.4.3.0 - Nikse) Subtitle Workshop 2.51 (HKLM-x32\...\SubtitleWorkshop) (Version: - ) swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden System.Data.SQLite v1.0.81.0 (HKLM-x32\...\{02E43EC2-6B1C-45B5-9E48-941C3E1B204A}_is1) (Version: 1.0.81.0 - System.Data.SQLite Team) Trillian (HKLM-x32\...\Trillian) (Version: - Cerulean Studios, LLC) TuneUp Utilities 2014 (de-DE) (x32 Version: 14.0.1000.296 - TuneUp Software) Hidden TuneUp Utilities 2014 (HKLM-x32\...\TuneUp Utilities) (Version: 14.0.1000.296 - TuneUp Software) TuneUp Utilities 2014 (x32 Version: 14.0.1000.296 - TuneUp Software) Hidden TuneUp Utilities Language Pack (de-DE) (x32 Version: 10.0.4410.1 - TuneUp Software) Hidden TuneUp Utilities Language Pack (de-DE) (x32 Version: 9.0.2000.15 - TuneUp Software) Hidden TweakMe! (HKLM-x32\...\{709D0207-B1F8-4ADC-BB2F-CDBE2367A475}_is1) (Version: 1.3.0.0 - pXc-coding.com) Tweaks for Skype (HKLM-x32\...\{2FB1052B-2F3D-48CE-A65D-006240516ECE}_is1) (Version: 1.0.0.2 - pXc-coding.com) TWIN PS TO PC CONVERTER (HKLM-x32\...\TWIN PS TO PC CONVERTER) (Version: - ) UxStyle Core Beta (HKLM\...\{8E363055-15E5-4D8A-9C69-A0A9DE9A3337}) (Version: 0.2.1.1 - The Within Network, LLC) VMware Workstation (HKLM-x32\...\VMware_Workstation) (Version: 10.0.2 - VMware, Inc) VMware Workstation (Version: 10.0.2 - VMware, Inc.) 
Hidden VNC Server 5.2.1 (HKLM\...\{D6443B72-BA51-4465-86DB-4AD2392CBC8E}) (Version: 5.2.1 - RealVNC Ltd) VNC Viewer 5.2.1 (HKLM\...\{9AF9B020-3266-42E1-9CE9-89C8CD98FB9C}) (Version: 5.2.1 - RealVNC Ltd) Windows Mobile-Gerätecenter (HKLM\...\{626672CD-BFCF-49A9-AEFE-AB0FED3BFC5B}) (Version: 6.1.6965.0 - Microsoft Corporation) Windows Mobile-Gerätecenter: Treiberupdate (HKLM\...\{92DBCA36-9B41-4DD1-941A-AED149DD37F0}) (Version: 6.1.6965.0 - Microsoft Corporation) WinMend Folder Hidden 1.5.0 (HKLM-x32\...\WinMend Folder Hidden_is1) (Version: - WinMend.com) WinRAR 5.00 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH) Wondershare Dr.Fone für iOS(Build 4.5.1.6) (HKLM-x32\...\{A26F8BBD-EC10-4bdc-8AD8-F146825A8A63}_is1) (Version: 4.5.1.6 - Wondershare Software Co.,Ltd.) XBMC (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\XBMC) (Version: - Team XBMC) Zona (HKLM-x32\...\Zona) (Version: - Zona Team) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{4ED64402-CABA-4CD3-943E-B43E0F006016}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreMeter 1.5.0.gadget\cm64.dll (-) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{6538FE62-139F-4136-AEA4-621D4883EB02}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreMeter 1.5.0.gadget\CM64.dll (-) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\FileSyncApi64.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) ==================== Restore Points ========================= ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 
2014-11-20 10:16 - 2014-10-22 12:05 - 00455068 ___RA C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 activation.acronis.com 127.0.0.1 ds.serving-sys.com 127.0.0.1 googlesyndication.com 127.0.0.1 img-cdn.mediaplex.com 127.0.0.1 live.rads.msn.com 127.0.0.1 ads1.msn.com 127.0.0.1 static.2mdn.net 127.0.0.1 g.msn.com 127.0.0.1 a.ads2.msads.net 127.0.0.1 b.ads2.msads.net 127.0.0.1 ad.doubleclick.net 127.0.0.1 ac3.msn.com 127.0.0.1 rad.msn.com 127.0.0.1 msntest.serving-sys.com 127.0.0.1 bs.serving-sys.com 127.0.0.1 flex.msn.com 127.0.0.1 ec.atdmt.com 127.0.0.1 cdn.atdmt.com 127.0.0.1 db3aqu.atdmt.com 127.0.0.1 cds26.ams9.msecn.net 127.0.0.1 sO.2mdn.net 127.0.0.1 aka-cdn-ns.adtech.de 127.0.0.1 secure.flashtalking.com 127.0.0.1 adnexus.net 127.0.0.1 adnxs.com 127.0.0.1 *.rad.msn.com 127.0.0.1 *.msads.net 127.0.0.1 *.msecn.net 127.0.0.1 secure.tune-up.com There are 1000 more lines. ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {05523ABB-7B2B-4575-940B-1F456EC3C844} - System32\Tasks\TechSmith Updater => C:\Program Files (x86)\Common Files\TechSmith Shared\Updater\TSCUpdClt.exe [2013-10-04] (TechSmith Corporation) Task: {0C0C61F3-0B83-4E2C-BF7B-34B3C62AEA2C} - System32\Tasks\{8EC7710C-AA27-481F-AA29-958F3DAFAA91} => c:\software\opera\opera.exe [2014-04-24] (Opera Software) Task: {1AA5C656-54EE-4A64-93DF-480DBA5CBD38} - System32\Tasks\Divx-Online-Aktualisierungsprogramm => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe Task: {1FE4DCF9-529D-4850-947C-81EA35AFE33E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-08] (Google Inc.) 
Task: {27137393-D7F0-4A38-8F3E-E65D86A2D4FA} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013 => C:\Software\TuneUp Utilities\OneClick.exe [2014-04-15] (TuneUp Software) Task: {37C24CA7-5132-4FE6-8227-CA560B7FBED0} - System32\Tasks\CCleanerSkipUAC => C:\Software\CCleaner\CCleaner.exe [2014-07-23] (Piriform Ltd) Task: {4934B5DA-7CCF-487A-A432-C250B85F7BD0} - System32\Tasks\{5654C332-57E8-47A3-B5AD-49DF4DE31DE1} => C:\Program Files (x86)\thbi\PocketSMS\PocketSMS.exe Task: {4BA86D6E-2A20-4AF1-905C-CC163746F163} - System32\Tasks\Java Update Scheduler => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2014-09-26] (Oracle Corporation) Task: {4D0ACD21-3228-434D-81A6-81DDC93FEAC6} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc Task: {4D96E9E0-8649-4ABD-A962-F0D06C99E33E} - System32\Tasks\Norton Internet Security - superior - Work C => C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\navw32.exe [2011-09-19] (Symantec Corporation) Task: {5034040A-EBB5-4671-9E4B-65137B192949} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-12] (Adobe Systems Incorporated) Task: {6DA2E70F-2E36-46CC-B71E-77470476A3C7} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.) Task: {8A136EC4-A6DC-4140-8312-241B5E263BB9} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe Task: {8AC19292-820C-4BA9-9B40-CC57C05BF44B} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe Task: {90F67DD7-2401-4ABB-8327-8136AFBE7E4A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-08] (Google Inc.) 
Task: {9B0EF232-94AE-4C13-BFC6-6037F5849BD2} - System32\Tasks\Opera scheduled Autoupdate 1379079645 => C:\Software\Opera\launcher.exe [2014-11-14] (Opera Software) Task: {AE938D1E-7FD5-4905-B4F4-76C3CBC496A8} - System32\Tasks\{842F8698-D47D-461B-9C45-9D52B1233EAF} => c:\software\opera\opera.exe [2014-04-24] (Opera Software) Task: {AFB01180-B87A-441A-8A49-F9347D2CD802} - System32\Tasks\Adobe-Online-Aktualisierungsprogramm => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-10-25] (Adobe Systems Incorporated) Task: {B7A79FA1-F812-4F30-9681-8A22133D1DC1} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe Task: {D6BF3786-A84F-4952-B263-21EE5555B292} - System32\Tasks\{C00879C7-9663-43C3-97C6-1660731F899F} => C:\Program Files (x86)\thbi\PocketSMS\PocketSMS.exe Task: {D8A31332-4D33-4010-B5EE-3D33AAFBFAAA} - System32\Tasks\{D5A604F5-3011-45C4-86AC-76DED61DF203} => C:\Software\Skype\Phone\Skype.exe [2014-07-02] (Skype Technologies S.A.) 
Task: {EEE0B1A6-5DD1-44D6-994B-C7DA64385E10} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2011 => C:\Software\TuneUp Utilities\OneClick.exe [2014-04-15] (TuneUp Software) Task: {FB203881-70B9-4601-B79B-F469C1DEF1A0} - System32\Tasks\{EF228AEF-23C0-4A72-BC2E-022725514757} => C:\Program Files (x86)\thbi\PocketSMS\PocketSMS.exe Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\Norton Internet Security - superior - Work C.job => C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\navw32.exe ==================== Loaded Modules (whitelisted) ============= 2010-10-04 16:26 - 2008-01-11 05:19 - 00022016 _____ () C:\Windows\System32\ssp2ml6.dll 2010-10-05 16:23 - 2010-06-14 13:34 - 00043008 _____ () C:\Software\Active Desktop Calendar\MouseHook.dll 2013-10-01 09:32 - 2013-10-01 09:32 - 02818216 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll 2014-04-15 14:59 - 2014-04-15 14:59 - 00675640 _____ () C:\Software\TuneUp Utilities\avgrepliba.dll 2011-11-15 17:44 - 2011-11-15 17:44 - 02155848 _____ () C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe 2010-10-04 16:26 - 2009-08-15 05:38 - 00614400 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe 2010-10-04 16:26 - 2008-01-11 06:39 - 00327168 _____ () C:\Windows\Samsung\PanelMgr\caller64.exe 2012-06-18 16:24 - 2012-06-18 16:24 - 00222720 _____ () C:\Software\Notepad++\NppShell_05.dll 2014-02-12 19:58 - 2014-02-12 19:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll 2014-02-12 19:58 - 2014-02-12 19:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll 2014-05-21 07:00 - 
2014-04-25 13:11 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl 2014-05-21 07:00 - 2014-04-25 13:11 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl 2014-05-21 07:00 - 2014-04-25 13:11 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl 2014-05-21 07:00 - 2012-08-23 09:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll 2014-05-21 07:00 - 2012-04-03 16:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll 2014-04-14 15:41 - 2014-04-14 15:41 - 01261272 _____ () C:\Software\VMware Workstation\libxml2.dll 2008-03-12 21:00 - 2008-03-12 21:00 - 00059904 _____ () C:\Software\CursorFX\Stardock\CursorFX\zlib1.dll 2014-10-09 09:08 - 2014-10-09 09:08 - 00081056 _____ () C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.dll 2014-11-26 10:05 - 2014-11-26 10:05 - 00043008 _____ () c:\users\superior\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpx2_j3u.dll 2013-08-23 20:01 - 2013-08-23 20:01 - 25100288 _____ () C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\libcef.dll 2014-10-09 09:08 - 2014-10-09 09:08 - 00081056 _____ () C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.DLL 2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF 2014-02-04 17:25 - 2014-02-04 17:25 - 00036672 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\qt_icontray_ex.dll 2014-02-04 17:25 - 2014-02-04 17:25 - 00028992 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\thread_pool.dll 2013-10-10 11:02 - 2013-10-10 11:02 - 00013120 _____ () C:\Program Files (x86)\Common Files\Acronis\TibMounter\icudt38.dll 2014-02-04 17:28 - 2014-02-04 17:28 - 00420160 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\ulxmlrpcpp.dll 
==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) AlternateDataStreams: C:\ProgramData\CLDShowX.ini:Update.CL ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UnsignedThemes => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UnsignedThemes => ""="Service" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) ========================= Accounts: ========================== Administrator (S-1-5-21-306363081-4155975274-668329838-500 - Administrator - Disabled) Gast (S-1-5-21-306363081-4155975274-668329838-501 - Limited - Disabled) HomeGroupUser$ (S-1-5-21-306363081-4155975274-668329838-1002 - Limited - Enabled) muad'dib (S-1-5-21-306363081-4155975274-668329838-1003 - Limited - Enabled) => C:\Users\muad'dib superior (S-1-5-21-306363081-4155975274-668329838-1001 - Administrator - Enabled) => C:\Users\superior ==================== Faulty Device Manager Devices ============= Name: NVIDIA nForce-Netzwerkcontroller Description: NVIDIA nForce-Netzwerkcontroller Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: NVIDIA Service: NVENETFD Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. 
Name: StorLib bus (virtual storages support) Description: StorLib bus (virtual storages support) Class Guid: {1378e71b-ab4d-4348-af26-cba56b12969e} Manufacturer: SugarSync Service: SSCBFS3 Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19) Resolution: A registry problem was detected. This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options: On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver. ==================== Event log errors: ========================= Application errors: ================== Error: (11/25/2014 02:57:56 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Beschreibung = Geplanter Prüfpunkt; Fehler = 0x80070422). Error: (11/24/2014 04:25:48 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (11/24/2014 04:24:40 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". 
Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (11/24/2014 04:23:45 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (11/23/2014 10:47:15 AM) (Source: System Restore) (EventID: 8193) (User: ) Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Beschreibung = Geplanter Prüfpunkt; Fehler = 0x80070422). Error: (11/20/2014 02:07:07 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\servicing\TrustedInstaller.exe; Beschreibung = Windows Modules Installer; Fehler = 0x80070422). Error: (11/20/2014 02:07:05 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\svchost.exe -k netsvcs; Beschreibung = Windows Update; Fehler = 0x80070422). 
Error: (11/17/2014 05:12:28 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: bsplayer.exe, Version: 2.6.7.1076, Zeitstempel: 0x2a425e19 Name des fehlerhaften Moduls: bsrendv2.dll, Version: 2.0.0.0, Zeitstempel: 0x52132b86 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000956cc ID des fehlerhaften Prozesses: 0x66c Startzeit der fehlerhaften Anwendung: 0xbsplayer.exe0 Pfad der fehlerhaften Anwendung: bsplayer.exe1 Pfad des fehlerhaften Moduls: bsplayer.exe2 Berichtskennung: bsplayer.exe3 Error: (11/16/2014 00:34:55 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: bsplayer.exe, Version: 2.6.7.1076, Zeitstempel: 0x2a425e19 Name des fehlerhaften Moduls: bsrendv2.dll, Version: 2.0.0.0, Zeitstempel: 0x52132b86 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00096266 ID des fehlerhaften Prozesses: 0x1640 Startzeit der fehlerhaften Anwendung: 0xbsplayer.exe0 Pfad der fehlerhaften Anwendung: bsplayer.exe1 Pfad des fehlerhaften Moduls: bsplayer.exe2 Berichtskennung: bsplayer.exe3 Error: (11/12/2014 03:37:24 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\servicing\TrustedInstaller.exe; Beschreibung = Windows Modules Installer; Fehler = 0x80070422). System errors: ============= Error: (11/26/2014 10:15:15 AM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT-AUTORITÄT) Description: Überprüfung des verschlüsselten Volumes: Die Volumeinformationen auf "" können nicht gelesen werden. Error: (11/26/2014 10:15:14 AM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR3 gefunden. Error: (11/26/2014 10:05:48 AM) (Source: Service Control Manager) (EventID: 7024) (User: ) Description: Der Dienst "VMware Workstation Server" wurde mit folgendem dienstspezifischem Fehler beendet: %%-1. 
Error: (11/25/2014 07:01:52 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden. Error: (11/25/2014 07:01:52 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden. Error: (11/25/2014 07:01:51 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden. Error: (11/25/2014 07:01:51 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden. Error: (11/25/2014 07:01:50 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden. Error: (11/25/2014 07:01:47 PM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT-AUTORITÄT) Description: Überprüfung des verschlüsselten Volumes: Die Volumeinformationen auf "" können nicht gelesen werden. Error: (11/25/2014 07:01:47 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden. 
Microsoft Office Sessions: ========================= Error: (11/25/2014 02:57:56 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationGeplanter Prüfpunkt0x80070422 Error: (11/24/2014 04:25:48 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Users\superior\AppData\Local\Temp\_MEI62962\detekt.exe.manifest Error: (11/24/2014 04:24:40 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Users\superior\AppData\Local\Temp\_MEI38962\detekt.exe.manifest Error: (11/24/2014 04:23:45 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Users\superior\AppData\Local\Temp\_MEI58202\detekt.exe.manifest Error: (11/23/2014 10:47:15 AM) (Source: System Restore) (EventID: 8193) (User: ) Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationGeplanter Prüfpunkt0x80070422 Error: (11/20/2014 02:07:07 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x80070422 Error: (11/20/2014 02:07:05 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x80070422 Error: (11/17/2014 05:12:28 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: bsplayer.exe2.6.7.10762a425e19bsrendv2.dll2.0.0.052132b86c0000005000956cc66c01d002813d38ec93C:\Software\BSPlayer Pro\BSplayerPro\bsplayer.exeC:\Software\BSPlayer Pro\BSplayerPro\bsrendv2.dll865ae9ba-6e74-11e4-99ee-005056c00008 Error: (11/16/2014 00:34:55 PM) (Source: Application Error) 
(EventID: 1000) (User: ) Description: bsplayer.exe2.6.7.10762a425e19bsrendv2.dll2.0.0.052132b86c000000500096266164001d001913a427ea6C:\Software\BSPlayer Pro\BSplayerPro\bsplayer.exeC:\Software\BSPlayer Pro\BSplayerPro\bsrendv2.dll959433d1-6d84-11e4-82e1-005056c00008 Error: (11/12/2014 03:37:24 PM) (Source: System Restore) (EventID: 8193) (User: ) Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x80070422 CodeIntegrity Errors: =================================== Date: 2013-01-12 14:14:22.908 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:14:22.640 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:14:16.486 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. 
Date: 2013-01-12 14:14:16.199 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:13:52.003 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:13:51.697 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:13:28.455 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. 
Date: 2013-01-12 14:13:28.132 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:12:09.055 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2013-01-12 14:12:08.784 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. 
==================== Memory info =========================== Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ Percentage of memory in use: 43% Total physical RAM: 4095.55 MB Available physical RAM: 2312.93 MB Total Pagefile: 8189.29 MB Available Pagefile: 6286.14 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive c: (Host) (Fixed) (Total:150 GB) (Free:78.06 GB) NTFS Drive d: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS Drive e: (CRUZER) (Removable) (Total:7.48 GB) (Free:7.41 GB) NTFS Drive t: (Daten) (Fixed) (Total:71.41 GB) (Free:33.17 GB) NTFS Drive y: (Backup) (Fixed) (Total:360 GB) (Free:232.58 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 372.6 GB) (Disk ID: 93937C56) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=150 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=70 GB) - (Type=07 NTFS) Partition 4: (Not Active) - (Size=152.5 GB) - (Type=05) ======================================================== Disk: 1 (Size: 931.5 GB) (Disk ID: ADE50C3E) Partition 1: (Active) - (Size=500.1 GB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=71.4 GB) - (Type=OF Extended) Partition 3: (Not Active) - (Size=360 GB) - (Type=07 NTFS) ======================================================== Disk: 2 (Size: 931.5 GB) (Disk ID: 0AA42E08) Partition 2: (Active) - (Size=931.5 GB) - (Type=05) ======================================================== Disk: 3 (Size: 7.5 GB) (Disk ID: CA75C652) Partition 1: (Not Active) - (Size=7.5 GB) - (Type=07 NTFS) ==================== End Of Log ============================ |
27.11.2014, 08:07 | #6 |
/// the machine /// TB-Ausbilder | All clean.
27.11.2014, 09:23 | #7 |
| So DETEKT is a pretty dubious program, isn't it!? Thank you very much, Schrauber!! PS: Please close and delete the thread, Schrauber! Thanks! |
28.11.2014, 08:28 | #8 |
/// the machine /// TB-Ausbilder | No threads get deleted here, you did read the forum rules. Detekt may be OK in its basic idea, but it is terribly badly implemented.
__________________ Regards, schrauber. Proud Member of UNITE and ASAP since 2009 |