|
Log-Analyse und Auswertung: Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\LocalWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
26.12.2014, 13:48 | #1 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Hallo und frohe Weihnachten! Habe mir offenbar leider einen/mehrere Trojaner eingefangen, die ich nun selbst nicht mehr wegbekomme. Hinweise: - Ich sehe immer wieder Prozesse im Task Manager, die offenbar Trojaner sind (z.B. pibaad.exe oder immer wieder exe-Dateien, die mit tmp... beginnen). Diese Dateien liegen im Verzeichnis C:\ProgramData\Microsoft\Secure\Icons\temp - Aktuell zum Beispiel das File tmpFF90.exe - Löschen bringt nichts, irgendwie kommen diese Files dort immer wieder rein - Im Verzeichnis C:\Users\Admin\AppData\Local liegen Ordner mit Dateien, die sich nicht löschen lassen, ich denke dass diese auch damit zu tun haben - aktuell zum Beispiel der Ordner "IDSoft" - Aufgefallen ist mir das Problem zuerst durch den Task Manager, dort waren immer wieder verschiedene Internet Explorer (iexplore.exe) geöffnet, obwohl ich keinen Internet Explorer verwende. Scheinen sich selbst geöffnet zu haben, die Prozesse wurden auch immer mehr. Dieses Verhalten tritt momentan aber nicht mehr auf. Bitte um Hilfe. Besten Dank im Voraus! Logfiles als Anhang, waren leider zu groß. |
26.12.2014, 14:38 | #2 |
/// the machine /// TB-Ausbilder | Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Hi,
__________________Logs bitte immer in den Thread posten. Zur Not aufteilen und mehrere Posts nutzen. Ich kann auf Arbeit keine Anhänge öffnen, danke. So funktioniert es: Posten in CODE-Tags Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
__________________ |
26.12.2014, 15:14 | #3 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local achso, okay, kann ich gern machen:
__________________defogger_disable.log: Code:
ATTFilter defogger_disable by jpshortstuff (23.02.10.1) Log created at 11:59 on 26/12/2014 (Admin) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=- FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-12-2014 Ran by Admin (administrator) on ADMIN-PC on 26-12-2014 12:00:28 Running from C:\Users\Admin\Desktop Loaded Profile: Admin (Available profiles: Admin) Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AMD) C:\Windows\System32\atiesrxx.exe (Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (AMD) C:\Windows\System32\atieclxx.exe (SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe (Greenshot) C:\Program Files\Greenshot\Greenshot.exe (Azureus Software, Inc) C:\Program Files\Vuze\Azureus.exe (Spotify Ltd) C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe (Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Schnapper-Software Robert Beer) C:\Program Files (x86)\SchnapperPro\TimeSync.exe (Schnapper-Software Robert Beer) C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe (Nero AG) C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Microsoft Corporation) C:\Windows\System32\taskmgr.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe (SAP AG) C:\Program Files (x86)\SAP\SapSetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2012-03-26] (VIA Technologies, Inc.) HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot) HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe" HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation) HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation) HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation) HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-09] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [NBAgent] => C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1234216 2010-03-26] (Nero AG) HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383544 2012-12-14] (Citrix Systems, Inc.) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Azureus] => C:\Program Files\Vuze\Azureus.exe [346424 2014-08-12] (Azureus Software, Inc) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmpFF90.exe HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.) Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk ShortcutTarget: CodeMeter Control Center.lnk -> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (WIBU-SYSTEMS AG) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SchnapperPro.lnk ShortcutTarget: SchnapperPro.lnk -> C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Schnapper-Software Robert Beer) ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll () ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation) BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation) Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf) Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf) Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt Tcpip\Parameters: [DhcpNameServer] 10.0.0.138 FireFox: ======== FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364 FF SelectedSearchEngine: Google FF Homepage: about:home FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll () FF Plugin: @microsoft.com/GENUINE -> disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll () FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.) FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin HKU\S-1-5-21-3347311179-4269016646-269938500-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online) FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26] FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26] Chrome: ======= CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 a2AntiMalware; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH) R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG) R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG) R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-25] (SurfRight B.V.) R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [165568 2012-06-19] (SAP AG) R2 SchnapperPro-TimeSync; C:\Program Files (x86)\SchnapperPro\TimeSync.exe [45664 2007-08-30] (Schnapper-Software Robert Beer) S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed] ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH) R1 A2DDA; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH) R1 a2injectiondriver; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH) R1 a2util; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-01] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-01] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-24] (Avira Operations GmbH & Co. KG) R3 cleanhlp; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH) R2 ei2c; C:\Windows\system32\drivers\ei2c.sys [20784 2014-08-30] (Nicomsoft Ltd.) S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [357968 2011-07-07] () [File not signed] S3 gbxavs_x64; C:\Windows\System32\Drivers\gbxavs_x64.sys [46096 2008-11-20] (Native Instruments GmbH) S3 gbxusb_x64; C:\Windows\System32\Drivers\gbxusb_x64.sys [250896 2008-11-20] (Native Instruments GmbH) R3 ka6avs; C:\Windows\System32\Drivers\ka6avs.sys [359784 2012-12-18] (Native Instruments GmbH) R3 ka6usb_svc; C:\Windows\System32\Drivers\ka6usb.sys [85864 2012-12-18] (Native Instruments GmbH) S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [23968 2013-02-07] (Resplendence Software Projects Sp.) S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [53760 2012-09-28] (Apple, Inc.) [File not signed] R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2012-03-26] (VIA Technologies, Inc.) R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2012-03-26] (VIA Technologies, Inc.) S3 catchme; \??\C:\ComboFix\catchme.sys [X] S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X] S3 tsusbhub; system32\drivers\tsusbhub.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2014-12-26 12:00 - 2014-12-26 12:00 - 00016986 _____ () C:\Users\Admin\Desktop\FRST.txt 2014-12-26 11:59 - 2014-12-26 11:59 - 00000472 _____ () C:\Users\Admin\Desktop\defogger_disable.log 2014-12-26 11:59 - 2014-12-26 11:59 - 00000000 _____ () C:\Users\Admin\defogger_reenable 2014-12-26 11:58 - 2014-12-26 11:59 - 00050477 _____ () C:\Users\Admin\Desktop\Defogger.exe 2014-12-26 11:50 - 2014-12-26 11:50 - 00000004 ____H () C:\ProgramData\cm-lock 2014-12-26 11:48 - 2014-12-26 11:48 - 00003874 _____ () C:\EamClean.log 2014-12-26 00:41 - 2014-12-26 00:41 - 00852505 _____ () C:\Users\Admin\Downloads\SecurityCheck.exe 2014-12-26 00:39 - 2014-12-26 00:39 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-12-26 00:38 - 2014-12-26 00:38 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu.exe 2014-12-26 00:36 - 2014-12-26 12:00 - 00000000 ____D () C:\FRST 2014-12-26 00:36 - 2014-12-26 11:41 - 00044595 _____ () C:\Users\Admin\Downloads\FRST.txt 2014-12-26 00:36 - 2014-12-26 00:37 - 00037320 _____ () C:\Users\Admin\Downloads\Addition.txt 2014-12-26 00:34 - 2014-12-26 00:34 - 00000621 _____ () C:\Users\Admin\Desktop\JRT.txt 2014-12-26 00:20 - 2014-12-26 00:20 - 02122240 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe 2014-12-26 00:07 - 2014-12-26 00:07 - 00023592 _____ () C:\ComboFix.txt 2014-12-25 23:53 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe 2014-12-25 23:51 - 2014-12-25 23:51 - 00709564 _____ () C:\Users\Admin\Downloads\delfix_10.8.exe 2014-12-25 23:26 - 2014-12-26 00:07 - 00000000 ____D () C:\Qoobox 2014-12-25 23:26 - 2014-12-25 23:47 - 00000000 ____D () C:\Windows\erdnt 2014-12-25 23:26 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-12-25 23:26 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-12-25 23:26 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe 2014-12-25 23:24 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe 2014-12-25 17:05 - 2014-12-25 17:05 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk 2014-12-25 17:05 - 2014-12-25 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware 2014-12-25 17:04 - 2014-12-26 11:51 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware 2014-12-25 16:57 - 2014-12-25 16:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe 2014-12-25 16:51 - 2014-12-25 16:54 - 170741736 _____ (Emsisoft Ltd ) C:\Users\Admin\Downloads\EmsisoftAntiMalwareSetup.exe 2014-12-25 13:48 - 2014-12-25 13:48 - 00007506 _____ () C:\Windows\system32\.crusader 2014-12-25 13:38 - 2014-12-25 13:49 - 00000000 ____D () C:\ProgramData\HitmanPro 2014-12-25 13:38 - 2014-12-25 13:38 - 00001912 _____ () C:\Users\Public\Desktop\HitmanPro.lnk 2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro 2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\Program Files\HitmanPro 2014-12-25 13:04 - 2014-12-25 13:05 - 11222744 _____ (SurfRight B.V.) C:\Users\Admin\Downloads\HitmanPro_x64.exe 2014-12-25 12:18 - 2014-12-25 12:18 - 00000194 _____ () C:\Users\Admin\Downloads\hosts-perm.bat 2014-12-25 11:44 - 2014-12-26 11:41 - 00002764 _____ () C:\Users\Admin\Desktop\Rkill.txt 2014-12-25 11:11 - 2014-12-25 11:11 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\blabka4.exe 2014-12-24 17:17 - 2014-12-24 17:17 - 00001801 _____ () C:\Users\Public\Desktop\Vuze.lnk 2014-12-24 16:43 - 2014-12-24 16:43 - 02953520 _____ (AVAST Software) C:\Users\Admin\Downloads\avast-browser-cleanup.exe 2014-12-24 16:34 - 2014-12-24 16:34 - 00000000 ____D () C:\Windows\ERUNT 2014-12-24 16:04 - 2014-12-26 11:47 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-12-24 16:04 - 2014-12-24 16:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-12-24 16:04 - 2014-12-24 16:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-12-24 16:04 - 2014-12-24 16:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-12-24 14:11 - 2014-12-24 14:11 - 00001271 _____ () C:\Users\Admin\Desktop\Revo Uninstaller.lnk 2014-12-24 14:11 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group 2014-12-24 14:10 - 2014-12-24 14:10 - 01707646 _____ (Thisisu) C:\Users\Admin\Desktop\JRT.exe 2014-12-24 14:09 - 2014-12-24 14:09 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Admin\Downloads\revosetup.exe 2014-12-24 14:08 - 2014-12-24 14:08 - 01940728 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\rkill.exe 2014-12-24 13:50 - 2014-12-24 13:50 - 02173952 _____ () C:\Users\Admin\Desktop\AdwCleaner_4.106.exe 2014-12-19 13:46 - 2014-12-19 13:46 - 00001723 _____ () C:\Users\Admin\Desktop\Computer.lnk 2014-12-18 08:52 - 2014-12-13 06:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-12-18 08:52 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-12-17 22:17 - 2014-12-17 22:17 - 00003133 _____ () C:\Users\Public\Desktop\Nero BackItUp 10.lnk 2014-12-17 22:16 - 2014-12-17 22:16 - 00002937 _____ () C:\Users\Public\Desktop\Nero Burning ROM 10.lnk 2014-12-17 22:14 - 2014-12-17 22:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero 2014-12-17 20:59 - 2014-12-17 21:06 - 00000000 ____D () C:\Users\Admin\Desktop\volvo verkauf autoscout 2014-12-17 19:39 - 2014-12-17 19:39 - 00001156 _____ () C:\Users\Public\Desktop\etope 8 starten.lnk 2014-12-16 22:06 - 2014-12-24 14:17 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Line 6 2014-12-16 22:05 - 2014-12-17 18:49 - 00001137 _____ () C:\Users\Public\Desktop\Reason Essentials.lnk 2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\Program Files (x86)\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\ProgramData\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\Propellerhead 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\CodeMeter 2014-12-16 19:49 - 2014-12-16 19:49 - 00000000 ____D () C:\Windows\pss 2014-12-16 19:13 - 2014-12-16 19:13 - 00000000 ____D () C:\ProgramData\Adobe Systems 2014-12-16 18:29 - 2014-12-16 18:29 - 02166272 _____ () C:\Users\Admin\Downloads\adwcleaner_4.105.exe 2014-12-16 18:28 - 2014-12-26 00:10 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-12-16 18:28 - 2014-12-16 18:28 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-12-16 18:28 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-12-16 18:28 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-12-16 18:28 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-12-16 18:27 - 2014-12-16 18:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-2.0.4.1028.exe 2014-12-11 03:24 - 2014-12-11 03:24 - 00000000 ____D () C:\Windows\system32\appraiser 2014-12-11 03:02 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll 2014-12-11 03:02 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll 2014-12-10 19:37 - 2014-12-16 20:05 - 00000000 _____ () C:\ProgramData\@system.temp 2014-12-10 19:36 - 2014-12-16 20:30 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\FrameworkUpdate 2014-12-10 19:36 - 2014-12-10 19:36 - 00000480 ____H () C:\Users\Admin\AppData\Roaming\麽鎒駓覜 2014-12-10 08:43 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll 2014-12-10 08:43 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-12-10 08:43 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe 2014-12-10 08:42 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2014-12-10 08:42 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-12-10 08:42 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-12-10 08:42 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-12-10 08:42 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-12-10 08:42 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-12-10 08:42 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-12-10 08:42 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-12-10 08:42 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-12-10 08:42 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2014-12-10 08:42 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-12-10 08:42 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-12-10 08:42 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-12-10 08:42 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-12-10 08:42 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-12-10 08:42 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-12-10 08:42 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-12-10 08:42 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-12-10 08:42 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-12-10 08:42 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-12-10 08:42 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-12-10 08:42 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-12-10 08:42 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-12-10 08:42 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-12-10 08:42 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-12-10 08:42 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-12-10 08:42 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-12-10 08:42 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-12-10 08:42 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-12-10 08:42 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-12-10 08:42 - 2014-11-22 02:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-12-10 08:42 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-12-10 08:42 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-12-10 08:42 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-12-10 08:42 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-12-10 08:42 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-12-10 08:42 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-12-10 08:42 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-12-10 08:42 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-12-10 08:42 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-12-10 08:42 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-12-10 08:42 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-12-10 08:42 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-12-10 08:42 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-12-10 08:42 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-12-10 08:42 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-12-10 08:42 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-12-10 08:42 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-12-10 08:42 - 2014-11-22 02:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-12-10 08:42 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-12-10 08:42 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-12-10 08:42 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-12-10 08:42 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-12-10 08:42 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-12-10 08:42 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll 2014-12-10 08:42 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll 2014-12-10 08:42 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys 2014-12-10 08:42 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe 2014-12-10 08:42 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe 2014-12-10 08:42 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll 2014-12-10 08:42 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe 2014-12-10 08:42 - 2014-10-03 02:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll 2014-12-10 08:42 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe 2014-12-10 08:41 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll 2014-12-10 08:41 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll 2014-12-09 21:04 - 2014-12-09 21:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Oracle 2014-12-09 09:14 - 2014-12-09 09:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-12-08 19:34 - 2014-12-08 19:34 - 00000000 ____D () C:\ProgramData\PACE 2014-12-08 19:19 - 2014-12-24 14:22 - 00000000 ____D () C:\Users\Admin\Documents\iZotope 2014-12-08 19:12 - 2014-12-26 11:52 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft 2014-12-08 19:12 - 2014-12-26 10:53 - 00000000 ____D () C:\Users\Admin\AppData\Local\Ejmtion 2014-12-07 00:22 - 2014-12-07 00:22 - 01389910 _____ () C:\Users\Admin\Downloads\mp3bee3.exe 2014-12-06 20:08 - 2014-12-06 20:08 - 00025478 _____ () C:\Users\Admin\Desktop\1131_I-Wont-be-Home-for-Christmas.mid 2014-12-06 20:04 - 2014-12-06 20:04 - 00028918 _____ () C:\Users\Admin\Desktop\Blink_182_-_I_Won't_Be_Home_for_Christmas.mid 2014-12-02 22:14 - 2014-12-02 22:14 - 04990667 _____ () C:\Users\Admin\Desktop\10433298_10204168401239201_2025431251_n.mp4 2014-11-30 16:23 - 2014-12-08 12:29 - 00000000 ____D () C:\Users\Admin\Desktop\5825 2014-11-30 12:59 - 2014-12-18 14:55 - 00000000 ____D () C:\Users\Admin\Desktop\facebook 2014-11-28 20:44 - 2014-11-28 12:13 - 00000000 ____D () C:\Users\Admin\Desktop\Haftbefehl-Russisch_Roulette-2CD-Deluxe_Edition-DE-2014-NOiR 2014-11-28 15:09 - 2014-11-28 16:09 - 184667365 _____ () C:\Users\Admin\Downloads\Haf-RuRo2CDeEdDE20NO.zip ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2014-12-26 12:00 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-12-26 12:00 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-12-26 11:59 - 2013-03-31 16:13 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Azureus 2014-12-26 11:59 - 2013-03-30 17:29 - 00000000 ____D () C:\Users\Admin 2014-12-26 11:57 - 2013-03-31 00:28 - 01683050 _____ () C:\Windows\WindowsUpdate.log 2014-12-26 11:55 - 2009-07-14 18:58 - 00702980 _____ () C:\Windows\system32\perfh007.dat 2014-12-26 11:55 - 2009-07-14 18:58 - 00150620 _____ () C:\Windows\system32\perfc007.dat 2014-12-26 11:55 - 2009-07-14 06:13 - 01629444 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-12-26 11:51 - 2013-04-03 21:41 - 00000000 ___RD () C:\Users\Admin\Dropbox 2014-12-26 11:51 - 2013-04-03 21:39 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Dropbox 2014-12-26 11:50 - 2013-04-04 20:00 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SchnapperPro 2014-12-26 11:49 - 2013-05-01 22:29 - 00268308 _____ () C:\Windows\setupact.log 2014-12-26 11:49 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-12-26 11:48 - 2013-05-01 22:28 - 00230156 _____ () C:\Windows\PFRO.log 2014-12-26 02:00 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe 2014-12-26 01:22 - 2013-03-31 14:01 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc 2014-12-26 00:26 - 2014-08-30 17:51 - 00000000 ____D () C:\AdwCleaner 2014-12-26 00:06 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini 2014-12-25 23:49 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default 2014-12-25 23:16 - 2013-03-30 18:07 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D7B81C1-8B06-4916-B13D-931EF0D2FBD7} 2014-12-25 13:50 - 2013-06-21 18:50 - 00000000 ____D () C:\Users\Admin\AppData\Local\Greenshot 2014-12-25 13:47 - 2014-11-16 23:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\JDownloader 2.0 2014-12-25 12:47 - 2014-02-26 03:02 - 01648918 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI 2014-12-25 11:39 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing 2014-12-24 17:17 - 2013-03-31 16:13 - 00001801 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk 2014-12-24 17:17 - 2013-03-31 16:13 - 00000000 ____D () C:\Program Files\Vuze 2014-12-24 14:50 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Help 2014-12-24 14:27 - 2014-08-05 17:48 - 00000000 ____D () C:\ProgramData\Package Cache 2014-12-24 14:24 - 2013-03-30 17:59 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information 2014-12-24 14:22 - 2013-04-05 18:08 - 00000000 ____D () C:\Program Files\Common Files\VST3 2014-12-24 14:21 - 2013-04-07 10:11 - 00000000 ____D () C:\Program Files (x86)\Java 2014-12-24 14:18 - 2013-03-31 16:23 - 00000000 ____D () C:\Program Files (x86)\Adobe 2014-12-24 14:18 - 2013-03-31 03:19 - 00000000 ____D () C:\ProgramData\Adobe 2014-12-24 14:14 - 2013-04-01 08:35 - 00000000 ____D () C:\Users\Admin\AppData\Local\Citrix 2014-12-24 14:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Cursors 2014-12-20 21:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\L2Schemas 2014-12-19 14:11 - 2013-03-31 00:23 - 00000000 ____D () C:\Windows\Panther 2014-12-19 14:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\schemas 2014-12-18 20:14 - 2013-05-18 11:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Spotify 2014-12-18 15:55 - 2013-05-18 11:33 - 00000000 ____D () C:\Users\Admin\AppData\Local\Spotify 2014-12-17 22:21 - 2013-04-01 18:04 - 00000000 ____D () C:\Program Files (x86)\Nero 2014-12-17 21:55 - 2014-08-30 12:41 - 00000000 ____D () C:\Temp 2014-12-17 19:39 - 2014-04-27 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\etope 8 2014-12-16 22:14 - 2009-07-14 05:45 - 11266360 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-12-16 22:13 - 2013-05-01 10:12 - 00000000 ____D () C:\ProgramData\Propellerhead Software 2014-12-16 22:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports 2014-12-16 22:06 - 2013-05-01 10:12 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Propellerhead Software 2014-12-16 22:05 - 2013-05-01 10:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Propellerhead 2014-12-16 19:53 - 2014-09-13 16:03 - 00000000 ____D () C:\Program Files (x86)\AntiTwin 2014-12-16 19:47 - 2013-06-19 18:24 - 00000000 ____D () C:\Program Files\ARIS Express 2014-12-16 19:40 - 2013-03-30 17:44 - 00440744 _____ () C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT 2014-12-16 19:15 - 2013-03-30 18:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe 2014-12-16 19:12 - 2013-03-31 16:04 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2014-12-16 19:11 - 2013-09-01 20:02 - 00000000 ____D () C:\Users\Admin\.android 2014-12-14 03:00 - 2013-03-30 17:34 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-12-13 03:22 - 2013-08-30 17:11 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox 2014-12-11 03:55 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache 2014-12-11 03:26 - 2014-08-30 15:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service 2014-12-11 03:24 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions 2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat 2014-12-11 03:07 - 2013-07-23 02:00 - 00000000 ____D () C:\Windows\system32\MRT 2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-12-09 21:04 - 2013-11-24 11:03 - 00000000 ____D () C:\ProgramData\Oracle 2014-12-09 20:08 - 2014-11-03 17:17 - 00001144 _____ () C:\Users\Public\Desktop\Avira.lnk 2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira 2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\Program Files (x86)\Avira 2014-12-09 20:02 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT 2014-12-08 19:44 - 2013-04-01 15:27 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\iZotope 2014-12-07 12:06 - 2014-05-01 10:37 - 00022016 ___SH () C:\Users\Admin\Thumbs.db Some content of TEMP: ==================== C:\Users\Admin\AppData\Local\Temp\avgnt.exe C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll C:\Users\Admin\AppData\Local\Temp\Quarantine.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-12-25 07:54 ==================== End Of Log ============================ --- --- --- Addition.txt Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-12-2014 Ran by Admin at 2014-12-26 12:00:54 Running from C:\Users\Admin\Desktop Boot Mode: Normal ========================================================== ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Avira Desktop (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859} AS: Avira Desktop (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4} AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated) Adobe CSI CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden Adobe Drive CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden Adobe Flash CS4 Professional (HKLM-x32\...\Adobe_a68eec966ce913ddaa63251dc82ed31) (Version: 10.0 - Adobe Systems Incorporated) Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated) Adobe Flash Professional CS6 (HKLM-x32\...\{BD5669B5-49FF-4490-B956-E9D7CB9B0ADC}) (Version: 12.0 - Adobe Systems Incorporated) Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated) Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated) Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated) AMD Catalyst Install Manager (HKLM\...\{6119B3A6-3603-9695-0398-CDF2AF0A13F8}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.) Antares Auto-Tune v4.39 (HKLM-x32\...\Antares Auto-Tune v4.39) (Version: - ) Arturia Arp2600 V v1.0 (HKLM-x32\...\Arturia Arp2600 V v1.0) (Version: - ) Arturia CS-80V v1.5 (HKLM-x32\...\Arturia CS-80V v1.5) (Version: - ) Arturia Moog Modular V2 v1.0 (HKLM-x32\...\Arturia Moog Modular V2 v1.0) (Version: - ) ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.11 Beta1 - Michael Tippach) Audio Bro LA Scoring Strings (HKLM-x32\...\Audio Bro LA Scoring Strings) (Version: - Audio Bro) Audio Bro LA Scoring Strings (Version: 1.0.0.001 - Audio Bro) Hidden Authorizer 2.7.0 (HKLM\...\{F6762963-9AE5-4bc6-A70F-2D749F6AC02F}_is1) (Version: 2.7.0 - Propellerhead Software AB) Authorizer Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden Avira (HKLM-x32\...\{e7c7c227-b742-4878-9425-f09bbf9951db}) (Version: 1.1.27.25527 - Avira Operations & Co. KG) Avira (x32 Version: 1.1.27.25527 - Avira Operations & Co. KG) Hidden Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.468 - Avira) Bass Station 1.6 (HKLM-x32\...\{ABAF1232-6213-4062-9D52-04E04A730CEA}_is1) (Version: 1.6 - Novation Digital Music Systems Ltd.) CCleaner (HKLM\...\CCleaner) (Version: 4.01 - Piriform) Celemony Melodyne Plugin VST RTAS v1.0 (HKLM-x32\...\Celemony Melodyne Plugin_is1) (Version: - ) Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix) Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.4.0.25 - Citrix Systems, Inc.) Connect (x32 Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation) discoDSP Phantom VSTi v1.2 (HKLM-x32\...\discoDSP Phantom_is1) (Version: - ) Dropbox (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.) Edirol HQ Orchestral v1.01 (HKLM-x32\...\Edirol HQ Orchestral v1.01) (Version: - ) Edirol Hyper Canvas VSTi DXi 1.6.0 (HKLM-x32\...\Edirol Hyper Canvas VSTi DXi_is1) (Version: - ) Edirol Super Quartet v1.52 TALiO (HKLM-x32\...\Edirol Super Quartet v1.52 TALiO) (Version: - ) EF Duplicate Files Manager (HKLM-x32\...\EF Duplicate Files Manager) (Version: - EFSoftware) eLicenser Control (HKLM-x32\...\eLicenser Control) (Version: - Steinberg Media Technologies GmbH) Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd) Engineering Client Viewer 7.0 (HKLM-x32\...\SAP_Engineering Client Viewer 7.0) (Version: - SAP AG) ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - ) etope 8 (HKLM-x32\...\etope_is1) (Version: - Freshworx GmbH & Co. KG) EZdrummer (HKLM-x32\...\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}) (Version: 1.0 - Toontrack) EZXClaustrophobic (HKLM-x32\...\{8094F7AE-CA21-4AF2-A256-BC918CE0E796}) (Version: 1.0 - Toontrack) EZXCocktail (HKLM-x32\...\{147567F0-8575-4BE0-B5B3-62706C67FA5A}) (Version: 1.0 - Toontrack) EZXDfh (HKLM-x32\...\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}) (Version: 1.0 - Toontrack) EZXNashville (HKLM-x32\...\{82DF9225-13EC-41BD-BE31-AAB121B38166}) (Version: 1.0 - Toontrack) EZXPercussion (HKLM-x32\...\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}) (Version: 1.0 - Toontrack) EZXTwisted (HKLM-x32\...\{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}) (Version: 1.0 - Toontrack) FabFilter Pro-Q VST RTAS v1.00 (HKLM-x32\...\FabFilter Pro-Q VST RTAS_is1) (Version: - TEAM AiR) FabFilter Timeless VST RTAS v1.01 (HKLM-x32\...\FabFilter Timeless_is1) (Version: - ) FileZilla Client 3.9.0.3 (HKLM-x32\...\FileZilla Client) (Version: 3.9.0.3 - Tim Kosse) Free MP4 Video Converter version 5.0.48.923 (HKLM-x32\...\Free MP4 Video Converter_is1) (Version: 5.0.48.923 - DVDVideoSoft Ltd.) Free YouTube to MP3 Converter version 3.12.44.908 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.44.908 - DVDVideoSoft Ltd.) Futureaudioworkshop Circle VSTi RTAS v1.03 (HKLM-x32\...\Futureaudioworkshop Circle VSTi RTAS_is1) (Version: - ) Greenshot 1.1.9.13 (HKLM\...\Greenshot_is1) (Version: 1.1.9.13 - Greenshot) High-Definition Video Playback 10 (x32 Version: 7.0.11400.29.0 - Nero AG) Hidden HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.) Image Line ToxicIII v1.41 VSTi (HKLM-x32\...\Image Line ToxicIII v1.41 VSTi) (Version: - ) Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation) Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.5.235 - Intel Corporation) JDownloader 2 (HKLM\...\jdownloader2) (Version: 2.0 - AppWork GmbH) KORG M1 Le (HKLM-x32\...\{9624502C-3D39-41A0-8917-858EC16769CE}) (Version: 1.0.4 - KORG Inc.) kuler (x32 Version: 2.0 - Adobe Systems Incorporated) Hidden Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation) ManyGuitar 1.0 (HKLM-x32\...\ManyGuitar_is1) (Version: - ManyTone) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft) Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation) Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation) Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation) Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation) Microsoft Project Professional 2013 (HKLM-x32\...\Office15.PRJPROR) (Version: 15.0.4569.1506 - Microsoft Corporation) Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP) Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG) Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32\...\{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) MixMeister BPM Analyzer 1.0 (HKLM-x32\...\MixMeister BPM Analyzer_is1) (Version: - MixMeister Technology LLC) MKVToolNix 6.4.1 (HKLM-x32\...\MKVToolNix) (Version: 6.4.1 - Moritz Bunkus) MOBackup - Datensicherung für Outlook (Vollversion) (HKLM-x32\...\MOBackup-DatensicherungfürOutlook) (Version: 7.0 - Heiko Schröder) Mozilla Firefox 34.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 de)) (Version: 34.0.5 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla) MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) Native Instruments Absynth 5 (HKLM-x32\...\Native Instruments Absynth 5) (Version: - Native Instruments) Native Instruments Battery 3 (HKLM-x32\...\Native Instruments Battery 3) (Version: - ) Native Instruments Controller Editor (HKLM-x32\...\Native Instruments Controller Editor) (Version: 1.6.2.1863 - Native Instruments) Native Instruments FM8 (HKLM-x32\...\Native Instruments FM8) (Version: - ) Native Instruments George Duke Soul Treasures (HKLM-x32\...\Native Instruments George Duke Soul Treasures) (Version: - Native Instruments) Native Instruments Hardware Controller Support (HKLM-x32\...\Native Instruments Hardware Controller Support) (Version: - Native Instruments) Native Instruments Komplete 6 (HKLM-x32\...\Native Instruments Komplete 6) (Version: - Native Instruments) Native Instruments Komplete Audio 6 Driver (HKLM-x32\...\Native Instruments Komplete Audio 6 Driver) (Version: - Native Instruments) Native Instruments Kontakt 4 (HKLM-x32\...\Native Instruments Kontakt 4) (Version: - Native Instruments) Native Instruments Kontakt 5 (HKLM-x32\...\Native Instruments Kontakt 5) (Version: - Native Instruments) Native Instruments Maschine (HKLM-x32\...\Native Instruments Maschine) (Version: - Native Instruments) Native Instruments Maschine Driver (HKLM-x32\...\Native Instruments Maschine Driver) (Version: - Native Instruments) Native Instruments Massive v1.0.1.008 VSTi DXi RTAS (HKLM-x32\...\Native Instruments Massive v1.0.1.008 VSTi DXi RTAS) (Version: - ) Native Instruments New York Concert Grand (HKLM-x32\...\Native Instruments New York Concert Grand) (Version: - Native Instruments) Native Instruments Pro-53 (HKLM-x32\...\Native Instruments Pro-53) (Version: - ) Native Instruments Retro Machines Mk2 (HKLM-x32\...\Native Instruments Retro Machines Mk2) (Version: - Native Instruments) Native Instruments Service Center (HKLM-x32\...\Native Instruments Service Center) (Version: 2.5.2.1549 - Native Instruments) Native Instruments Traktor 2 (HKLM-x32\...\Native Instruments Traktor 2) (Version: 2.6.8.382 - Native Instruments) Native Instruments Upright Piano (HKLM-x32\...\Native Instruments Upright Piano) (Version: - Native Instruments) Native Instruments Vienna Concert Grand (HKLM-x32\...\Native Instruments Vienna Concert Grand) (Version: - Native Instruments) Nepheton 1.5.1 (32bit) (HKLM-x32\...\{B2F62BBB-C527-4CE7-90D1-5717110677B6}) (Version: 1.5.1.0 - D16 Group Audio Software) Nepheton 1.5.1 (64bit) (HKLM\...\{02483A2B-9FDD-47BF-81AA-F47D6379EFA5}) (Version: 1.5.1.0 - D16 Group Audio Software) Nero 7 Premium (HKLM-x32\...\{70AB1576-7883-2313-C650-7A71270B1031}) (Version: 7.01.0735 - Nero AG) Nero BackItUp 10 (HKLM-x32\...\{68AB6930-5BFF-4FF6-923B-516A91984FE6}) (Version: 5.4.11600.19.100 - Nero AG) Nero Burning ROM 10 (HKLM-x32\...\{7A5D731D-B4B3-490E-B339-75685712BAAB}) (Version: 10.0.11100.10.100 - Nero AG) Nero BurnRights 10 (HKLM-x32\...\{943CFD7D-5336-47AF-9418-E02473A5A517}) (Version: 4.0.11000.12.100 - Nero AG) Nero CoverDesigner 10 (HKLM-x32\...\{FCF00A6E-FB58-477A-ABE9-232907105521}) (Version: 5.0.10900.11.100 - Nero AG) Nero DiscSpeed 10 (HKLM-x32\...\{34490F4E-48D0-492E-8249-B48BECF0537C}) (Version: 6.0.10800.7.100 - Nero AG) Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.0.11000.10.100 - Nero AG) Nero InfoTool 10 (HKLM-x32\...\{F412B4AF-388C-4FF5-9B2F-33DB1C536953}) (Version: 7.0.10800.8.100 - Nero AG) Nero MediaHub 10 (HKLM-x32\...\{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}) (Version: 1.0.13400.11.100 - Nero AG) Nero Multimedia Suite 10 (HKLM-x32\...\{277C1559-4CF7-44FF-8D07-98AA9C13AABD}) (Version: 10.0.13100 - Nero AG) Nero Recode 10 (HKLM-x32\...\{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}) (Version: 4.6.10900.4.100 - Nero AG) Nero RescueAgent 10 (HKLM-x32\...\{E337E787-CF61-4B7B-B84F-509202A54023}) (Version: 3.0.10900.9.100 - Nero AG) Nero SoundTrax 10 (HKLM-x32\...\{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}) (Version: 4.6.10600.2.100 - Nero AG) Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.0.11200.12.100 - Nero AG) Nero Update (HKLM-x32\...\{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}) (Version: 1.0.0017 - Nero AG) Nero Vision 10 (HKLM-x32\...\{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}) (Version: 7.0.11100.8.100 - Nero AG) Nero WaveEditor 10 (HKLM-x32\...\{EDCDFAD5-DF80-4600-A493-E9DAD6810230}) (Version: 5.6.10600.2.100 - Nero AG) Ohmforce Hematohm PRO VST v1.22 (HKLM-x32\...\Ohmforce Hematohm PRO VST v1.22) (Version: - ) Ohmforce Mobilohm PRO VST v1.12 (HKLM-x32\...\Ohmforce Mobilohm PRO VST v1.12) (Version: - ) Ohmforce Ohmboyz PRO VST v1.42 (HKLM-x32\...\Ohmforce Ohmboyz PRO VST v1.42) (Version: - ) Ohmforce Predatohm PRO VST v1.32 (HKLM-x32\...\Ohmforce Predatohm PRO VST v1.32) (Version: - ) Ohmforce Quad Frohmage Pro VST v1.10 (HKLM-x32\...\Ohmforce Quad Frohmage Pro VST v1.10) (Version: - ) Online Plug-in (x32 Version: 13.4.0.25 - Citrix Systems, Inc.) Hidden Outils de vérification linguistique 2013 de Microsoft Office*- Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden PDF Settings CS4 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden Photoshop Camera Raw (x32 Version: 5.0 - Adobe Systems Incorporated) Hidden Pixel Bender Toolkit (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden Platform (x32 Version: 1.38 - VIA Technologies, Inc.) Hidden PowerISO (HKLM-x32\...\PowerISO) (Version: 5.5 - Power Software Ltd) Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.61.612.2012 - Realtek) Reason 3.0 (HKLM-x32\...\Reason_is1) (Version: 3.0 - Propellerhead Software AB) Reason Essentials 8.0.0 (HKLM\...\ReasonEssentials8.0_64_is1) (Version: 8.0.0 - Propellerhead Software AB) Reason Essentials Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden reFX Nexus VSTi RTAS v2.2.0 (HKLM-x32\...\reFX Nexus_is1) (Version: - ) reFX Vanguard VSTi v1.6.3 (HKLM-x32\...\reFX Vanguard VSTi_is1) (Version: - ) Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group) Rob Papen Blue VSTi v1.01 (HKLM-x32\...\Rob Papen Blue VSTi v1.01 ) (Version: - ) Rob Papen Predator V1.5.8 32 Bits Single Core (HKLM-x32\...\Predator_is1) (Version: - RPCX) SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.30 - SAP AG) SAP GUI for Windows 7.30 (HKLM-x32\...\SAPGUI710) (Version: 7.30 Compilation 1 - SAP) SAP JNet (HKLM-x32\...\SAP_JNet) (Version: - SAP AG) SAPSetup Automatic Workstation Update Service (HKLM-x32\...\SAP_WUS) (Version: - SAP AG) SchnapperPro 2.0.94 (HKLM-x32\...\SchnapperPro) (Version: 2.0.94 - Schnapper-Software Robert Beer) Secure Download Manager (HKLM-x32\...\{AA57D6F1-6360-4397-B2D9-B21C69863D97}) (Version: 3.1.0 - Kivuto Solutions Inc.) Self-Service Plug-in (x32 Version: 3.4.0.33684 - Citrix Systems, Inc.) Hidden Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM-x32\...\{91150000-003B-0000-0000-0000000FF1CE}_Office15.PRJPROR_{115B7592-B71D-4C27-AB34-34268FB199CA}) (Version: - Microsoft) Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version: - Microsoft) SideKick4.3.2 (HKLM-x32\...\SideKick432 ID_mp1) (Version: - Twisted Lemon) Spotify (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB) Steinberg Cubase 5 (HKLM-x32\...\{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}) (Version: 5.1.0 - Steinberg Media Technologies GmbH) Steinberg Drum Loop Expansion 01 (HKLM-x32\...\{490BF87E-1F75-4453-BF55-9F540543A3CA}) (Version: 1.0.0.1 - Steinberg Media Technologies GmbH) Steinberg Groove Agent ONE Content (HKLM-x32\...\{BD86F1AC-B594-46E4-85DC-1258AC9E2232}) (Version: 1.0.0.003 - Steinberg Media Technologies GmbH) Steinberg HALionOne (HKLM-x32\...\{E70E7159-93B1-470D-9FBD-D8E9EF34B538}) (Version: 1.1.0.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Additional Content Set 01 (HKLM-x32\...\{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}) (Version: 1.0.0.001 - Steinberg Media Technologies GmbH) Steinberg HALionOne Expression Set (HKLM-x32\...\{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}) (Version: 1.0.1.0 - Steinberg Media Technologies GmbH) Steinberg HALionOne GM Drum Set (HKLM-x32\...\{AC997F93-0757-4ED4-A701-F40C2D654D09}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne GM Set (HKLM-x32\...\{F057965A-D974-4C64-ADB1-4381CD4B8956}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Pro Set (HKLM-x32\...\{D82CDA0D-C182-42C8-8FF2-5649C98D6003}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Studio Drum Set (HKLM-x32\...\{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Studio Set (HKLM-x32\...\{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg LoopMash Content (HKLM-x32\...\{4D454CF8-12FD-464D-B57B-B46FE27B78BB}) (Version: 1.0.0.005 - Steinberg Media Technologies GmbH) Steinberg REVerence Content 01 (HKLM-x32\...\{532B917B-8235-4FA5-BE36-643A8BB053A5}) (Version: 1.0.0.006 - Steinberg Media Technologies GmbH) Steinberg The Grand VSTi DXi v2.1.0 (HKLM-x32\...\Steinberg The Grand VSTi DXi_is1) (Version: - ) Suite Shared Configuration CS4 (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden Turbo Lister 2 (HKLM-x32\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.) Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft) Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version: - Microsoft) Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft) Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft) Vegas Pro 12.0 (64-bit) (HKLM\...\{7A0D09B0-6575-11E2-89D5-F04DA23A5C58}) (Version: 12.0.486 - Sony) VIA Plattform-Geräte-Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.38 - VIA Technologies, Inc.) VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN) Vuze (HKLM\...\8461-7759-5462-8226) (Version: 5.5.0.0 - Azureus Software, Inc.) Waves Complete V9r10 (HKLM-x32\...\{91000001-C561-4E32-99EB-3C5AD3683A70}) (Version: 9.1.10 - Waves) Waves Diamond Bundle v5.2 (HKLM-x32\...\Waves Diamond Bundle v5.2) (Version: - ) Waves GTR Guitar Tool Rack v1.0 (HKLM-x32\...\Waves GTR Guitar Tool Rack v1.0) (Version: - ) Waves IRx v5.2 (HKLM-x32\...\Waves IRx v5.2) (Version: - ) Waves L3 v5.2 (HKLM-x32\...\Waves L3 v5.2) (Version: - ) Waves Musicians Bundle v5.0 (HKLM-x32\...\Waves Musicians Bundle v5.0) (Version: - ) WinRAR 4.20 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) ==================== Restore Points ========================= 24-12-2014 13:55:31 Removed Adobe Reader XI (11.0.10) - Deutsch. 24-12-2014 14:12:45 Revo Uninstaller's restore point - GoToMeeting 7.0.5.2130 24-12-2014 14:15:02 Revo Uninstaller's restore point - Line 6 Uninstaller 24-12-2014 14:17:44 Revo Uninstaller's restore point - Adobe Reader XI (11.0.10) - Deutsch 24-12-2014 14:19:52 Revo Uninstaller's restore point - Java 7 Update 71 24-12-2014 14:20:00 Removed Java 7 Update 71 24-12-2014 14:22:03 Revo Uninstaller's restore point - iZotope Ozone 6 Advanced 24-12-2014 14:23:26 Revo Uninstaller's restore point - PACE License Support Win64 24-12-2014 14:23:56 Removed PACE License Support Win64 24-12-2014 14:25:15 Revo Uninstaller's restore point - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 24-12-2014 14:25:37 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 24-12-2014 14:26:56 Revo Uninstaller's restore point - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 24-12-2014 14:27:11 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 25-12-2014 12:20:16 Windows Update 25-12-2014 13:47:19 Prüfpunkt von HitmanPro 25-12-2014 13:48:17 Prüfpunkt von HitmanPro 25-12-2014 16:57:19 Prüfpunkt von HitmanPro ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-14 03:34 - 2014-05-11 10:54 - 00000894 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 lmlicenses.wip4.adobe.com 127.0.0.1 lm.licenses.adobe.com ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {088AEE40-F12C-46E4-8B37-48501D277C2C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-04-23] (Piriform Ltd) Task: {091A6FF8-99A4-49AB-B0C1-63C5A0FB6B49} - System32\Tasks\Abelssoft\Updater scan => C:\Program Files (x86)\CHIP Updater\CHIPUpdater.exe Task: {1891C158-600A-465F-806F-20EC07AEEA3D} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation) Task: {301FC003-77CD-43DB-9226-3BE3A2952428} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-24] (Adobe Systems Incorporated) Task: {77D876AF-4E96-4FD1-959A-F377674994E1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation) Task: {8F751E68-DB27-40CD-A6A5-3D26B5307D53} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe Task: {95B909CC-8EBA-4FBF-B56B-2FB75D7FFD4E} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc Task: {D3D0748D-ADF6-4A4C-AE63-44F56829CBED} - System32\Tasks\AdobeAAMUpdater-1.0-Admin-PC-Admin => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-04-04] (Adobe Systems Incorporated) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe ==================== Loaded Modules (whitelisted) ============= 2014-12-08 18:53 - 2014-12-08 18:53 - 02736640 _____ () C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll 2014-05-01 20:29 - 2014-05-01 20:29 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll 2014-12-08 18:53 - 2014-12-08 18:53 - 02246144 _____ () C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll 2013-03-31 16:13 - 2014-04-15 09:26 - 00097592 _____ () C:\Program Files\Vuze\aereg64.dll 2014-08-30 10:31 - 2014-06-24 14:12 - 00217600 _____ () C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\jacob-1.17-M2-x64.dll 2014-08-30 10:31 - 2014-06-24 14:12 - 00015840 _____ () C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\libProcessAccess64.dll 2014-12-26 10:53 - 2014-12-26 10:53 - 01301504 _____ () C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll 2014-12-26 11:50 - 2014-12-26 11:50 - 00043008 _____ () c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00047616 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libEGL.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00863744 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00200704 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll 2014-12-09 09:14 - 2014-12-09 09:14 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll 2014-10-15 02:39 - 2014-10-15 02:39 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\1eeea3ab8d69ec722bdcb28b8eb8dd75\IsdiInterop.ni.dll 2013-03-30 20:31 - 2012-02-01 16:25 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^JDownloader.lnk => C:\Windows\pss\JDownloader.lnk.CommonStartup MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin MSCONFIG\startupreg: AdobeCS6ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" MSCONFIG\startupreg: CitrixReceiver => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup MSCONFIG\startupreg: GoToMeeting => "C:\Users\Admin\AppData\Local\Citrix\GoToMeeting\1468\g2mstart.exe" "/Trigger RunAtLogon" MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe" MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch MSCONFIG\startupreg: NBAgent => "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart MSCONFIG\startupreg: NeroFilterCheck => C:\Program Files (x86)\Common Files\Ahead\Lib\NeroCheck.exe MSCONFIG\startupreg: PWRISOVM.EXE => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime MSCONFIG\startupreg: Spotify => "C:\Users\Admin\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun MSCONFIG\startupreg: WSHelperSetup.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe ========================= Accounts: ========================== Admin (S-1-5-21-3347311179-4269016646-269938500-1000 - Administrator - Enabled) => C:\Users\Admin Administrator (S-1-5-21-3347311179-4269016646-269938500-500 - Administrator - Disabled) Gast (S-1-5-21-3347311179-4269016646-269938500-501 - Limited - Disabled) HomeGroupUser$ (S-1-5-21-3347311179-4269016646-269938500-1002 - Limited - Enabled) ==================== Faulty Device Manager Devices ============= Name: AMD High Definition Audio Device Description: AMD High Definition Audio Device Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318} Manufacturer: Advanced Micro Devices Service: AtiHDAudioService Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. Name: High Definition Audio-Gerät Description: High Definition Audio-Gerät Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: HdAudAddService Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. ==================== Event log errors: ========================= Application errors: ================== Error: (12/26/2014 10:53:27 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: plugin-container.exe, Version: 34.0.5.5443, Zeitstempel: 0x5475dd5d Name des fehlerhaften Moduls: mozalloc.dll, Version: 34.0.5.5443, Zeitstempel: 0x5475d664 Ausnahmecode: 0x80000003 Fehleroffset: 0x00001425 ID des fehlerhaften Prozesses: 0xc24 Startzeit der fehlerhaften Anwendung: 0xplugin-container.exe0 Pfad der fehlerhaften Anwendung: plugin-container.exe1 Pfad des fehlerhaften Moduls: plugin-container.exe2 Berichtskennung: plugin-container.exe3 Error: (12/26/2014 08:05:20 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/26/2014 08:05:20 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/26/2014 08:05:20 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/26/2014 08:05:19 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/26/2014 00:38:54 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. System errors: ============= Error: (12/26/2014 11:51:00 AM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Microsoft Office Sessions: ========================= Error: (01/01/2014 10:08:39 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 423328 seconds with 3360 seconds of active time. This session ended with a crash. CodeIntegrity Errors: =================================== Date: 2014-12-25 23:38:11.689 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-25 23:38:11.656 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. ==================== Memory info =========================== Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz Percentage of memory in use: 26% Total physical RAM: 16317.59 MB Available physical RAM: 11962.38 MB Total Pagefile: 32633.35 MB Available Pagefile: 28053.43 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive a: (Primäre Festplatte) (Fixed) (Total:1004.98 GB) (Free:300.73 GB) NTFS Drive b: (Sekundäre Festplatte) (Fixed) (Total:232.88 GB) (Free:13.73 GB) NTFS Drive c: (Windows) (Fixed) (Total:1042.92 GB) (Free:393.27 GB) NTFS Drive p: (Producing) (Fixed) (Total:931.51 GB) (Free:259.22 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 232.9 GB) (Disk ID: 1D631D62) Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: B819B29C) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=1042.9 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=1005 GB) - (Type=07 NTFS) ======================================================== Disk: 2 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 9B322B2C) Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS) ======================================================== Disk: 3 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 46830F60) Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS) ======================================================== Disk: 4 (Size: 931.5 GB) (Disk ID: E8900690) Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS) ==================== End Of Log ============================ |
26.12.2014, 15:17 | #4 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Gmer Teil 1: Code:
ATTFilter GMER 2.1.19357 - hxxp://www.gmer.net Rootkit scan 2014-12-26 13:21:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1 ST3000DM rev.CC24 2794,52GB Running: Gmer-19357.exe; Driver: C:\Users\Admin\AppData\Local\Temp\awlorpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]} .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd189055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd189055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007fef8ac5c70 6 bytes {JMP QWORD [RIP+0x5ba3c0]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiInstallProductA 000007fef8b42ad4 2 bytes [FF, 25] .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiInstallProductA + 3 000007fef8b42ad7 3 bytes [D5, 4F, 00] .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiInstallProductW 000007fef8b5167c 6 bytes {JMP QWORD [RIP+0x50e9b4]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 0000000002b03030 6 bytes {JMP QWORD [RIP+0x47d000]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!connect + 1 0000000002b045c1 5 bytes {JMP QWORD [RIP+0x6ba70]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!listen 0000000002b08290 6 bytes JMP fe084fc0 .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!WSAConnect 0000000002b2e0f0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fef3757b34 6 bytes {JMP QWORD [RIP+0xc84fc]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fef37603c0 6 bytes {JMP QWORD [RIP+0x7fc70]} .text C:\Windows\Explorer.EXE[1668] C:\Windows\system32\RASAPI32.dll!RasDialW + 1 000007feef4296f5 5 bytes {JMP QWORD [RIP+0x8693c]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]} .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd189055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd3555c8 6 bytes JMP 7be1 .text C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd36b85c 6 bytes {JMP QWORD [RIP+0xe47d4]} .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 7184000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 7184000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 717b000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 717b000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 717e000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 717e000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7181000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7181000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 718a000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 718a000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7187000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7187000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7178000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7178000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 7175000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 7175000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 718d000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7190000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 7199000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7193000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7196000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 719c000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 719f000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 719f000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71a5000a .text C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a2000a .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd189055 3 bytes CALL 9000027 .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd3555c8 6 bytes {JMP QWORD [RIP+0x11aa68]} .text C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd36b85c 6 bytes {JMP QWORD [RIP+0xe47d4]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770d1800 6 bytes JMP 8a73c50 .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000770d18b0 6 bytes JMP 504 .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00000000770d1e40 6 bytes JMP 0 .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f7db80 6 bytes JMP 3924 .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd189055 3 bytes [B5, 6F, 06] .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 0000000006113030 6 bytes {JMP QWORD [RIP+0x1a9d000]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!connect + 1 00000000061145c1 5 bytes {JMP QWORD [RIP+0x6ba70]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!listen 0000000006118290 6 bytes {JMP QWORD [RIP+0x1a67da0]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!WSAConnect 000000000613e0f0 6 bytes {JMP QWORD [RIP+0x1a21f40]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fef3757b34 6 bytes {JMP QWORD [RIP+0x884fc]} .text C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fef37603c0 6 bytes {JMP QWORD [RIP+0x9fc70]} .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 717e000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 717e000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7175000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7175000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7178000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7178000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 717b000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 717b000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7184000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7184000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7181000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7181000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7172000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7172000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 716f000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 716f000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 7193000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 718d000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7190000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 7196000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 7199000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 7199000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 719f000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 719c000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7187000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 718a000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 71a2000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 71ab000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 71a5000a .text C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007727000c 1 byte [C3] .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 718a000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 718a000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7181000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7181000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7184000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7184000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7187000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7187000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7190000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7190000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 718d000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 718d000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 717e000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 717e000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 00000000772ff8ea 5 bytes JMP 00000001772ad5c1 .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 717b000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 717b000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 71a2000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 71a5000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 71a5000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71ab000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 7175000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 717e000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 717e000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7175000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7175000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7178000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7178000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 717b000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 717b000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7184000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7184000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7181000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7181000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7172000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7172000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 716f000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 716f000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 7193000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 718d000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7190000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 7196000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 7199000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 7199000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 719f000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 719c000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7187000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 718a000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 71a2000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 71ab000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 71a5000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 71a8000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 713c000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 713c000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7133000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7136000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7136000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7139000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7139000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes [41, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes [3E, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes [2F, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes [2C, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes [56, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes [89, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes [80, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes [83, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes [86, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes [8F, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes [8C, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes [7D, 71] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes [7A, 71] .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 7188000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 7188000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 717f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 717f000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7182000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7182000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7185000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7185000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 718e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 718e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 718b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 718b000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 717c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 717c000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 7179000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 7179000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71ad0000 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 719d000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7197000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 719a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 71a0000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 71a3000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 71a3000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71a9000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a6000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7191000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7194000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... |
26.12.2014, 15:17 | #5 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Gmer Teil 2: Code:
ATTFilter * 9 .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 715e000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 7170000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 716a000a .text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 716d000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 718a000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 718a000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7181000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7181000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7184000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7184000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7187000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7187000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7190000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7190000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 718d000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 718d000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 717e000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 717e000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 717b000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 717b000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 719f000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7199000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 719c000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 71a2000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 71a5000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 71a5000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71ab000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a8000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7193000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7196000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 716f000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 7178000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 7172000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 7175000a .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[2792] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 7166000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 7166000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 719f000a .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 715d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 715d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000074d4575a 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\WS2_32.dll!connect 0000000074d46bdd 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\WS2_32.dll!listen 0000000074d4b001 6 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000074d4cc3f 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[5488] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007727fc20 3 bytes JMP 718a000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007727fc24 2 bytes JMP 718a000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007727fc38 3 bytes JMP 7181000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007727fc3c 2 bytes JMP 7181000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007727fd64 3 bytes JMP 7184000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007727fd68 2 bytes JMP 7184000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772800b4 3 bytes JMP 7187000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772800b8 2 bytes JMP 7187000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772801c4 3 bytes JMP 7190000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000772801c8 2 bytes JMP 7190000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077280a44 3 bytes JMP 718d000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077280a48 2 bytes JMP 718d000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077281920 3 bytes JMP 717e000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077281924 2 bytes JMP 717e000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076153bbb 3 bytes JMP 717b000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076153bbf 2 bytes JMP 717b000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c9e 4 bytes CALL 71af0000 .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b99679 6 bytes JMP 719f000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ba12a5 6 bytes JMP 7199000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ba3baa 6 bytes JMP 719c000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ba612e 6 bytes JMP 71a2000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!SendInput 0000000076bbff4a 3 bytes JMP 71a5000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076bbff4e 2 bytes JMP 71a5000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076bf027b 6 bytes JMP 71ab000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076bf02bf 6 bytes JMP 71a8000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075d870c4 6 bytes JMP 7193000a .text C:\Users\Admin\Downloads\Gmer-19357.exe[6328] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075da3264 6 bytes JMP 7196000a ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\regsvr32.exe [2196:2648] 00000000701f9ee9 Thread C:\Windows\System32\svchost.exe [2916:5444] 000007fee7e79688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4488:4816] 000007fefb232bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4488:6016] 000007fef3725124 ---- Processes - GMER 2.1 ---- Library C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\jacob-1.17-M2-x64.dll (*** suspicious ***) @ C:\Program Files\Vuze\Azureus.exe [1872](2014-08-30 09:31:46) 0000000180000000 Library C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [2196](2014-12-26 09:53:55) 0000000010000000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 000000006a210000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000068610000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:50) 0000000068440000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000067980000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (ICU I18N DLL/The ICU Project)(2014-10-22 00:22:50) 000000004a900000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (ICU Common DLL/The ICU Project)(2014-10-22 00:22:50) 0000000004710000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (ICU Data DLL/The ICU Project)(2014-10-22 00:22:50) 000000004ad00000 Library c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-12-26 10:50:22) 0000000004a30000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000066130000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000065060000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000064e40000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000064be0000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40) 0000000067ee0000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:50) 0000000067ed0000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46) 0000000062910000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 00000000628d0000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38) 0000000062880000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:48) 00000000621f0000 Library C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:46) 000000005fe90000 ---- EOF - GMER 2.1 ---- |
27.12.2014, 06:47 | #6 |
/// the machine /// TB-Ausbilder | Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local hi, Scan mit Combofix
__________________ --> Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local |
28.12.2014, 12:21 | #7 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local hi! combofix sagt folgendes: Code:
ATTFilter ComboFix 14-12-25.01 - Admin 28.12.2014 11:20:59.4.8 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1031.18.16318.13491 [GMT 1:00] ausgeführt von:: c:\users\Admin\Desktop\ComboFix.exe AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859} SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Admin\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll . ---- Vorheriger Suchlauf ------- . c:\users\Admin\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll . . ((((((((((((((((((((((( Dateien erstellt von 2014-11-28 bis 2014-12-28 )))))))))))))))))))))))))))))) . . 2014-12-28 10:43 . 2014-12-28 10:43 -------- d-----w- c:\users\Default\AppData\Local\temp 2014-12-26 12:43 . 2014-12-26 12:43 -------- d-----w- c:\program files (x86)\7-Zip 2014-12-25 23:39 . 2014-12-25 23:39 -------- d-----w- c:\program files (x86)\ESET 2014-12-25 23:36 . 2014-12-26 11:01 -------- d-----w- C:\FRST 2014-12-25 22:21 . 2014-12-25 22:21 54525952 ----a-w- c:\programdata\Microsoft\Secure\Icons\CachedIcons\data\00b739032b3cf0d50401ed1f8df76f9e\ABCpdf.exe 2014-12-25 16:04 . 2014-12-28 10:46 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware 2014-12-25 15:57 . 2014-12-25 15:57 12872 ----a-w- c:\windows\system32\bootdelete.exe 2014-12-25 12:38 . 2014-12-25 12:38 -------- d-----w- c:\program files\HitmanPro 2014-12-25 12:38 . 2014-12-25 12:49 -------- d-----w- c:\programdata\HitmanPro 2014-12-24 15:34 . 2014-12-24 15:34 -------- d-----w- c:\windows\ERUNT 2014-12-24 15:04 . 2014-12-24 15:04 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2014-12-24 15:04 . 2014-12-24 15:04 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2014-12-24 13:11 . 2014-12-24 13:11 -------- d-----w- c:\program files (x86)\VS Revo Group 2014-12-18 07:52 . 2014-12-13 05:09 144384 ----a-w- c:\windows\system32\ieUnatt.exe 2014-12-18 07:52 . 2014-12-13 03:33 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2014-12-17 21:14 . 2014-12-17 21:16 -------- d-----w- c:\program files (x86)\Common Files\Nero 2014-12-16 21:06 . 2014-12-24 13:17 -------- d-----w- c:\users\Admin\AppData\Roaming\Line 6 2014-12-16 21:05 . 2014-12-16 21:06 -------- d-----w- c:\program files (x86)\CodeMeter 2014-12-16 21:05 . 2014-12-16 21:05 -------- d-----w- c:\programdata\CodeMeter 2014-12-16 21:05 . 2014-12-16 21:05 -------- d-----w- c:\program files\CodeMeter 2014-12-16 21:05 . 2014-12-16 21:05 -------- d-----w- c:\program files\Propellerhead 2014-12-16 18:13 . 2014-12-16 18:13 -------- d-----w- c:\programdata\Adobe Systems 2014-12-16 17:28 . 2014-12-25 23:10 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys 2014-12-16 17:28 . 2014-12-16 17:28 -------- d-----w- c:\program files (x86)\ Malwarebytes Anti-Malware 2014-12-16 17:28 . 2014-12-16 17:28 -------- d-----w- c:\programdata\Malwarebytes 2014-12-16 17:28 . 2014-11-21 05:14 63704 ----a-w- c:\windows\system32\drivers\mwac.sys 2014-12-16 17:28 . 2014-11-21 05:14 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2014-12-16 17:28 . 2014-11-21 05:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys 2014-12-11 02:24 . 2014-12-11 02:24 -------- d-----w- c:\windows\system32\appraiser 2014-12-11 02:02 . 2014-10-18 02:05 4121600 ----a-w- c:\windows\system32\mf.dll 2014-12-11 02:02 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\SysWow64\mf.dll 2014-12-10 18:36 . 2014-12-16 19:30 -------- d-----w- c:\users\Admin\AppData\Roaming\FrameworkUpdate 2014-12-10 07:43 . 2014-12-01 23:28 1232040 ----a-w- c:\windows\system32\aitstatic.exe 2014-12-10 07:43 . 2014-12-04 02:50 413184 ----a-w- c:\windows\system32\generaltel.dll 2014-12-10 07:43 . 2014-12-04 02:50 741376 ----a-w- c:\windows\system32\invagent.dll 2014-12-10 07:43 . 2014-12-04 02:50 396800 ----a-w- c:\windows\system32\devinv.dll 2014-12-10 07:43 . 2014-12-04 02:50 192000 ----a-w- c:\windows\system32\aepic.dll 2014-12-10 07:43 . 2014-12-04 02:44 1083392 ----a-w- c:\windows\system32\aeinv.dll 2014-12-10 07:43 . 2014-12-04 02:50 227328 ----a-w- c:\windows\system32\aepdu.dll 2014-12-10 07:41 . 2014-11-08 03:16 2048 ----a-w- c:\windows\system32\tzres.dll 2014-12-10 07:41 . 2014-11-08 02:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2014-12-09 20:04 . 2014-12-09 20:04 -------- d-----w- c:\users\Admin\AppData\Roaming\Oracle 2014-12-08 18:34 . 2014-12-08 18:34 -------- d-----w- c:\programdata\PACE 2014-12-08 18:12 . 2014-12-26 09:53 -------- d-----w- c:\users\Admin\AppData\Local\Ejmtion 2014-12-08 18:12 . 2014-12-26 13:49 -------- d-----w- c:\users\Admin\AppData\Local\Idsoft 2014-12-08 17:53 . 2014-12-08 17:53 2246144 ----a-w- c:\programdata\Microsoft\Secure\Icons\IconsCacheHelper.dll . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2014-12-25 22:21 . 2014-12-25 22:21 54525952 ----a-w- c:\programdata\Microsoft\Secure\Icons\CachedIcons\data\18474902db40b9986a3eb37c55dd8702\Recover My Files.exe 2014-12-25 22:21 . 2014-12-25 22:21 12582912 ----a-w- c:\programdata\Microsoft\Secure\Icons\CachedIcons\data\0dc1d55309138da7b2207859c327f623\Visual Paradigm for UML Standard Edition.exe 2014-12-11 02:04 . 2013-03-30 19:21 112710672 ----a-w- c:\windows\system32\MRT.exe 2014-11-24 13:04 . 2013-03-30 17:16 275080 ------w- c:\windows\system32\MpSigStub.exe 2014-11-18 19:47 . 2014-11-18 19:47 1247904 ----a-w- c:\windows\SysWow64\FM20.DLL 2014-11-11 03:08 . 2014-11-18 19:45 241152 ----a-w- c:\windows\system32\pku2u.dll 2014-11-11 03:08 . 2014-11-18 19:45 728064 ----a-w- c:\windows\system32\kerberos.dll 2014-11-11 02:44 . 2014-11-18 19:45 186880 ----a-w- c:\windows\SysWow64\pku2u.dll 2014-11-11 02:44 . 2014-11-18 19:45 550912 ----a-w- c:\windows\SysWow64\kerberos.dll 2014-10-25 01:57 . 2014-11-12 06:06 77824 ----a-w- c:\windows\system32\packager.dll 2014-10-25 01:32 . 2014-11-12 06:06 67584 ----a-w- c:\windows\SysWow64\packager.dll 2014-10-18 02:05 . 2014-11-12 06:06 861696 ----a-w- c:\windows\system32\oleaut32.dll 2014-10-18 01:33 . 2014-11-12 06:06 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll 2014-10-14 02:16 . 2014-11-12 06:08 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2014-10-14 02:13 . 2014-11-12 06:08 683520 ----a-w- c:\windows\system32\termsrv.dll 2014-10-14 02:13 . 2014-11-12 06:06 3241984 ----a-w- c:\windows\system32\msi.dll 2014-10-14 02:12 . 2014-11-12 06:08 1460736 ----a-w- c:\windows\system32\lsasrv.dll 2014-10-14 02:09 . 2014-11-12 06:08 146432 ----a-w- c:\windows\system32\msaudite.dll 2014-10-14 02:07 . 2014-11-12 06:08 681984 ----a-w- c:\windows\system32\adtschema.dll 2014-10-14 01:50 . 2014-11-12 06:08 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2014-10-14 01:50 . 2014-11-12 06:06 2363904 ----a-w- c:\windows\SysWow64\msi.dll 2014-10-14 01:49 . 2014-11-12 06:08 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2014-10-14 01:47 . 2014-11-12 06:08 146432 ----a-w- c:\windows\SysWow64\msaudite.dll 2014-10-14 01:46 . 2014-11-12 06:08 681984 ----a-w- c:\windows\SysWow64\adtschema.dll 2014-10-10 00:57 . 2014-11-12 06:06 3198976 ----a-w- c:\windows\system32\win32k.sys 2014-10-03 02:12 . 2014-11-12 06:07 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll 2014-10-03 02:11 . 2014-11-12 06:07 284672 ----a-w- c:\windows\system32\EncDump.dll 2014-10-03 02:11 . 2014-11-12 06:07 680960 ----a-w- c:\windows\system32\audiosrv.dll 2014-10-03 02:11 . 2014-11-12 06:07 440832 ----a-w- c:\windows\system32\AudioEng.dll 2014-10-03 02:11 . 2014-11-12 06:07 296448 ----a-w- c:\windows\system32\AudioSes.dll 2014-10-03 01:44 . 2014-11-12 06:07 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll 2014-10-03 01:44 . 2014-11-12 06:07 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll 2014-10-03 01:44 . 2014-11-12 06:07 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll 2014-10-01 11:43 . 2013-05-07 13:12 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys 2014-10-01 11:43 . 2013-03-31 12:43 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys 2014-10-01 11:43 . 2013-03-31 12:43 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2013-03-18 15:00 . 2013-03-18 15:00 1971200 ----a-w- c:\program files\WaveShell-VST 9.2_x64.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 131480 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 131480 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 131480 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Azureus"="c:\program files\Vuze\Azureus.exe" [2014-08-12 346424] "Spotify Web Helper"="c:\users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-10-24 1514040] "UVMmedia"="c:\users\Admin\AppData\Local\Idsoft\ep0lvra9.dll" [BU] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040] "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088] "USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-21 291648] "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-12-09 702768] "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-11-20 126200] "NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216] "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-12-14 383544] . c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-12-9 39207112] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ CodeMeter Control Center.lnk - c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe [2014-7-23 10361720] SchnapperPro.lnk - c:\program files (x86)\SchnapperPro\SchnapperPro.exe [2014-12-20 962824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "EnableLinkedConnections"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="userinit.exe" . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot] @="" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x] R3 gbxavs;Maschine Midi;c:\windows\system32\Drivers\gbxavs.sys;c:\windows\SYSNATIVE\Drivers\gbxavs.sys [x] R3 gbxavs_x64;gbxavs_x64;c:\windows\system32\Drivers\gbxavs_x64.sys;c:\windows\SYSNATIVE\Drivers\gbxavs_x64.sys [x] R3 gbxusb_x64;gbxusb_x64;c:\windows\system32\Drivers\gbxusb_x64.sys;c:\windows\SYSNATIVE\Drivers\gbxusb_x64.sys [x] R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 rspLLL;rspLLL;c:\windows\system32\DRIVERS\rspLLL64.sys;c:\windows\SYSNATIVE\DRIVERS\rspLLL64.sys [x] R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] S0 iusb3hcs;Intel(R) USB 3.0 Hostcontroller-Switchtreiber;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x] S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [x] S1 a2injectiondriver;a2injectiondriver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2dix64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [x] S1 a2util;a-squared Malware-IDS utility driver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2util64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2util64.sys [x] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x] S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x] S2 a2AntiMalware;Emsisoft Protection Service;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe [x] S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x] S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x] S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x] S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [x] S2 ei2c;ei2c;c:\windows\system32\drivers\ei2c.sys;c:\windows\SYSNATIVE\drivers\ei2c.sys [x] S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x] S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x] S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x] S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [x] S2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe;c:\program files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [x] S2 SchnapperPro-TimeSync;SchnapperPro-TimeSync;c:\program files (x86)\SchnapperPro\TimeSync.exe;c:\program files (x86)\SchnapperPro\TimeSync.exe [x] S3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x] S3 cleanhlp;cleanhlp;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [x] S3 iusb3hub;Intel(R) USB 3.0-Hubtreiber;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x] S3 iusb3xhc;Intel(R) USB 3.0 eXtensible-Hostcontrollertreiber;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x] S3 ka6avs;Komplete Audio 6 WDM Audio;c:\windows\system32\Drivers\ka6avs.sys;c:\windows\SYSNATIVE\Drivers\ka6avs.sys [x] S3 ka6usb_svc;Komplete Audio 6;c:\windows\system32\Drivers\ka6usb.sys;c:\windows\SYSNATIVE\Drivers\ka6usb.sys [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x] S3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\DRIVERS\ViaHub3.sys;c:\windows\SYSNATIVE\DRIVERS\ViaHub3.sys [x] S3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\DRIVERS\xhcdrv.sys;c:\windows\SYSNATIVE\DRIVERS\xhcdrv.sys [x] . . Inhalt des "geplante Tasks" Ordners . 2014-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-24 15:04] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)] @="{8BA85C75-763B-4103-94EB-9470F12FE0F7}" [HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}] 2014-11-12 16:19 2334928 ----a-w- c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)] @="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}" [HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}] 2014-11-12 16:19 2334928 ----a-w- c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)] @="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}" [HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}] 2014-11-12 16:19 2334928 ----a-w- c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1SecureIconsProvider] @="{FC9D8189-520A-4417-AED7-9EAC810C6FBA}" [HKEY_CLASSES_ROOT\CLSID\{FC9D8189-520A-4417-AED7-9EAC810C6FBA}] 2014-12-08 17:53 2736640 ----a-w- c:\programdata\Microsoft\Secure\Icons\SecureIconsProvider.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 164760 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 164760 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 164760 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2014-06-24 22:04 164760 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VIAxHCUtl"="c:\via_xhci\usb3Monitor.exe" [2012-03-26 331776] "Greenshot"="c:\program files\Greenshot\Greenshot.exe" [2014-05-12 495616] "Icakupsie"="c:\users\Admin\AppData\Roaming\Urudne\pibaad.exe" [BU] . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = www.google.com mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <-loopback> uSearchAssistant = www.google.com IE: An SchnapperPro senden - https://ssl.schnapper.de/SchnapperPro/IE-MenuExt.php IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: fabasoft.com\folio Trusted Zone: uibk.ac.at Trusted Zone: uibk.ac.at\semiramisas99 TCP: DhcpNameServer = 10.0.0.138 Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - about:home . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Wow6432Node-HKCU-Run-Idsoft - c:\users\Admin\AppData\Local\Idsoft\tmpFF90.exe Wow6432Node-HKCU-Run-taskkill - c:\users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\taskkill.exe c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskkill.lnk - c:\users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\taskkill.exe SafeBoot-CleanHlp SafeBoot-CleanHlp.sys AddRemove-Antares Auto-Tune v4.39 - c:\progra~2\ANTARE~1\AUTO-T~1\AIRLOG~1\AT4\UNWISE.EXE AddRemove-FabFilter Pro-Q VST RTAS_is1 - c:\program files (x86)\FabFilter\Pro-Q\Uninstall\unins000.exe AddRemove-FabFilter Timeless_is1 - c:\program files (x86)\FabFilter\Timeless\Uninstall\unins000.exe AddRemove-Image Line ToxicIII v1.41 VSTi - c:\progra~1\STEINB~1\VSTPLU~1\ToxicIII\UNWISE.EXE AddRemove-Native Instruments Hardware Controller Support - c:\programdata\{09B301EE-C58B-408E-8D5D-E17495536D3E}\Hardware Controller Support Setup.exe AddRemove-Ohmforce Hematohm PRO VST v1.22 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\HEMATO~1\UNINST~1\UNWISE.EXE AddRemove-Ohmforce Mobilohm PRO VST v1.12 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\MOBILO~1\UNINST~1\UNWISE.EXE AddRemove-Ohmforce Ohmboyz PRO VST v1.42 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\OHMBOY~1\UNINST~1\UNWISE.EXE AddRemove-Ohmforce Predatohm PRO VST v1.32 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\PREDAT~1\UNINST~1\UNWISE.EXE AddRemove-reFX Vanguard VSTi_is1 - c:\program files (x86)\Steinberg\VstPlugins\VstPlugins\Vanguard\Uninstall\unins000.exe AddRemove-Steinberg The Grand VSTi DXi_is1 - c:\program files (x86)\Steinberg\The Grand 2\Uninstall\unins000.exe AddRemove-{491DF203-7B61-4F0E-BDCB-A1218C4DAFE9} - c:\programdata\{261FD3E7-AC6C-4785-8405-DCF2100A3A46}\Massive Setup PC.exe AddRemove-{B2552FA6-86E3-410D-84AD-265C2242D410} - c:\programdata\{3EE98DDF-8EFF-4760-88EB-D666A839217F}\FM8 Setup PC.exe AddRemove-{C7FAFC98-5ECC-40FC-B440-A5D5FE3A6A6E} - c:\programdata\{D69A48BF-7653-4AA8-94BC-5847522A4573}\Guitar Rig 4 Setup PC.exe AddRemove-{E9EA5F38-6299-45A1-9D23-F21729A19357} - c:\programdata\{A6CBE6A2-B738-440D-B19A-60D7C36810C7}\Reaktor 5 Setup PC.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Weitere laufende Prozesse ------------------------ . c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe . ************************************************************************** . Zeit der Fertigstellung: 2014-12-28 12:14:26 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2014-12-28 11:14 ComboFix2.txt 2014-12-25 23:07 ComboFix3.txt 2014-12-25 22:49 . Vor Suchlauf: 17 Verzeichnis(se), 435.444.973.568 Bytes frei Nach Suchlauf: 19 Verzeichnis(se), 434.928.824.320 Bytes frei . - - End Of File - - E162806CC1406B28E27A0CC075AB1650 |
28.12.2014, 19:30 | #8 |
/// the machine /// TB-Ausbilder | Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Downloade Dir bitte Malwarebytes Anti-Malware
Downloade Dir bitte AdwCleaner auf deinen Desktop.
Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
und ein frisches FRST log bitte.
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
29.12.2014, 06:50 | #9 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local hi schrauber. hier die logs. komisch ist aber, dass mbam im log offenbar keine funde anmerkt, obwohl im suchlauf 3 objekte gefunden und in die quarantäne verschoben wurden. vielen dank! mbam: Code:
ATTFilter Malwarebytes Anti-Malware www.malwarebytes.org Suchlauf Datum: 29.12.2014 Suchlauf-Zeit: 06:05:27 Logdatei: mbam.txt Administrator: Ja Version: 2.00.4.1028 Malware Datenbank: v2014.12.29.01 Rootkit Datenbank: v2014.12.23.02 Lizenz: Kostenlos Malware Schutz: Deaktiviert Bösartiger Webseiten Schutz: Deaktiviert Selbstschutz: Deaktiviert Betriebssystem: Windows 7 Service Pack 1 CPU: x64 Dateisystem: NTFS Benutzer: Admin Suchlauf-Art: Bedrohungs-Suchlauf Ergebnis: Abgeschlossen Durchsuchte Objekte: 428888 Verstrichene Zeit: 16 Min, 42 Sek Speicher: Aktiviert Autostart: Aktiviert Dateisystem: Aktiviert Archive: Aktiviert Rootkits: Deaktiviert Heuristik: Aktiviert PUP: Aktiviert PUM: Aktiviert Prozesse: 0 (Keine schädliche Elemente erkannt) Module: 0 (Keine schädliche Elemente erkannt) Registrierungsschlüssel: 0 (Keine schädliche Elemente erkannt) Registrierungswerte: 0 (Keine schädliche Elemente erkannt) Registrierungsdaten: 0 (Keine schädliche Elemente erkannt) Ordner: 0 (Keine schädliche Elemente erkannt) Dateien: 0 (Keine schädliche Elemente erkannt) Physische Sektoren: 0 (Keine schädliche Elemente erkannt) (end) Code:
ATTFilter # AdwCleaner v4.106 - Bericht erstellt am 29/12/2014 um 04:49:30 # Aktualisiert 21/12/2014 von Xplode # Database : 2014-12-28.1 [Live] # Betriebssystem : Windows 7 Ultimate Service Pack 1 (64 bits) # Benutzername : Admin - ADMIN-PC # Gestartet von : C:\Users\Admin\Desktop\AdwCleaner_4.106.exe # Option : Löschen ***** [ Dienste ] ***** ***** [ Dateien / Ordner ] ***** ***** [ Tasks ] ***** ***** [ Verknüpfungen ] ***** ***** [ Registrierungsdatenbank ] ***** ***** [ Browser ] ***** -\\ Internet Explorer v11.0.9600.17496 -\\ Mozilla Firefox v34.0.5 (x86 de) ************************* AdwCleaner[R0].txt - [36954 octets] - [30/08/2014 17:51:04] AdwCleaner[R1].txt - [1848 octets] - [24/12/2014 15:01:39] AdwCleaner[R2].txt - [1019 octets] - [25/12/2014 12:01:36] AdwCleaner[R3].txt - [1080 octets] - [25/12/2014 12:05:48] AdwCleaner[R4].txt - [1140 octets] - [25/12/2014 12:45:14] AdwCleaner[R5].txt - [1198 octets] - [26/12/2014 00:24:46] AdwCleaner[R6].txt - [1318 octets] - [28/12/2014 22:30:02] AdwCleaner[S0].txt - [36219 octets] - [30/08/2014 18:46:29] AdwCleaner[S1].txt - [1762 octets] - [24/12/2014 16:27:16] AdwCleaner[S2].txt - [1260 octets] - [26/12/2014 00:26:36] AdwCleaner[S3].txt - [1240 octets] - [29/12/2014 04:49:30] ########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1300 octets] ########## Code:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 6.4.1 (12.28.2014:1) OS: Windows 7 Ultimate x64 Ran by Admin on 29.12.2014 at 6:41:40,42 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values ~~~ Registry Keys ~~~ Files ~~~ Folders ~~~ FireFox Emptied folder: C:\Users\Admin\AppData\Roaming\mozilla\firefox\profiles\k61t38wy.default-1409423412364\minidumps [3 files] ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 29.12.2014 at 6:45:58,34 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014 Ran by Admin (administrator) on ADMIN-PC on 29-12-2014 06:46:32 Running from C:\Users\Admin\Desktop Loaded Profile: Admin (Available profiles: Admin) Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AMD) C:\Windows\System32\atiesrxx.exe (Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (AMD) C:\Windows\System32\atieclxx.exe (SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe (Schnapper-Software Robert Beer) C:\Program Files (x86)\SchnapperPro\TimeSync.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe (Greenshot) C:\Program Files\Greenshot\Greenshot.exe (Azureus Software, Inc) C:\Program Files\Vuze\Azureus.exe (Spotify Ltd) C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe () C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Schnapper-Software Robert Beer) C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe (Nero AG) C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe (SAP AG) C:\Program Files (x86)\SAP\SapSetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe (Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2012-03-26] (VIA Technologies, Inc.) HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot) HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe" HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation) HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation) HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation) HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-09] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [NBAgent] => C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1234216 2010-03-26] (Nero AG) HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383544 2012-12-14] (Citrix Systems, Inc.) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Azureus] => C:\Program Files\Vuze\Azureus.exe [346424 2014-08-12] (Azureus Software, Inc) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\ATSCore.dll HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] () AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.) Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk ShortcutTarget: CodeMeter Control Center.lnk -> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (WIBU-SYSTEMS AG) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SchnapperPro.lnk ShortcutTarget: SchnapperPro.lnk -> C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Schnapper-Software Robert Beer) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation) BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation) Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf) Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf) Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Tcpip\Parameters: [DhcpNameServer] 10.0.0.138 FireFox: ======== FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364 FF SelectedSearchEngine: Google FF Homepage: about:home FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll () FF Plugin: @microsoft.com/GENUINE -> disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll () FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.) FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin HKU\S-1-5-21-3347311179-4269016646-269938500-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online) FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26] FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26] Chrome: ======= CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 a2AntiMalware; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH) R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG) R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG) R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-25] (SurfRight B.V.) R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [165568 2012-06-19] (SAP AG) R2 SchnapperPro-TimeSync; C:\Program Files (x86)\SchnapperPro\TimeSync.exe [45664 2007-08-30] (Schnapper-Software Robert Beer) S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed] ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH) R1 A2DDA; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH) R1 a2injectiondriver; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH) R1 a2util; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-01] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-01] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-24] (Avira Operations GmbH & Co. KG) R3 cleanhlp; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH) R2 ei2c; C:\Windows\system32\drivers\ei2c.sys [20784 2014-08-30] (Nicomsoft Ltd.) S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [357968 2011-07-07] () [File not signed] S3 gbxavs_x64; C:\Windows\System32\Drivers\gbxavs_x64.sys [46096 2008-11-20] (Native Instruments GmbH) S3 gbxusb_x64; C:\Windows\System32\Drivers\gbxusb_x64.sys [250896 2008-11-20] (Native Instruments GmbH) R3 ka6avs; C:\Windows\System32\Drivers\ka6avs.sys [359784 2012-12-18] (Native Instruments GmbH) R3 ka6usb_svc; C:\Windows\System32\Drivers\ka6usb.sys [85864 2012-12-18] (Native Instruments GmbH) S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [23968 2013-02-07] (Resplendence Software Projects Sp.) S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [53760 2012-09-28] (Apple, Inc.) [File not signed] R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2012-03-26] (VIA Technologies, Inc.) R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2012-03-26] (VIA Technologies, Inc.) S3 catchme; \??\C:\ComboFix\catchme.sys [X] S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X] S3 tsusbhub; system32\drivers\tsusbhub.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2014-12-29 06:46 - 2014-12-29 06:46 - 00000000 ____D () C:\Users\Admin\Desktop\FRST-OlderVersion 2014-12-29 06:45 - 2014-12-29 06:45 - 00000766 _____ () C:\Users\Admin\Desktop\JRT.txt 2014-12-29 06:41 - 2014-12-28 09:01 - 01707939 _____ (Thisisu) C:\Users\Admin\Desktop\JRT_NEW.exe 2014-12-29 06:39 - 2014-12-29 06:39 - 00001500 _____ () C:\Users\Admin\Desktop\AdwCleaner[S4].txt 2014-12-29 06:35 - 2014-12-29 06:35 - 00000004 ____H () C:\ProgramData\cm-lock 2014-12-29 06:04 - 2014-12-29 06:04 - 00001380 _____ () C:\Users\Admin\Desktop\AdwCleaner[S3].txt 2014-12-28 22:28 - 2014-12-28 22:29 - 00000000 ____D () C:\Users\Admin\Desktop\mal 2014-12-28 22:26 - 2014-12-28 22:26 - 00000270 _____ () C:\Users\Admin\Desktop\text.txt 2014-12-28 12:17 - 2014-12-28 12:17 - 00025716 _____ () C:\Users\Admin\Desktop\combofix.txt 2014-12-28 12:14 - 2014-12-28 12:14 - 00025716 _____ () C:\ComboFix.txt 2014-12-26 14:47 - 2014-12-26 14:47 - 00715952 _____ () C:\Windows\Minidump\122614-37533-01.dmp 2014-12-26 13:44 - 2014-12-26 13:44 - 00027910 _____ () C:\Users\Admin\Desktop\LogFiles.rar 2014-12-26 13:43 - 2014-12-26 13:43 - 01180834 _____ () C:\Users\Admin\Downloads\7z935.exe 2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip 2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\Program Files (x86)\7-Zip 2014-12-26 13:21 - 2014-12-26 13:21 - 00208082 _____ () C:\Users\Admin\Desktop\Gmer.txt 2014-12-26 12:04 - 2014-12-26 12:04 - 00380416 _____ () C:\Users\Admin\Downloads\Gmer-19357.exe 2014-12-26 12:00 - 2014-12-29 06:46 - 00017241 _____ () C:\Users\Admin\Desktop\FRST.txt 2014-12-26 12:00 - 2014-12-26 13:25 - 00043445 _____ () C:\Users\Admin\Desktop\Addition.txt 2014-12-26 11:59 - 2014-12-26 11:59 - 00000472 _____ () C:\Users\Admin\Desktop\defogger_disable.log 2014-12-26 11:59 - 2014-12-26 11:59 - 00000000 _____ () C:\Users\Admin\defogger_reenable 2014-12-26 11:58 - 2014-12-26 11:59 - 00050477 _____ () C:\Users\Admin\Desktop\Defogger.exe 2014-12-26 11:48 - 2014-12-26 11:48 - 00003874 _____ () C:\EamClean.log 2014-12-26 00:41 - 2014-12-26 00:41 - 00852505 _____ () C:\Users\Admin\Downloads\SecurityCheck.exe 2014-12-26 00:39 - 2014-12-26 00:39 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-12-26 00:38 - 2014-12-26 00:38 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu.exe 2014-12-26 00:36 - 2014-12-29 06:46 - 00000000 ____D () C:\FRST 2014-12-26 00:36 - 2014-12-26 11:41 - 00044595 _____ () C:\Users\Admin\Downloads\FRST.txt 2014-12-26 00:36 - 2014-12-26 00:37 - 00037320 _____ () C:\Users\Admin\Downloads\Addition.txt 2014-12-26 00:20 - 2014-12-29 06:46 - 02123264 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe 2014-12-25 23:53 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe 2014-12-25 23:51 - 2014-12-25 23:51 - 00709564 _____ () C:\Users\Admin\Downloads\delfix_10.8.exe 2014-12-25 23:26 - 2014-12-28 12:15 - 00000000 ____D () C:\Qoobox 2014-12-25 23:26 - 2014-12-25 23:47 - 00000000 ____D () C:\Windows\erdnt 2014-12-25 23:26 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-12-25 23:26 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-12-25 23:26 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe 2014-12-25 23:24 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe 2014-12-25 17:05 - 2014-12-25 17:05 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk 2014-12-25 17:05 - 2014-12-25 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware 2014-12-25 17:04 - 2014-12-29 06:42 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware 2014-12-25 16:57 - 2014-12-25 16:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe 2014-12-25 16:51 - 2014-12-25 16:54 - 170741736 _____ (Emsisoft Ltd ) C:\Users\Admin\Downloads\EmsisoftAntiMalwareSetup.exe 2014-12-25 13:48 - 2014-12-25 13:48 - 00007506 _____ () C:\Windows\system32\.crusader 2014-12-25 13:38 - 2014-12-25 13:49 - 00000000 ____D () C:\ProgramData\HitmanPro 2014-12-25 13:38 - 2014-12-25 13:38 - 00001912 _____ () C:\Users\Public\Desktop\HitmanPro.lnk 2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro 2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\Program Files\HitmanPro 2014-12-25 13:04 - 2014-12-25 13:05 - 11222744 _____ (SurfRight B.V.) C:\Users\Admin\Downloads\HitmanPro_x64.exe 2014-12-25 12:18 - 2014-12-25 12:18 - 00000194 _____ () C:\Users\Admin\Downloads\hosts-perm.bat 2014-12-25 11:11 - 2014-12-25 11:11 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\blabka4.exe 2014-12-24 17:17 - 2014-12-24 17:17 - 00001801 _____ () C:\Users\Public\Desktop\Vuze.lnk 2014-12-24 16:43 - 2014-12-24 16:43 - 02953520 _____ (AVAST Software) C:\Users\Admin\Downloads\avast-browser-cleanup.exe 2014-12-24 16:34 - 2014-12-24 16:34 - 00000000 ____D () C:\Windows\ERUNT 2014-12-24 16:04 - 2014-12-29 05:47 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-12-24 16:04 - 2014-12-24 16:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-12-24 16:04 - 2014-12-24 16:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-12-24 16:04 - 2014-12-24 16:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-12-24 14:11 - 2014-12-24 14:11 - 00001271 _____ () C:\Users\Admin\Desktop\Revo Uninstaller.lnk 2014-12-24 14:11 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group 2014-12-24 14:10 - 2014-12-24 14:10 - 01707646 _____ (Thisisu) C:\Users\Admin\Desktop\JRT.exe 2014-12-24 14:09 - 2014-12-24 14:09 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Admin\Downloads\revosetup.exe 2014-12-24 14:08 - 2014-12-24 14:08 - 01940728 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\rkill.exe 2014-12-24 13:50 - 2014-12-24 13:50 - 02173952 _____ () C:\Users\Admin\Desktop\AdwCleaner_4.106.exe 2014-12-19 13:46 - 2014-12-19 13:46 - 00001723 _____ () C:\Users\Admin\Desktop\Computer.lnk 2014-12-18 08:52 - 2014-12-13 06:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-12-18 08:52 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-12-17 22:17 - 2014-12-17 22:17 - 00003133 _____ () C:\Users\Public\Desktop\Nero BackItUp 10.lnk 2014-12-17 22:16 - 2014-12-17 22:16 - 00002937 _____ () C:\Users\Public\Desktop\Nero Burning ROM 10.lnk 2014-12-17 22:14 - 2014-12-17 22:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero 2014-12-17 20:59 - 2014-12-17 21:06 - 00000000 ____D () C:\Users\Admin\Desktop\volvo verkauf autoscout 2014-12-17 19:39 - 2014-12-17 19:39 - 00001156 _____ () C:\Users\Public\Desktop\etope 8 starten.lnk 2014-12-16 22:06 - 2014-12-24 14:17 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Line 6 2014-12-16 22:05 - 2014-12-17 18:49 - 00001137 _____ () C:\Users\Public\Desktop\Reason Essentials.lnk 2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\Program Files (x86)\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\ProgramData\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\Propellerhead 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\CodeMeter 2014-12-16 19:49 - 2014-12-16 19:49 - 00000000 ____D () C:\Windows\pss 2014-12-16 19:13 - 2014-12-16 19:13 - 00000000 ____D () C:\ProgramData\Adobe Systems 2014-12-16 18:29 - 2014-12-16 18:29 - 02166272 _____ () C:\Users\Admin\Downloads\adwcleaner_4.105.exe 2014-12-16 18:28 - 2014-12-29 06:31 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-12-16 18:28 - 2014-12-16 18:28 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-12-16 18:28 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-12-16 18:28 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-12-16 18:28 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-12-16 18:27 - 2014-12-16 18:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-2.0.4.1028.exe 2014-12-11 03:24 - 2014-12-11 03:24 - 00000000 ____D () C:\Windows\system32\appraiser 2014-12-11 03:02 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll 2014-12-11 03:02 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll 2014-12-10 19:37 - 2014-12-16 20:05 - 00000000 _____ () C:\ProgramData\@system.temp 2014-12-10 19:36 - 2014-12-16 20:30 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\FrameworkUpdate 2014-12-10 19:36 - 2014-12-10 19:36 - 00000480 ____H () C:\Users\Admin\AppData\Roaming\麽鎒駓覜 2014-12-10 08:43 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll 2014-12-10 08:43 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-12-10 08:43 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe 2014-12-10 08:42 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2014-12-10 08:42 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-12-10 08:42 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-12-10 08:42 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-12-10 08:42 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-12-10 08:42 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-12-10 08:42 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-12-10 08:42 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-12-10 08:42 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-12-10 08:42 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2014-12-10 08:42 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-12-10 08:42 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-12-10 08:42 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-12-10 08:42 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-12-10 08:42 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-12-10 08:42 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-12-10 08:42 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-12-10 08:42 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-12-10 08:42 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-12-10 08:42 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-12-10 08:42 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-12-10 08:42 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-12-10 08:42 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-12-10 08:42 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-12-10 08:42 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-12-10 08:42 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-12-10 08:42 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-12-10 08:42 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-12-10 08:42 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-12-10 08:42 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-12-10 08:42 - 2014-11-22 02:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-12-10 08:42 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-12-10 08:42 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-12-10 08:42 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-12-10 08:42 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-12-10 08:42 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-12-10 08:42 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-12-10 08:42 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-12-10 08:42 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-12-10 08:42 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-12-10 08:42 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-12-10 08:42 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-12-10 08:42 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-12-10 08:42 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-12-10 08:42 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-12-10 08:42 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-12-10 08:42 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-12-10 08:42 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-12-10 08:42 - 2014-11-22 02:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-12-10 08:42 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-12-10 08:42 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-12-10 08:42 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-12-10 08:42 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-12-10 08:42 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-12-10 08:42 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll 2014-12-10 08:42 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll 2014-12-10 08:42 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys 2014-12-10 08:42 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe 2014-12-10 08:42 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe 2014-12-10 08:42 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll 2014-12-10 08:42 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe 2014-12-10 08:42 - 2014-10-03 02:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll 2014-12-10 08:42 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe 2014-12-10 08:41 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll 2014-12-10 08:41 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll 2014-12-09 21:04 - 2014-12-09 21:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Oracle 2014-12-09 09:14 - 2014-12-09 09:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-12-08 19:34 - 2014-12-08 19:34 - 00000000 ____D () C:\ProgramData\PACE 2014-12-08 19:19 - 2014-12-24 14:22 - 00000000 ____D () C:\Users\Admin\Documents\iZotope 2014-12-08 19:12 - 2014-12-29 06:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft 2014-12-08 19:12 - 2014-12-28 22:03 - 00000000 ____D () C:\Users\Admin\AppData\Local\Ejmtion 2014-12-07 00:22 - 2014-12-07 00:22 - 01389910 _____ () C:\Users\Admin\Downloads\mp3bee3.exe 2014-12-06 20:08 - 2014-12-06 20:08 - 00025478 _____ () C:\Users\Admin\Desktop\1131_I-Wont-be-Home-for-Christmas.mid 2014-12-06 20:04 - 2014-12-06 20:04 - 00028918 _____ () C:\Users\Admin\Desktop\Blink_182_-_I_Won't_Be_Home_for_Christmas.mid 2014-12-02 22:14 - 2014-12-02 22:14 - 04990667 _____ () C:\Users\Admin\Desktop\10433298_10204168401239201_2025431251_n.mp4 2014-11-30 16:23 - 2014-12-08 12:29 - 00000000 ____D () C:\Users\Admin\Desktop\5825 2014-11-30 12:59 - 2014-12-18 14:55 - 00000000 ____D () C:\Users\Admin\Desktop\facebook ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2014-12-29 06:46 - 2013-03-31 16:13 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Azureus 2014-12-29 06:43 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-12-29 06:43 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-12-29 06:40 - 2009-07-14 18:58 - 00702980 _____ () C:\Windows\system32\perfh007.dat 2014-12-29 06:40 - 2009-07-14 18:58 - 00150620 _____ () C:\Windows\system32\perfc007.dat 2014-12-29 06:40 - 2009-07-14 06:13 - 01629444 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-12-29 06:37 - 2013-04-03 21:41 - 00000000 ___RD () C:\Users\Admin\Dropbox 2014-12-29 06:37 - 2013-04-03 21:39 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Dropbox 2014-12-29 06:36 - 2013-04-04 20:00 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SchnapperPro 2014-12-29 06:34 - 2013-05-01 22:29 - 00268812 _____ () C:\Windows\setupact.log 2014-12-29 06:34 - 2013-05-01 22:28 - 00232144 _____ () C:\Windows\PFRO.log 2014-12-29 06:34 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-12-29 06:33 - 2014-08-30 17:51 - 00000000 ____D () C:\AdwCleaner 2014-12-29 06:33 - 2013-03-31 00:28 - 01849776 _____ () C:\Windows\WindowsUpdate.log 2014-12-29 02:04 - 2013-03-30 18:07 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D7B81C1-8B06-4916-B13D-931EF0D2FBD7} 2014-12-29 02:00 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe 2014-12-28 22:15 - 2013-03-31 14:01 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc 2014-12-28 11:47 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini 2014-12-27 11:36 - 2014-11-16 23:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\JDownloader 2.0 2014-12-26 14:47 - 2013-10-18 05:16 - 1811278370 _____ () C:\Windows\MEMORY.DMP 2014-12-26 14:47 - 2013-04-05 16:37 - 00000000 ____D () C:\Windows\Minidump 2014-12-26 11:59 - 2013-03-30 17:29 - 00000000 ____D () C:\Users\Admin 2014-12-25 23:49 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default 2014-12-25 13:50 - 2013-06-21 18:50 - 00000000 ____D () C:\Users\Admin\AppData\Local\Greenshot 2014-12-25 12:47 - 2014-02-26 03:02 - 01648918 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI 2014-12-25 11:39 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing 2014-12-24 17:17 - 2013-03-31 16:13 - 00001801 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk 2014-12-24 17:17 - 2013-03-31 16:13 - 00000000 ____D () C:\Program Files\Vuze 2014-12-24 14:50 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Help 2014-12-24 14:27 - 2014-08-05 17:48 - 00000000 ____D () C:\ProgramData\Package Cache 2014-12-24 14:24 - 2013-03-30 17:59 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information 2014-12-24 14:22 - 2013-04-05 18:08 - 00000000 ____D () C:\Program Files\Common Files\VST3 2014-12-24 14:21 - 2013-04-07 10:11 - 00000000 ____D () C:\Program Files (x86)\Java 2014-12-24 14:18 - 2013-03-31 16:23 - 00000000 ____D () C:\Program Files (x86)\Adobe 2014-12-24 14:18 - 2013-03-31 03:19 - 00000000 ____D () C:\ProgramData\Adobe 2014-12-24 14:14 - 2013-04-01 08:35 - 00000000 ____D () C:\Users\Admin\AppData\Local\Citrix 2014-12-24 14:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Cursors 2014-12-20 21:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\L2Schemas 2014-12-19 14:11 - 2013-03-31 00:23 - 00000000 ____D () C:\Windows\Panther 2014-12-19 14:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\schemas 2014-12-18 20:14 - 2013-05-18 11:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Spotify 2014-12-18 15:55 - 2013-05-18 11:33 - 00000000 ____D () C:\Users\Admin\AppData\Local\Spotify 2014-12-17 22:21 - 2013-04-01 18:04 - 00000000 ____D () C:\Program Files (x86)\Nero 2014-12-17 21:55 - 2014-08-30 12:41 - 00000000 ____D () C:\Temp 2014-12-17 19:39 - 2014-04-27 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\etope 8 2014-12-16 22:14 - 2009-07-14 05:45 - 11266360 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-12-16 22:13 - 2013-05-01 10:12 - 00000000 ____D () C:\ProgramData\Propellerhead Software 2014-12-16 22:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports 2014-12-16 22:06 - 2013-05-01 10:12 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Propellerhead Software 2014-12-16 22:05 - 2013-05-01 10:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Propellerhead 2014-12-16 19:53 - 2014-09-13 16:03 - 00000000 ____D () C:\Program Files (x86)\AntiTwin 2014-12-16 19:47 - 2013-06-19 18:24 - 00000000 ____D () C:\Program Files\ARIS Express 2014-12-16 19:40 - 2013-03-30 17:44 - 00440744 _____ () C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT 2014-12-16 19:15 - 2013-03-30 18:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe 2014-12-16 19:12 - 2013-03-31 16:04 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2014-12-16 19:11 - 2013-09-01 20:02 - 00000000 ____D () C:\Users\Admin\.android 2014-12-14 03:00 - 2013-03-30 17:34 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-12-13 03:22 - 2013-08-30 17:11 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox 2014-12-11 03:55 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache 2014-12-11 03:26 - 2014-08-30 15:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service 2014-12-11 03:24 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions 2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat 2014-12-11 03:07 - 2013-07-23 02:00 - 00000000 ____D () C:\Windows\system32\MRT 2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-12-09 21:04 - 2013-11-24 11:03 - 00000000 ____D () C:\ProgramData\Oracle 2014-12-09 20:08 - 2014-11-03 17:17 - 00001144 _____ () C:\Users\Public\Desktop\Avira.lnk 2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira 2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\Program Files (x86)\Avira 2014-12-09 20:02 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT 2014-12-08 19:44 - 2013-04-01 15:27 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\iZotope 2014-12-07 12:06 - 2014-05-01 10:37 - 00022016 ___SH () C:\Users\Admin\Thumbs.db Some content of TEMP: ==================== C:\Users\Admin\AppData\Local\Temp\avgnt.exe C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpsjyxol.dll C:\Users\Admin\AppData\Local\Temp\Quarantine.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-12-25 07:54 ==================== End Of Log ============================ --- --- --- |
29.12.2014, 20:04 | #10 |
/// the machine /// TB-Ausbilder | Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\LocalESET Online Scanner
Downloade Dir bitte SecurityCheck und:
und ein frisches FRST log bitte. Noch Probleme?
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
30.12.2014, 18:47 | #11 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Leider noch nicht behoben, Avira bzw. HitmanPro melden weiterhin Funde, siehe Screenshot. Hier die Logs: ESET: Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.7623 # api_version=3.0.2 # EOSSerial=a83ff6f5fe8cb3478e5633b4712a912b # engine=21707 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2014-12-26 06:41:45 # local_time=2014-12-26 07:41:45 (+0100, Mitteleuropäische Zeit) # country="Germany" # lang=1031 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode_1='Avira Desktop' # compatibility_mode=1810 16777213 100 100 47108 54842535 0 0 # compatibility_mode_1='' # compatibility_mode=5893 16776573 100 94 28077 171205955 0 0 # scanned=1652005 # found=58 # cleaned=0 # scan_time=25206 sh=A2C0484EF77721E03B445B032132E12F37FCBB14 ft=1 fh=c71c00119898bc5a vn="Variante von MSIL/TrojanDropper.Agent.DT Trojaner" ac=I fn="A:\software\LinPlug VSTi (MorphoX, Organ, RMV Drum Addiction)\RMV Drum Addiction VSTi v5.0.5 UPDATE\RMV Instrument Installer 505.exe" sh=FD4DD9605A03F619D09B650452E8C81618578B3A ft=1 fh=4c256b24a244bc05 vn="Win32/Toolbar.AskSBar evtl. unerwünschte Anwendung" ac=I fn="A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe" sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll" sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll" sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe" sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe" sh=42C00555296E943150E177B3961FF2ED8196C506 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js" sh=71C5BE3D9817B46CC684650AB201210449A75895 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js" sh=5F87146C0AA00792B01FA4ABBB5BE7CDD69352E3 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Backup\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\prefs_30_08_2014_19_46_33.js" sh=78291A99C56B070EA0908A09C9ED4823F72C6A31 ft=1 fh=303c525d22b897e4 vn="Variante von Win32/DownloadSponsor.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\ocs_v7a.exe.vir" sh=EAB3A867FD239AD7D1D5416E8139D3D71F4140FA ft=1 fh=38338eb635a00b8a vn="Variante von Win32/Toolbar.Babylon.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\Downloads\d340164aef134ca45f5d3a3a8b8d1b79\831fc6f9901af1fd98115b5a10864eef\DeltaTB.exe.vir" sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\user.js.vir" sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\user.js.vir" sh=843DF0FD9F9C356D5336452FCC2B3374A2BD06DC ft=1 fh=137ef7008edb618f vn="Win32/Toolbar.Conduit.R evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\OpenCandy\2FB876A736304B218EE063D76C34F633\SSStub_SearchProtect_p1v0.exe.vir" sh=2AE12E87FC63FD6A16DF5C7EFE08ED882578B34C ft=1 fh=2407a90c81eb5dd5 vn="Variante von Win32/TrojanDropper.MsiDrop.A Trojaner" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\RHEng\6B9C2555E04B47079517D7F99B9288CD\Installer.exe.vir" sh=827CDB291F6D8EEBF770451054D910D07B07D1E3 ft=1 fh=42bdf1b6ac1a732c vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe" sh=DD890976442C9515101EDDFCF8B7E10F6774ECF8 ft=1 fh=e3c7b31c0d928ab2 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll" sh=5A3DB504BB73DC8E79BF78530EDB17D8F1C94DF9 ft=1 fh=fa56f3a4ea361a51 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe" sh=11F69B3BA4100A4C45B366C1F79BB52AC45476E8 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G" sh=080F6B138931704FEC71EACD956E080229FCF952 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]" sh=F1715CFD27DC6BFDE10442102D08554C1C893A67 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]" sh=78BF31062051EB4CD0DDD6B8E372B19C267C9B98 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]" sh=45BA456433D613144A368AC17FB827216A4F28AB ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z" sh=098C820D0A30963C886D605C187E6E0DEB9075D3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2" sh=A9A657C153EFF53D9D37F6A26E54608988FE8C46 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F" sh=1E281AEB127FBCC9605EC5E34AF2E9B1194D5035 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00" sh=BB492BAAFB8FB8BAD644F9DA0D0C7065F461A368 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]" sh=F465BDC7CDB6D902274B1B2DE4D03F466D7FBFD3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]" sh=3233C8892659072CADA04EC6ABFE1615CE66FDF1 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]" sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php" sh=4E8BC33C6DFBDD9727988EB0AA95AF115C08FA8F ft=1 fh=efa4d311e75fd867 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll" sh=096B736DCB93B86E094839B73D724E8B4172BB16 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX" sh=96ECE4FD50478122EAA7B4C411CE4B1AA7103583 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH" sh=76A0F71110E63B70CE321128A325BEF5728FFB30 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]" sh=9A43AEA05056A4631B5E852EAB52E9F89B9B4EE4 ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html" sh=AC85DB00B2E2594170D9B607E34919C45CF8BE72 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G" sh=6CA38C287E7E3638A1AC5F5FF3BDF74822D5D344 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]" sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php" sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll" sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll" sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe" sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe" sh=153D61D882922BA440ED0EDB0BE44F58CB47DC5B ft=0 fh=0000000000000000 vn="Variante von Win32/PriceGong.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi" sh=19344467CB8A39A10E57BDAAA450DDD1F47BE033 ft=0 fh=0000000000000000 vn="JS/Kryptik.AP Trojaner" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm" sh=6EF4B349F23F2B83D07BAAFF09F65ED63482818C ft=1 fh=c71c001182c4fa88 vn="Variante von Win32/Toolbar.SearchSuite.Z evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll" sh=475FDFC60EA7EDAC01D81109C5432D56BE204EE0 ft=1 fh=e3d778651a32038a vn="Variante von Win32/KeyLogger.Refog.D Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe" sh=14B1915594E3111C8B5BEEC0915CE0D5620191C3 ft=1 fh=8b9abe168a66d4b2 vn="Variante von Win32/Toolbar.Visicom.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe" sh=4C5834A9F0D646B35A7719A4E352093C0240BA5F ft=1 fh=f68058267a38e609 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll" sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll" sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll" sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll" sh=027DF2D2944EA506A71D61928674C2CC42A8FE69 ft=1 fh=4c97c45eed1dce37 vn="Win32/Toolbar.Babylon evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe" sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll" sh=74F9F4BF038FEA2E33D37906C375A454A9456B35 ft=1 fh=b9ea14dac9f8ad1c vn="Variante von Win32/Complitly.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe" sh=457335C7D7CF3B76BDA5156BDFC9D2E55F5EB26E ft=1 fh=733834ea60493ef0 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe" sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll" sh=3BAD2CF7AE22FE1CD6D934E09C2DDEB78FB8DC45 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar" sh=B8D140F32E455F0B90C04CD93EA852E8D22AECEF ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar" ESETSmartInstaller@High as downloader log: all ok # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.7623 # api_version=3.0.2 # EOSSerial=a83ff6f5fe8cb3478e5633b4712a912b # engine=21746 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2014-12-30 04:53:52 # local_time=2014-12-30 05:53:52 (+0100, Mitteleuropäische Zeit) # country="Germany" # lang=1031 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode_1='Avira Desktop' # compatibility_mode=1810 16777213 100 100 130643 55181662 0 0 # compatibility_mode_1='' # compatibility_mode=5893 16776573 100 94 30900 171545082 0 0 # compatibility_mode_1='Emsisoft Anti-Malware' # compatibility_mode=16642 16777213 100 100 30591 221157520 0 0 # scanned=1657218 # found=67 # cleaned=0 # scan_time=26819 sh=A2C0484EF77721E03B445B032132E12F37FCBB14 ft=1 fh=c71c00119898bc5a vn="Variante von MSIL/TrojanDropper.Agent.DT Trojaner" ac=I fn="A:\software\LinPlug VSTi (MorphoX, Organ, RMV Drum Addiction)\RMV Drum Addiction VSTi v5.0.5 UPDATE\RMV Instrument Installer 505.exe" sh=FD4DD9605A03F619D09B650452E8C81618578B3A ft=1 fh=4c256b24a244bc05 vn="Win32/Toolbar.AskSBar evtl. unerwünschte Anwendung" ac=I fn="A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe" sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll" sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll" sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe" sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe" sh=42C00555296E943150E177B3961FF2ED8196C506 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js" sh=71C5BE3D9817B46CC684650AB201210449A75895 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js" sh=5F87146C0AA00792B01FA4ABBB5BE7CDD69352E3 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Backup\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\prefs_30_08_2014_19_46_33.js" sh=78291A99C56B070EA0908A09C9ED4823F72C6A31 ft=1 fh=303c525d22b897e4 vn="Variante von Win32/DownloadSponsor.C evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\ocs_v7a.exe.vir" sh=EAB3A867FD239AD7D1D5416E8139D3D71F4140FA ft=1 fh=38338eb635a00b8a vn="Variante von Win32/Toolbar.Babylon.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\Downloads\d340164aef134ca45f5d3a3a8b8d1b79\831fc6f9901af1fd98115b5a10864eef\DeltaTB.exe.vir" sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\user.js.vir" sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\user.js.vir" sh=843DF0FD9F9C356D5336452FCC2B3374A2BD06DC ft=1 fh=137ef7008edb618f vn="Win32/Toolbar.Conduit.R evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\OpenCandy\2FB876A736304B218EE063D76C34F633\SSStub_SearchProtect_p1v0.exe.vir" sh=2AE12E87FC63FD6A16DF5C7EFE08ED882578B34C ft=1 fh=2407a90c81eb5dd5 vn="Variante von Win32/TrojanDropper.MsiDrop.A Trojaner" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\RHEng\6B9C2555E04B47079517D7F99B9288CD\Installer.exe.vir" sh=827CDB291F6D8EEBF770451054D910D07B07D1E3 ft=1 fh=42bdf1b6ac1a732c vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe" sh=DD890976442C9515101EDDFCF8B7E10F6774ECF8 ft=1 fh=e3c7b31c0d928ab2 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll" sh=5A3DB504BB73DC8E79BF78530EDB17D8F1C94DF9 ft=1 fh=fa56f3a4ea361a51 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe" sh=11F69B3BA4100A4C45B366C1F79BB52AC45476E8 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G" sh=080F6B138931704FEC71EACD956E080229FCF952 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]" sh=F1715CFD27DC6BFDE10442102D08554C1C893A67 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]" sh=78BF31062051EB4CD0DDD6B8E372B19C267C9B98 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]" sh=45BA456433D613144A368AC17FB827216A4F28AB ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z" sh=098C820D0A30963C886D605C187E6E0DEB9075D3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2" sh=A9A657C153EFF53D9D37F6A26E54608988FE8C46 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F" sh=1E281AEB127FBCC9605EC5E34AF2E9B1194D5035 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00" sh=BB492BAAFB8FB8BAD644F9DA0D0C7065F461A368 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]" sh=F465BDC7CDB6D902274B1B2DE4D03F466D7FBFD3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]" sh=3233C8892659072CADA04EC6ABFE1615CE66FDF1 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]" sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php" sh=4E8BC33C6DFBDD9727988EB0AA95AF115C08FA8F ft=1 fh=efa4d311e75fd867 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll" sh=096B736DCB93B86E094839B73D724E8B4172BB16 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX" sh=96ECE4FD50478122EAA7B4C411CE4B1AA7103583 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH" sh=76A0F71110E63B70CE321128A325BEF5728FFB30 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]" sh=9A43AEA05056A4631B5E852EAB52E9F89B9B4EE4 ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html" sh=AC85DB00B2E2594170D9B607E34919C45CF8BE72 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G" sh=6CA38C287E7E3638A1AC5F5FF3BDF74822D5D344 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]" sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php" sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll" sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll" sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe" sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe" sh=153D61D882922BA440ED0EDB0BE44F58CB47DC5B ft=0 fh=0000000000000000 vn="Variante von Win32/PriceGong.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi" sh=19344467CB8A39A10E57BDAAA450DDD1F47BE033 ft=0 fh=0000000000000000 vn="JS/Kryptik.AP Trojaner" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm" sh=6EF4B349F23F2B83D07BAAFF09F65ED63482818C ft=1 fh=c71c001182c4fa88 vn="Variante von Win32/Toolbar.SearchSuite.Z evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll" sh=475FDFC60EA7EDAC01D81109C5432D56BE204EE0 ft=1 fh=e3d778651a32038a vn="Variante von Win32/KeyLogger.Refog.D Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe" sh=14B1915594E3111C8B5BEEC0915CE0D5620191C3 ft=1 fh=8b9abe168a66d4b2 vn="Variante von Win32/Toolbar.Visicom.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe" sh=4C5834A9F0D646B35A7719A4E352093C0240BA5F ft=1 fh=f68058267a38e609 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll" sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll" sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll" sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll" sh=027DF2D2944EA506A71D61928674C2CC42A8FE69 ft=1 fh=4c97c45eed1dce37 vn="Win32/Toolbar.Babylon evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe" sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll" sh=3C8E0EF3D8366D7C6881DE8D5B55CD4615650BEC ft=1 fh=d733a75a8cafce2d vn="Variante von Generik.LBXSLDK Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe" sh=F73A84AC385A3B05D0EA425BCE157381C6B4ACBC ft=1 fh=008645d93ec93ad6 vn="Win32/Boaxxe.BR Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe" sh=91CF851FC60AB6D4FFF4DBE4A98C37ECD6A841A8 ft=1 fh=06bd9319462efad2 vn="Variante von Win32/Packed.Themida evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL" sh=3C8E0EF3D8366D7C6881DE8D5B55CD4615650BEC ft=1 fh=d733a75a8cafce2d vn="Variante von Generik.LBXSLDK Trojaner" ac=I fn="C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe" sh=7FAEDDFE7AA391AFCEC7BC4E36E95348F8F270DA ft=0 fh=0000000000000000 vn="Win32/Boaxxe.BU Trojaner" ac=I fn="C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js" sh=7FAEDDFE7AA391AFCEC7BC4E36E95348F8F270DA ft=0 fh=0000000000000000 vn="Win32/Boaxxe.BU Trojaner" ac=I fn="C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js" sh=74F9F4BF038FEA2E33D37906C375A454A9456B35 ft=1 fh=b9ea14dac9f8ad1c vn="Variante von Win32/Complitly.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe" sh=457335C7D7CF3B76BDA5156BDFC9D2E55F5EB26E ft=1 fh=733834ea60493ef0 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe" sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll" sh=3C8E0EF3D8366D7C6881DE8D5B55CD4615650BEC ft=1 fh=d733a75a8cafce2d vn="Variante von Generik.LBXSLDK Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe" sh=F73A84AC385A3B05D0EA425BCE157381C6B4ACBC ft=1 fh=008645d93ec93ad6 vn="Win32/Boaxxe.BR Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe" sh=3BAD2CF7AE22FE1CD6D934E09C2DDEB78FB8DC45 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar" sh=B8D140F32E455F0B90C04CD93EA852E8D22AECEF ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar" sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="Mehrere Bedrohungen" ac=I fn="${Memory}" Code:
ATTFilter Results of screen317's Security Check version 0.99.93 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 11 ``````````````Antivirus/Firewall Check:`````````````` Avira Desktop Antivirus up to date! (On Access scanning disabled!) `````````Anti-malware/Other Utilities Check:````````` Adobe Flash Player 16.0.0.235 Mozilla Firefox (34.0.5) ````````Process Check: objlist.exe by Laurent```````` Avira Antivir avgnt.exe Avira Antivir avguard.exe EMSISOFT Anti-Malware a2service.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: ````````````````````End of Log`````````````````````` FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014 Ran by Admin (administrator) on ADMIN-PC on 30-12-2014 06:50:43 Running from C:\Users\Admin\Desktop Loaded Profile: Admin (Available profiles: Admin) Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AMD) C:\Windows\System32\atiesrxx.exe (Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (AMD) C:\Windows\System32\atieclxx.exe (SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe (Greenshot) C:\Program Files\Greenshot\Greenshot.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Spotify Ltd) C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe (Schnapper-Software Robert Beer) C:\Program Files (x86)\SchnapperPro\TimeSync.exe () C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Schnapper-Software Robert Beer) C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe (Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Nero AG) C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe (WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe (Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe (SAP AG) C:\Program Files (x86)\SAP\SapSetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe (Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2012-03-26] (VIA Technologies, Inc.) HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot) HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe" HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation) HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation) HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation) HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-09] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [NBAgent] => C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1234216 2010-03-26] (Nero AG) HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383544 2012-12-14] (Citrix Systems, Inc.) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Azureus] => C:\Program Files\Vuze\Azureus.exe [346424 2014-08-12] (Azureus Software, Inc) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] () AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.) Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk ShortcutTarget: CodeMeter Control Center.lnk -> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (WIBU-SYSTEMS AG) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SchnapperPro.lnk ShortcutTarget: SchnapperPro.lnk -> C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Schnapper-Software Robert Beer) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation) BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation) Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf) Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf) Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) Tcpip\Parameters: [DhcpNameServer] 10.0.0.138 FireFox: ======== FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364 FF SelectedSearchEngine: Google FF Homepage: about:home FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll () FF Plugin: @microsoft.com/GENUINE -> disabled No File FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll () FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.) FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin HKU\S-1-5-21-3347311179-4269016646-269938500-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online) FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26] FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26] Chrome: ======= CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 a2AntiMalware; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH) R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG) R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG) R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-25] (SurfRight B.V.) R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [165568 2012-06-19] (SAP AG) R2 SchnapperPro-TimeSync; C:\Program Files (x86)\SchnapperPro\TimeSync.exe [45664 2007-08-30] (Schnapper-Software Robert Beer) S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed] ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH) R1 A2DDA; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH) R1 a2injectiondriver; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH) R1 a2util; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-01] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-01] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-24] (Avira Operations GmbH & Co. KG) R3 cleanhlp; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH) R2 ei2c; C:\Windows\system32\drivers\ei2c.sys [20784 2014-08-30] (Nicomsoft Ltd.) S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [357968 2011-07-07] () [File not signed] S3 gbxavs_x64; C:\Windows\System32\Drivers\gbxavs_x64.sys [46096 2008-11-20] (Native Instruments GmbH) S3 gbxusb_x64; C:\Windows\System32\Drivers\gbxusb_x64.sys [250896 2008-11-20] (Native Instruments GmbH) R3 ka6avs; C:\Windows\System32\Drivers\ka6avs.sys [359784 2012-12-18] (Native Instruments GmbH) R3 ka6usb_svc; C:\Windows\System32\Drivers\ka6usb.sys [85864 2012-12-18] (Native Instruments GmbH) S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [23968 2013-02-07] (Resplendence Software Projects Sp.) S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [53760 2012-09-28] (Apple, Inc.) [File not signed] R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2012-03-26] (VIA Technologies, Inc.) R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2012-03-26] (VIA Technologies, Inc.) S3 catchme; \??\C:\ComboFix\catchme.sys [X] S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X] S3 tsusbhub; system32\drivers\tsusbhub.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2014-12-30 06:50 - 2014-12-30 06:50 - 00017338 _____ () C:\Users\Admin\Desktop\FRST.txt 2014-12-30 06:50 - 2014-12-30 06:50 - 00000760 _____ () C:\Users\Admin\Desktop\securitycheck.txt 2014-12-30 06:23 - 2014-12-30 06:23 - 00852505 _____ () C:\Users\Admin\Desktop\SecurityCheck(1).exe 2014-12-29 22:25 - 2014-12-29 22:25 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu(1).exe 2014-12-29 22:21 - 2014-12-29 22:22 - 00000004 ____H () C:\ProgramData\cm-lock 2014-12-29 06:46 - 2014-12-29 06:46 - 00000000 ____D () C:\Users\Admin\Desktop\FRST-OlderVersion 2014-12-29 06:41 - 2014-12-28 09:01 - 01707939 _____ (Thisisu) C:\Users\Admin\Desktop\JRT_NEW.exe 2014-12-29 06:39 - 2014-12-29 06:39 - 00001500 _____ () C:\Users\Admin\Desktop\AdwCleaner[S4].txt 2014-12-28 22:28 - 2014-12-28 22:29 - 00000000 ____D () C:\Users\Admin\Desktop\mal 2014-12-28 22:26 - 2014-12-28 22:26 - 00000270 _____ () C:\Users\Admin\Desktop\text.txt 2014-12-28 12:14 - 2014-12-28 12:14 - 00025716 _____ () C:\ComboFix.txt 2014-12-26 14:47 - 2014-12-26 14:47 - 00715952 _____ () C:\Windows\Minidump\122614-37533-01.dmp 2014-12-26 13:43 - 2014-12-26 13:43 - 01180834 _____ () C:\Users\Admin\Downloads\7z935.exe 2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip 2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\Program Files (x86)\7-Zip 2014-12-26 12:04 - 2014-12-26 12:04 - 00380416 _____ () C:\Users\Admin\Downloads\Gmer-19357.exe 2014-12-26 11:59 - 2014-12-26 11:59 - 00000000 _____ () C:\Users\Admin\defogger_reenable 2014-12-26 11:58 - 2014-12-26 11:59 - 00050477 _____ () C:\Users\Admin\Desktop\Defogger.exe 2014-12-26 11:48 - 2014-12-26 11:48 - 00003874 _____ () C:\EamClean.log 2014-12-26 00:41 - 2014-12-26 00:41 - 00852505 _____ () C:\Users\Admin\Downloads\SecurityCheck.exe 2014-12-26 00:39 - 2014-12-26 00:39 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-12-26 00:38 - 2014-12-26 00:38 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu.exe 2014-12-26 00:36 - 2014-12-30 06:50 - 00000000 ____D () C:\FRST 2014-12-26 00:36 - 2014-12-26 11:41 - 00044595 _____ () C:\Users\Admin\Downloads\FRST.txt 2014-12-26 00:36 - 2014-12-26 00:37 - 00037320 _____ () C:\Users\Admin\Downloads\Addition.txt 2014-12-26 00:20 - 2014-12-29 06:46 - 02123264 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe 2014-12-25 23:53 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe 2014-12-25 23:51 - 2014-12-25 23:51 - 00709564 _____ () C:\Users\Admin\Downloads\delfix_10.8.exe 2014-12-25 23:26 - 2014-12-28 12:15 - 00000000 ____D () C:\Qoobox 2014-12-25 23:26 - 2014-12-25 23:47 - 00000000 ____D () C:\Windows\erdnt 2014-12-25 23:26 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-12-25 23:26 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-12-25 23:26 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe 2014-12-25 23:26 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe 2014-12-25 23:24 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe 2014-12-25 17:05 - 2014-12-25 17:05 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk 2014-12-25 17:05 - 2014-12-25 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware 2014-12-25 17:04 - 2014-12-30 00:31 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware 2014-12-25 16:57 - 2014-12-25 16:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe 2014-12-25 16:51 - 2014-12-25 16:54 - 170741736 _____ (Emsisoft Ltd ) C:\Users\Admin\Downloads\EmsisoftAntiMalwareSetup.exe 2014-12-25 13:48 - 2014-12-25 13:48 - 00007506 _____ () C:\Windows\system32\.crusader 2014-12-25 13:38 - 2014-12-25 13:49 - 00000000 ____D () C:\ProgramData\HitmanPro 2014-12-25 13:38 - 2014-12-25 13:38 - 00001912 _____ () C:\Users\Public\Desktop\HitmanPro.lnk 2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro 2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\Program Files\HitmanPro 2014-12-25 13:04 - 2014-12-25 13:05 - 11222744 _____ (SurfRight B.V.) C:\Users\Admin\Downloads\HitmanPro_x64.exe 2014-12-25 12:18 - 2014-12-25 12:18 - 00000194 _____ () C:\Users\Admin\Downloads\hosts-perm.bat 2014-12-25 11:11 - 2014-12-25 11:11 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\blabka4.exe 2014-12-24 17:17 - 2014-12-24 17:17 - 00001801 _____ () C:\Users\Public\Desktop\Vuze.lnk 2014-12-24 16:43 - 2014-12-24 16:43 - 02953520 _____ (AVAST Software) C:\Users\Admin\Downloads\avast-browser-cleanup.exe 2014-12-24 16:34 - 2014-12-24 16:34 - 00000000 ____D () C:\Windows\ERUNT 2014-12-24 16:04 - 2014-12-30 06:47 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-12-24 16:04 - 2014-12-24 16:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-12-24 16:04 - 2014-12-24 16:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-12-24 16:04 - 2014-12-24 16:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-12-24 14:11 - 2014-12-24 14:11 - 00001271 _____ () C:\Users\Admin\Desktop\Revo Uninstaller.lnk 2014-12-24 14:11 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group 2014-12-24 14:10 - 2014-12-24 14:10 - 01707646 _____ (Thisisu) C:\Users\Admin\Desktop\JRT.exe 2014-12-24 14:09 - 2014-12-24 14:09 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Admin\Downloads\revosetup.exe 2014-12-24 14:08 - 2014-12-24 14:08 - 01940728 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\rkill.exe 2014-12-24 13:50 - 2014-12-24 13:50 - 02173952 _____ () C:\Users\Admin\Desktop\AdwCleaner_4.106.exe 2014-12-19 13:46 - 2014-12-19 13:46 - 00001723 _____ () C:\Users\Admin\Desktop\Computer.lnk 2014-12-18 08:52 - 2014-12-13 06:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-12-18 08:52 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-12-17 22:17 - 2014-12-17 22:17 - 00003133 _____ () C:\Users\Public\Desktop\Nero BackItUp 10.lnk 2014-12-17 22:16 - 2014-12-17 22:16 - 00002937 _____ () C:\Users\Public\Desktop\Nero Burning ROM 10.lnk 2014-12-17 22:14 - 2014-12-17 22:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero 2014-12-17 20:59 - 2014-12-17 21:06 - 00000000 ____D () C:\Users\Admin\Desktop\volvo verkauf autoscout 2014-12-17 19:39 - 2014-12-17 19:39 - 00001156 _____ () C:\Users\Public\Desktop\etope 8 starten.lnk 2014-12-16 22:06 - 2014-12-24 14:17 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Line 6 2014-12-16 22:05 - 2014-12-17 18:49 - 00001137 _____ () C:\Users\Public\Desktop\Reason Essentials.lnk 2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\Program Files (x86)\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\ProgramData\CodeMeter 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\Propellerhead 2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\CodeMeter 2014-12-16 19:49 - 2014-12-16 19:49 - 00000000 ____D () C:\Windows\pss 2014-12-16 19:13 - 2014-12-16 19:13 - 00000000 ____D () C:\ProgramData\Adobe Systems 2014-12-16 18:29 - 2014-12-16 18:29 - 02166272 _____ () C:\Users\Admin\Downloads\adwcleaner_4.105.exe 2014-12-16 18:28 - 2014-12-29 06:31 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-12-16 18:28 - 2014-12-16 18:28 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-12-16 18:28 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2014-12-16 18:28 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2014-12-16 18:28 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-12-16 18:27 - 2014-12-16 18:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-2.0.4.1028.exe 2014-12-11 03:24 - 2014-12-11 03:24 - 00000000 ____D () C:\Windows\system32\appraiser 2014-12-11 03:02 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll 2014-12-11 03:02 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll 2014-12-10 19:37 - 2014-12-16 20:05 - 00000000 _____ () C:\ProgramData\@system.temp 2014-12-10 19:36 - 2014-12-16 20:30 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\FrameworkUpdate 2014-12-10 19:36 - 2014-12-10 19:36 - 00000480 ____H () C:\Users\Admin\AppData\Roaming\麽鎒駓覜 2014-12-10 08:43 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-12-10 08:43 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll 2014-12-10 08:43 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-12-10 08:43 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe 2014-12-10 08:42 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2014-12-10 08:42 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-12-10 08:42 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-12-10 08:42 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-12-10 08:42 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-12-10 08:42 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-12-10 08:42 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-12-10 08:42 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-12-10 08:42 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-12-10 08:42 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2014-12-10 08:42 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-12-10 08:42 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-12-10 08:42 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-12-10 08:42 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-12-10 08:42 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-12-10 08:42 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-12-10 08:42 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-12-10 08:42 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-12-10 08:42 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-12-10 08:42 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-12-10 08:42 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-12-10 08:42 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-12-10 08:42 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-12-10 08:42 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-12-10 08:42 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-12-10 08:42 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-12-10 08:42 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-12-10 08:42 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-12-10 08:42 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-12-10 08:42 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-12-10 08:42 - 2014-11-22 02:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-12-10 08:42 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-12-10 08:42 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-12-10 08:42 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-12-10 08:42 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-12-10 08:42 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-12-10 08:42 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-12-10 08:42 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-12-10 08:42 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-12-10 08:42 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-12-10 08:42 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-12-10 08:42 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-12-10 08:42 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-12-10 08:42 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-12-10 08:42 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-12-10 08:42 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-12-10 08:42 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-12-10 08:42 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-12-10 08:42 - 2014-11-22 02:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-12-10 08:42 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-12-10 08:42 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-12-10 08:42 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-12-10 08:42 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-12-10 08:42 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-12-10 08:42 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll 2014-12-10 08:42 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll 2014-12-10 08:42 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys 2014-12-10 08:42 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe 2014-12-10 08:42 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe 2014-12-10 08:42 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll 2014-12-10 08:42 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll 2014-12-10 08:42 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe 2014-12-10 08:42 - 2014-10-03 02:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll 2014-12-10 08:42 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll 2014-12-10 08:42 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe 2014-12-10 08:41 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll 2014-12-10 08:41 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll 2014-12-09 21:04 - 2014-12-09 21:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Oracle 2014-12-09 09:14 - 2014-12-09 09:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-12-08 19:34 - 2014-12-08 19:34 - 00000000 ____D () C:\ProgramData\PACE 2014-12-08 19:19 - 2014-12-24 14:22 - 00000000 ____D () C:\Users\Admin\Documents\iZotope 2014-12-08 19:12 - 2014-12-29 22:23 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft 2014-12-08 19:12 - 2014-12-28 22:03 - 00000000 ____D () C:\Users\Admin\AppData\Local\Ejmtion 2014-12-07 00:22 - 2014-12-07 00:22 - 01389910 _____ () C:\Users\Admin\Downloads\mp3bee3.exe 2014-12-06 20:08 - 2014-12-06 20:08 - 00025478 _____ () C:\Users\Admin\Desktop\1131_I-Wont-be-Home-for-Christmas.mid 2014-12-06 20:04 - 2014-12-06 20:04 - 00028918 _____ () C:\Users\Admin\Desktop\Blink_182_-_I_Won't_Be_Home_for_Christmas.mid 2014-12-02 22:14 - 2014-12-02 22:14 - 04990667 _____ () C:\Users\Admin\Desktop\10433298_10204168401239201_2025431251_n.mp4 2014-11-30 16:23 - 2014-12-08 12:29 - 00000000 ____D () C:\Users\Admin\Desktop\5825 2014-11-30 12:59 - 2014-12-18 14:55 - 00000000 ____D () C:\Users\Admin\Desktop\facebook ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2014-12-30 06:11 - 2013-03-31 00:28 - 01897689 _____ () C:\Windows\WindowsUpdate.log 2014-12-30 04:04 - 2013-03-30 18:07 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D7B81C1-8B06-4916-B13D-931EF0D2FBD7} 2014-12-30 02:02 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe 2014-12-30 00:02 - 2013-03-31 14:01 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc 2014-12-29 22:33 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-12-29 22:33 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-12-29 22:27 - 2009-07-14 18:58 - 00702980 _____ () C:\Windows\system32\perfh007.dat 2014-12-29 22:27 - 2009-07-14 18:58 - 00150620 _____ () C:\Windows\system32\perfc007.dat 2014-12-29 22:27 - 2009-07-14 06:13 - 01629444 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-12-29 22:24 - 2013-03-31 16:13 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Azureus 2014-12-29 22:22 - 2013-04-04 20:00 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SchnapperPro 2014-12-29 22:22 - 2013-04-03 21:41 - 00000000 ___RD () C:\Users\Admin\Dropbox 2014-12-29 22:22 - 2013-04-03 21:39 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Dropbox 2014-12-29 22:21 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-12-29 22:20 - 2013-05-01 22:29 - 00268924 _____ () C:\Windows\setupact.log 2014-12-29 16:31 - 2013-05-01 22:28 - 00232502 _____ () C:\Windows\PFRO.log 2014-12-29 06:33 - 2014-08-30 17:51 - 00000000 ____D () C:\AdwCleaner 2014-12-28 11:47 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini 2014-12-27 11:36 - 2014-11-16 23:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\JDownloader 2.0 2014-12-26 14:47 - 2013-10-18 05:16 - 1811278370 _____ () C:\Windows\MEMORY.DMP 2014-12-26 14:47 - 2013-04-05 16:37 - 00000000 ____D () C:\Windows\Minidump 2014-12-26 11:59 - 2013-03-30 17:29 - 00000000 ____D () C:\Users\Admin 2014-12-25 23:49 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default 2014-12-25 13:50 - 2013-06-21 18:50 - 00000000 ____D () C:\Users\Admin\AppData\Local\Greenshot 2014-12-25 12:47 - 2014-02-26 03:02 - 01648918 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI 2014-12-25 11:39 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing 2014-12-24 17:17 - 2013-03-31 16:13 - 00001801 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk 2014-12-24 17:17 - 2013-03-31 16:13 - 00000000 ____D () C:\Program Files\Vuze 2014-12-24 14:50 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Help 2014-12-24 14:27 - 2014-08-05 17:48 - 00000000 ____D () C:\ProgramData\Package Cache 2014-12-24 14:24 - 2013-03-30 17:59 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information 2014-12-24 14:22 - 2013-04-05 18:08 - 00000000 ____D () C:\Program Files\Common Files\VST3 2014-12-24 14:21 - 2013-04-07 10:11 - 00000000 ____D () C:\Program Files (x86)\Java 2014-12-24 14:18 - 2013-03-31 16:23 - 00000000 ____D () C:\Program Files (x86)\Adobe 2014-12-24 14:18 - 2013-03-31 03:19 - 00000000 ____D () C:\ProgramData\Adobe 2014-12-24 14:14 - 2013-04-01 08:35 - 00000000 ____D () C:\Users\Admin\AppData\Local\Citrix 2014-12-24 14:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Cursors 2014-12-20 21:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\L2Schemas 2014-12-19 14:11 - 2013-03-31 00:23 - 00000000 ____D () C:\Windows\Panther 2014-12-19 14:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\schemas 2014-12-18 20:14 - 2013-05-18 11:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Spotify 2014-12-18 15:55 - 2013-05-18 11:33 - 00000000 ____D () C:\Users\Admin\AppData\Local\Spotify 2014-12-17 22:21 - 2013-04-01 18:04 - 00000000 ____D () C:\Program Files (x86)\Nero 2014-12-17 21:55 - 2014-08-30 12:41 - 00000000 ____D () C:\Temp 2014-12-17 19:39 - 2014-04-27 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\etope 8 2014-12-16 22:14 - 2009-07-14 05:45 - 11266360 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-12-16 22:13 - 2013-05-01 10:12 - 00000000 ____D () C:\ProgramData\Propellerhead Software 2014-12-16 22:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports 2014-12-16 22:06 - 2013-05-01 10:12 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Propellerhead Software 2014-12-16 22:05 - 2013-05-01 10:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Propellerhead 2014-12-16 19:53 - 2014-09-13 16:03 - 00000000 ____D () C:\Program Files (x86)\AntiTwin 2014-12-16 19:47 - 2013-06-19 18:24 - 00000000 ____D () C:\Program Files\ARIS Express 2014-12-16 19:40 - 2013-03-30 17:44 - 00440744 _____ () C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT 2014-12-16 19:15 - 2013-03-30 18:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe 2014-12-16 19:12 - 2013-03-31 16:04 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2014-12-16 19:11 - 2013-09-01 20:02 - 00000000 ____D () C:\Users\Admin\.android 2014-12-14 03:00 - 2013-03-30 17:34 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-12-13 03:22 - 2013-08-30 17:11 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox 2014-12-11 03:55 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache 2014-12-11 03:26 - 2014-08-30 15:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service 2014-12-11 03:24 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions 2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat 2014-12-11 03:07 - 2013-07-23 02:00 - 00000000 ____D () C:\Windows\system32\MRT 2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-12-09 21:04 - 2013-11-24 11:03 - 00000000 ____D () C:\ProgramData\Oracle 2014-12-09 20:08 - 2014-11-03 17:17 - 00001144 _____ () C:\Users\Public\Desktop\Avira.lnk 2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira 2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\Program Files (x86)\Avira 2014-12-09 20:02 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT 2014-12-08 19:44 - 2013-04-01 15:27 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\iZotope 2014-12-07 12:06 - 2014-05-01 10:37 - 00022016 ___SH () C:\Users\Admin\Thumbs.db Some content of TEMP: ==================== C:\Users\Admin\AppData\Local\Temp\avgnt.exe C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp6ihpta.dll C:\Users\Admin\AppData\Local\Temp\i4jdel0.exe C:\Users\Admin\AppData\Local\Temp\Quarantine.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-12-25 07:54 ==================== End Of Log ============================ --- --- --- |
30.12.2014, 18:48 | #12 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Addition: Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014 Ran by Admin at 2014-12-30 06:51:04 Running from C:\Users\Admin\Desktop Boot Mode: Normal ========================================================== ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Avira Desktop (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859} AS: Avira Desktop (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4} AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) 7-Zip 9.35 beta (HKLM-x32\...\7-Zip) (Version: - ) Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated) Adobe CSI CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden Adobe Drive CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden Adobe Flash CS4 Professional (HKLM-x32\...\Adobe_a68eec966ce913ddaa63251dc82ed31) (Version: 10.0 - Adobe Systems Incorporated) Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated) Adobe Flash Professional CS6 (HKLM-x32\...\{BD5669B5-49FF-4490-B956-E9D7CB9B0ADC}) (Version: 12.0 - Adobe Systems Incorporated) Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated) Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated) Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated) AMD Catalyst Install Manager (HKLM\...\{6119B3A6-3603-9695-0398-CDF2AF0A13F8}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.) Antares Auto-Tune v4.39 (HKLM-x32\...\Antares Auto-Tune v4.39) (Version: - ) Arturia Arp2600 V v1.0 (HKLM-x32\...\Arturia Arp2600 V v1.0) (Version: - ) Arturia CS-80V v1.5 (HKLM-x32\...\Arturia CS-80V v1.5) (Version: - ) Arturia Moog Modular V2 v1.0 (HKLM-x32\...\Arturia Moog Modular V2 v1.0) (Version: - ) ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.11 Beta1 - Michael Tippach) Audio Bro LA Scoring Strings (HKLM-x32\...\Audio Bro LA Scoring Strings) (Version: - Audio Bro) Audio Bro LA Scoring Strings (Version: 1.0.0.001 - Audio Bro) Hidden Authorizer 2.7.0 (HKLM\...\{F6762963-9AE5-4bc6-A70F-2D749F6AC02F}_is1) (Version: 2.7.0 - Propellerhead Software AB) Authorizer Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden Avira (HKLM-x32\...\{e7c7c227-b742-4878-9425-f09bbf9951db}) (Version: 1.1.27.25527 - Avira Operations & Co. KG) Avira (x32 Version: 1.1.27.25527 - Avira Operations & Co. KG) Hidden Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.468 - Avira) Bass Station 1.6 (HKLM-x32\...\{ABAF1232-6213-4062-9D52-04E04A730CEA}_is1) (Version: 1.6 - Novation Digital Music Systems Ltd.) CCleaner (HKLM\...\CCleaner) (Version: 4.01 - Piriform) Celemony Melodyne Plugin VST RTAS v1.0 (HKLM-x32\...\Celemony Melodyne Plugin_is1) (Version: - ) Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix) Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.4.0.25 - Citrix Systems, Inc.) Connect (x32 Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation) discoDSP Phantom VSTi v1.2 (HKLM-x32\...\discoDSP Phantom_is1) (Version: - ) Dropbox (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.) Edirol HQ Orchestral v1.01 (HKLM-x32\...\Edirol HQ Orchestral v1.01) (Version: - ) Edirol Hyper Canvas VSTi DXi 1.6.0 (HKLM-x32\...\Edirol Hyper Canvas VSTi DXi_is1) (Version: - ) Edirol Super Quartet v1.52 TALiO (HKLM-x32\...\Edirol Super Quartet v1.52 TALiO) (Version: - ) EF Duplicate Files Manager (HKLM-x32\...\EF Duplicate Files Manager) (Version: - EFSoftware) eLicenser Control (HKLM-x32\...\eLicenser Control) (Version: - Steinberg Media Technologies GmbH) Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd) Engineering Client Viewer 7.0 (HKLM-x32\...\SAP_Engineering Client Viewer 7.0) (Version: - SAP AG) ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - ) etope 8 (HKLM-x32\...\etope_is1) (Version: - Freshworx GmbH & Co. KG) EZdrummer (HKLM-x32\...\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}) (Version: 1.0 - Toontrack) EZXClaustrophobic (HKLM-x32\...\{8094F7AE-CA21-4AF2-A256-BC918CE0E796}) (Version: 1.0 - Toontrack) EZXCocktail (HKLM-x32\...\{147567F0-8575-4BE0-B5B3-62706C67FA5A}) (Version: 1.0 - Toontrack) EZXDfh (HKLM-x32\...\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}) (Version: 1.0 - Toontrack) EZXNashville (HKLM-x32\...\{82DF9225-13EC-41BD-BE31-AAB121B38166}) (Version: 1.0 - Toontrack) EZXPercussion (HKLM-x32\...\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}) (Version: 1.0 - Toontrack) EZXTwisted (HKLM-x32\...\{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}) (Version: 1.0 - Toontrack) FabFilter Pro-Q VST RTAS v1.00 (HKLM-x32\...\FabFilter Pro-Q VST RTAS_is1) (Version: - TEAM AiR) FabFilter Timeless VST RTAS v1.01 (HKLM-x32\...\FabFilter Timeless_is1) (Version: - ) FileZilla Client 3.9.0.3 (HKLM-x32\...\FileZilla Client) (Version: 3.9.0.3 - Tim Kosse) Free MP4 Video Converter version 5.0.48.923 (HKLM-x32\...\Free MP4 Video Converter_is1) (Version: 5.0.48.923 - DVDVideoSoft Ltd.) Free YouTube to MP3 Converter version 3.12.44.908 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.44.908 - DVDVideoSoft Ltd.) Futureaudioworkshop Circle VSTi RTAS v1.03 (HKLM-x32\...\Futureaudioworkshop Circle VSTi RTAS_is1) (Version: - ) Greenshot 1.1.9.13 (HKLM\...\Greenshot_is1) (Version: 1.1.9.13 - Greenshot) High-Definition Video Playback 10 (x32 Version: 7.0.11400.29.0 - Nero AG) Hidden HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.) Image Line ToxicIII v1.41 VSTi (HKLM-x32\...\Image Line ToxicIII v1.41 VSTi) (Version: - ) Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation) Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.5.235 - Intel Corporation) JDownloader 2 (HKLM\...\jdownloader2) (Version: 2.0 - AppWork GmbH) KORG M1 Le (HKLM-x32\...\{9624502C-3D39-41A0-8917-858EC16769CE}) (Version: 1.0.4 - KORG Inc.) kuler (x32 Version: 2.0 - Adobe Systems Incorporated) Hidden Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation) ManyGuitar 1.0 (HKLM-x32\...\ManyGuitar_is1) (Version: - ManyTone) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft) Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation) Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation) Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation) Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation) Microsoft Project Professional 2013 (HKLM-x32\...\Office15.PRJPROR) (Version: 15.0.4569.1506 - Microsoft Corporation) Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP) Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG) Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32\...\{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) MixMeister BPM Analyzer 1.0 (HKLM-x32\...\MixMeister BPM Analyzer_is1) (Version: - MixMeister Technology LLC) MKVToolNix 6.4.1 (HKLM-x32\...\MKVToolNix) (Version: 6.4.1 - Moritz Bunkus) MOBackup - Datensicherung für Outlook (Vollversion) (HKLM-x32\...\MOBackup-DatensicherungfürOutlook) (Version: 7.0 - Heiko Schröder) Mozilla Firefox 34.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 de)) (Version: 34.0.5 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla) MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) Native Instruments Absynth 5 (HKLM-x32\...\Native Instruments Absynth 5) (Version: - Native Instruments) Native Instruments Battery 3 (HKLM-x32\...\Native Instruments Battery 3) (Version: - ) Native Instruments Controller Editor (HKLM-x32\...\Native Instruments Controller Editor) (Version: 1.6.2.1863 - Native Instruments) Native Instruments FM8 (HKLM-x32\...\Native Instruments FM8) (Version: - ) Native Instruments George Duke Soul Treasures (HKLM-x32\...\Native Instruments George Duke Soul Treasures) (Version: - Native Instruments) Native Instruments Hardware Controller Support (HKLM-x32\...\Native Instruments Hardware Controller Support) (Version: - Native Instruments) Native Instruments Komplete 6 (HKLM-x32\...\Native Instruments Komplete 6) (Version: - Native Instruments) Native Instruments Komplete Audio 6 Driver (HKLM-x32\...\Native Instruments Komplete Audio 6 Driver) (Version: - Native Instruments) Native Instruments Kontakt 4 (HKLM-x32\...\Native Instruments Kontakt 4) (Version: - Native Instruments) Native Instruments Kontakt 5 (HKLM-x32\...\Native Instruments Kontakt 5) (Version: - Native Instruments) Native Instruments Maschine (HKLM-x32\...\Native Instruments Maschine) (Version: - Native Instruments) Native Instruments Maschine Driver (HKLM-x32\...\Native Instruments Maschine Driver) (Version: - Native Instruments) Native Instruments Massive v1.0.1.008 VSTi DXi RTAS (HKLM-x32\...\Native Instruments Massive v1.0.1.008 VSTi DXi RTAS) (Version: - ) Native Instruments New York Concert Grand (HKLM-x32\...\Native Instruments New York Concert Grand) (Version: - Native Instruments) Native Instruments Pro-53 (HKLM-x32\...\Native Instruments Pro-53) (Version: - ) Native Instruments Retro Machines Mk2 (HKLM-x32\...\Native Instruments Retro Machines Mk2) (Version: - Native Instruments) Native Instruments Service Center (HKLM-x32\...\Native Instruments Service Center) (Version: 2.5.2.1549 - Native Instruments) Native Instruments Traktor 2 (HKLM-x32\...\Native Instruments Traktor 2) (Version: 2.6.8.382 - Native Instruments) Native Instruments Upright Piano (HKLM-x32\...\Native Instruments Upright Piano) (Version: - Native Instruments) Native Instruments Vienna Concert Grand (HKLM-x32\...\Native Instruments Vienna Concert Grand) (Version: - Native Instruments) Nepheton 1.5.1 (32bit) (HKLM-x32\...\{B2F62BBB-C527-4CE7-90D1-5717110677B6}) (Version: 1.5.1.0 - D16 Group Audio Software) Nepheton 1.5.1 (64bit) (HKLM\...\{02483A2B-9FDD-47BF-81AA-F47D6379EFA5}) (Version: 1.5.1.0 - D16 Group Audio Software) Nero 7 Premium (HKLM-x32\...\{70AB1576-7883-2313-C650-7A71270B1031}) (Version: 7.01.0735 - Nero AG) Nero BackItUp 10 (HKLM-x32\...\{68AB6930-5BFF-4FF6-923B-516A91984FE6}) (Version: 5.4.11600.19.100 - Nero AG) Nero Burning ROM 10 (HKLM-x32\...\{7A5D731D-B4B3-490E-B339-75685712BAAB}) (Version: 10.0.11100.10.100 - Nero AG) Nero BurnRights 10 (HKLM-x32\...\{943CFD7D-5336-47AF-9418-E02473A5A517}) (Version: 4.0.11000.12.100 - Nero AG) Nero CoverDesigner 10 (HKLM-x32\...\{FCF00A6E-FB58-477A-ABE9-232907105521}) (Version: 5.0.10900.11.100 - Nero AG) Nero DiscSpeed 10 (HKLM-x32\...\{34490F4E-48D0-492E-8249-B48BECF0537C}) (Version: 6.0.10800.7.100 - Nero AG) Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.0.11000.10.100 - Nero AG) Nero InfoTool 10 (HKLM-x32\...\{F412B4AF-388C-4FF5-9B2F-33DB1C536953}) (Version: 7.0.10800.8.100 - Nero AG) Nero MediaHub 10 (HKLM-x32\...\{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}) (Version: 1.0.13400.11.100 - Nero AG) Nero Multimedia Suite 10 (HKLM-x32\...\{277C1559-4CF7-44FF-8D07-98AA9C13AABD}) (Version: 10.0.13100 - Nero AG) Nero Recode 10 (HKLM-x32\...\{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}) (Version: 4.6.10900.4.100 - Nero AG) Nero RescueAgent 10 (HKLM-x32\...\{E337E787-CF61-4B7B-B84F-509202A54023}) (Version: 3.0.10900.9.100 - Nero AG) Nero SoundTrax 10 (HKLM-x32\...\{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}) (Version: 4.6.10600.2.100 - Nero AG) Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.0.11200.12.100 - Nero AG) Nero Update (HKLM-x32\...\{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}) (Version: 1.0.0017 - Nero AG) Nero Vision 10 (HKLM-x32\...\{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}) (Version: 7.0.11100.8.100 - Nero AG) Nero WaveEditor 10 (HKLM-x32\...\{EDCDFAD5-DF80-4600-A493-E9DAD6810230}) (Version: 5.6.10600.2.100 - Nero AG) Ohmforce Hematohm PRO VST v1.22 (HKLM-x32\...\Ohmforce Hematohm PRO VST v1.22) (Version: - ) Ohmforce Mobilohm PRO VST v1.12 (HKLM-x32\...\Ohmforce Mobilohm PRO VST v1.12) (Version: - ) Ohmforce Ohmboyz PRO VST v1.42 (HKLM-x32\...\Ohmforce Ohmboyz PRO VST v1.42) (Version: - ) Ohmforce Predatohm PRO VST v1.32 (HKLM-x32\...\Ohmforce Predatohm PRO VST v1.32) (Version: - ) Ohmforce Quad Frohmage Pro VST v1.10 (HKLM-x32\...\Ohmforce Quad Frohmage Pro VST v1.10) (Version: - ) Online Plug-in (x32 Version: 13.4.0.25 - Citrix Systems, Inc.) Hidden Outils de vérification linguistique 2013 de Microsoft Office - Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden PDF Settings CS4 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden Photoshop Camera Raw (x32 Version: 5.0 - Adobe Systems Incorporated) Hidden Pixel Bender Toolkit (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden Platform (x32 Version: 1.38 - VIA Technologies, Inc.) Hidden PowerISO (HKLM-x32\...\PowerISO) (Version: 5.5 - Power Software Ltd) Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.61.612.2012 - Realtek) Reason 3.0 (HKLM-x32\...\Reason_is1) (Version: 3.0 - Propellerhead Software AB) Reason Essentials 8.0.0 (HKLM\...\ReasonEssentials8.0_64_is1) (Version: 8.0.0 - Propellerhead Software AB) Reason Essentials Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden reFX Nexus VSTi RTAS v2.2.0 (HKLM-x32\...\reFX Nexus_is1) (Version: - ) reFX Vanguard VSTi v1.6.3 (HKLM-x32\...\reFX Vanguard VSTi_is1) (Version: - ) Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group) Rob Papen Blue VSTi v1.01 (HKLM-x32\...\Rob Papen Blue VSTi v1.01 ) (Version: - ) Rob Papen Predator V1.5.8 32 Bits Single Core (HKLM-x32\...\Predator_is1) (Version: - RPCX) SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.30 - SAP AG) SAP GUI for Windows 7.30 (HKLM-x32\...\SAPGUI710) (Version: 7.30 Compilation 1 - SAP) SAP JNet (HKLM-x32\...\SAP_JNet) (Version: - SAP AG) SAPSetup Automatic Workstation Update Service (HKLM-x32\...\SAP_WUS) (Version: - SAP AG) SchnapperPro 2.0.94 (HKLM-x32\...\SchnapperPro) (Version: 2.0.94 - Schnapper-Software Robert Beer) Secure Download Manager (HKLM-x32\...\{AA57D6F1-6360-4397-B2D9-B21C69863D97}) (Version: 3.1.0 - Kivuto Solutions Inc.) Self-Service Plug-in (x32 Version: 3.4.0.33684 - Citrix Systems, Inc.) Hidden Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM-x32\...\{91150000-003B-0000-0000-0000000FF1CE}_Office15.PRJPROR_{115B7592-B71D-4C27-AB34-34268FB199CA}) (Version: - Microsoft) Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version: - Microsoft) SideKick4.3.2 (HKLM-x32\...\SideKick432 ID_mp1) (Version: - Twisted Lemon) Spotify (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB) Steinberg Cubase 5 (HKLM-x32\...\{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}) (Version: 5.1.0 - Steinberg Media Technologies GmbH) Steinberg Drum Loop Expansion 01 (HKLM-x32\...\{490BF87E-1F75-4453-BF55-9F540543A3CA}) (Version: 1.0.0.1 - Steinberg Media Technologies GmbH) Steinberg Groove Agent ONE Content (HKLM-x32\...\{BD86F1AC-B594-46E4-85DC-1258AC9E2232}) (Version: 1.0.0.003 - Steinberg Media Technologies GmbH) Steinberg HALionOne (HKLM-x32\...\{E70E7159-93B1-470D-9FBD-D8E9EF34B538}) (Version: 1.1.0.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Additional Content Set 01 (HKLM-x32\...\{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}) (Version: 1.0.0.001 - Steinberg Media Technologies GmbH) Steinberg HALionOne Expression Set (HKLM-x32\...\{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}) (Version: 1.0.1.0 - Steinberg Media Technologies GmbH) Steinberg HALionOne GM Drum Set (HKLM-x32\...\{AC997F93-0757-4ED4-A701-F40C2D654D09}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne GM Set (HKLM-x32\...\{F057965A-D974-4C64-ADB1-4381CD4B8956}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Pro Set (HKLM-x32\...\{D82CDA0D-C182-42C8-8FF2-5649C98D6003}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Studio Drum Set (HKLM-x32\...\{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg HALionOne Studio Set (HKLM-x32\...\{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH) Steinberg LoopMash Content (HKLM-x32\...\{4D454CF8-12FD-464D-B57B-B46FE27B78BB}) (Version: 1.0.0.005 - Steinberg Media Technologies GmbH) Steinberg REVerence Content 01 (HKLM-x32\...\{532B917B-8235-4FA5-BE36-643A8BB053A5}) (Version: 1.0.0.006 - Steinberg Media Technologies GmbH) Steinberg The Grand VSTi DXi v2.1.0 (HKLM-x32\...\Steinberg The Grand VSTi DXi_is1) (Version: - ) Suite Shared Configuration CS4 (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden Turbo Lister 2 (HKLM-x32\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.) Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft) Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version: - Microsoft) Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft) Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft) Vegas Pro 12.0 (64-bit) (HKLM\...\{7A0D09B0-6575-11E2-89D5-F04DA23A5C58}) (Version: 12.0.486 - Sony) VIA Plattform-Geräte-Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.38 - VIA Technologies, Inc.) VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN) Vuze (HKLM\...\8461-7759-5462-8226) (Version: 5.5.0.0 - Azureus Software, Inc.) Waves Complete V9r10 (HKLM-x32\...\{91000001-C561-4E32-99EB-3C5AD3683A70}) (Version: 9.1.10 - Waves) Waves Diamond Bundle v5.2 (HKLM-x32\...\Waves Diamond Bundle v5.2) (Version: - ) Waves GTR Guitar Tool Rack v1.0 (HKLM-x32\...\Waves GTR Guitar Tool Rack v1.0) (Version: - ) Waves IRx v5.2 (HKLM-x32\...\Waves IRx v5.2) (Version: - ) Waves L3 v5.2 (HKLM-x32\...\Waves L3 v5.2) (Version: - ) Waves Musicians Bundle v5.0 (HKLM-x32\...\Waves Musicians Bundle v5.0) (Version: - ) WinRAR 4.20 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) ==================== Restore Points ========================= 27-12-2014 12:46:44 ComboFix created restore point ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-14 03:34 - 2014-12-28 11:43 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {088AEE40-F12C-46E4-8B37-48501D277C2C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-04-23] (Piriform Ltd) Task: {091A6FF8-99A4-49AB-B0C1-63C5A0FB6B49} - System32\Tasks\Abelssoft\Updater scan => C:\Program Files (x86)\CHIP Updater\CHIPUpdater.exe Task: {1891C158-600A-465F-806F-20EC07AEEA3D} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation) Task: {301FC003-77CD-43DB-9226-3BE3A2952428} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-24] (Adobe Systems Incorporated) Task: {77D876AF-4E96-4FD1-959A-F377674994E1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation) Task: {8F751E68-DB27-40CD-A6A5-3D26B5307D53} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe Task: {95B909CC-8EBA-4FBF-B56B-2FB75D7FFD4E} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc Task: {D3D0748D-ADF6-4A4C-AE63-44F56829CBED} - System32\Tasks\AdobeAAMUpdater-1.0-Admin-PC-Admin => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-04-04] (Adobe Systems Incorporated) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe ==================== Loaded Modules (whitelisted) ============= 2014-05-01 20:29 - 2014-05-01 20:29 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll 2014-12-28 22:01 - 2014-12-28 22:01 - 00155676 _____ () C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe 2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll 2014-12-29 22:22 - 2014-12-29 22:22 - 00043008 _____ () c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp6ihpta.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00047616 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libEGL.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00863744 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00200704 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll 2014-12-29 22:23 - 2014-12-29 22:23 - 01277440 _____ () C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL 2014-12-09 09:14 - 2014-12-09 09:14 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll 2014-12-24 16:04 - 2014-12-24 16:04 - 16843952 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll 2014-10-15 02:39 - 2014-10-15 02:39 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\1eeea3ab8d69ec722bdcb28b8eb8dd75\IsdiInterop.ni.dll 2013-03-30 20:31 - 2012-02-01 16:25 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll 2014-08-13 15:09 - 2014-08-13 15:09 - 00035328 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll 2014-05-24 17:41 - 2014-05-24 17:41 - 00091648 _____ () C:\Program Files (x86)\FileZilla FTP Client\libgcc_s_sjlj-1.dll 2014-05-24 17:41 - 2014-05-24 17:41 - 00892416 _____ () C:\Program Files (x86)\FileZilla FTP Client\libstdc++-6.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^JDownloader.lnk => C:\Windows\pss\JDownloader.lnk.CommonStartup MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin MSCONFIG\startupreg: AdobeCS6ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" MSCONFIG\startupreg: CitrixReceiver => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup MSCONFIG\startupreg: GoToMeeting => "C:\Users\Admin\AppData\Local\Citrix\GoToMeeting\1468\g2mstart.exe" "/Trigger RunAtLogon" MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe" MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch MSCONFIG\startupreg: NBAgent => "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart MSCONFIG\startupreg: NeroFilterCheck => C:\Program Files (x86)\Common Files\Ahead\Lib\NeroCheck.exe MSCONFIG\startupreg: PWRISOVM.EXE => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime MSCONFIG\startupreg: Spotify => "C:\Users\Admin\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun MSCONFIG\startupreg: WSHelperSetup.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe ========================= Accounts: ========================== Admin (S-1-5-21-3347311179-4269016646-269938500-1000 - Administrator - Enabled) => C:\Users\Admin Administrator (S-1-5-21-3347311179-4269016646-269938500-500 - Administrator - Disabled) Gast (S-1-5-21-3347311179-4269016646-269938500-501 - Limited - Disabled) HomeGroupUser$ (S-1-5-21-3347311179-4269016646-269938500-1002 - Limited - Enabled) ==================== Faulty Device Manager Devices ============= Name: AMD High Definition Audio Device Description: AMD High Definition Audio Device Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318} Manufacturer: Advanced Micro Devices Service: AtiHDAudioService Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. Name: High Definition Audio-Gerät Description: High Definition Audio-Gerät Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: HdAudAddService Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. ==================== Event log errors: ========================= Application errors: ================== Error: (12/30/2014 06:22:18 AM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Fehler in Manifest- oder Richtliniendatei "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" in Zeile WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0". Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (12/29/2014 10:57:07 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (12/29/2014 10:26:00 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (12/29/2014 10:25:53 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. System errors: ============= Error: (12/29/2014 10:24:01 PM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error: (12/29/2014 10:16:48 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR7 gefunden. Error: (12/29/2014 10:16:48 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR7 gefunden. Error: (12/29/2014 10:16:47 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR7 gefunden. Error: (12/29/2014 10:16:47 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR7 gefunden. Error: (12/29/2014 10:16:46 PM) (Source: Disk) (EventID: 11) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR7 gefunden. Error: (12/29/2014 04:34:27 PM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error: (12/29/2014 04:33:10 PM) (Source: Service Control Manager) (EventID: 7009) (User: ) Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Avira Service Host erreicht. Microsoft Office Sessions: ========================= Error: (01/01/2014 10:08:39 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 423328 seconds with 3360 seconds of active time. This session ended with a crash. CodeIntegrity Errors: =================================== Date: 2014-12-28 11:36:05.501 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-28 11:36:05.469 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-28 11:36:05.423 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-28 11:36:05.391 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-27 13:05:18.373 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-27 13:05:18.341 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-27 13:05:18.306 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-27 13:05:18.273 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-25 23:38:11.689 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. Date: 2014-12-25 23:38:11.656 Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\ComboFix\catchme.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert. ==================== Memory info =========================== Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz Percentage of memory in use: 34% Total physical RAM: 16317.59 MB Available physical RAM: 10710.53 MB Total Pagefile: 32633.35 MB Available Pagefile: 26773.99 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive a: (Primäre Festplatte) (Fixed) (Total:1004.98 GB) (Free:300.73 GB) NTFS Drive b: (Sekundäre Festplatte) (Fixed) (Total:232.88 GB) (Free:10.49 GB) NTFS Drive c: (Windows) (Fixed) (Total:1042.92 GB) (Free:403.96 GB) NTFS Drive p: (Producing) (Fixed) (Total:931.51 GB) (Free:259.2 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 232.9 GB) (Disk ID: 1D631D62) Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: B819B29C) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=1042.9 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=1005 GB) - (Type=07 NTFS) ======================================================== Disk: 2 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 9B322B2C) Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS) ======================================================== Disk: 3 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 46830F60) Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS) ======================================================== Disk: 4 (Size: 931.5 GB) (Disk ID: E8900690) Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS) ==================== End Of Log ============================ |
31.12.2014, 15:11 | #13 |
/// the machine /// TB-Ausbilder | Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster. Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument Code:
ATTFilter CloseProcesses: A:\software\LinPlug VSTi A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar A:\software\LinPlug VSTi A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar C:\ProgramData\Microsoft\Secure C:\Users\Admin\AppData\Local\Idsoft HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe" HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] () C:\Users\Admin\AppData\Roaming\Urudne Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path Emptytemp: Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
31.12.2014, 15:57 | #14 |
| Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local hier das fixlog: Guten Rutsch schonmal! Code:
ATTFilter Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014 Ran by Admin at 2014-12-31 15:43:35 Run:1 Running from C:\Users\Admin\Desktop Loaded Profile: Admin (Available profiles: Admin) Boot Mode: Normal ============================================== Content of fixlist: ***************** CloseProcesses: A:\software\LinPlug VSTi A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar A:\software\LinPlug VSTi A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00 C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5] C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar C:\ProgramData\Microsoft\Secure C:\Users\Admin\AppData\Local\Idsoft HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe" HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] () C:\Users\Admin\AppData\Roaming\Urudne Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path Emptytemp: ***************** Processes closed successfully. A:\software\LinPlug VSTi => Error: No automatic fix found for this entry. A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Error: No automatic fix found for this entry. B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js => Error: No automatic fix found for this entry. B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js => Error: No automatic fix found for this entry. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2 => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00 => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5] => Moved successfully. C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll => Moved successfully. C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe => Moved successfully. C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll => Moved successfully. C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe => Moved successfully. C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe => Moved successfully. "C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll" => File/Directory not found. Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar => Moved successfully. Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar => Moved successfully. A:\software\LinPlug VSTi => Error: No automatic fix found for this entry. A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe => Error: No automatic fix found for this entry. B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Error: No automatic fix found for this entry. B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js => Error: No automatic fix found for this entry. B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js => Error: No automatic fix found for this entry. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]" => File/Directory not found. "C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll" => File/Directory not found. "C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe" => File/Directory not found. "C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll" => File/Directory not found. C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe => Moved successfully. C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe => Moved successfully. "C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL" => File/Directory not found. "C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe" => File/Directory not found. C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js => Moved successfully. C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js => Moved successfully. "C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe" => File/Directory not found. "C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe" => File/Directory not found. "C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll" => File/Directory not found. "C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe" => File/Directory not found. "C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe" => File/Directory not found. "Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar" => File/Directory not found. "Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar" => File/Directory not found. C:\ProgramData\Microsoft\Secure => Moved successfully. C:\Users\Admin\AppData\Local\Idsoft => Moved successfully. HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Icakupsie => value deleted successfully. HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Idsoft => Value not found. "C:\Users\Admin\AppData\Roaming\Urudne" => File/Directory not found. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk not found. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe not found. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate => Moved successfully. "HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully. "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully. EmptyTemp: => Removed 1.3 GB temporary data. The system needed a reboot. ==== End of Fixlog 15:48:23 ==== |
31.12.2014, 18:28 | #15 |
/// the machine /// TB-Ausbilder | Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local Frisches FRST log bitte. Noch Probleme?
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
Themen zu Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local |
appdata, exe-dateien, explorer, file, gen, icons, iexplore.exe, internet, internet explorer, löschen, manager, microsoft, nicht löschen, nicht mehr, nichts, ordner, problem, prozesse, secure, tan, task manager, temp, trojaner, windows, windows 7 |