Log Analysis and Evaluation: Win8.1 black screen -> wscript.exe terminated -> Win8.1 boots up

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. In order to remove viruses and Trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
14.02.2015, 10:30 #1
Win8.1 black screen -> wscript.exe terminated -> Win8.1 boots up

Hello, I assume that I have caught a Trojan/virus. After logging in to Win8.1 the screen stays black. The mouse works and Task Manager can be opened. After the process "Microsoft Windows Based Script Host (32bit)" is terminated, the system boots up and can be used "normally". In regedit I tried to block the script processes, without success. Regards
14.02.2015, 10:37 #2
/// the machine /// (TB-Ausbilder)

Win8.1 black screen -> wscript.exe terminated -> Win8.1 boots up

Hi,

Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-bit | FRST 64-bit (If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
14.02.2015, 10:52 #3
FRST - Addition

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-02-2015
Ran by Theo van Rickelen (administrator) on WORKSTATION on 14-02-2015 10:48:38
Running from C:\Users\Theo van Rickelen\Desktop
Loaded Profiles: Theo van Rickelen (Available profiles: Theo van Rickelen & UpdatusUser & .NET v4.5 & .NET v4.5 Classic)
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(PalmSource, Inc) C:\Program Files (x86)\Palm\Hotsync.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [2583040 2014-04-21] (VIA)
HKLM-x32\...\Run: [HotSync] => "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
HKLM-x32\...\RunOnce: [Binkiland] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\THEOVA~1\AppData\Roaming\Binkiland\UpdateProc\bkup.dat"
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\Run: [BrowserChoice] => C:\Windows\BrowserChoice\browserchoice.exe [86816 2013-08-22] (Microsoft Corporation)
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\Run: [Amazon Music] => C:\Users\Theo van Rickelen\AppData\Local\Amazon Music\Amazon Music Helper.exe [6281536 2014-09-06] ()
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\Run: [GetNowUpdater] => C:\Users\Theo van Rickelen\AppData\Roaming\GetNowUpdater\update.6\bin\GetNowUpdater.exe [4252800 2014-12-04] (Live Soft Action S.R.L.)
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\RunOnce: [Binkiland] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\THEOVA~1\AppData\Roaming\Binkiland\UpdateProc\bkup.dat"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
ShortcutTarget: HotSync Manager.lnk -> C:\Program Files (x86)\Palm\Hotsync.exe (PalmSource, Inc)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\phase-6 Reminder.lnk
ShortcutTarget: phase-6 Reminder.lnk -> C:\Program Files (x86)\phase-6\phase-6\reminder\reminder.exe (phase-6)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Symantec Fax Starter Edition-Anschluss.lnk
ShortcutTarget: Symantec Fax Starter Edition-Anschluss.lnk -> C:\Program Files (x86)\Microsoft Office\Office\1031\OLFSNT40.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://binkiland.com/?f=1&a=bnk_adkpub_15_06&cd=2XzuyEtN2Y1L1QzutDtDtByDtBtB0BzzzyyD0CtB0CtBzy0AtN0D0Tzu0StCtCtAtBtN1L2XzutAtFyBtFyBtFyDtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyBtBzyyCzyzy0EtCtGzzyC0BtBtGtAyD0D0CtG0F0CyB0EtGtAyCzzyDyB0DtD0Fzy0BtB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0DtByBtDtDyEtGyCyB0A0CtGyEyEtBtDtG0ByDtDtCtG0BzzzytAtCzzyEyC0DtAzz0D2Q&cr=198638036&ir=
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = 
SearchScopes: HKU\S-1-5-21-3765307835-3830276005-1159549685-1001 -> DefaultScope {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = https://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3765307835-3830276005-1159549685-1001 -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = https://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3765307835-3830276005-1159549685-1001 -> {4971BFD7-C644-42D7-8845-11328F7847BA} URL = hxxp://binkiland.com/results.php?f=4&q={searchTerms}&a=bnk_adkpub_15_06&cd=2XzuyEtN2Y1L1QzutDtDtByDtBtB0BzzzyyD0CtB0CtBzy0AtN0D0Tzu0StCtCtAtBtN1L2XzutAtFyBtFyBtFyDtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyBtBzyyCzyzy0EtCtGzzyC0BtBtGtAyD0D0CtG0F0CyB0EtGtAyCzzyDyB0DtD0Fzy0BtB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0DtByBtDtDyEtGyCyB0A0CtGyEyEtBtDtG0ByDtDtCtG0BzzzytAtCzzyEyC0DtAzz0D2Q&cr=198638036&ir=
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Theo van Rickelen\AppData\Roaming\Mozilla\Firefox\Profiles\u0g717lf.default
FF DefaultSearchEngine: Yahoo!
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @palmsource.com/installer,version=1.0 -> C:\PROGRA~2\Palm\PACKAG~1\NPInstal.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF user.js: detected! => C:\Users\Theo van Rickelen\AppData\Roaming\Mozilla\Firefox\Profiles\u0g717lf.default\user.js
FF SearchPlugin: C:\Users\Theo van Rickelen\AppData\Roaming\Mozilla\Firefox\Profiles\u0g717lf.default\searchplugins\Binkiland.xml
FF SearchPlugin: C:\Users\Theo van Rickelen\AppData\Roaming\Mozilla\Firefox\Profiles\u0g717lf.default\searchplugins\yahoo_ff.xml
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR HomePage: Default -> hxxp://binkiland.com/?f=1&a=bnk_adkpub_15_06&cd=2XzuyEtN2Y1L1QzutDtDtByDtBtB0BzzzyyD0CtB0CtBzy0AtN0D0Tzu0StCtCtAtBtN1L2XzutAtFyBtFyBtFyDtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyBtBzyyCzyzy0EtCtGzzyC0BtBtGtAyD0D0CtG0F0CyB0EtGtAyCzzyDyB0DtD0Fzy0BtB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0DtByBtDtDyEtGyCyB0A0CtGyEyEtBtDtG0ByDtDtCtG0BzzzytAtCzzyEyC0DtAzz0D2Q&cr=198638036&ir=
CHR StartupUrls: Default -> "hxxp://binkiland.com/?f=7&a=bnk_adkpub_15_06&cd=2XzuyEtN2Y1L1QzutDtDtByDtBtB0BzzzyyD0CtB0CtBzy0AtN0D0Tzu0StCtCtAtBtN1L2XzutAtFyBtFyBtFyDtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyBtBzyyCzyzy0EtCtGzzyC0BtBtGtAyD0D0CtG0F0CyB0EtGtAyCzzyDyB0DtD0Fzy0BtB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0DtByBtDtDyEtGyCyB0A0CtGyEyEtBtDtG0ByDtDtCtG0BzzzytAtCzzyEyC0DtAzz0D2Q&cr=198638036&ir=", "https://de.search.yahoo.com/?type=523482&fr=yo-yhp-ch"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-20]
CHR Extension: (Google Drive) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-20]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-28]
CHR Extension: (YouTube) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-20]
CHR Extension: (Google-Suche) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-20]
CHR Extension: (Google Wallet) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-20]
CHR Extension: (Google Mail) - C:\Users\Theo van Rickelen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-20]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 MSMQ; C:\Windows\system32\mqsvc.exe [25600 2014-04-23] (Microsoft Corporation)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-04-23] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [546304 2014-04-23] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
S2 Update Follow Rules; "C:\Program Files (x86)\Follow Rules\updateFollowRules.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AceecaUSBDx64; C:\Windows\System32\drivers\AceecaUSBDx64.sys [66552 2014-04-26] (PalmSource, Inc.)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [173568 2014-04-23] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
R1 {9f96a9b5-96a5-4002-8a88-ee75706a9e27}Gw64; C:\Windows\System32\drivers\{9f96a9b5-96a5-4002-8a88-ee75706a9e27}Gw64.sys [48784 2015-02-06] (StdLib)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-14 10:48 - 2015-02-14 10:49 - 00012618 _____ () C:\Users\Theo van Rickelen\Desktop\FRST.txt
2015-02-14 10:48 - 2015-02-14 10:48 - 00000000 ____D () C:\FRST
2015-02-14 10:47 - 2015-02-14 10:47 - 02134016 _____ (Farbar) C:\Users\Theo van Rickelen\Desktop\FRST64.exe
2015-02-14 10:33 - 2015-02-14 10:33 - 00000086 _____ () C:\Neu Textdokument.txt
2015-02-11 20:39 - 2015-02-04 00:38 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-11 20:39 - 2015-02-04 00:08 - 00761856 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-11 20:39 - 2015-02-04 00:08 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-11 20:39 - 2015-02-03 00:11 - 01098752 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-11 20:39 - 2015-02-03 00:11 - 00894464 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-11 20:39 - 2015-02-03 00:11 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-11 20:39 - 2015-01-19 19:42 - 01487976 _____ (Microsoft Corporation) C:\Windows\system32\sppobjs.dll
2015-02-11 20:39 - 2015-01-10 09:22 - 04175872 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 20:26 - 2015-02-11 20:26 - 00012288 _____ () C:\Windows\system32\umstartup.etl
2015-02-11 17:05 - 2015-02-11 17:05 - 00000000 ____D () C:\Windows\pss
2015-02-07 16:22 - 2014-06-05 20:21 - 36336080 _____ (Amazon) C:\Users\Theo van Rickelen\Downloads\Kopie von AmazonCloudPlayerInstaller (1).exe
2015-02-07 15:55 - 2015-02-07 15:55 - 00000000 ____D () C:\$WINDOWS.~BT
2015-02-07 15:53 - 2015-02-11 19:37 - 00000000 _____ () C:\Recovery.txt
2015-02-07 15:53 - 2015-02-07 15:53 - 00000000 __SHD () C:\Recovery
2015-02-06 10:46 - 2015-02-06 01:35 - 00048784 _____ (StdLib) C:\Windows\system32\Drivers\{9f96a9b5-96a5-4002-8a88-ee75706a9e27}Gw64.sys
2015-02-06 10:45 - 2015-02-06 10:45 - 00058044 _____ () C:\Users\Theo van Rickelen\Downloads\10,5 Tage-Rhythmus.xlsm
2015-02-06 10:43 - 2015-02-06 10:43 - 00000000 ____D () C:\Users\Theo van Rickelen\AppData\Roaming\Opera Software
2015-02-06 10:43 - 2015-02-06 10:43 - 00000000 ____D () C:\Users\Theo van Rickelen\AppData\Local\Opera Software
2015-02-06 10:38 - 2015-02-06 10:56 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-02-06 10:37 - 2015-02-06 10:37 - 00000000 ____D () C:\Users\Theo van Rickelen\Documents\PC Speed Maximizer
2015-02-06 10:33 - 2015-02-11 22:34 - 00000346 _____ () C:\Windows\Tasks\Binkiland.job
2015-02-06 10:33 - 2015-02-06 11:03 - 00000000 ____D () C:\Program Files (x86)\Follow Rules
2015-02-06 10:33 - 2015-02-06 10:33 - 00002684 _____ () C:\Windows\System32\Tasks\Binkiland
2015-02-06 10:33 - 2015-02-06 10:33 - 00000000 ____D () C:\Users\Theo van Rickelen\AppData\Roaming\Binkiland
2015-02-06 10:32 - 2015-02-06 10:30 - 01110476 _____ () C:\Users\Theo van Rickelen\Downloads\Setup.exe
2015-02-06 10:28 - 2015-02-06 10:29 - 00713424 _____ (Adknowledge) C:\Users\Theo van Rickelen\Downloads\XLSM Opener.exe
2015-01-29 20:34 - 2015-01-29 20:34 - 04357644 _____ () C:\Saudat-2015-01-29.zip
2015-01-23 18:12 - 2015-01-23 18:12 - 00000000 ___HD () C:\Windows\system32\CanonIJ Uninstaller Information
2015-01-23 18:12 - 2015-01-23 18:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MX710 series
2015-01-23 18:11 - 2015-01-23 18:11 - 00000000 ___HD () C:\Program Files\CanonBJ
2015-01-23 18:09 - 2015-01-23 18:11 - 30346824 _____ () C:\Users\Theo van Rickelen\Downloads\mp68-win-mx710-1_02-ea24.exe
2015-01-18 19:25 - 2015-01-25 19:14 - 00000000 ____D () C:\Users\Theo van Rickelen\AppData\Roaming\.oit
2015-01-18 19:24 - 2015-01-18 19:24 - 00000000 ____D () C:\Program Files (x86)\FoxPDF Software Inc
2015-01-18 19:23 - 2015-01-18 19:23 - 11819037 _____ (FoxPDF Software Inc ) C:\Users\Theo van Rickelen\Downloads\XlsXViewer(1).exe
2015-01-18 19:19 - 2015-01-18 19:19 - 00236344 _____ () C:\Users\Theo van Rickelen\Downloads\XlsXViewer.exe
2015-01-18 19:14 - 2015-01-18 19:09 - 00012770 _____ () C:\Users\Theo van Rickelen\Downloads\Termine 2015 MVA Übersicht-8.xlsx
2015-01-18 19:05 - 2015-01-18 19:08 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-01-18 19:04 - 2015-01-18 19:04 - 00000000 __SHD () C:\Users\Theo van Rickelen\AppData\Local\EmieBrowserModeList

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-14 10:48 - 2013-08-22 15:46 - 00114835 _____ () C:\Windows\setupact.log
2015-02-14 10:46 - 2014-04-20 11:04 - 01437911 _____ () C:\Windows\WindowsUpdate.log
2015-02-14 10:45 - 2014-04-20 13:13 - 00003990 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{59DAFBAC-9816-41F1-9629-9F34FD93747F}
2015-02-14 10:42 - 2013-08-22 15:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-14 09:29 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\system32\sru
2015-02-12 21:02 - 2014-04-20 13:13 - 00001142 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-12 20:51 - 2013-08-22 14:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-02-12 20:33 - 2013-08-22 15:44 - 00367544 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-12 20:29 - 2014-12-11 10:13 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-12 20:29 - 2014-07-11 08:29 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-12 20:29 - 2014-04-20 12:42 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-12 20:26 - 2014-04-20 12:42 - 116773704 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-02-12 20:26 - 2013-08-22 16:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-02-12 20:24 - 2014-04-20 11:17 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3765307835-3830276005-1159549685-1001
2015-02-11 21:52 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-02-11 21:25 - 2014-04-20 11:11 - 00000000 ____D () C:\Users\Theo van Rickelen
2015-02-07 16:43 - 2014-04-20 13:17 - 00000000 ____D () C:\Sicherung Schläge
2015-02-07 16:42 - 2014-04-20 13:18 - 00000000 ____D () C:\KWwin
2015-02-07 16:17 - 2014-04-21 14:00 - 00000000 ____D () C:\Users\Theo van Rickelen\Abschlußfeirer Leonie
2015-02-07 16:04 - 2014-04-23 16:34 - 00000000 ____D () C:\Users\.NET v4.5
2015-02-07 16:04 - 2014-04-23 16:33 - 00000000 ____D () C:\Users\.NET v4.5 Classic
2015-02-07 15:59 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\registration
2015-02-07 15:59 - 2013-08-22 14:36 - 00000000 ____D () C:\Windows\system32\Sysprep
2015-02-07 15:30 - 2014-04-20 13:13 - 00002202 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-06 11:03 - 2014-04-26 11:49 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-06 11:03 - 2014-04-20 10:56 - 00010658 _____ () C:\Windows\PFRO.log
2015-02-06 10:57 - 2014-04-20 13:13 - 00004114 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-06 10:57 - 2014-04-20 13:13 - 00003878 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-06 10:57 - 2014-04-20 13:13 - 00001138 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-06 10:46 - 2013-08-22 14:25 - 00000194 _____ () C:\Windows\win.ini
2015-02-06 10:32 - 2014-09-22 07:28 - 00001170 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-02-05 19:25 - 2014-04-26 12:45 - 00000000 ____D () C:\Users\Theo van Rickelen\Desktop\Formulare Betrieb
2015-01-31 10:54 - 2014-10-07 06:52 - 00000000 ____D () C:\Users\Theo van Rickelen\.phase-6
2015-01-29 20:36 - 2014-04-20 11:09 - 02061176 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-29 20:36 - 2013-08-23 00:24 - 00875926 _____ () C:\Windows\system32\perfh007.dat
2015-01-29 20:36 - 2013-08-23 00:24 - 00200576 _____ () C:\Windows\system32\perfc007.dat
2015-01-24 21:20 - 2014-04-20 13:08 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-24 21:20 - 2014-04-20 13:08 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-23 18:23 - 2014-06-04 20:02 - 00016384 ___SH () C:\Users\Theo van Rickelen\Desktop\Thumbs.db
2015-01-22 13:14 - 2014-04-26 12:34 - 08319982 _____ () C:\Windows\system32\Drivers\TRACES.TXT

==================== Files in the root of some directories =======

1999-04-29 22:00 - 1999-04-29 22:00 - 0099840 _____ (Symantec Corp.) C:\Program Files (x86)\Common Files\IRAABOUT.DLL
1999-04-29 22:00 - 1999-04-29 22:00 - 0048640 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRALPTTR.DLL
1999-04-29 22:00 - 1999-04-29 22:00 - 0070144 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAMDMTR.DLL
1999-04-29 22:00 - 1999-04-29 22:00 - 0186368 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAREG.DLL
1999-04-29 22:00 - 1999-04-29 22:00 - 0017920 _____ (Symantec Corp.) C:\Program Files (x86)\Common Files\IRASRIAL.DLL
1999-04-29 22:00 - 1999-04-29 22:00 - 0031744 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAWEBTR.DLL

Files to move or delete:
====================
C:\Users\Theo van Rickelen\ackerschlag.exe
C:\Users\Theo van Rickelen\April 2013.exe

Some content of TEMP:
====================
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna1016503699084536077.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna1880251458538013402.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna2382788506229640324.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna2424419840369173824.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna2465644966319957717.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna2664548649442565252.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna3036267034060069587.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna3089324197675366511.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna3766056243247871053.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna4681103642169360662.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna4959807788564204991.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna5127442474787459253.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna5700994643201996123.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna6246697423654066021.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna6323233713548722765.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna6833637014461457514.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna741790886067020230.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna7459554100759013362.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna7534386069498648043.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna8038124017191081151.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna8177455160518542831.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna8298157921680078753.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna8355724581931439818.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna8631994828298755973.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\jna8732893001192784.hunspell-win-x86-32.dll
C:\Users\Theo van Rickelen\AppData\Local\Temp\SearchProtectionSetup.exe
C:\Users\Theo van Rickelen\AppData\Local\Temp\uninstall.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-12 20:24

==================== End Of Log ============================

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-02-2015
Ran by Theo van Rickelen at 2015-02-14 10:50:09
Running from C:\Users\Theo van Rickelen\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Amazon Music (HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\Amazon Amazon Music) (Version: 3.4.0.628 - Amazon Services LLC)
AVM FRITZ!Box Dokumentation (HKLM-x32\...\AVMFBox) (Version: - AVM Berlin)
AVM FRITZ!Box Druckeranschluss (HKLM-x32\...\AVMFBoxPrinter) (Version: - AVM Berlin)
Canon MX710 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX710_series) (Version: - Canon Inc.)
GetnowUpdater (HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\GetNowUpdater) (Version: 1.23.2.1 - AppScion)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Landwirtschafts Simulator 2013 (HKLM-x32\...\FarmingSimulator2013DE_is1) (Version: 1.0 - GIANTS Software)
Microsoft Office 2000 Premium (HKLM-x32\...\{00000407-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2816 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 de)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 32.0.2 - Mozilla)
Mozilla Thunderbird 31.4.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 31.4.0 (x86 de)) (Version: 31.4.0 - Mozilla)
NVIDIA Grafiktreiber 307.68 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.68 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
Palm Desktop by ACCESS (HKLM-x32\...\{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}) (Version: 6.4.0.0 - Ihr Firmenname)
phase-6 2.3.4 (HKLM-x32\...\phase-6) (Version: 2.3.4 - phase-6)
Platform (x32 Version: 1.34 - VIA Technologies, Inc.) Hidden
PowerBuilder Client Runtime (HKLM-x32\...\{F44EAEB2-332B-48B9-B1B7-E25EAB628124}) (Version: 9.0.0.0 - Sybase)
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal) (HKLM-x32\...\SLABCOMM&10C4&EA60) (Version: - )
Silicon Laboratories USBXpress Device (Driver Removal) (HKLM-x32\...\SIUSBXP&10C4&EA61) (Version: - )
Supersau 6 (HKLM-x32\...\Supersau 6) (Version: - )
VIA Plattform-Geräte-Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.34 - VIA Technologies, Inc.)
Voltcraft - Voltsoft System Version (HKLM-x32\...\{27383738-D10F-4186-A784-7AB19733654D}_is1) (Version: - Voltcraft)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2013-08-22 14:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0E17E8FA-BA32-4F59-90AC-B299BB645F28} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-20] (Google Inc.)
Task: {617DFA41-72B0-4EE6-B501-E8797870099D} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-02-12] (Microsoft Corporation)
Task: {6D9EBCEB-A7B1-446C-8C9B-734C18EBD834} - System32\Tasks\Binkiland => C:\Users\Theo van Rickelen\AppData\Roaming\Binkiland\UpdateProc\UpdateTask.exe [2015-02-06] () <==== ATTENTION
Task: {AE3CAF0B-F88D-4CA6-A19C-9A966D5BD7D5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-20] (Google Inc.)
Task: C:\Windows\Tasks\Binkiland.job => C:\Users\THEOVA~1\AppData\Roaming\BINKIL~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2008-01-03 17:17 - 2008-01-03 17:17 - 00005120 ____R () C:\Program Files (x86)\Palm\VFSLANG.DLL
2015-02-07 15:29 - 2015-02-04 10:02 - 01117512 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\libglesv2.dll
2015-02-07 15:29 - 2015-02-04 10:02 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\libegl.dll
2015-02-07 15:29 - 2015-02-04 10:02 - 09170760 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\pdf.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Theo van Rickelen\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.178.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: aspnet_state => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: IDriverT => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: nvsvc => 2
MSCONFIG\Services: nvUpdatusService => 2
HKLM\...\StartupApproved\StartupFolder: => "Microsoft Office.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Symantec Fax Starter Edition-Anschluss.lnk"
HKLM\...\StartupApproved\Run32: => "HDAudDeck"
HKLM\...\StartupApproved\Run32: => "HotSync"
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\StartupApproved\Run: => "BrowserChoice"
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\StartupApproved\Run: => "Amazon Music"
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_9DA8CF98DE876F08CDBDD275C5D68BE3"
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\StartupApproved\Run: => "Search Protection"
HKU\S-1-5-21-3765307835-3830276005-1159549685-1001\...\StartupApproved\Run: => "GetNowUpdater"

==================== Accounts: =============================

Administrator (S-1-5-21-3765307835-3830276005-1159549685-500 - Administrator - Disabled)
Gast (S-1-5-21-3765307835-3830276005-1159549685-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3765307835-3830276005-1159549685-1003 - Limited - Enabled)
Theo van Rickelen (S-1-5-21-3765307835-3830276005-1159549685-1001 - Administrator - Enabled) => C:\Users\Theo van Rickelen
UpdatusUser (S-1-5-21-3765307835-3830276005-1159549685-1004 - Limited - Enabled) => C:\Users\UpdatusUser

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (02/11/2015 09:15:00 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT-AUTORITÄT)
Description: There was an error with the Windows Location Provider database

Error: (02/06/2015 10:52:10 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm opera.exe, Version 27.0.1689.66 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.
Prozess-ID: 7a8
Startzeit: 01d041f1d6e035ab
Endzeit: 60000
Anwendungspfad: C:\Program Files (x86)\Opera\27.0.1689.66\opera.exe
Berichts-ID: 9c3e1f19-ade5-11e4-8270-002522b895c2
Vollständiger Name des fehlerhaften Pakets: 
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: 

Error: (02/06/2015 10:42:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: delegate_execute.exe, Version: 31.0.1650.23, Zeitstempel: 0x54bd2f4d
Name des fehlerhaften Moduls: delegate_execute.exe, Version: 31.0.1650.23, Zeitstempel: 0x54bd2f4d
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0002657f
ID des fehlerhaften Prozesses: 0xed0
Startzeit der fehlerhaften Anwendung: 0xdelegate_execute.exe0
Pfad der fehlerhaften Anwendung: delegate_execute.exe1
Pfad des fehlerhaften Moduls: delegate_execute.exe2
Berichtskennung: delegate_execute.exe3
Vollständiger Name des fehlerhaften Pakets: delegate_execute.exe4
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: delegate_execute.exe5

Error: (02/06/2015 10:33:56 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: uninstaller.exe, Version: 0.0.0.0, Zeitstempel: 0x2a425e19
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.3.9600.17278, Zeitstempel: 0x53eeb4a3
Ausnahmecode: 
0xc0000005 Fehleroffset: 0x0005cd54 ID des fehlerhaften Prozesses: 0x7b4 Startzeit der fehlerhaften Anwendung: 0xuninstaller.exe0 Pfad der fehlerhaften Anwendung: uninstaller.exe1 Pfad des fehlerhaften Moduls: uninstaller.exe2 Berichtskennung: uninstaller.exe3 Vollständiger Name des fehlerhaften Pakets: uninstaller.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: uninstaller.exe5 Error: (02/06/2015 10:33:24 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: BNKSTU~1.EXE, Version: 0.0.0.0, Zeitstempel: 0x2a425e19 Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17278, Zeitstempel: 0x53eeb460 Ausnahmecode: 0x000006a6 Fehleroffset: 0x00012f71 ID des fehlerhaften Prozesses: 0x1048 Startzeit der fehlerhaften Anwendung: 0xBNKSTU~1.EXE0 Pfad der fehlerhaften Anwendung: BNKSTU~1.EXE1 Pfad des fehlerhaften Moduls: BNKSTU~1.EXE2 Berichtskennung: BNKSTU~1.EXE3 Vollständiger Name des fehlerhaften Pakets: BNKSTU~1.EXE4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: BNKSTU~1.EXE5 Error: (02/06/2015 10:18:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: Workstation) Description: Die App „Microsoft.BingSports_3.0.4.244_x64__8wekyb3d8bbwe+AppexSports“ wurde nicht innerhalb der vorgesehenen Zeit gestartet. Error: (02/06/2015 10:13:29 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm wwahost.exe, Version 6.3.9600.17031 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 11dc Startzeit: 01d041ecf816473d Endzeit: 4294967295 Anwendungspfad: C:\Windows\system32\wwahost.exe Berichts-ID: 642728e3-ade0-11e4-8270-002522b895c2 Vollständiger Name des fehlerhaften Pakets: Microsoft.BingNews_3.0.4.268_x64__8wekyb3d8bbwe Anwendungs-ID, die relativ zum fehlerhaften Paket ist: AppexNews Error: (02/06/2015 10:13:19 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: Workstation) Description: Das Paket „Microsoft.BingNews_3.0.4.268_x64__8wekyb3d8bbwe+AppexNews“ wurde beendet, da das Anhalten zu lange dauerte. Error: (02/06/2015 10:12:44 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm wwahost.exe, Version 6.3.9600.17031 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: e78 Startzeit: 01d041ed019f5fd1 Endzeit: 4294967295 Anwendungspfad: C:\Windows\system32\wwahost.exe Berichts-ID: 49a0b3f9-ade0-11e4-8270-002522b895c2 Vollständiger Name des fehlerhaften Pakets: Microsoft.ZuneVideo_2.6.434.0_x64__8wekyb3d8bbwe Anwendungs-ID, die relativ zum fehlerhaften Paket ist: Microsoft.ZuneVideo Error: (02/06/2015 10:12:42 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Workstation) Description: Bei der Aktivierung der App „Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo“ ist folgender Fehler aufgetreten: -2144927142. Weitere Informationen finden Sie im Protokoll „Microsoft-Windows-TWinUI/Betriebsbereit“. System errors: ============= Error: (02/14/2015 10:42:43 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: Der Dienst "Update Follow Rules" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error: (02/14/2015 09:43:22 AM) (Source: volsnap) (EventID: 29) (User: ) Description: Die Schattenkopien von Volume "C:" wurde während der Ermittlung abgebrochen. 
Error: (02/12/2015 09:08:41 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: Der Dienst "Update Follow Rules" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error: (02/12/2015 08:51:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: Der Dienst "Update Follow Rules" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error: (02/12/2015 08:33:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: Der Dienst "Update Follow Rules" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error: (02/12/2015 08:29:09 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT) Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x8007045b fehlgeschlagen: Sicherheitsupdate für Windows 8.1 für x64-basierte Systeme (KB3023562) Error: (02/12/2015 08:29:09 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT) Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x8007045b fehlgeschlagen: Update für Windows 8.1 für x64-Systeme (KB3020338) Error: (02/12/2015 08:29:09 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT) Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x8007045b fehlgeschlagen: Sicherheitsupdate für Internet Explorer Flash Player für Windows 8.1 für x64-Systeme (KB3021953) Error: (02/12/2015 08:29:09 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT) Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x8007045b fehlgeschlagen: Update für Windows 8.1 für x64-Systeme (KB3019868) Error: (02/12/2015 08:29:09 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT) Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x8007045b fehlgeschlagen: 
Sicherheitsupdate für Windows 8.1 für x64-basierte Systeme (KB3004361) Microsoft Office Sessions: ========================= Error: (02/11/2015 09:15:00 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT-AUTORITÄT) Description: -2147024883 Error: (02/06/2015 10:52:10 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: opera.exe27.0.1689.667a801d041f1d6e035ab60000C:\Program Files (x86)\Opera\27.0.1689.66\opera.exe9c3e1f19-ade5-11e4-8270-002522b895c2 Error: (02/06/2015 10:42:15 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: delegate_execute.exe31.0.1650.2354bd2f4ddelegate_execute.exe31.0.1650.2354bd2f4dc00000050002657fed001d041f12bc89005C:\Users\Theo van Rickelen\AppData\Local\Binkiland\Application\31.0.1650.23\delegate_execute.exeC:\Users\Theo van Rickelen\AppData\Local\Binkiland\Application\31.0.1650.23\delegate_execute.exe6ebcb3ed-ade4-11e4-8270-002522b895c2 Error: (02/06/2015 10:33:56 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: uninstaller.exe0.0.0.02a425e19ntdll.dll6.3.9600.1727853eeb4a3c00000050005cd547b401d041f006f91497C:\Users\THEOVA~1\AppData\Local\Temp\is620310607\1206BA55_stp\uninstaller.exeC:\Windows\SYSTEM32\ntdll.dll44e32a19-ade3-11e4-8270-002522b895c2 Error: (02/06/2015 10:33:24 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: BNKSTU~1.EXE0.0.0.02a425e19KERNELBASE.dll6.3.9600.1727853eeb460000006a600012f71104801d041efe532a8bcC:\Users\THEOVA~1\AppData\Local\Temp\BNKSTU~1.EXEC:\Windows\SYSTEM32\KERNELBASE.dll31d6a322-ade3-11e4-8270-002522b895c2 Error: (02/06/2015 10:18:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: Workstation) Description: Microsoft.BingSports_3.0.4.244_x64__8wekyb3d8bbwe+AppexSports Error: (02/06/2015 10:13:29 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: 
wwahost.exe6.3.9600.1703111dc01d041ecf816473d4294967295C:\Windows\system32\wwahost.exe642728e3-ade0-11e4-8270-002522b895c2Microsoft.BingNews_3.0.4.268_x64__8wekyb3d8bbweAppexNews Error: (02/06/2015 10:13:19 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: Workstation) Description: Microsoft.BingNews_3.0.4.268_x64__8wekyb3d8bbwe+AppexNews Error: (02/06/2015 10:12:44 AM) (Source: Application Hang) (EventID: 1002) (User: ) Description: wwahost.exe6.3.9600.17031e7801d041ed019f5fd14294967295C:\Windows\system32\wwahost.exe49a0b3f9-ade0-11e4-8270-002522b895c2Microsoft.ZuneVideo_2.6.434.0_x64__8wekyb3d8bbweMicrosoft.ZuneVideo Error: (02/06/2015 10:12:42 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Workstation) Description: Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo-2144927142 CodeIntegrity Errors: =================================== Date: 2015-02-01 18:20:29.112 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-02-01 18:20:28.960 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-02-01 18:20:28.722 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. 
Date: 2015-02-01 18:20:26.489 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-02-01 18:20:26.216 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-01-29 08:16:45.195 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-01-29 08:16:44.962 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-01-29 08:16:44.604 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. Date: 2015-01-29 08:16:44.360 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. 
Date: 2015-01-29 08:16:42.267 Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements. ==================== Memory info =========================== Processor: AMD Athlon(tm) II X2 250 Processor Percentage of memory in use: 59% Total physical RAM: 1791.3 MB Available physical RAM: 726.24 MB Total Pagefile: 2687.3 MB Available Pagefile: 1201.21 MB Total Virtual: 131072 MB Available Virtual: 131071.8 MB ==================== Drives ================================ Drive c: (Win 8.1) (Fixed) (Total:337.77 GB) (Free:308.84 GB) NTFS Drive d: (Win XP) (Fixed) (Total:127.99 GB) (Free:90.55 GB) NTFS ==>[System with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 6DF14F71) Partition 1: (Active) - (Size=128 GB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=337.8 GB) - (Type=07 NTFS) ==================== End Of Log ============================ |
14.02.2015, 17:09 | #4 |
/// the machine /// TB-Ausbilder | Win8.1 black screen -> wscript.exe terminated -> Win8.1 boots up Please download Malwarebytes Anti-Malware.
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
And a fresh FRST log, please.
__________________ Regards, schrauber. Proud Member of UNITE and ASAP since 2009. No help via PM! |