
Log Analysis and Evaluation: GMER Analysis: Do we have a rootkit?


31.03.2015, 14:07   #1
HtHNightwolf
 
Hello,

In our company, online banking access was blocked. After consulting the bank, scanning all PCs and the server simultaneously OFFLINE with the Kaspersky boot CD, and then running Malwarebytes and Hitman inside Windows, we thought everything was fixed.
However, the bank notes that it is still observing malicious traffic, which it would not specify further, when the online banking site is visited.
I am currently rescanning the Win7 x64 systems with Malwarebytes and would like to ask you to look for rootkits in the following two GMER logs, since I cannot evaluate them on my own.
Log 1, GMER logfile:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-03-31 14:52:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: Gmer-19357.exe; Driver: C:\Users\dwa\AppData\Local\Temp\kfloqpob.sys


---- Threads - GMER 2.1 ----

Thread   C:\program files (x86)\ra-micro\ramicronet\ra7.central.mail.receiver.exe [1508:1208]                                                                                                           0000000071fb32fb
Thread   C:\program files (x86)\ra-micro\ramicronet\ra7.central.mail.receiver.exe [1508:1496]                                                                                                           000000007269786a
---- Processes - GMER 2.1 ----

Library  C:\Windows\system32\32OLCALL.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    0000000011000000
Library  C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                      000000000b720000
Library  C:\Windows\system32\32OL2000.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    000000000c360000
Library  C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     0000000010000000
Library  C:\Windows\system32\32ol2007.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    000000000c7b0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAMICRO2.WIN.RACrypto.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                000000000edd0000
Library  C:\Windows\system32\32Hook.Dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                      000000000f300000
Library  C:\Windows\system32\32EAkte.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     0000000010750000
Library  C:\Windows\system32\32EATLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     000000000c3f0000
Library  C:\Windows\system32\32EAWEBA.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    0000000018c00000
Library  C:\Windows\system32\XP2.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                         000000000fe50000
Library  C:\Windows\system32\XP.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                          000000001c2c0000
Library  C:\Windows\system32\32EACTRL.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    00000000162b0000
Library  C:\Windows\system32\32AKTEN.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     000000001efd0000
Library  C:\Windows\system32\32AKTSB.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     000000001f210000
Library  C:\Windows\system32\32kntx.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                      000000001f230000
Library  C:\Windows\system32\32TV.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                        000000001f7b0000
Library  C:\Windows\system32\32TvWTls.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    000000001f800000
Library  C:\Windows\system32\32tvtx.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                      000000001f820000
Library  C:\Windows\system32\32tvrtf.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     000000001f8a0000
Library  C:\Windows\system32\32TvTls.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     000000001f8d0000
Library  C:\Windows\system32\druck32.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     000000001fcf0000
Library  C:\Windows\system32\32komfct.ocx (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    000000001f920000
Library  C:\Windows\system32\32ZH2OCX.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    000000001fe50000
Library  C:\Windows\system32\32EaData.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    0000000020d40000
Library  C:\Windows\system32\32ADRAKT.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    0000000020db0000
Library  C:\Windows\system32\32AKTAB.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     0000000022270000
Library  C:\Windows\system32\32Akten.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     0000000022550000
Library  C:\Windows\system32\32ADRESS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                    00000000228d0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RAMICRO.CENTRAL.UI.DIALOGS.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                           00000000213b0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.routines.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                 000000001eee0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.logging.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                  0000000010740000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.global.definitions.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                       000000001efb0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\log4net.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                              00000000214c0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.trace.utility.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                            00000000210b0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.wsadapter.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                00000000215d0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RA7.BUSINESS.DOCUMENTMANAGER.COM.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                     000000000aaa0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.documentmanager.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                         000000001cdd0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.documentmanager.interfaces.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]              0000000011bf0000
Library  C:\Windows\system32\32DRUCK.OCX (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4660]                                                                     0000000010650000
Library  C:\start\32ra.exe (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                              0000000000400000
Library  C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                 0000000011000000
Library  C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                0000000010000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAMICRO2.WIN.RACrypto.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                           0000000002af0000
Library  C:\Windows\system32\32PARAM.DLL (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                0000000003040000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RAMICRO.COMHELPER2.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                              0000000004b70000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.common.dropbox.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                              0000000007710000
Library  C:\Program Files (x86)\ra-micro\ramicronet\DropNet.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                         0000000004b80000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.routines.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                            0000000007a80000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.logging.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                             0000000002a20000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.global.definitions.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                  0000000007b50000
Library  C:\Program Files (x86)\ra-micro\ramicronet\log4net.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                         0000000007c90000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.trace.utility.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                       0000000007cf0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.wsadapter.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                           00000000030c0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra.ewf.common.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                   00000000032e0000
Library  C:\Windows\system32\32EATLS.DLL (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                0000000008ba0000
Library  C:\Windows\system32\32EAkte.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                0000000008d90000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RA7.CENTRAL.ROUTINES.COM.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                        0000000007fe0000
Library  C:\Windows\system32\XP2.OCX (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                    0000000008ca0000
Library  C:\Windows\system32\XP.OCX (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                     000000000a010000
Library  C:\Windows\system32\32DRUCK.OCX (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                000000000a110000
Library  C:\Windows\system32\druck32.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                0000000003230000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RAMICRO.RABOX.COM.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                               000000000a250000
Library  C:\Program Files (x86)\ra-micro\ramicronet\Ramicro.RaBox.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                   000000000b9f0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.stammdaten.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                         000000000c1d0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.user.interface.components.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                           000000000c550000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ramicro.DropBox.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                 000000000b140000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.compression.SharpZip.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                000000000b150000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RAMICRO.CENTRAL.UI.DIALOGS.dll (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                      000000000b3f0000
Library  C:\Windows\system32\32ADRESS.DLL (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                               000000000b7a0000
Library  C:\Windows\system32\32AKTEN.OCX (*** suspicious ***) @ C:\start\32ra.exe [4324]                                                                                                                00000000074d0000
Library  C:\Windows\SysWOW64\32ELOZIP.EXE (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                0000000000400000
Library  C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                  0000000011000000
Library  C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                 0000000010000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAMICRO2.WIN.RACrypto.dll (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                            0000000003f60000
Library  C:\Windows\system32\32CTRL.OCX (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                  0000000006ee0000
Library  C:\Windows\system32\XP2.OCX (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                     00000000070f0000
Library  C:\Windows\system32\32TV.OCX (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                    00000000071d0000
Library  C:\Windows\system32\32TvWTls.DLL (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                0000000007220000
Library  C:\Windows\system32\32tvtx.DLL (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                  00000000073e0000
Library  C:\Windows\system32\32tvrtf.dll (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                 0000000007240000
Library  C:\Windows\system32\32TvTls.DLL (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                 0000000007260000
Library  C:\Windows\SysWOW64\druck32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\32ELOZIP.EXE [4792]                                                                                                 00000000076d0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                                    0000000000400000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.trace.utility.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                          0000000002630000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.global.definitions.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                     00000000051d0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.ramessagelistener.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                      0000000002770000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.routines.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                               00000000056d0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.business.documentmanager.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                       0000000005890000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.logging.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                                0000000010000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\log4net.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                                            0000000005ca0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.wsadapter.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                              0000000006bf0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.generic.output.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                         0000000006c60000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.business.e-postfach.framework.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                  0000000006d60000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.business.dms.applogic.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                          0000000006de0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.business.documentmanager.interfaces.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]            00000000028f0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.compression.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                            0000000005190000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.generic.output.Interfaces.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]              00000000051c0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.business.dms.fulltext.lucene2-9.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                0000000007460000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ramicro.Lucene.Net.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\RAPDFErstellung.exe [4712]                                 000000000d690000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra.dienste.starter.exe (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\ra.dienste.starter.exe [1500]                              0000000000400000
Library  C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                      0000000000400000
Library  C:\program files (x86)\ra-micro\ramicronet\Ramicro.RaBox.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                               0000000010000000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.routines.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                        0000000002a40000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.global.definitions.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]              0000000004c10000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.trace.utility.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                   0000000004c50000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.business.stammdaten.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                     0000000006490000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.logging.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                         0000000006750000
Library  C:\program files (x86)\ra-micro\ramicronet\log4net.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                                     0000000006850000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.wsadapter.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                       0000000007370000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.user.interface.components.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]       00000000077e0000
Library  C:\program files (x86)\ra-micro\ramicronet\ramicro.DropBox.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]                             0000000004cc0000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.compression.SharpZip.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ramicro.rabox.exporter.exe [4608]            0000000007610000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.mail.receiver.exe (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.central.mail.receiver.exe [1508]                0000000000400000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]  0000000000400000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.routines.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]              0000000006440000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.logging.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]               0000000010000000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.global.definitions.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]    0000000006100000
Library  C:\program files (x86)\ra-micro\ramicronet\log4net.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]                           0000000006040000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.trace.utility.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]         0000000006090000
Library  C:\program files (x86)\ra-micro\ramicronet\ra7.central.wsadapter.dll (*** suspicious ***) @ C:\program files (x86)\ra-micro\ramicronet\ra7.communication.directmessages.exe [4920]             0000000008180000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                  0000000000400000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.vbnet.applications.extension.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]  0000000002540000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.trace.utility.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                 00000000024b0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.global.definitions.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]            0000000002770000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.routines.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                      0000000005620000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.ramessagelistener.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]             0000000005740000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.generic.output.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                0000000005770000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.logging.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                       0000000010000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\log4net.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                                   0000000005bb0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.wsadapter.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                     00000000068f0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.generic.output.Interfaces.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]     0000000005990000
Library  C:\Windows\system32\druck32.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                                                          0000000005100000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\TXTextControl.Windows.Forms.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]               0000000005b70000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\TXTextControl.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                             0000000008000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\txkernel.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                                  000000000a0c0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\txtools.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                                   0000000009600000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\rae.Common.PDFConverter.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                   000000000a680000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\PdfMetamorphosis.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                          000000000ad50000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\PDFVision.dll (*** suspicious ***) @ C:\Program Files (x86)\ra-micro\RAMICRONET\7.central.generic.output.exe [4020]                                 000000000aef0000
Library  c:\ra\winexe\32akto.exe (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                                  0000000000400000
Library  C:\Windows\system32\32FibuFW.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                         0000000011000000
Library  C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                           00000000005e0000
Library  C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                          0000000010000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAMICRO2.WIN.RACrypto.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                     0000000000f40000
Library  C:\Windows\system32\32EAkte.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                          0000000007150000
Library  C:\Windows\system32\32EATLS.DLL (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                          0000000007240000
Library  C:\Windows\system32\32dmenue.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                         0000000008d70000
Library  c:\ra\winexe\rmx.men.menu.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                            0000000009060000
Library  c:\ra\winexe\ra7.central.trace.utility.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                               00000000040d0000
Library  c:\ra\winexe\ra7.central.global.definitions.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                          0000000007980000
Library  c:\ra\winexe\ra7.central.routines.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                    0000000009530000
Library  c:\ra\winexe\ra7.central.user.interface.components.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                   00000000096f0000
Library  c:\ra\winexe\ra7.central.logging.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                     0000000003040000
Library  c:\ra\winexe\log4net.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                                 0000000009be0000
Library  c:\ra\winexe\ra7.central.wsadapter.dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                   000000000a890000
Library  C:\Windows\system32\32BUCHEN.DLL (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                         000000000b130000
Library  C:\Windows\system32\XP.OCX (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                               000000000b490000
Library  C:\Windows\system32\XP2.OCX (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                              000000000b3e0000
Library  C:\Windows\system32\32AKTEN.OCX (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                          000000000baf0000
Library  C:\Windows\system32\32Hook.Dll (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                           000000000bc30000
Library  C:\Windows\system32\32ADRESS.DLL (*** suspicious ***) @ c:\ra\winexe\32akto.exe [6060]                                                                                                         000000000bf80000
Library  c:\ra\winexe\32gebneu.exe (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                              0000000000400000
Library  C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                         0000000011000000
Library  C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        0000000010000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAMICRO2.WIN.RACrypto.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                   0000000002810000
Library  C:\Windows\system32\XP.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                             0000000008270000
Library  C:\Windows\system32\XP2.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                            0000000008330000
Library  C:\Windows\system32\32BILANZ.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       0000000009220000
Library  C:\Windows\system32\32dmenue.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       0000000009530000
Library  c:\ra\winexe\rmx.men.menu.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                          0000000009730000
Library  c:\ra\winexe\ra7.central.trace.utility.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                             00000000099b0000
Library  c:\ra\winexe\ra7.central.global.definitions.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                        00000000099d0000
Library  c:\ra\winexe\ra7.central.routines.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                  0000000009f20000
Library  c:\ra\winexe\ra7.central.user.interface.components.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                 000000000a0e0000
Library  c:\ra\winexe\ra7.central.logging.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                   0000000009660000
Library  c:\ra\winexe\log4net.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                               000000000a600000
Library  c:\ra\winexe\ra7.central.wsadapter.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                 000000000a7e0000
Library  C:\Windows\system32\32Akten.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        0000000022000000
Library  C:\Windows\system32\32ADRESS.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       000000000b7a0000
Library  C:\Windows\system32\32ABTree.ocx (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       0000000002e40000
Library  C:\Windows\system32\32AKTEN.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        00000000090a0000
Library  C:\Windows\system32\32DRUCK.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        00000000091a0000
Library  C:\Windows\system32\32Hook.Dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                         000000000ba50000
Library  C:\Windows\system32\32DMOCX.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        000000000ba90000
Library  C:\Windows\system32\32CTRL.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                         000000000bac0000
Library  C:\Windows\system32\druck32.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        000000000c1f0000
Library  C:\Windows\system32\32TvWTls.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       000000000c260000
Library  C:\Windows\system32\32tvtx.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                         000000000cbb0000
Library  C:\Windows\system32\32tvrtf.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        000000000c280000
Library  C:\Windows\system32\32TvTls.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        000000000cd50000
Library  C:\Windows\system32\32HALTER.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       0000000002c40000
Library  C:\Windows\system32\32BUCHEN.DLL (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       000000000fb80000
Library  C:\Windows\system32\32FibuFW.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       0000000009fe0000
Library  C:\Windows\system32\32BKLIST.OCX (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                       0000000002ec0000
Library  C:\Windows\system32\32EAkte.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                        000000000b940000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RA7.CENTRAL.GENERIC.OUTPUT.COM.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                          0000000009190000
Library  c:\ra\winexe\ra7.central.generic.output.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                            000000000a4b0000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\ra7.central.generic.output.Interfaces.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                   0000000009710000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RA7.BUSINESS.DOCUMENTMANAGER.COM.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                        000000000a0b0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.documentmanager.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                            000000000b260000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.documentmanager.interfaces.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                 000000000a5d0000
Library  c:\ra\winexe\ra7.central.compression.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                               000000000dab0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.dms.fulltext.lucene2-9.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                     000000000daf0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ramicro.Lucene.Net.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                      0000000010e60000
Library  c:\ra\winexe\ra7.central.Core.dll (*** suspicious ***) @ c:\ra\winexe\32gebneu.exe [5720]                                                                                                      0000000002ce0000
Library  C:\Windows\system32\32WW2007.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    000000001fee0000
Library  C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     0000000010000000
Library  C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                      0000000011000000
Library  C:\Program Files (x86)\ra-micro\RAMICRONET\RAMICRO2.WIN.RACrypto.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                00000000078b0000
Library  C:\Windows\system32\32TXWAHL.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    000000000ac60000
Library  C:\Windows\system32\32DRUCK.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     000000000aea0000
Library  C:\Windows\system32\32WW2000.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    0000000002f10000
Library  C:\Windows\system32\druck32.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     000000000af00000
Library  C:\Windows\system32\32EAWEBA.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    000000000afc0000
Library  C:\DictaNet\DNCom.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                               000000000b2d0000
Library  C:\Windows\system32\32EAkte.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     000000000c550000
Library  C:\Windows\system32\32EATLS.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     000000000c6f0000
Library  C:\Windows\system32\32CALLWW.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    0000000005350000
Library  C:\Windows\system32\XP2.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                         000000000ef00000
Library  C:\Windows\system32\XP.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                          000000000fe50000
Library  C:\Windows\system32\32Akten.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     0000000022000000
Library  C:\Windows\system32\32EGVP.ocx (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                      000000000c450000
Library  C:\Windows\system32\32Hook.Dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                      000000000ed50000
Library  C:\Windows\system32\32AKTEN.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     0000000013200000
Library  C:\Windows\system32\32EACTRL.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    000000000ff90000
Library  C:\Windows\system32\32AKTSB.OCX (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     0000000014380000
Library  C:\Windows\system32\32ADRESS.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    00000000146b0000
Library  C:\Windows\system32\32EaData.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    00000000148a0000
Library  C:\Windows\system32\32DOKUVW.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    0000000018fe0000
Library  C:\Windows\system32\32ADRAKT.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    0000000018d50000
Library  C:\Windows\system32\32AKTAB.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                     0000000019c90000
Library  C:\Program Files (x86)\ra-micro\ramicronet\RA7.BUSINESS.DOCUMENTMANAGER.COM.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                     0000000012640000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.documentmanager.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                         0000000014510000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.routines.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                 0000000018ca0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.global.definitions.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                       00000000131c0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.logging.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                  0000000014670000
Library  C:\Program Files (x86)\ra-micro\ramicronet\log4net.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                              0000000019a90000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.trace.utility.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                            0000000018d40000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.central.wsadapter.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                000000001a1d0000
Library  C:\Program Files (x86)\ra-micro\ramicronet\ra7.business.documentmanager.interfaces.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]              000000000a590000
Library  C:\Windows\system32\32BRIEFE.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    000000000a6c0000
Library  C:\Windows\system32\32ABTree.ocx (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    000000000a5b0000
Library  C:\Windows\system32\32kntx.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                      0000000002940000
Library  C:\Windows\system32\32alte.dll (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                      000000001cde0000
Library  C:\Windows\system32\32HALTER.DLL (*** suspicious ***) @ c:\program files (x86)\microsoft office\office14\winword.exe [2688]                                                                    0000000014920000

---- EOF - GMER 2.1 ----

Log 2
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-03-31 15:01:23
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3160318AS rev.CC44 149,05GB
Running: Gmer-19357.exe; Driver: C:\Users\HWU~1.GAP\AppData\Local\Temp\fwdoqpob.sys


---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\explorer.exe [872:3480] 0000000000256e54
Thread C:\Windows\SysWOW64\explorer.exe [872:3816] 00000000002472e4
Thread C:\Windows\SysWOW64\explorer.exe [872:1452] 0000000000256c80
---- Processes - GMER 2.1 ----

Library C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktop_ResDEU.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2920] 0000000073950000
Library C:\Windows\system32\32OLCALL.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [3896] 0000000011000000
Library C:\Windows\system32\RAMAIN.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [3896] 0000000005130000
Library C:\Windows\system32\32OL2000.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [3896] 000000000ace0000
Library C:\Windows\system32\RAMAINC.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [3896] 0000000010000000
Library C:\Windows\system32\32ol2007.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [3896] 000000000b340000


These are the two PCs that carry out the banking.
Many thanks in advance
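As an added triage aid that is not part of this thread, the following Python script parses GMER's `Library <path> (*** suspicious ***) @ <process> [pid] <base>` lines as they appear in the logs above, groups the flagged modules by host process, and picks out any module loaded from a user-writable directory (profile, AppData, Temp, ProgramData). The sample log is constructed in the same layout as the posted logs; its third entry is an invented path to exercise the check and does not come from the poster's machines.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 2.1 "Processes" layout. The first two lines
# mirror entries from the posted logs; the third is an invented entry (not from
# the thread) so that the user-writable-path check has something to flag.
SAMPLE_LOG = """\
---- Processes - GMER 2.1 ----

Library  C:\\Windows\\system32\\RAMAIN.DLL (*** suspicious ***) @ c:\\ra\\winexe\\32akto.exe [6060]      00000000005e0000
Library  C:\\Program Files (x86)\\ra-micro\\RAMICRONET\\log4net.dll (*** suspicious ***) @ c:\\ra\\winexe\\32akto.exe [6060]      0000000009be0000
Library  C:\\Users\\someone\\AppData\\Roaming\\Example\\unknown.dll (*** suspicious ***) @ c:\\program files (x86)\\microsoft office\\office14\\winword.exe [2688]      000000000ed50000

---- EOF - GMER 2.1 ----
"""

# One GMER "Library" line: module path, the suspicious tag, host process, PID, load base.
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>[0-9a-fA-F]{16})\s*$"
)

# Path fragments that indicate a location an unprivileged user can write to.
# A module loaded from such a place deserves a closer look than one under
# Program Files or the Windows directory; the tag alone decides nothing.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_libraries(text):
    """Return one dict per parsed Library line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LIBRARY_RE.match(line.strip())
        if m:
            entries.append({
                "path": m.group("path"),
                "process": m.group("process").lower(),
                "pid": int(m.group("pid")),
                "base": int(m.group("base"), 16),
            })
    return entries


def is_user_writable(path):
    """True when the module path lies under a directory a normal user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(text):
    """Group flagged modules by (process, pid) and list those from user-writable paths."""
    entries = parse_libraries(text)
    by_process = defaultdict(list)
    for e in entries:
        by_process[(e["process"], e["pid"])].append(e["path"])
    flagged = [e["path"] for e in entries if is_user_writable(e["path"])]
    return dict(by_process), flagged


if __name__ == "__main__":
    groups, flagged = triage(SAMPLE_LOG)
    for (proc, pid), libs in groups.items():
        print(f"{proc} [{pid}]: {len(libs)} flagged module(s)")
        for lib in libs:
            print("    ", lib)
    print("Loaded from user-writable locations:", flagged)
```

Run it against the full posted log by reading the text into `triage()`; the per-process grouping shows at a glance which application each flagged module belongs to, which is the first question to answer before treating any entry as a rootkit indicator.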

Alt 31.03.2015, 14:20   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 

Hi and H

It certainly looks suspicious.
Do you want to continue cleaning? If so, please read this => http://www.trojaner-board.de/108422-...-anfragen.html (cleaning of commercially used computers)

Alt 01.04.2015, 09:47   #3
HtHNightwolf
 

Hello cosinus,

Thank you very much. I have read it. I AM the admin. More precisely, I am the admin who gets called in from outside. Unfortunately, understanding and evaluating log files is not part of my day-to-day work. Sure, formatting and reinstalling is always best, but I wanted to avoid that, because it means an enormous number of working hours and therefore money.
I would do the cleaning work myself, but I would be glad if someone could search the log files for anything suspicious.

Alt 01.04.2015, 10:43   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 

Have you also taken note that we do not delete logs afterwards?
It is your responsibility that no sensitive data such as complete first and last names are visible in the logs, so you must replace anything of that kind with asterisks in the logs before posting.

And please do not post logs from several computers in one thread. Otherwise it ends in chaos. Decide which computer we should look at first, then post only that one's logs.

Here we go:

Scan with Farbar's Recovery Scan Tool (FRST)

Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST Download FRST 32-Bit | FRST 64-Bit
(If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked to, and click on Scan.
  • The log files are now created and will afterwards be on your desktop.
  • Post the FRST.txt and, after the first scan, also the Addition.txt in your thread (click the # symbol in the input window of the website)


Alt 07.04.2015, 10:19   #5
HtHNightwolf
 

OK, thank you very much.
I'll start with computer 1.
Nowadays the files end up in the Downloads folder instead of on the desktop, but I found them there anyway.
Names and the like I have blacked out.

FRST.txt
FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by dwa (administrator) on GAPWS28W7 on 07-04-2015 11:09:16
Running from C:\Users\*****\Downloads
Loaded Profiles: dwa (Available profiles: awa & hka & dwa & serviceuser)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe
(NCP Engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe
() C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Security Agent\TmListen.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x939C50A800AAE751\cmd.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x81ACAAA657A54A6B\OUTLOOK.EXE
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xC470558F098276C4\32ra.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x609C1ED1C5785400\32ELOZIP.EXE
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x1EE623CE19082647\RAPDFErstellung.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xCEC970771AE09040\ra.dienste.starter.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x0AAA4A087FC3E039\ramicro.rabox.exporter.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x0AAA4A087FC3E039\ra7.central.mail.receiver.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x7D9802F9BD3B3408\ra7.communication.directmessages.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x6E233C94260A9D09\32termin.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xA0FD2043CFA39508\32aterm.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [219480 2011-10-17] (Trend Micro Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [895512 2010-10-22] (PDF Complete Inc)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [NcpMonitor] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe [7730928 2015-01-20] (NCP engineering GmbH)
HKLM-x32\...\Run: [NcpBudgetGui] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe [1819888 2015-01-20] (NCP engineering GmbH)
HKLM-x32\...\Run: [NcpPopup] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncppopup.exe [964848 2015-01-20] (NCP engineering GmbH)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Run: [AdobeChk] => C:\Users\dwa\AppData\Roaming\AdobeChk\chk.exe
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2015-03-25] (Google Inc.)
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=CMDTDF
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKLM -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=CMDTDF
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKLM-x32 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll [2011-09-28] (Trend Micro Inc.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll [2015-03-25] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg32.dll [2010-09-30] (Trend Micro Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll [2012-07-05] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-25] (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll [2015-03-25] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll [2012-07-05] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-25] (Google Inc.)
Toolbar: HKU\S-1-5-21-1386967835-2426692312-148520297-1206 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll [2011-09-28] (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg32.dll [2010-09-30] (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Security Agent\UIFramework\ProToolbarIMRatingActiveX.dll [2011-11-10] (Trend Micro Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.18.11 192.168.18.1
Tcpip\..\Interfaces\{F20B1D66-5CA0-4301-A8AD-78E1BEE25E87}: [NameServer] 192.168.2.100

FireFox:
========
FF ProfilePath: C:\Users\dwa\AppData\Roaming\Mozilla\Firefox\Profiles\8nglco5m.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll [2013-03-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll [2013-03-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npDeployJava1.dll [2012-07-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll [2012-07-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: G Data BankGuard - C:\Program Files (x86)\Mozilla Firefox\extensions\{906305f7-aafc-45e9-8bbd-941950a84dad} [2014-01-24]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2013-04-26]

Chrome: 
=======
CHR Profile: C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-02]
CHR Extension: (Google Drive) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-02]
CHR Extension: (YouTube) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-02]
CHR Extension: (McAfee Security Scan+) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh [2014-06-23]
CHR Extension: (Google Search) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-02]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-02]
CHR Extension: (Gmail) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-02]
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
R2 ncpclcfg; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe [531208 2015-01-20] (NCP engineering GmbH)
R2 ncprwsnt; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe [1782024 2015-01-20] (NCP Engineering GmbH)
R2 ncpsec; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe [125952 2015-01-20] () [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
S3 Olympus DVR Service; C:\Program Files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [176128 2010-02-26] (OLYMPUS IMAGING CORP.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1121304 2010-10-22] (PDF Complete Inc)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R3 TmListen; C:\Program Files\Trend Micro\Security Agent\tmlisten.exe [1017360 2011-11-16] (Trend Micro Inc.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=qb -dt=60000 [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 IFCoEMP; C:\Windows\system32\drivers\ifM52x64.sys [339728 2010-08-14] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP52X64.sys [65808 2010-08-14] (Intel(R) Corporation)
S3 ncpfilt; C:\Windows\System32\DRIVERS\ncplelhp.sys [112560 2015-01-20] (NCP Engineering GmbH)
R3 ncplelhp; C:\Windows\System32\DRIVERS\ncplelhp.sys [112560 2015-01-20] (NCP Engineering GmbH)
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90896 2011-06-23] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [146192 2011-06-23] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [69904 2011-06-23] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-09-30] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-07 11:09 - 2015-04-07 11:10 - 00017446 _____ () C:\Users\dwa\Downloads\FRST.txt
2015-04-07 11:09 - 2015-04-07 11:09 - 00000000 ____D () C:\FRST
2015-04-07 11:08 - 2015-04-07 11:08 - 02095616 _____ (Farbar) C:\Users\dwa\Downloads\FRST64.exe
2015-03-31 14:50 - 2015-03-31 14:50 - 00380416 _____ () C:\Users\dwa\Downloads\Gmer-19357.exe
2015-03-25 09:42 - 2015-03-27 14:35 - 00000000 ____D () C:\Users\dwa\AppData\Roaming\Google
2015-03-23 12:57 - 2015-03-23 13:04 - 00011200 _____ () C:\Users\dwa\Documents\Kontodaten wg. FG - Inka Akten.xlsx
2015-03-10 12:12 - 2015-03-10 12:12 - 00000000 ____D () C:\Users\dwa\Documents\Gappmayer - Akten
2015-03-10 12:11 - 2015-03-10 12:11 - 00000000 ____D () C:\Users\dwa\Documents\Gappmayer - Büro
2015-03-10 12:09 - 2015-04-02 16:42 - 00000000 ____D () C:\Users\dwa\Documents\Mue-Stö - Akten
2015-03-10 12:07 - 2015-03-10 12:11 - 00000000 ____D () C:\Users\dwa\Documents\Mue-Stö - Büro
2015-03-10 11:23 - 2015-03-10 11:27 - 00002060 _____ () C:\Users\dwa\Desktop\DATEV Terminalserver Weitnauer-MUC.RDP
2015-03-10 11:16 - 2015-03-10 11:16 - 00002035 _____ () C:\Users\Public\Desktop\LANCOM Advanced VPN Client.lnk
2015-03-10 11:16 - 2015-03-10 11:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LANCOM
2015-03-10 11:16 - 2015-01-20 16:03 - 00112560 _____ (NCP Engineering GmbH) C:\Windows\system32\Drivers\ncplelhp.sys
2015-03-10 11:15 - 2015-03-10 11:15 - 00000000 ____D () C:\ProgramData\NCP
2015-03-10 11:15 - 2015-03-10 11:15 - 00000000 ____D () C:\Program Files (x86)\LANCOM
2015-03-10 11:14 - 2015-03-10 11:14 - 00000000 ____D () C:\Users\dwa\AppData\Local\Downloaded Installations
2015-03-10 11:07 - 2015-03-10 11:14 - 32785128 _____ (NCP engineering GmbH) C:\Users\dwa\Downloads\LC-Advanced-VPN-Client-Win-3.00-REL-x86-64.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-07 11:05 - 2009-07-14 07:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-07 10:41 - 2012-09-04 12:15 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-07 10:29 - 2012-08-10 09:54 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-07 10:27 - 2015-01-26 11:56 - 00000000 ____D () C:\MSIT
2015-04-07 10:08 - 2011-07-15 10:12 - 00000000 ____D () C:\ProgramData\PDFC
2015-04-07 09:26 - 2011-07-15 10:11 - 00000000 ____D () C:\ProgramData\Temp
2015-04-07 09:15 - 2014-01-02 12:54 - 00000000 ____D () C:\Users\dwa
2015-04-07 09:15 - 2012-09-04 12:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-07 09:15 - 2011-08-16 14:25 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
2015-04-07 09:14 - 2009-07-14 06:45 - 00035984 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-07 09:14 - 2009-07-14 06:45 - 00035984 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-07 09:11 - 2011-04-12 09:43 - 00704134 _____ () C:\Windows\system32\perfh007.dat
2015-04-07 09:11 - 2011-04-12 09:43 - 00151134 _____ () C:\Windows\system32\perfc007.dat
2015-04-07 09:11 - 2009-07-14 07:13 - 01633276 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-07 09:07 - 2014-01-02 12:54 - 00000250 ___SH () C:\Users\dwa\ntuser.ini
2015-04-07 09:07 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-07 09:07 - 2009-07-14 06:51 - 01675215 _____ () C:\Windows\setupact.log
2015-04-07 09:01 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\spool
2015-04-02 17:09 - 2013-06-14 13:41 - 00000040 _____ () C:\Windows\DICTANET.INI
2015-04-02 16:13 - 2013-06-14 13:41 - 00000051 _____ () C:\Windows\Error.Ini
2015-04-02 09:24 - 2011-10-14 03:24 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForGAPWS28W7$
2015-04-02 09:24 - 2011-10-14 03:24 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForGAPWS28W7$.job
2015-03-31 15:10 - 2015-01-29 16:55 - 00002004 ____H () C:\Users\dwa\Documents\Default.rdp
2015-03-31 14:44 - 2015-01-30 09:40 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-27 09:52 - 2014-01-02 15:06 - 00000000 ____D () C:\Users\dwa\AppData\Local\Google
2015-03-26 09:28 - 2010-11-21 05:47 - 00197018 _____ () C:\Windows\PFRO.log
2015-03-25 09:42 - 2014-06-24 11:10 - 00000000 ____D () C:\Users\dwa\AppData\Local\Adobe
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\ProgramData\Google
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\Program Files\Google
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\Program Files (x86)\Google
2015-03-25 09:42 - 2012-08-10 09:54 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-03-25 09:42 - 2012-08-10 09:54 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-03-25 09:42 - 2011-08-16 15:34 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

Some content of TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\APNStub.exe
C:\Users\administrator\AppData\Local\Temp\fx-runtime.exe
C:\Users\administrator\AppData\Local\Temp\JavaIC.dll
C:\Users\administrator\AppData\Local\Temp\msscct32.dll
C:\Users\awa\AppData\Local\Temp\ivstqa3l.dll
C:\Users\awa\AppData\Local\Temp\rmx.stp.04.elster.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.07.secsigner.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.10.AdobeAir.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.12.SurfaceInstaller.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.12.syncframework.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.14.ddbac.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.15.uninst.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.18.sqlce4.exe
C:\Users\awa\AppData\Local\Temp\rmx.stp.exe
C:\Users\awa\AppData\Local\Temp\spoonrestarter.exe
C:\Users\cga\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\dwa\AppData\Local\Temp\1owti-rr.dll
C:\Users\dwa\AppData\Local\Temp\22y5jpmt.dll
C:\Users\dwa\AppData\Local\Temp\2nqjrxr4.dll
C:\Users\dwa\AppData\Local\Temp\bft0jpna.dll
C:\Users\dwa\AppData\Local\Temp\decdzmbr.dll
C:\Users\dwa\AppData\Local\Temp\elf4j3n5.dll
C:\Users\dwa\AppData\Local\Temp\f0r05dbo.dll
C:\Users\dwa\AppData\Local\Temp\imm0tciu.dll
C:\Users\dwa\AppData\Local\Temp\j2dwt0dg.dll
C:\Users\dwa\AppData\Local\Temp\ju3vi5fl.dll
C:\Users\dwa\AppData\Local\Temp\k3tjeurq.dll
C:\Users\dwa\AppData\Local\Temp\lxfe3e2u.dll
C:\Users\dwa\AppData\Local\Temp\nbbzrdy1.dll
C:\Users\dwa\AppData\Local\Temp\orp4h0hc.dll
C:\Users\dwa\AppData\Local\Temp\qohjzsfy.dll
C:\Users\dwa\AppData\Local\Temp\rmx.stp.01.framework4.exe
C:\Users\dwa\AppData\Local\Temp\rmx.stp.06.xchangedictanet.exe
C:\Users\dwa\AppData\Local\Temp\rmx.stp.07.secsigner.exe
C:\Users\dwa\AppData\Local\Temp\rmx.stp.09.AdobeFlashplayer.exe
C:\Users\dwa\AppData\Local\Temp\rmx.stp.10.AdobeAir.exe
C:\Users\dwa\AppData\Local\Temp\rmx.stp.14.ddbac.exe
C:\Users\dwa\AppData\Local\Temp\rvmq4ad5.dll
C:\Users\dwa\AppData\Local\Temp\tiesxkod.dll
C:\Users\dwa\AppData\Local\Temp\ttwiqvnx.dll
C:\Users\dwa\AppData\Local\Temp\tubdyhpr.dll
C:\Users\dwa\AppData\Local\Temp\u5bmjbt4.dll
C:\Users\dwa\AppData\Local\Temp\v4gl0dsd.dll
C:\Users\dwa\AppData\Local\Temp\wlvrfeqr.dll
C:\Users\dwa\AppData\Local\Temp\x5cc4lnt.dll
C:\Users\dwa\AppData\Local\Temp\y0oqlh3o.dll
C:\Users\dwa\AppData\Local\Temp\zcre5sb5.dll
C:\Users\dwa\AppData\Local\Temp\zx0kedfl.dll
C:\Users\master\AppData\Local\Temp\rmx.stp.01.infragistics103.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.02.leadtools.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.03.textcontrol.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.04.elster.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.05.OpenLimit.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.06.xchange.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.07.secsigner.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.09.AdobeFlashplayer.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.10.AdobeAir.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.12.SurfaceInstaller.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.12.syncframework.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.13.ramicrosystem.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.14.ddbac.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.15.uninst.exe
C:\Users\master\AppData\Local\Temp\rmx.stp.17.pia.exe
C:\Users\sku\AppData\Local\Temp\rmx.stp.09.AdobeFlashplayer.exe
C:\Users\sku\AppData\Local\Temp\rmx.stp.10.AdobeAir.exe
C:\Users\tvr\AppData\Local\Temp\0oh5c5ki.dll
C:\Users\tvr\AppData\Local\Temp\2sp5hjko.dll
C:\Users\tvr\AppData\Local\Temp\rmx.stp.10.AdobeAir.exe
C:\Users\tvr\AppData\Local\Temp\rmx.stp.14.ddbac.exe
C:\Users\tvr\AppData\Local\Temp\rmx.stp.15.uninst.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-31 15:57

==================== End Of Log ============================
         
--- --- ---


Addition.txt
FRST Additions Logfile:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by dwa at 2015-04-07 11:10:50
Running from C:\Users\*****\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Trend Micro Security Agent (Enabled - Up to date) {7193B549-236F-55EE-9AEC-F65279E59A92}
AS: Trend Micro Security Agent (Enabled - Up to date) {CAF254AD-0555-5A60-A05C-CD200262D02F}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ActiveCheck component for HP Active Support Library (x32 Version: 3.0.0.3 - Hewlett-Packard) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 15.0.0.356 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.6.602.180 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Reader X (10.1.13) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}) (Version: 6.0.0.59 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Autodesk Buzzsaw 2013.1.27.1368 (HKLM-x32\...\Autodesk Buzzsaw 2013) (Version: 2013.1.27.1368 - Autodesk)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Corel WinDVD (HKLM-x32\...\{5C1F18D2-F6B7-4242-B803-B5A78648185D}) (Version: 10.0.5.835 - Corel Inc.)
DDBAC (HKLM-x32\...\{021BC94E-D464-4B9D-96F1-C6566B476A71}) (Version: 5.3.3 - DataDesign)
DDBAC (HKLM-x32\...\{7121136B-462F-46F7-8FC0-6A35E8DC2D5B}) (Version: 4.3.77 - DataDesign)
DDBAC (HKLM-x32\...\{88A0F52F-A024-4268-977E-E75B1F9C67ED}) (Version: 5.3.28 - DataDesign)
DDBAC (HKLM-x32\...\{CB3F10A6-3BD7-43C8-A011-22B00FEB61D5}) (Version: 5.3.7 - DataDesign)
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Dragon NaturallySpeaking 11 (HKLM-x32\...\{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}) (Version: 11.50.100 - Nuance Communications Inc.)
ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 13.3.0.9066 - Landesfinanzdirektion Thüringen)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
HP LaserJet 400 M401 (HKLM-x32\...\{8989F6D9-550C-4178-A8CB-75B82A06621F}) (Version: 5.0.12200.835 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{05BA6A83-C7A7-4F85-88F1-150142305229}) (Version: 8.5.4489.3576 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
HPAsset component for HP Active Support Library (x32 Version: 3.0.0.3 - Hewlett-Packard) Hidden
hpbDSService (x32 Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM401DSService (x32 Version: 001.001.05874 - Hewlett-Packard) Hidden
HPLaserJet400-M401_HelpLearnCenter_SI (HKLM-x32\...\{4989DD05-86FB-4CA2-96C5-923DFAD89DA3}) (Version: 1.01.0000 - Hewlett-Packard)
hppLaserJetService (x32 Version: 009.027.00856 - Hewlett-Packard) Hidden
hppM401LaserJetService (x32 Version: 001.019.00639 - Hewlett-Packard) Hidden
hpStatusAlerts (x32 Version: 050.037.00142 - Hewlett Packard) Hidden
hpStatusAlertsM401 (x32 Version: 050.034.00131 - Hewlett-Packard) Hidden
iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Network Connections 15.7.176.0 (HKLM\...\PROSetDX) (Version: 15.7.176.0 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2253 - Intel Corporation)
Java(TM) 7 Update 5 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217005FF}) (Version: 7.0.50 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
LANCOM Advanced VPN Client (HKLM\...\{81C44F7F-5A1E-4FA9-ADE2-B84C866B8091}) (Version: 3.00.21499 - NCP engineering GmbH)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM-x32\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Mein CEWE FOTOBUCH (HKLM-x32\...\Mein CEWE FOTOBUCH) (Version: 5.0.1 - CEWE COLOR AG u Co. OHG)
Meine CEWE FOTOWELT (HKLM-x32\...\Meine CEWE FOTOWELT) (Version: 5.0.1 - CEWE COLOR AG u Co. OHG)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2010 Primary Interop Assemblies (HKLM-x32\...\{90140000-1105-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1024 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 x64 DEU (HKLM\...\{CCBF4FD7-F4D2-4DB0-BC0E-F4EC42220EFF}) (Version: 4.0.8482.1 - Microsoft Corporation)
Microsoft Surface 2.0 Runtime (HKLM-x32\...\{69C2B39D-F060-49AD-8877-01C4144A8424}) (Version: 2.0.21114.00 - Microsoft Corporation)
Microsoft Surface Toolkit Runtime for Windows Touch Beta (HKLM-x32\...\{788755AD-6DD7-4736-9CA9-24B05D87845C}) (Version: 1.5.10404.01 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x86) DEU  (HKLM-x32\...\{E6415AEF-3B3E-43FF-AD3A-0258D854E7D6}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x86) DEU  (HKLM-x32\...\{E90A1941-4989-4172-AB5C-DBCB02202A84}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.1 Core Components (x86) DEU  (HKLM-x32\...\{D0F06337-3406-4162-9990-7853DCE4F345}) (Version: 2.1.1648.0 - Microsoft Corporation)
Microsoft Sync Framework 2.1 Provider Services (x86) DEU  (HKLM-x32\...\{349B4707-5F45-49EB-9A9D-8F89C94355F2}) (Version: 2.1.1648.0 - Microsoft Corporation)
Microsoft Visual Basic PowerPacks 10.0 (HKLM-x32\...\{D95B72D8-DE21-3DAE-B2C5-B1EE64EEBEFA}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.31007 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.31007 - Microsoft Corporation)
Microsoft_VC90_CRT_x86 (HKLM-x32\...\{DF2035BE-5820-4965-BD97-7FAF8D4A7879}) (Version: 1.0.0 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 26.0 (x86 de)) (Version: 26.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 26.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.14 - PDF Complete, Inc)
PDF-XChange 2012 (HKLM\...\{504022CD-6A58-42D5-ACC9-966F695AAD93}_is1) (Version: 5.0.269.0 - Tracker Software Products Ltd)
PDF-XChange 4 (HKLM\...\{EA08048C-3823-4DC8-B169-1D5D11FFC19F}_is1) (Version: 4.0.162.0 - Tracker Software Products Ltd)
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
RA-MICRO Datenschnittstelle (HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\7F68B937B5888AFC8A4D798DDB7B57C56D80CD93) (Version: 14.3.10.1 - RA-MICRO Software GmbH)
RA-MICRO Datenschnittstelle MS Excel (HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\7F05E7A558F6A5154CB3EAB36AFDBC20670C6725) (Version: 14.5.22.0 - RA-MICRO Software GmbH)
RA-MICRO Datenschnittstelle MS Outlook (HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\D4525534804412C9DE054E9AD6B06290C74C7DD7) (Version: 14.5.22.0 - RA-MICRO GmbH & Co. KGaA)
RA-MICRO Deinstallation (HKLM-x32\...\ra-micro Deinstallation) (Version:  - RA-MICRO GmbH & Co. KGaA)
RA-MICRO Elster (HKLM-x32\...\{EC15998D-5C48-43D9-B5A6-43085531B31C}) (Version: 4.25.0000 - RA-MICRO GmbH & Co KGaA)
RA-MICRO Infragistics 10.3 (HKLM-x32\...\{2592ACCF-8D9B-4CF8-B791-16A94A8A75B8}) (Version: 10.01.30101 - RA-MICRO Software GmbH)
RA-MICRO Leadtools (HKLM-x32\...\{DE726A89-0BF3-433D-B975-4201BF2E8156}) (Version: 2.01.0000 - RA-MICRO Software GmbH)
RA-MICRO Systemdateien (HKLM-x32\...\{22674A89-CE4D-428D-BA79-4446933FBAF0}) (Version: 1.2.2010.0 - RA-MICRO Software GmbH)
RA-MICRO TextControl 14.0 SP4 (HKLM-x32\...\{01201D0C-0AD2-471D-8CB6-E1574A5A0D8D}) (Version: 2.00.0000 - RA-MICRO Software GmbH)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.3621 - CyberLink Corp.) Hidden
SecCommerce SecSigner 3.6 (HKLM\...\SecCommerce SecSigner) (Version: 3.6 - SecCommerce Informationssysteme GmbH)
sv.net (HKLM-x32\...\sv.net) (Version: 13.2 - ITSG GmbH)
TeamViewer 6 (HKLM-x32\...\TeamViewer 6) (Version: 6.0.10722 - TeamViewer GmbH)
TeamViewer 7 (HKLM-x32\...\TeamViewer 7) (Version: 7.0.13989 - TeamViewer)
Trend Micro Worry-Free Business Security Agent (HKLM\...\Wofie) (Version: 7.0.2316 - Trend Micro Inc.)
Trend Micro Worry-Free Business Security Agent (Version: 7.0 - Trend Micro Inc.) Hidden
Trend Micro Worry-Free Business Security Agent (x32 Version: 1.0.0 - Trend Micro Inc.) Hidden
TWAIN Driver (HKLM-x32\...\InstallShield_{3D5D6830-C051-4273-857F-61CF7A3B5A6A}) (Version: 1.7.0717 - TWAIN Driver)
TWAIN Driver (x32 Version: 1.7.0717 - TWAIN Driver) Hidden
UTAX TA Software Library (HKLM\...\UTAX TA Software Library) (Version: 2.0.0713 - Kyocera Mita Corporation)
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking 64bit (x64) (HKLM\...\{4A5A427F-BA39-4BF0-7777-9A47FBE60C9F}) (Version: 11.0.0 - Nuance Communications Inc.)
Windows Small Business Server 2011 Standard ClientAgent (HKLM\...\{5C72F8A3-BF39-4733-B41E-0ED7EF622E37}) (Version: 6.1.7900.1 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

26-01-2015 16:54:22 Geplanter Prüfpunkt
06-02-2015 15:07:24 Geplanter Prüfpunkt
16-02-2015 17:00:49 Geplanter Prüfpunkt
24-02-2015 15:49:00 Geplanter Prüfpunkt
05-03-2015 12:02:22 Geplanter Prüfpunkt
10-03-2015 11:15:08 Installed LANCOM Advanced VPN Client.
19-03-2015 15:04:15 Geplanter Prüfpunkt

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {249C792D-8790-4ACE-94F8-842AD6C27AFF} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
Task: {2858ACED-AC06-4C93-8400-93B42F7DEA0A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-25] (Adobe Systems Incorporated)
Task: {2A1BBFCA-4412-4D4F-A03D-10E18261E70C} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {47CB48F8-BE23-48B3-8EA1-913F56243121} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
Task: {57B392D0-F84B-4E5F-AA46-3C5328A248B8} - System32\Tasks\HPCeeScheduleForGAPWS28W7$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {AD9F5268-16CD-4434-BA38-E8D3112D8E74} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {B9A5170B-00DA-4CF1-A95C-6099FB9D09E0} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {BD05FB36-C2DF-4EB4-A7ED-B6876F18DDAB} - System32\Tasks\Registration => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-11-17] ()
Task: {D14F873E-FFE0-418C-8892-7345422D82B2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {E56A8D7F-945F-4B81-B7C0-98582A7A3900} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForGAPWS28W7$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) ==============

2013-04-26 15:23 - 2011-01-03 19:53 - 00047104 _____ () C:\Program Files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll
2013-04-26 15:23 - 2011-01-03 19:53 - 00042496 _____ () C:\Program Files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll
2013-04-26 15:23 - 2011-01-03 21:53 - 00731136 _____ () C:\Program Files\Trend Micro\AMSP\sqlite3.dll
2013-04-26 15:23 - 2011-01-03 21:53 - 01719808 _____ () C:\Program Files\Trend Micro\AMSP\libprotobuf.dll
2011-10-05 14:16 - 2011-10-05 14:16 - 00289056 _____ () C:\Program Files\Trend Micro\UniClient\plugins\LUADLL.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00169472 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\x64\ncpbudget2008.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00112392 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\x64\ncpmif32.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00125952 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe
2011-01-03 19:54 - 2011-01-03 19:54 - 00047104 _____ () C:\Program Files\Trend Micro\Security Agent\boost_thread-vc80-mt-1_36.dll
2011-01-03 19:54 - 2011-01-03 19:54 - 00042496 _____ () C:\Program Files\Trend Micro\Security Agent\boost_date_time-vc80-mt-1_36.dll
2011-11-16 18:59 - 2011-11-16 18:59 - 00176640 _____ () C:\Program Files\Trend Micro\Security Agent\libTmHttpServer.dll
2011-11-16 18:59 - 2011-11-16 18:59 - 00167424 _____ () C:\Program Files\Trend Micro\Security Agent\libTmHttpClient.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 01759232 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpgacc.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00099840 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\bsdntif.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00101640 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmif32.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00117760 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpcfg.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00198144 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpdlg.dll
2011-03-17 01:11 - 2011-03-17 01:11 - 04297568 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2010-12-21 02:15 - 2010-12-21 02:15 - 01041248 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2015-04-07 09:42 - 2015-03-30 23:07 - 01174856 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\libglesv2.dll
2015-04-07 09:42 - 2015-03-30 23:07 - 00080200 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\libegl.dll
2015-04-07 09:42 - 2015-03-30 23:07 - 09279304 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.118\pdf.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:0FF263E8

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1386967835-2426692312-148520297-1206\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.2.100 - 192.168.18.11

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: Intel(R) PROSet Monitoring Service => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: IviRegMgr => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: TmListen => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\Windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: DNS7reminder => "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

==================== Accounts: =============================

Administrator (S-1-5-21-3558825690-141422522-473755175-500 - Administrator - Disabled)
Gast (S-1-5-21-3558825690-141422522-473755175-501 - Limited - Disabled)
serviceuser (S-1-5-21-3558825690-141422522-473755175-1000 - Administrator - Enabled) => C:\Users\serviceuser

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/07/2015 09:09:32 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/07/2015 08:56:16 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/02/2015 08:35:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/01/2015 03:06:54 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Word: Rejected Safe Mode action : Schwerwiegender Fehler in Word beim ra-micro datenschnittstelle word 2007-Add-In. Falls diese Fehlermeldung mehrmals angezeigt wurde, sollten Sie dieses Add-In deaktivieren und überprüfen, ob ein Update verfügbar ist. Möchten Sie dieses Add-In deaktivieren?.
Rejected Safe Mode action : Microsoft Word.

Error: (04/01/2015 03:05:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm winword.exe, Version 14.0.7106.5001 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 1320

Startzeit: 01d06c78d4e24d5d

Endzeit: 0

Anwendungspfad: c:\program files (x86)\microsoft office\office14\winword.exe

Berichts-ID:

Error: (04/01/2015 08:31:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/31/2015 08:41:26 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2015 08:35:23 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/27/2015 09:34:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/26/2015 09:30:07 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/07/2015 11:06:35 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 40.

Error: (04/07/2015 11:06:34 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 112.

Error: (04/07/2015 11:00:28 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 40.

Error: (04/07/2015 11:00:27 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 112.

Error: (04/07/2015 10:54:04 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 40.

Error: (04/07/2015 10:54:04 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 112.

Error: (04/07/2015 10:48:07 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 40.

Error: (04/07/2015 10:48:07 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 112.

Error: (04/07/2015 10:46:47 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: GAPPMAYER)
Description: Fehler beim Verarbeiten der Gruppenrichtlinie. Der Name eines Domänencontrollers konnte nicht abgerufen werden. Dies kann auf einen Fehler bei der Namensauflösung zurückzuführen sein. Überprüfen Sie, ob DNS (Domain Name System) konfiguriert ist und richtig ausgeführt wird.

Error: (04/07/2015 10:41:59 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 40.


Microsoft Office Sessions:
=========================
Error: (04/07/2015 09:09:32 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/07/2015 08:56:16 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/02/2015 08:35:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/01/2015 03:06:54 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft WordSchwerwiegender Fehler in Word beim ra-micro datenschnittstelle word 2007-Add-In. Falls diese Fehlermeldung mehrmals angezeigt wurde, sollten Sie dieses Add-In deaktivieren und überprüfen, ob ein Update verfügbar ist. Möchten Sie dieses Add-In deaktivieren?

Error: (04/01/2015 03:05:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: winword.exe14.0.7106.5001132001d06c78d4e24d5d0c:\program files (x86)\microsoft office\office14\winword.exe

Error: (04/01/2015 08:31:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/31/2015 08:41:26 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2015 08:35:23 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/27/2015 09:34:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/26/2015 09:30:07 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
Percentage of memory in use: 47%
Total physical RAM: 3984.02 MB
Available physical RAM: 2085.82 MB
Total Pagefile: 7966.21 MB
Available Pagefile: 5617.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:458.86 GB) (Free:371.84 GB) NTFS
Drive g: (Daaten) (Network) (Total:465.73 GB) (Free:359.71 GB) NTFS
Drive h: (Daaten) (Network) (Total:465.73 GB) (Free:359.71 GB) NTFS
Drive r: (Daaten) (Network) (Total:465.73 GB) (Free:359.71 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1981C818)
Partition 1: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=458.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=6.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
         
--- --- ---
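
Triage of the FRST sections quoted above, as an added example that is not part of this thread and not FRST's own code. It pulls out the entries a reviewer looks at first: scheduled tasks and loaded modules whose target carries an empty publisher field (`()`), alternate data streams, a hosts file whose size differs from the stock value, and Schannel errors translated to their TLS alert names. Assumptions: the 824-byte size of an untouched Windows 7 hosts file, the alert-code names from RFC 5246/6066, and the sample input, which is copied from the log above except for one constructed, oversized hosts line.

```python
import re

# Assumption: a stock Windows 7 hosts file is 824 bytes; any other size warrants a look.
DEFAULT_HOSTS_SIZE = 824

# TLS alert descriptions (RFC 5246 / RFC 6066) for the two codes seen in the log.
TLS_ALERTS = {40: "handshake_failure", 112: "unrecognized_name"}

# Task: {GUID} - System32\Tasks\<name> => <target> [YYYY-MM-DD] (<publisher>)
TASK_RE = re.compile(
    r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<target>.+?)"
    r"(?: \[\d{4}-\d{2}-\d{2}\] \((?P<publisher>.*)\))?$")

# <date> - <date> - <size> <attrs> (<publisher>) <path>      (Loaded Modules section)
MODULE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{8}) \S+ \((?P<publisher>.*?)\) (?P<path>.+)$")

# <date> - <date> - <size> <attrs> <path>\hosts              (Hosts content section)
HOSTS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{8}) \S+ (?P<path>.+\\hosts)$")

EVENT_RE = re.compile(r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<src>[^)]+)\)")
ALERT_RE = re.compile(r"(?P<code>\d+)\.?$")


def triage(lines):
    """Return (category, subject, detail) tuples for log lines worth a second look."""
    findings = []
    pending_schannel = None  # timestamp of a Schannel error whose Description line is next
    for raw in lines:
        line = raw.strip()
        if pending_schannel and line.startswith("Description:"):
            m = ALERT_RE.search(line)
            if m:
                code = int(m.group("code"))
                findings.append(("tls-alert", pending_schannel,
                                 TLS_ALERTS.get(code, f"alert {code}")))
            pending_schannel = None
            continue
        m = EVENT_RE.match(line)
        if m:
            pending_schannel = m.group("when") if m.group("src") == "Schannel" else None
            continue
        m = TASK_RE.match(line)
        if m:
            # "()" means FRST found no company name in the target's version info;
            # a task line without any "[date] (publisher)" suffix is no evidence either way.
            if m.group("publisher") == "":
                findings.append(("task-no-publisher", m.group("name"), m.group("target")))
            continue
        m = MODULE_RE.match(line)
        if m and m.group("publisher") == "":
            findings.append(("module-no-publisher", m.group("path"), m.group("size")))
            continue
        if line.startswith("AlternateDataStreams:"):
            findings.append(("ads", line.split(": ", 1)[1], ""))
            continue
        m = HOSTS_RE.match(line)
        if m and int(m.group("size")) != DEFAULT_HOSTS_SIZE:
            findings.append(("hosts-modified", m.group("path"), m.group("size")))
    return findings


# Constructed sample: lines copied from the thread's FRST log, plus one
# invented hosts line (size 1337) to show the size check firing.
SAMPLE = r"""
Task: {BD05FB36-C2DF-4EB4-A7ED-B6876F18DDAB} - System32\Tasks\Registration => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-11-17] ()
Task: {AD9F5268-16CD-4434-BA38-E8D3112D8E74} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {249C792D-8790-4ACE-94F8-842AD6C27AFF} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
2011-11-16 18:59 - 2011-11-16 18:59 - 00176640 _____ () C:\Program Files\Trend Micro\Security Agent\libTmHttpServer.dll
AlternateDataStreams: C:\ProgramData\Temp:0FF263E8
2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
2009-07-14 04:34 - 2015-03-30 09:12 - 00001337 ____A C:\Windows\system32\Drivers\etc\hosts
Error: (04/07/2015 11:06:35 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 40.
Error: (04/07/2015 11:06:34 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: Es wurde eine schwerwiegende Warnung empfangen: 112.
""".splitlines()

if __name__ == "__main__":
    for category, subject, detail in triage(SAMPLE):
        print(f"{category:20} {subject}  {detail}")
```

On the log above this yields one task with no publisher (RemEngine.exe), every entry of the "Loaded Modules (whitelisted)" section (all carry `()` and have to be matched against their vendor directories by hand), the single ADS under C:\ProgramData\Temp, an unmodified 824-byte hosts file, and repeated alert pairs 112/40: the client's SNI name was not recognised by the remote server and the handshake then failed, which is a configuration symptom rather than a rootkit indicator.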


07.04.2015, 10:22   #6
cosinus

Then please run ComboFix now:

Scan with ComboFix
WARNING to anyone reading along:
ComboFix should only be run when a team member has instructed you to do so!

Please download ComboFix from the following download mirror: Link
  • IMPORTANT: save ComboFix to your desktop.
  • Please disable all of your antivirus software and malware/spyware scanners. They can interfere with ComboFix's work. ComboFix sometimes still complains anyway; you can ignore that, but please let me know.
  • Start ComboFix.exe and follow the on-screen instructions.
  • While ComboFix is running, do not work at the computer, move the mouse, or click in the ComboFix window!
  • When ComboFix has finished it will create a log file.
  • Please post C:\Combofix.txt in your next reply (preferably in CODE tags).
Note: if you get the following error message after the reboot
"An attempt was made to perform an operation on a registry key that has been marked for deletion."
simply restart the computer. That should fix the problem.


07.04.2015, 11:21   #7
HtHNightwolf

Combofix Logfile:
Code:
ComboFix 15-04-01.01 - dwa 07.04.2015  11:49:19.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.3984.2595 [GMT 2:00]
ausgeführt von:: c:\users\*****\Desktop\ComboFix.exe
AV: Trend Micro Security Agent *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Security Agent *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\ntuser.pol
C:\Thumbs.db
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0069E3AD-7734-4B4B-978E-195DB2A3227B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{130BE979-2DD5-4B8E-85DA-3602546BA50C}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{141C435A-0352-432B-97FE-CC5359B508E8}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{147E0098-9A3A-49E4-9565-36444A74D986}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{156981D9-1DEE-419D-8651-C19962432B4B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{15A54724-C02D-4EDD-8A17-A3F76838BBCA}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{1AA8C91D-71DC-49F8-B628-FC75919FA25B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{1B37CCD9-42F4-4CB4-8479-E491C1E6B3CF}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{1CE1EA24-9F33-48C4-A469-F69904DA5072}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{1FD968FF-D9A3-4346-8853-5B343CF8A70E}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{24E6946F-4316-4E5C-BAAE-03FAE0C0BBD1}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2594C6B0-68E6-4EA2-86E9-E3D75681C5C2}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2BC49670-2F60-49AE-8ED3-53D133401024}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2CDC23D6-8BED-4D9F-8E8D-7D32DF3A1DB5}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2E9DC0D2-3469-4512-BF93-2AE70E9C6439}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2FC9364C-6C5B-4E76-9BB1-A14BCA606880}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{323550C3-A13C-4251-A73D-C612D66E3CDD}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{32DA1E6F-10DC-4115-8F5B-DC5A8B9C759B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{34BA78D6-876B-40B2-B685-31B14B4F11FC}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{35A652C1-903A-4F1D-8C25-5368E649C1F4}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{38A78940-54A0-4594-88C1-28917459D41E}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3D3F1A5B-1136-4FE1-AC22-E08C36C58BA1}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3D5C6A98-5A72-4342-8C6D-0C65382DBE62}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3F21EE6F-2078-4931-AB09-27FA05851DD8}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{49BE2411-FEFA-482C-83A6-9550D4A78FEE}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{49DAEB67-FC2A-4752-93CE-AE75FE92F867}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{50E6F95F-CCAB-4918-BE07-415234ED9FBD}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{52A6CF78-6975-4411-8B55-D44DB9F0FF44}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5B252CBF-903F-4A64-BFCD-618AB939C57C}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5BE46558-25CB-435A-8D7B-D92DE4154E99}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5CF2AB67-A62F-4446-A40B-C0267486CA8A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{63795872-AEA3-414B-B7DF-0CB70983C44B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6585B2E8-3BE3-4E13-9B6A-7C48BA035D33}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{684AE93E-2CCA-406F-B771-8D5E7B254498}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6C4E4D56-11B4-4164-B136-67671117ABFF}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7111C7E7-5109-4A97-8D61-583508B01BBD}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{71E19C7A-ADD3-4BE8-99BA-A4ABB58CBD9A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{72D9BB31-9C55-45A3-8B16-C94E62946342}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{749DF377-C398-4440-A5CF-558696E40D4F}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{799CA3B6-169B-4859-8DF1-80F1A187FE18}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7C33E5CE-618C-4B78-82AC-65DD48485FA4}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{817AEFF6-63F5-4B3D-8697-098E3B04D555}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{82CE2B67-DFF7-452D-86CF-038527C644C1}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{84663F54-45B6-4E93-BE16-D25FAD658E2F}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{876FA891-F00F-4807-84EB-D69411F3231E}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8F540928-6065-48C1-98B4-1F2C7790E2C0}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8F5BF257-2422-4B14-B5C2-46E5698ABD17}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9738A782-AF37-43AD-AEB8-2D000A2B404A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9A5197AB-B44E-4BDE-B155-7AA938D698AC}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9F22E003-4BA0-4E0F-AA5C-5B3C801650E2}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9FB3DDF4-9250-4766-AACA-7E541FE94DC6}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A0E6192C-D982-4169-826A-609D522865E8}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A1CDF01C-9CF5-4127-8C24-DEC604EF576A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A4DD77E4-5D59-45EF-BC36-DFF46D4E3C8D}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A594E8A9-760D-49BC-9176-00B946DD64F2}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A7A0E79E-6971-454D-A7F7-DBCB39A3A37B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A9418980-D54A-42EC-AE35-27D55CB17A0D}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{AE20C711-6140-451B-A486-40DE750FB791}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{AEBF3788-8410-4110-BFF7-87A9B84BD596}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B2DC0E7A-7FBE-4B88-BDE1-BDBE613899CF}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B3CE18BB-2CCF-46C7-B96E-FF43E987E434}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B4199E09-4310-44C0-BDAA-4FA24F875ECD}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B4DD3160-53B3-4283-8E8F-7EBB0F9DC79A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BB58E9CE-75DB-4935-B93A-1165478F85FF}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C1B293AE-9727-4AF8-A909-C52B9EEA0005}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C550C7AA-EF5A-4707-BF30-5EAB6B67AA9D}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C597BE72-608E-4A61-A26A-1EEBFCD5FF19}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C70CDAD8-4508-49F2-B6DD-38E14494FAB5}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C937ADF3-75F2-47E4-A1DB-97ABC4C404B7}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CC5C44C7-5490-4492-A759-73C2939D952A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D0FEDF04-BBFC-47F6-AD43-171686135D63}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D654D110-878A-4D92-9C4F-148D4A34E09D}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D6963523-72BC-4FA6-89F4-41EE24606A60}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D6BC1140-629B-446E-B3A0-8BDA7F49A88B}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D7986490-1EB5-49DF-883C-790868A24778}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D93A2DCB-B4D0-4FA9-BB9A-7206D8E9B18A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DDEB7F81-1C58-4058-87BF-13C4A69483F8}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DE56D43D-E70E-4CC0-8A65-7492F01FCAB2}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DE672BC6-A0AE-476D-912A-E1F5F6FB0A7F}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DEC1F115-B1C9-4BE7-ABD0-31FF611256BC}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DFC4602D-5927-4ECE-B5E5-26B281B6B1C1}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E104BDE5-81A1-4782-B001-123992CAAB42}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E52205DB-6811-4B0D-BD60-C8481E822C4D}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E60D64C6-2BA4-41D6-B4B1-6EE9447FAFCD}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E65630A8-C375-4384-B497-91DF93951116}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E981632C-3B90-4406-A51C-F4030738B0D9}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F1D705A2-A206-4837-89D0-E8EF000A4B05}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F3034001-5926-4A9F-B3F1-54B1DC34CAC5}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F651A0FC-AF83-43A0-85CA-4FED49991202}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F8099862-4B16-477B-917B-0A5F34AE9671}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F86F8069-2E5C-4A35-872B-C9826E60E39A}.xps
c:\users\awa\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FE36F8BE-0354-4FD4-B3C1-27D428745E58}.xps
c:\users\dwa\AppData\Local\assembly\tmp
c:\users\dwa\AppData\Local\assembly\tmp\7C2MXU0C\__AssemblyInfo__.ini
c:\users\sku\AppData\Local\assembly\tmp
.
.
(((((((((((((((((((((((   Files created from 2015-03-07 to 2015-04-07  ))))))))))))))))))))))))))))))
.
.
2015-04-07 10:01 . 2015-04-07 10:01	--------	d-----w-	c:\users\swi.*****\AppData\Local\temp
2015-04-07 10:01 . 2015-04-07 10:01	--------	d-----w-	c:\users\Default\AppData\Local\temp
2015-04-07 10:01 . 2015-04-07 10:01	--------	d-----w-	c:\users\awa.*****\AppData\Local\temp
2015-04-07 09:09 . 2015-04-07 09:11	--------	d-----w-	C:\FRST
2015-03-10 09:16 . 2015-01-20 14:03	112560	----a-w-	c:\windows\system32\drivers\ncplelhp.sys
2015-03-10 09:15 . 2015-03-10 09:15	--------	d-----w-	c:\programdata\NCP
2015-03-10 09:15 . 2015-03-10 09:15	--------	d-----w-	c:\program files (x86)\LANCOM
2015-03-10 09:14 . 2015-03-10 09:14	--------	d-----w-	c:\users\dwa\AppData\Local\Downloaded Installations
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-31 12:44 . 2015-01-30 07:40	129752	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-03-25 07:42 . 2012-08-10 07:54	778928	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2015-03-25 07:42 . 2011-08-16 13:34	142512	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-20 14:03 . 2015-01-20 14:03	2231048	----a-w-	c:\windows\system32\NcpCredentialProvider.dll
.
.
((((((((((((((((((((((((((((   Registry autostart points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2015-03-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StatusAlerts"="c:\program files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe" [2012-07-18 313248]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"NcpMonitor"="c:\program files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe" [2015-01-20 7730928]
"NcpBudgetGui"="c:\program files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe" [2015-01-20 1819888]
"NcpPopup"="c:\program files (x86)\LANCOM\Advanced VPN Client\ncppopup.exe" [2015-01-20 964848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 HP DS Service;HP DS Service;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe [x]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x64.sys;c:\windows\SYSNATIVE\drivers\ifM52x64.sys [x]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys;c:\windows\SYSNATIVE\drivers\ifP52X64.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.8.150\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\3.8.150\McCHSvc.exe [x]
R3 ncpfilt;LANCOM Filter;c:\windows\system32\DRIVERS\ncplelhp.sys;c:\windows\SYSNATIVE\DRIVERS\ncplelhp.sys [x]
R3 Olympus DVR Service;Olympus DVR Service;c:\program files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe;c:\program files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [x]
R4 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [x]
S2 ncpclcfg;NCP Client Configuration Support;c:\program files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe;c:\program files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe [x]
S2 ncprwsnt;NCP Client VPN und Dialing Service;c:\program files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe;c:\program files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe [x]
S2 ncpsec;NCP Client PKI Support;c:\program files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe;c:\program files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys;c:\windows\SYSNATIVE\DRIVERS\tmevtmgr.sys [x]
S3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 ncplelhp;LANCOM Secure Client NDIS6 Driver;c:\windows\system32\DRIVERS\ncplelhp.sys;c:\windows\SYSNATIVE\DRIVERS\ncplelhp.sys [x]
.
.
--- Other services/drivers in memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-07 07:42	1061704	----a-w-	c:\program files (x86)\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe
.
Contents of the "Scheduled Tasks" folder
.
2015-04-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-10 07:42]
.
2015-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-04 12:26]
.
2015-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-04 12:26]
.
2015-04-02 c:\windows\Tasks\HPCeeScheduleForGAPWS28W7$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-10-17 219480]
.
------- Supplementary scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: An OneNote s&enden - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.18.11 192.168.18.1
FF - ProfilePath - c:\users\dwa\AppData\Roaming\Mozilla\Firefox\Profiles\8nglco5m.default\
.
- - - - Orphaned registry entries removed - - - -
.
Wow6432Node-HKCU-Run-AdobeChk - c:\users\dwa\AppData\Roaming\AdobeChk\chk.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- Locked registry keys ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.17"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NCP engineering GmbH\NCP Secure Client\restricted*Path]
"NcpDb_Nonce"="8IpAHlOQ3cVhXZ0oZ2XJodAkIa8GVA3"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other running processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\TeamViewer\Version7\TeamViewer.exe
c:\program files (x86)\TeamViewer\Version7\tv_w32.exe
.
**************************************************************************
.
Completion time: 2015-04-07  12:10:16 - PC was restarted
ComboFix-quarantined-files.txt  2015-04-07 10:10
.
Pre-run: 19 directories, 399,353,958,400 bytes free
Post-run: 28 directories, 406,397,083,648 bytes free
.
- - End Of File - - 7D918B07C2471EFE5AC63FC3167BC028
         
--- --- ---

Last edited by HtHNightwolf (07.04.2015 at 11:28)
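The ComboFix output in the post above reports two things a triager looks at before anything else: the registry autostart points (including an orphaned Run value that pointed into a user's AppData\Roaming folder) and the UAC policy values under policies\system, which on this machine are all zero, meaning UAC is switched off and administrators elevate without any prompt. The script below is an added example, not part of the original post and not a Trojaner-Board tool: it parses log lines in ComboFix's REGEDIT4-style format and flags Run/RunOnce values whose target lives in a user-writable location, plus policy values set to insecure settings. The embedded sample log is constructed to mirror the post's format (the AdobeChk line copies the orphaned entry ComboFix listed, its date/size field is made up), and the list of "user-writable" path markers and the policy checks are this example's own assumptions, not ComboFix's logic.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in the ComboFix "Registry autostart points" format used in
# the post above. Values are assumed; the AdobeChk line mirrors the orphaned
# entry ComboFix reported, but its date/size field is invented for this example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"AdobeChk"="c:\users\dwa\AppData\Roaming\AdobeChk\chk.exe" [2015-03-01 51200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StatusAlerts"="c:\program files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe" [2012-07-18 313248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="c:\path\file.exe" [date size]   (the trailing bracket is optional)
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]+)"(?:\s+\[[^\]]*\])?$')
# "Name"= 0 (0x0)
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# Launch locations any user (and therefore any user-level malware) can write to.
# A Run value pointing here is a triage priority, not proof of infection.
USER_WRITABLE_MARKERS = (
    r"\appdata\roaming", r"\appdata\local", r"\users\public",
    r"\programdata", r"\windows\temp",
)

# (last key component, value name) -> (is_acceptable, reason shown when it is not)
POLICY_CHECKS = {
    ("system", "EnableLUA"): (lambda v: v == 1, "UAC is switched off entirely"),
    ("system", "ConsentPromptBehaviorAdmin"): (lambda v: v != 0, "administrators elevate silently with no prompt"),
    ("system", "PromptOnSecureDesktop"): (lambda v: v == 1, "elevation prompts do not use the secure desktop"),
    ("explorer", "HideSCAHealth"): (lambda v: v == 0, "Action Center security/maintenance icon is hidden"),
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "autostart" or "policy"
    key: str     # registry key the value lives in
    name: str    # value name
    detail: str  # target path (autostart) or reason (policy)


def iter_registry_values(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, raw value line) pairs from ComboFix-style REGEDIT4 output."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
        elif key is not None and line.startswith('"'):
            yield key, line


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(text: str) -> List[Finding]:
    """Flag autostart values in user-writable paths and insecure policy values."""
    findings: List[Finding] = []
    for key, line in iter_registry_values(text):
        tail = key.lower().rsplit("\\", 1)[-1]
        if tail in ("run", "runonce"):
            m = RUN_RE.match(line)
            if m and is_user_writable(m.group("path")):
                findings.append(Finding("autostart", key, m.group("name"), m.group("path")))
        elif "\\policies\\" in key.lower():
            m = POLICY_RE.match(line)
            if not m:
                continue
            check = POLICY_CHECKS.get((tail, m.group("name")))
            if check and not check[0](int(m.group("value"))):
                findings.append(Finding("policy", key, m.group("name"), check[1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.detail}  ({f.key})")
```

Run against the sample it reports the AdobeChk value and the four policy settings; pointed at a real ComboFix log (`triage(open("ComboFix.txt", encoding="cp1252").read())`) it does the same for the sections shown above. The path-marker list is deliberately broad: legitimate updaters also launch from AppData\Local, so a hit means "look at this first", and the file's signer, hash and creation date decide the rest.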

07.04.2015, 12:29   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™


Remove adware/junkware/toolbars

Delete old versions of adwCleaner and, if present, JRT first, then download them again to the desktop!
Please completely disable your virus scanner before using these tools!


Step 1: adwCleaner

Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will restart automatically. After the restart a text file will open. Post its contents in your next reply.
  • You can also find the log file at C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).




Step 2: JRT - Junkware Removal Tool

Please close your security software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop

  • Start the tool with a double-click. On Windows Vista (or higher), please start it via right-click "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan can take a while.
  • When the tool has finished, the log file (JRT.txt) is saved to the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.




Step 3: Fresh log with FRST

Please download the matching version of Farbar's Recovery Scan Tool to your desktop: FRST 32-Bit | FRST 64-Bit
(If you are not sure: download both versions, or look under Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked and click Scan.
  • The log files will now be created and will then be on your desktop.
  • Post FRST.txt and, after the first scan, also Addition.txt in your thread (click the #-symbol in the site's input window)

__________________
Please always post log files in CODE tags

08.04.2015, 14:09   #9
HtHNightwolf

AdwCleaner log file:
Code:
# AdwCleaner v4.200 - Report created 07/04/2015 at 16:16:12
# Updated 29/03/2015 by Xplode
# Database : 2015-04-06.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : dwa - GAPWS28W7
# Started from : C:\Users\dwa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0DB3SRBE\AdwCleaner_4.200[1].exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\serviceuser\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh
File Deleted : C:\Users\serviceuser\AppData\Roaming\Mozilla\Firefox\Profiles\muwijcsh.default\searchplugins\Askcom.xml

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.7601.17514


-\\ Mozilla Firefox v26.0 (de)

[sm8y7qqc.default\prefs.js] - Line Deleted : user_pref("browser.search.order.1", "Ask.com");
[sm8y7qqc.default\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
[muwijcsh.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
[muwijcsh.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
[muwijcsh.default\prefs.js] - Line Deleted : user_pref("browser.search.order.1", "Ask.com");
[muwijcsh.default\prefs.js] - Line Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

-\\ Google Chrome v41.0.2272.118

[C:\Users\awa.GAPPMAYER\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://de.ask.com/web?q={searchTerms}
[C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Preferences] - Deleted [Extension] : bopakagnckmlgajfccecajhnimjiiedh
[C:\Users\serviceuser.GAPPMAYER\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://de.ask.com/web?q={searchTerms}
[C:\Users\serviceuser.GAPPMAYER.000\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://de.ask.com/web?q={searchTerms}
[C:\Users\swi.GAPPMAYER\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://de.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [3445 Bytes] - [07/04/2015 15:39:25]
AdwCleaner[S0].txt - [3285 Bytes] - [07/04/2015 16:16:12]

########## EOF - H:\AdwCleaner\AdwCleaner[S0].txt - [3344  Bytes] ##########
         
--- --- ---


JRT log file:
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.5.2 (04.06.2015:1)
OS: Windows 7 Professional x64
Ran by dwa on 07.04.2015 at 16:28:11,42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}



~~~ Files

Successfully deleted: [File] C:\Windows\prefetch\GOOGLETOOLBARMANAGER_BA9226F4-3D073F18.pf
Successfully deleted: [File] C:\Windows\prefetch\GOOGLETOOLBARNOTIFIER.EXE-7AE0A20E.pf
Successfully deleted: [File] C:\Windows\prefetch\GOOGLETOOLBARUSER_32.EXE-34B1B1C5.pf



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\flexnet"
Successfully deleted: [Folder] "C:\Users\dwa\AppData\Roaming\flexnet"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07.04.2015 at 16:34:16,32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         
--- --- ---

FRST log file:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by dwa (administrator) on GAPWS28W7 on 07-04-2015 16:34:53
Running from C:\Users\dwa\Downloads
Loaded Profiles: dwa (Available profiles: Serviceuser & awa & swi & hka & tvr & sku & dwa & serviceuser)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe
(NCP Engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe
() C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Security Agent\TmListen.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Desktop.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [219480 2011-10-17] (Trend Micro Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [895512 2010-10-22] (PDF Complete Inc)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [NcpMonitor] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe [7730928 2015-01-20] (NCP engineering GmbH)
HKLM-x32\...\Run: [NcpBudgetGui] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe [1819888 2015-01-20] (NCP engineering GmbH)
HKLM-x32\...\Run: [NcpPopup] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncppopup.exe [964848 2015-01-20] (NCP engineering GmbH)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2015-03-25] (Google Inc.)
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1386967835-2426692312-148520297-1206\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll [2011-09-28] (Trend Micro Inc.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll [2015-03-25] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg32.dll [2010-09-30] (Trend Micro Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll [2012-07-05] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-25] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll [2012-07-05] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-25] (Google Inc.)
Toolbar: HKU\S-1-5-21-1386967835-2426692312-148520297-1206 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll [2011-09-28] (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg32.dll [2010-09-30] (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Security Agent\UIFramework\ProToolbarIMRatingActiveX.dll [2011-11-10] (Trend Micro Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.18.11 192.168.18.1

FireFox:
========
FF ProfilePath: C:\Users\dwa\AppData\Roaming\Mozilla\Firefox\Profiles\8nglco5m.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll [2013-03-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll [2013-03-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npDeployJava1.dll [2012-07-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll [2012-07-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: G Data BankGuard - C:\Program Files (x86)\Mozilla Firefox\extensions\{906305f7-aafc-45e9-8bbd-941950a84dad} [2014-01-24]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2013-04-26]

Chrome: 
=======
CHR Profile: C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-02]
CHR Extension: (Google Drive) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-02]
CHR Extension: (YouTube) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-02]
CHR Extension: (Google Search) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-02]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-02]
CHR Extension: (Gmail) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-02]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
R2 ncpclcfg; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe [531208 2015-01-20] (NCP engineering GmbH)
R2 ncprwsnt; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe [1782024 2015-01-20] (NCP Engineering GmbH)
R2 ncpsec; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe [125952 2015-01-20] () [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
S3 Olympus DVR Service; C:\Program Files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [176128 2010-02-26] (OLYMPUS IMAGING CORP.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1121304 2010-10-22] (PDF Complete Inc)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R3 TmListen; C:\Program Files\Trend Micro\Security Agent\tmlisten.exe [1017360 2011-11-16] (Trend Micro Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=qb -dt=60000 [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 IFCoEMP; C:\Windows\system32\drivers\ifM52x64.sys [339728 2010-08-14] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP52X64.sys [65808 2010-08-14] (Intel(R) Corporation)
S3 ncpfilt; C:\Windows\System32\DRIVERS\ncplelhp.sys [112560 2015-01-20] (NCP Engineering GmbH)
R3 ncplelhp; C:\Windows\System32\DRIVERS\ncplelhp.sys [112560 2015-01-20] (NCP Engineering GmbH)
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90896 2011-06-23] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [146192 2011-06-23] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [69904 2011-06-23] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-09-30] (Trend Micro Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-07 16:34 - 2015-04-07 16:35 - 00014744 _____ () C:\Users\dwa\Downloads\FRST.txt
2015-04-07 16:34 - 2015-04-07 16:34 - 00001623 _____ () C:\Users\dwa\Desktop\JRT.txt
2015-04-07 16:29 - 2015-04-07 16:29 - 00001074 _____ () C:\Users\dwa\Desktop\FRST64 - Verknüpfung.lnk
2015-04-07 16:28 - 2015-04-07 16:28 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-GAPWS28W7-Windows-7-Professional-(64-bit).dat
2015-04-07 16:28 - 2015-04-07 16:28 - 00000000 ____D () C:\RegBackup
2015-04-07 15:40 - 2015-04-07 15:40 - 02691312 _____ (Thisisu) C:\Users\dwa\Downloads\JRT.exe
2015-04-07 12:18 - 2015-04-07 12:18 - 00027016 _____ () C:\SF.txt
2015-04-07 12:10 - 2015-04-07 12:18 - 00027016 _____ () C:\ComboFix.txt
2015-04-07 11:43 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-07 11:43 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-07 11:43 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2015-04-07 11:39 - 2015-04-07 11:36 - 05617096 ____R (Swearware) C:\Users\dwa\Desktop\ComboFix.exe
2015-04-07 11:37 - 2015-04-07 12:10 - 00000000 ____D () C:\Qoobox
2015-04-07 11:37 - 2015-04-07 12:08 - 00000000 ____D () C:\Windows\erdnt
2015-04-07 11:35 - 2015-04-07 11:36 - 05617096 _____ (Swearware) C:\Users\dwa\Downloads\ComboFix.exe
2015-04-07 11:09 - 2015-04-07 16:34 - 00000000 ____D () C:\FRST
2015-04-07 11:08 - 2015-04-07 11:08 - 02095616 _____ (Farbar) C:\Users\dwa\Downloads\FRST64.exe
2015-03-31 14:50 - 2015-03-31 14:50 - 00380416 _____ () C:\Users\dwa\Downloads\Gmer-19357.exe
2015-03-25 09:42 - 2015-03-27 14:35 - 00000000 ____D () C:\Users\dwa\AppData\Roaming\Google
2015-03-23 12:57 - 2015-03-23 13:04 - 00011200 _____ () C:\Users\dwa\Documents\Kontodaten wg. FG - Inka Akten.xlsx
2015-03-10 12:12 - 2015-03-10 12:12 - 00000000 ____D () C:\Users\dwa\Documents\Gappmayer - Akten
2015-03-10 12:11 - 2015-03-10 12:11 - 00000000 ____D () C:\Users\dwa\Documents\Gappmayer - Büro
2015-03-10 12:09 - 2015-04-02 16:42 - 00000000 ____D () C:\Users\dwa\Documents\Mue-Stö - Akten
2015-03-10 12:07 - 2015-03-10 12:11 - 00000000 ____D () C:\Users\dwa\Documents\Mue-Stö - Büro
2015-03-10 11:23 - 2015-03-10 11:27 - 00002060 _____ () C:\Users\dwa\Desktop\DATEV Terminalserver Weitnauer-MUC.RDP
2015-03-10 11:16 - 2015-03-10 11:16 - 00002035 _____ () C:\Users\Public\Desktop\LANCOM Advanced VPN Client.lnk
2015-03-10 11:16 - 2015-03-10 11:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LANCOM
2015-03-10 11:16 - 2015-01-20 16:03 - 00112560 _____ (NCP Engineering GmbH) C:\Windows\system32\Drivers\ncplelhp.sys
2015-03-10 11:15 - 2015-03-10 11:15 - 00000000 ____D () C:\ProgramData\NCP
2015-03-10 11:15 - 2015-03-10 11:15 - 00000000 ____D () C:\Program Files (x86)\LANCOM
2015-03-10 11:14 - 2015-03-10 11:14 - 00000000 ____D () C:\Users\dwa\AppData\Local\Downloaded Installations
2015-03-10 11:07 - 2015-03-10 11:14 - 32785128 _____ (NCP engineering GmbH) C:\Users\dwa\Downloads\LC-Advanced-VPN-Client-Win-3.00-REL-x86-64.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-07 16:29 - 2012-08-10 09:54 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-07 16:24 - 2009-07-14 06:45 - 00035984 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-07 16:24 - 2009-07-14 06:45 - 00035984 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-07 16:21 - 2011-04-12 09:43 - 00704134 _____ () C:\Windows\system32\perfh007.dat
2015-04-07 16:21 - 2011-04-12 09:43 - 00151134 _____ () C:\Windows\system32\perfc007.dat
2015-04-07 16:21 - 2009-07-14 07:13 - 01633276 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-07 16:20 - 2013-04-26 11:46 - 01480779 _____ () C:\Windows\WindowsUpdate.log
2015-04-07 16:19 - 2014-01-02 12:54 - 00000000 ____D () C:\Users\dwa
2015-04-07 16:19 - 2012-09-04 12:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-07 16:18 - 2011-08-16 14:25 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
2015-04-07 16:17 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-07 16:17 - 2009-07-14 06:51 - 01680563 _____ () C:\Windows\setupact.log
2015-04-07 16:16 - 2014-01-02 12:54 - 00000250 ___SH () C:\Users\dwa\ntuser.ini
2015-04-07 15:41 - 2012-09-04 12:15 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-07 15:38 - 2013-06-14 13:41 - 00000040 _____ () C:\Windows\DICTANET.INI
2015-04-07 15:36 - 2015-01-26 11:56 - 00000000 ____D () C:\MSIT
2015-04-07 15:36 - 2011-07-15 10:11 - 00000000 ____D () C:\ProgramData\Temp
2015-04-07 14:18 - 2013-06-14 13:41 - 00000051 _____ () C:\Windows\Error.Ini
2015-04-07 14:05 - 2009-07-14 07:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-07 12:10 - 2013-04-25 10:07 - 00000000 ____D () C:\Users\hka
2015-04-07 12:10 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2015-04-07 12:05 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2015-04-07 12:03 - 2010-11-21 05:47 - 00197558 _____ () C:\Windows\PFRO.log
2015-04-07 10:08 - 2011-07-15 10:12 - 00000000 ____D () C:\ProgramData\PDFC
2015-04-07 09:01 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\spool
2015-04-02 09:24 - 2011-10-14 03:24 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForGAPWS28W7$
2015-04-02 09:24 - 2011-10-14 03:24 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForGAPWS28W7$.job
2015-03-31 15:10 - 2015-01-29 16:55 - 00002004 ____H () C:\Users\dwa\Documents\Default.rdp
2015-03-31 14:44 - 2015-01-30 09:40 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-27 09:52 - 2014-01-02 15:06 - 00000000 ____D () C:\Users\dwa\AppData\Local\Google
2015-03-25 09:42 - 2014-06-24 11:10 - 00000000 ____D () C:\Users\dwa\AppData\Local\Adobe
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\ProgramData\Google
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\Program Files\Google
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\Program Files (x86)\Google
2015-03-25 09:42 - 2012-08-10 09:54 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-03-25 09:42 - 2012-08-10 09:54 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-03-25 09:42 - 2011-08-16 15:34 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

Some content of TEMP:
====================
C:\Users\dwa\AppData\Local\Temp\Quarantine.exe
C:\Users\dwa\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-31 15:57

==================== End Of Log ============================

Last edited by HtHNightwolf (08.04.2015 at 14:44)

Old 08.04.2015, 15:21   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

GMer analysis: Do we have a rootkit?

Please also create a new Addition.txt: start FRST, tick the box next to Addition.txt, then click Scan.

__________________
Please always post logfiles in CODE tags

Old 14.04.2015, 09:33   #11
HtHNightwolf

GMer analysis: Do we have a rootkit?

Additions: FRST Additions logfile:
Code:
ATTFilter
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-04-2015
Ran by dwa at 2015-04-14 10:37:49
Running from C:\Users\dwa\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Trend Micro Security Agent (Enabled - Up to date) {7193B549-236F-55EE-9AEC-F65279E59A92}
AS: Trend Micro Security Agent (Enabled - Up to date) {CAF254AD-0555-5A60-A05C-CD200262D02F}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: LANCOM Advanced VPN Client (Disabled) {BEB21647-135A-7893-42A0-BBC3960C218D}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ActiveCheck component for HP Active Support Library (x32 Version: 3.0.0.3 - Hewlett-Packard) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 15.0.0.356 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.6.602.180 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Reader X (10.1.13) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}) (Version: 6.0.0.59 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Autodesk Buzzsaw 2013.1.27.1368 (HKLM-x32\...\Autodesk Buzzsaw 2013) (Version: 2013.1.27.1368 - Autodesk)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Corel WinDVD (HKLM-x32\...\{5C1F18D2-F6B7-4242-B803-B5A78648185D}) (Version: 10.0.5.835 - Corel Inc.)
DDBAC (HKLM-x32\...\{021BC94E-D464-4B9D-96F1-C6566B476A71}) (Version: 5.3.3 - DataDesign)
DDBAC (HKLM-x32\...\{7121136B-462F-46F7-8FC0-6A35E8DC2D5B}) (Version: 4.3.77 - DataDesign)
DDBAC (HKLM-x32\...\{88A0F52F-A024-4268-977E-E75B1F9C67ED}) (Version: 5.3.28 - DataDesign)
DDBAC (HKLM-x32\...\{CB3F10A6-3BD7-43C8-A011-22B00FEB61D5}) (Version: 5.3.7 - DataDesign)
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Dragon NaturallySpeaking 11 (HKLM-x32\...\{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}) (Version: 11.50.100 - Nuance Communications Inc.)
ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 13.3.0.9066 - Landesfinanzdirektion Thüringen)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
HP LaserJet 400 M401 (HKLM-x32\...\{8989F6D9-550C-4178-A8CB-75B82A06621F}) (Version: 5.0.12200.835 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{05BA6A83-C7A7-4F85-88F1-150142305229}) (Version: 8.5.4489.3576 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
HPAsset component for HP Active Support Library (x32 Version: 3.0.0.3 - Hewlett-Packard) Hidden
hpbDSService (x32 Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM401DSService (x32 Version: 001.001.05874 - Hewlett-Packard) Hidden
HPLaserJet400-M401_HelpLearnCenter_SI (HKLM-x32\...\{4989DD05-86FB-4CA2-96C5-923DFAD89DA3}) (Version: 1.01.0000 - Hewlett-Packard)
hppLaserJetService (x32 Version: 009.027.00856 - Hewlett-Packard) Hidden
hppM401LaserJetService (x32 Version: 001.019.00639 - Hewlett-Packard) Hidden
hpStatusAlerts (x32 Version: 050.037.00142 - Hewlett Packard) Hidden
hpStatusAlertsM401 (x32 Version: 050.034.00131 - Hewlett-Packard) Hidden
iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Network Connections 15.7.176.0 (HKLM\...\PROSetDX) (Version: 15.7.176.0 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2253 - Intel Corporation)
Java(TM) 7 Update 5 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217005FF}) (Version: 7.0.50 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
LANCOM Advanced VPN Client (HKLM\...\{81C44F7F-5A1E-4FA9-ADE2-B84C866B8091}) (Version: 3.00.21499 - NCP engineering GmbH)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM-x32\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Mein CEWE FOTOBUCH (HKLM-x32\...\Mein CEWE FOTOBUCH) (Version: 5.0.1 - CEWE COLOR AG u Co. OHG)
Meine CEWE FOTOWELT (HKLM-x32\...\Meine CEWE FOTOWELT) (Version: 5.0.1 - CEWE COLOR AG u Co. OHG)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2010 Primary Interop Assemblies (HKLM-x32\...\{90140000-1105-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1024 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 x64 DEU (HKLM\...\{CCBF4FD7-F4D2-4DB0-BC0E-F4EC42220EFF}) (Version: 4.0.8482.1 - Microsoft Corporation)
Microsoft Surface 2.0 Runtime (HKLM-x32\...\{69C2B39D-F060-49AD-8877-01C4144A8424}) (Version: 2.0.21114.00 - Microsoft Corporation)
Microsoft Surface Toolkit Runtime for Windows Touch Beta (HKLM-x32\...\{788755AD-6DD7-4736-9CA9-24B05D87845C}) (Version: 1.5.10404.01 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x86) DEU  (HKLM-x32\...\{E6415AEF-3B3E-43FF-AD3A-0258D854E7D6}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x86) DEU  (HKLM-x32\...\{E90A1941-4989-4172-AB5C-DBCB02202A84}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.1 Core Components (x86) DEU  (HKLM-x32\...\{D0F06337-3406-4162-9990-7853DCE4F345}) (Version: 2.1.1648.0 - Microsoft Corporation)
Microsoft Sync Framework 2.1 Provider Services (x86) DEU  (HKLM-x32\...\{349B4707-5F45-49EB-9A9D-8F89C94355F2}) (Version: 2.1.1648.0 - Microsoft Corporation)
Microsoft Visual Basic PowerPacks 10.0 (HKLM-x32\...\{D95B72D8-DE21-3DAE-B2C5-B1EE64EEBEFA}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.31007 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.31007 - Microsoft Corporation)
Microsoft_VC90_CRT_x86 (HKLM-x32\...\{DF2035BE-5820-4965-BD97-7FAF8D4A7879}) (Version: 1.0.0 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 26.0 (x86 de)) (Version: 26.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 26.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.14 - PDF Complete, Inc)
PDF-XChange 2012 (HKLM\...\{504022CD-6A58-42D5-ACC9-966F695AAD93}_is1) (Version: 5.0.269.0 - Tracker Software Products Ltd)
PDF-XChange 4 (HKLM\...\{EA08048C-3823-4DC8-B169-1D5D11FFC19F}_is1) (Version: 4.0.162.0 - Tracker Software Products Ltd)
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
RA-MICRO Datenschnittstelle (HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\7F68B937B5888AFC8A4D798DDB7B57C56D80CD93) (Version: 14.3.10.1 - RA-MICRO Software GmbH)
RA-MICRO Datenschnittstelle MS Excel (HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\7F05E7A558F6A5154CB3EAB36AFDBC20670C6725) (Version: 14.5.22.0 - RA-MICRO Software GmbH)
RA-MICRO Datenschnittstelle MS Outlook (HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\D4525534804412C9DE054E9AD6B06290C74C7DD7) (Version: 14.5.22.0 - RA-MICRO GmbH & Co. KGaA)
RA-MICRO Deinstallation (HKLM-x32\...\ra-micro Deinstallation) (Version:  - RA-MICRO GmbH & Co. KGaA)
RA-MICRO Elster (HKLM-x32\...\{EC15998D-5C48-43D9-B5A6-43085531B31C}) (Version: 4.25.0000 - RA-MICRO GmbH & Co KGaA)
RA-MICRO Infragistics 10.3 (HKLM-x32\...\{2592ACCF-8D9B-4CF8-B791-16A94A8A75B8}) (Version: 10.01.30101 - RA-MICRO Software GmbH)
RA-MICRO Leadtools (HKLM-x32\...\{DE726A89-0BF3-433D-B975-4201BF2E8156}) (Version: 2.01.0000 - RA-MICRO Software GmbH)
RA-MICRO Systemdateien (HKLM-x32\...\{22674A89-CE4D-428D-BA79-4446933FBAF0}) (Version: 1.2.2010.0 - RA-MICRO Software GmbH)
RA-MICRO TextControl 14.0 SP4 (HKLM-x32\...\{01201D0C-0AD2-471D-8CB6-E1574A5A0D8D}) (Version: 2.00.0000 - RA-MICRO Software GmbH)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.3621 - CyberLink Corp.) Hidden
SecCommerce SecSigner 3.6 (HKLM\...\SecCommerce SecSigner) (Version: 3.6 - SecCommerce Informationssysteme GmbH)
sv.net (HKLM-x32\...\sv.net) (Version: 13.2 - ITSG GmbH)
TeamViewer 6 (HKLM-x32\...\TeamViewer 6) (Version: 6.0.10722 - TeamViewer GmbH)
TeamViewer 7 (HKLM-x32\...\TeamViewer 7) (Version: 7.0.13989 - TeamViewer)
Trend Micro Worry-Free Business Security Agent (HKLM\...\Wofie) (Version: 7.0.2316 - Trend Micro Inc.)
Trend Micro Worry-Free Business Security Agent (Version: 7.0 - Trend Micro Inc.) Hidden
Trend Micro Worry-Free Business Security Agent (x32 Version: 1.0.0 - Trend Micro Inc.) Hidden
TWAIN Driver (HKLM-x32\...\InstallShield_{3D5D6830-C051-4273-857F-61CF7A3B5A6A}) (Version: 1.7.0717 - TWAIN Driver)
TWAIN Driver (x32 Version: 1.7.0717 - TWAIN Driver) Hidden
UTAX TA Software Library (HKLM\...\UTAX TA Software Library) (Version: 2.0.0713 - Kyocera Mita Corporation)
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking 64bit (x64) (HKLM\...\{4A5A427F-BA39-4BF0-7777-9A47FBE60C9F}) (Version: 11.0.0 - Nuance Communications Inc.)
Windows Small Business Server 2011 Standard ClientAgent (HKLM\...\{5C72F8A3-BF39-4733-B41E-0ED7EF622E37}) (Version: 6.1.7900.1 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

19-03-2015 15:04:15 Scheduled Checkpoint
07-04-2015 11:43:13 ComboFix created restore point
07-04-2015 12:17:18 Windows Update
07-04-2015 17:13:44 Windows Update
08-04-2015 08:44:20 Windows Update
13-04-2015 09:40:23 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2015-04-07 12:05 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {249C792D-8790-4ACE-94F8-842AD6C27AFF} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
Task: {2858ACED-AC06-4C93-8400-93B42F7DEA0A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-25] (Adobe Systems Incorporated)
Task: {2A1BBFCA-4412-4D4F-A03D-10E18261E70C} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {47CB48F8-BE23-48B3-8EA1-913F56243121} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
Task: {57B392D0-F84B-4E5F-AA46-3C5328A248B8} - System32\Tasks\HPCeeScheduleForGAPWS28W7$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {AD9F5268-16CD-4434-BA38-E8D3112D8E74} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {B9A5170B-00DA-4CF1-A95C-6099FB9D09E0} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {BD05FB36-C2DF-4EB4-A7ED-B6876F18DDAB} - System32\Tasks\Registration => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-11-17] ()
Task: {D14F873E-FFE0-418C-8892-7345422D82B2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {E56A8D7F-945F-4B81-B7C0-98582A7A3900} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForGAPWS28W7$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) ==============

2013-04-26 15:23 - 2011-01-03 19:53 - 00047104 _____ () C:\Program Files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll
2013-04-26 15:23 - 2011-01-03 19:53 - 00042496 _____ () C:\Program Files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll
2013-04-26 15:23 - 2011-01-03 21:53 - 00731136 _____ () C:\Program Files\Trend Micro\AMSP\sqlite3.dll
2013-04-26 15:23 - 2011-01-03 21:53 - 01719808 _____ () C:\Program Files\Trend Micro\AMSP\libprotobuf.dll
2011-10-05 14:16 - 2011-10-05 14:16 - 00289056 _____ () C:\Program Files\Trend Micro\UniClient\plugins\LUADLL.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00169472 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\x64\ncpbudget2008.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00112392 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\x64\ncpmif32.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00125952 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe
2011-01-03 19:54 - 2011-01-03 19:54 - 00047104 _____ () C:\Program Files\Trend Micro\Security Agent\boost_thread-vc80-mt-1_36.dll
2011-01-03 19:54 - 2011-01-03 19:54 - 00042496 _____ () C:\Program Files\Trend Micro\Security Agent\boost_date_time-vc80-mt-1_36.dll
2011-11-16 18:59 - 2011-11-16 18:59 - 00176640 _____ () C:\Program Files\Trend Micro\Security Agent\libTmHttpServer.dll
2011-11-16 18:59 - 2011-11-16 18:59 - 00167424 _____ () C:\Program Files\Trend Micro\Security Agent\libTmHttpClient.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 01759232 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpgacc.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00099840 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\bsdntif.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00101640 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmif32.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00117760 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpcfg.dll
2015-01-20 16:03 - 2015-01-20 16:03 - 00198144 _____ () C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpdlg.dll
2011-03-17 01:11 - 2011-03-17 01:11 - 04297568 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2010-12-21 02:15 - 2010-12-21 02:15 - 01041248 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2009-07-13 23:03 - 2009-07-14 03:15 - 00364544 _____ () C:\Windows\SysWOW64\msjetoledb40.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:0FF263E8

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1386967835-2426692312-148520297-1206\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.18.11 - 192.168.18.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: Intel(R) PROSet Monitoring Service => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: IviRegMgr => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: TmListen => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\Windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: DNS7reminder => "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

==================== Accounts: =============================

Administrator (S-1-5-21-3558825690-141422522-473755175-500 - Administrator - Disabled)
Gast (S-1-5-21-3558825690-141422522-473755175-501 - Limited - Disabled)
serviceuser (S-1-5-21-3558825690-141422522-473755175-1000 - Administrator - Enabled) => C:\Users\serviceuser

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/14/2015 08:33:06 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/13/2015 08:41:38 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/10/2015 08:35:56 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/09/2015 08:38:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:58:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:56:14 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: mcstoredb, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020

Error: (04/08/2015 08:56:13 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: mcstore, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020

Error: (04/08/2015 08:41:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:38:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:35:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/14/2015 10:28:52 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 112.

Error: (04/14/2015 10:28:52 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 40.

Error: (04/14/2015 10:28:34 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 40.

Error: (04/14/2015 10:28:33 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 112.

Error: (04/14/2015 10:25:09 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: *****)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify that Domain Name System (DNS) is configured and working correctly.

Error: (04/14/2015 10:22:30 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 112.

Error: (04/14/2015 10:22:29 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 40.

Error: (04/14/2015 10:22:11 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 40.

Error: (04/14/2015 10:22:11 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 112.

Error: (04/14/2015 10:16:22 AM) (Source: Schannel) (EventID: 4119) (User: NT-AUTORITÄT)
Description: The following fatal alert was received: 112.


Microsoft Office Sessions:
=========================
Error: (04/14/2015 08:33:06 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/13/2015 08:41:38 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/10/2015 08:35:56 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/09/2015 08:38:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:58:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:56:14 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: mcstoredb, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020 
mcstoredb, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (04/08/2015 08:56:13 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to compile: mcstore, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020 
mcstore, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Error: (04/08/2015 08:41:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:38:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/08/2015 08:35:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
Percentage of memory in use: 33%
Total physical RAM: 3984.02 MB
Available physical RAM: 2652.5 MB
Total Pagefile: 7966.22 MB
Available Pagefile: 5743.87 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:458.86 GB) (Free:375.58 GB) NTFS
Drive g: (Daaten) (Network) (Total:465.73 GB) (Free:359.71 GB) NTFS
Drive h: (Daaten) (Network) (Total:465.73 GB) (Free:359.71 GB) NTFS
Drive r: (Daaten) (Network) (Total:465.73 GB) (Free:359.71 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1981C818)
Partition 1: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=458.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=6.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
         
--- --- ---

and once more the FRST
FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by dwa (administrator) on GAPWS28W7 on 14-04-2015 10:36:59
Running from C:\Users\dwa\Downloads
Loaded Profiles: dwa (Available profiles: Serviceuser & awa & swi & hka & tvr & sku & dwa & serviceuser)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe
(NCP Engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe
() C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Security Agent\TmListen.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe
(NCP engineering GmbH) C:\Program Files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x939C50A800AAE751\cmd.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x81ACAAA657A54A6B\OUTLOOK.EXE
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xC470558F098276C4\32ra.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xCEC970771AE09040\ra.dienste.starter.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x609C1ED1C5785400\32ELOZIP.EXE
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x1EE623CE19082647\RAPDFErstellung.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x0AAA4A087FC3E039\ramicro.rabox.exporter.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x0AAA4A087FC3E039\ra7.central.mail.receiver.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0x7D9802F9BD3B3408\ra7.communication.directmessages.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xFC99FDBB3439DE26\7.central.generic.output.exe
() C:\Users\dwa\AppData\Local\Xenocode\Sandbox\ra-micro Startprogramm\10.4\local\stubexe\0xCB9589B879C0A4E9\32akto.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Desktop.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [219480 2011-10-17] (Trend Micro Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [StatusAlerts] => C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe [313248 2012-07-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [895512 2010-10-22] (PDF Complete Inc)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [NcpMonitor] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpmon.exe [7730928 2015-01-20] (NCP engineering GmbH)
HKLM-x32\...\Run: [NcpBudgetGui] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\NcpBudgetGui.exe [1819888 2015-01-20] (NCP engineering GmbH)
HKLM-x32\...\Run: [NcpPopup] => C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncppopup.exe [964848 2015-01-20] (NCP engineering GmbH)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2015-03-25] (Google Inc.)
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1386967835-2426692312-148520297-1206\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll [2011-09-28] (Trend Micro Inc.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll [2015-03-25] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg32.dll [2010-09-30] (Trend Micro Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll [2012-07-05] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-25] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll [2012-07-05] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-25] (Google Inc.)
Toolbar: HKU\S-1-5-21-1386967835-2426692312-148520297-1206 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-25] (Google Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll [2011-09-28] (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg32.dll [2010-09-30] (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Security Agent\UIFramework\ProToolbarIMRatingActiveX.dll [2011-11-10] (Trend Micro Inc.)

FireFox:
========
FF ProfilePath: C:\Users\dwa\AppData\Roaming\Mozilla\Firefox\Profiles\8nglco5m.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll [2013-03-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll [2013-03-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npDeployJava1.dll [2012-07-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll [2012-07-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: G Data BankGuard - C:\Program Files (x86)\Mozilla Firefox\extensions\{906305f7-aafc-45e9-8bbd-941950a84dad} [2014-01-24]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2013-04-26]

Chrome: 
=======
CHR Profile: C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-02]
CHR Extension: (Google Drive) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-02]
CHR Extension: (YouTube) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-02]
CHR Extension: (Google Search) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-02]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-02]
CHR Extension: (Gmail) - C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-02]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
R2 ncpclcfg; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpclcfg.exe [531208 2015-01-20] (NCP engineering GmbH)
R2 ncprwsnt; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncprwsnt.exe [1782024 2015-01-20] (NCP Engineering GmbH)
R2 ncpsec; C:\Program Files (x86)\LANCOM\Advanced VPN Client\ncpsec.exe [125952 2015-01-20] () [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
S3 Olympus DVR Service; C:\Program Files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [176128 2010-02-26] (OLYMPUS IMAGING CORP.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1121304 2010-10-22] (PDF Complete Inc)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R3 TmListen; C:\Program Files\Trend Micro\Security Agent\tmlisten.exe [1017360 2011-11-16] (Trend Micro Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=qb -dt=60000 [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 IFCoEMP; C:\Windows\system32\drivers\ifM52x64.sys [339728 2010-08-14] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP52X64.sys [65808 2010-08-14] (Intel(R) Corporation)
S3 ncpfilt; C:\Windows\System32\DRIVERS\ncplelhp.sys [112560 2015-01-20] (NCP Engineering GmbH)
R3 ncplelhp; C:\Windows\System32\DRIVERS\ncplelhp.sys [112560 2015-01-20] (NCP Engineering GmbH)
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90896 2011-06-23] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [146192 2011-06-23] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [69904 2011-06-23] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-09-30] (Trend Micro Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 10:36 - 2015-04-14 10:37 - 00016265 _____ () C:\Users\dwa\Downloads\FRST.txt
2015-04-14 10:30 - 2015-04-14 10:30 - 00000000 ____D () C:\Users\dwa\Downloads\FRST-OlderVersion
2015-04-08 08:45 - 2014-10-14 04:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2015-04-07 18:30 - 2014-12-11 19:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-04-07 18:28 - 2015-02-20 06:41 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-04-07 18:28 - 2015-02-20 06:40 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-04-07 18:28 - 2015-02-20 06:40 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-04-07 18:28 - 2015-02-20 06:40 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-04-07 18:28 - 2015-02-20 06:13 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2015-04-07 18:28 - 2015-02-20 06:13 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-04-07 18:28 - 2015-02-20 06:13 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2015-04-07 18:28 - 2015-02-20 06:12 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2015-04-07 18:28 - 2015-02-20 05:29 - 00372224 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-04-07 18:28 - 2015-02-20 05:09 - 00299008 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-04-07 18:25 - 2015-01-07 05:15 - 00104896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mup.sys
2015-04-07 18:25 - 2015-01-07 05:10 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2015-04-07 18:25 - 2015-01-07 04:44 - 00079872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll
2015-04-07 18:25 - 2015-01-07 03:49 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys
2015-04-07 18:25 - 2015-01-07 03:49 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-04-07 18:25 - 2015-01-07 03:48 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-04-07 18:25 - 2015-01-07 03:48 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-04-07 18:25 - 2015-01-07 03:48 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2015-04-07 18:20 - 2014-04-25 04:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2015-04-07 18:20 - 2014-04-25 04:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2015-04-07 18:13 - 2015-02-03 05:34 - 05554104 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-04-07 18:13 - 2015-02-03 05:34 - 00693176 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-04-07 18:13 - 2015-02-03 05:34 - 00094656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-04-07 18:13 - 2015-02-03 05:33 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-04-07 18:13 - 2015-02-03 05:31 - 14632960 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 02644992 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 01574400 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00641024 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00432128 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00188416 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-04-07 18:13 - 2015-02-03 05:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-04-07 18:13 - 2015-02-03 05:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-04-07 18:13 - 2015-02-03 05:30 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 01202176 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00842240 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-04-07 18:13 - 2015-02-03 05:30 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe
2015-04-07 18:13 - 2015-02-03 05:30 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2015-04-07 18:13 - 2015-02-03 05:29 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll
2015-04-07 18:13 - 2015-02-03 05:28 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-04-07 18:13 - 2015-02-03 05:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-04-07 18:13 - 2015-02-03 05:19 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys
2015-04-07 18:13 - 2015-02-03 05:16 - 03973048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-04-07 18:13 - 2015-02-03 05:16 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-04-07 18:13 - 2015-02-03 05:12 - 11411968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 02135040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 01005056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptui.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00988160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmv2clt.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00744960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\blackbox.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00617984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmdrmsdk.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscp.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00489984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\evr.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00406016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmmgrtn.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00354816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfplat.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00265216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msnetobj.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00081408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsp.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-04-07 18:13 - 2015-02-03 05:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-04-07 18:13 - 2015-02-03 05:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-04-07 18:13 - 2015-02-03 05:11 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-04-07 18:13 - 2015-02-03 05:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2015-04-07 18:13 - 2015-02-03 05:11 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2015-04-07 18:13 - 2015-02-03 05:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2015-04-07 18:13 - 2015-02-03 05:08 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-04-07 18:13 - 2015-02-03 04:32 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-04-07 18:13 - 2014-11-01 00:24 - 00619056 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-04-07 18:13 - 2014-06-28 02:21 - 00532176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-04-07 18:13 - 2014-06-28 02:21 - 00457400 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-04-07 18:03 - 2014-12-19 05:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-04-07 18:01 - 2014-06-19 00:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2015-04-07 18:01 - 2014-06-19 00:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2015-04-07 18:01 - 2014-06-19 00:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2015-04-07 18:01 - 2014-06-19 00:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2015-04-07 18:01 - 2014-06-19 00:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2015-04-07 18:01 - 2014-06-19 00:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2015-04-07 18:00 - 2013-10-19 04:18 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2015-04-07 18:00 - 2013-10-19 03:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2015-04-07 17:59 - 2014-04-05 04:47 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2015-04-07 17:59 - 2014-04-05 04:47 - 00288192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2015-04-07 17:59 - 2013-11-26 13:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2015-04-07 17:50 - 2014-12-06 06:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-04-07 17:50 - 2014-12-06 05:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-04-07 17:50 - 2014-12-06 05:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-04-07 17:50 - 2012-10-03 19:44 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-04-07 17:50 - 2012-10-03 19:44 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-04-07 17:49 - 2014-03-26 16:44 - 02002432 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-04-07 17:49 - 2014-03-26 16:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2015-04-07 17:49 - 2014-03-26 16:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2015-04-07 17:49 - 2014-03-26 16:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6r.dll
2015-04-07 17:47 - 2013-10-04 04:16 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2015-04-07 17:47 - 2013-10-04 03:36 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2015-04-07 17:46 - 2014-12-19 03:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-04-07 17:46 - 2014-06-18 04:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2015-04-07 17:46 - 2014-06-18 03:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2015-04-07 17:45 - 2015-02-03 05:31 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll
2015-04-07 17:45 - 2015-02-03 05:12 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ubpm.dll
2015-04-07 17:44 - 2014-08-21 08:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-04-07 17:44 - 2014-08-21 08:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2015-04-07 17:44 - 2014-08-21 08:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-04-07 17:44 - 2014-08-21 08:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2015-04-07 17:44 - 2013-11-27 03:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2015-04-07 17:44 - 2013-11-27 03:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2015-04-07 17:44 - 2013-11-27 03:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2015-04-07 17:44 - 2013-11-27 03:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2015-04-07 17:44 - 2013-11-27 03:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2015-04-07 17:43 - 2015-02-13 07:26 - 12875264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-04-07 17:43 - 2015-02-13 07:22 - 14177280 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-04-07 17:43 - 2014-06-06 12:10 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2015-04-07 17:43 - 2014-06-06 11:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2015-04-07 17:42 - 2014-05-30 08:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2015-04-07 17:40 - 2015-02-10 18:44 - 01188864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-04-07 17:40 - 2015-02-10 18:43 - 01539584 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-04-07 17:40 - 2015-02-10 18:43 - 00610816 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-04-07 17:40 - 2015-02-10 18:43 - 00134144 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 12297728 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 09059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 02468864 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00735232 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00495616 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00082944 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-04-07 17:40 - 2015-02-10 18:42 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-04-07 17:40 - 2015-02-10 18:41 - 00174592 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-04-07 17:40 - 2015-02-10 18:41 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-04-07 17:40 - 2015-02-10 18:41 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-04-07 17:40 - 2015-02-10 18:40 - 01538048 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-04-07 17:40 - 2015-02-10 18:21 - 01267712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-04-07 17:40 - 2015-02-10 18:21 - 00981504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-04-07 17:40 - 2015-02-10 18:21 - 00428544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-04-07 17:40 - 2015-02-10 18:21 - 00132096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 11026432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 06030336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 02087424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00627712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00345600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00064512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2015-04-07 17:40 - 2015-02-10 18:20 - 00048640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-04-07 17:40 - 2015-02-10 18:19 - 01466368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-04-07 17:40 - 2015-02-10 18:19 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-04-07 17:40 - 2015-02-10 18:19 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2015-04-07 17:40 - 2015-02-10 18:19 - 00016384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2015-04-07 17:40 - 2015-02-10 17:21 - 00482816 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-04-07 17:40 - 2015-02-10 16:59 - 00386048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-04-07 17:40 - 2015-02-10 15:50 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-04-07 17:40 - 2015-02-10 15:21 - 01638912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-04-07 17:39 - 2014-06-03 12:02 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-04-07 17:39 - 2014-06-03 12:02 - 01941504 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-04-07 17:39 - 2014-06-03 12:02 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2015-04-07 17:39 - 2014-06-03 12:02 - 00112064 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-04-07 17:39 - 2014-06-03 11:29 - 02363392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2015-04-07 17:39 - 2014-06-03 11:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-04-07 17:39 - 2014-06-03 11:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2015-04-07 17:39 - 2013-02-27 07:47 - 00070144 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2015-04-07 17:36 - 2014-03-04 11:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2015-04-07 17:36 - 2014-03-04 11:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-04-07 17:36 - 2014-03-04 11:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2015-04-07 17:36 - 2014-03-04 11:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2015-04-07 17:36 - 2014-03-04 11:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2015-04-07 17:36 - 2014-03-04 11:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2015-04-07 17:36 - 2014-03-04 11:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2015-04-07 17:36 - 2014-03-04 11:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2015-04-07 17:36 - 2014-03-04 11:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2015-04-07 17:36 - 2014-03-04 11:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-04-07 17:35 - 2014-08-12 04:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2015-04-07 17:35 - 2014-08-12 03:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2015-04-07 17:35 - 2014-06-16 04:10 - 00985536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2015-04-07 17:33 - 2015-03-06 07:56 - 00155576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-04-07 17:33 - 2015-03-06 07:56 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-04-07 17:33 - 2015-03-06 07:42 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-04-07 17:33 - 2015-03-06 07:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-04-07 17:33 - 2015-03-06 07:41 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-04-07 17:33 - 2015-03-06 07:41 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-04-07 17:33 - 2015-03-06 07:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-04-07 17:33 - 2015-03-06 07:38 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-04-07 17:33 - 2015-03-06 07:36 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-04-07 17:33 - 2015-03-06 07:10 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-04-07 17:33 - 2015-03-06 07:09 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-04-07 17:33 - 2015-03-06 07:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-04-07 17:33 - 2015-03-06 07:07 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-04-07 17:33 - 2015-03-06 07:07 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-04-07 17:33 - 2015-03-06 07:06 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-04-07 17:33 - 2015-01-31 01:56 - 00459336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-04-07 17:32 - 2014-11-11 05:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2015-04-07 17:32 - 2014-11-11 04:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2015-04-07 17:31 - 2015-01-17 04:48 - 01067520 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-04-07 17:31 - 2015-01-17 04:30 - 00828928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-04-07 17:30 - 2015-02-03 05:31 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-04-07 17:30 - 2015-02-03 05:12 - 01011200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-04-07 17:30 - 2014-09-04 07:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2015-04-07 17:30 - 2014-09-04 07:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2015-04-07 17:28 - 2014-10-25 03:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2015-04-07 17:28 - 2014-10-25 03:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2015-04-07 17:25 - 2014-07-17 04:07 - 03722240 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-04-07 17:25 - 2014-07-17 04:07 - 01118720 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-04-07 17:25 - 2014-07-17 04:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-04-07 17:25 - 2014-07-17 04:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2015-04-07 17:25 - 2014-07-17 04:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2015-04-07 17:25 - 2014-07-17 03:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2015-04-07 17:25 - 2014-07-17 03:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-04-07 17:25 - 2014-07-17 03:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2015-04-07 17:25 - 2014-07-17 03:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-04-07 17:25 - 2014-07-17 03:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2015-04-07 17:25 - 2014-07-17 03:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2015-04-07 17:23 - 2015-02-26 05:25 - 03204096 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-04-07 17:23 - 2014-12-08 05:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-04-07 17:23 - 2014-12-08 04:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-04-07 17:23 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-04-07 17:23 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-04-07 17:23 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-04-07 17:23 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-04-07 17:23 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-04-07 17:23 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-04-07 17:23 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-04-07 17:23 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-04-07 17:23 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-04-07 17:23 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-04-07 17:23 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-04-07 17:23 - 2013-10-12 04:32 - 00150016 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2015-04-07 17:23 - 2013-10-12 04:31 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2015-04-07 17:23 - 2013-10-12 04:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshom.ocx
2015-04-07 17:23 - 2013-10-12 04:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrrun.dll
2015-04-07 17:23 - 2013-10-12 03:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2015-04-07 17:23 - 2013-10-12 03:33 - 00156160 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2015-04-07 17:23 - 2013-10-12 03:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2015-04-07 17:23 - 2013-10-12 03:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2015-04-07 17:21 - 2014-10-18 04:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-04-07 17:21 - 2014-10-18 03:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-04-07 17:21 - 2014-08-23 04:07 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-04-07 17:21 - 2014-08-23 03:45 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-04-07 17:18 - 2015-02-04 05:16 - 00392192 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-04-07 17:18 - 2015-02-04 04:54 - 00318464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2015-04-07 17:18 - 2014-07-14 04:02 - 01216000 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-04-07 17:18 - 2014-07-14 03:40 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-04-07 17:15 - 2014-07-01 00:24 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2015-04-07 17:15 - 2014-07-01 00:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2015-04-07 17:15 - 2014-03-09 23:48 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2015-04-07 17:15 - 2014-03-09 23:48 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2015-04-07 17:15 - 2014-03-09 23:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2015-04-07 17:15 - 2014-03-09 23:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll
2015-04-07 17:14 - 2014-06-06 08:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2015-04-07 17:14 - 2014-06-06 08:12 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2015-04-07 16:36 - 2015-04-07 16:36 - 00001058 _____ () C:\Users\dwa\Desktop\FRST - Verknüpfung.lnk
2015-04-07 16:34 - 2015-04-07 16:34 - 00001623 _____ () C:\Users\dwa\Desktop\JRT.txt
2015-04-07 16:29 - 2015-04-07 16:29 - 00001074 _____ () C:\Users\dwa\Desktop\FRST64 - Verknüpfung.lnk
2015-04-07 16:28 - 2015-04-07 16:28 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-GAPWS28W7-Windows-7-Professional-(64-bit).dat
2015-04-07 16:28 - 2015-04-07 16:28 - 00000000 ____D () C:\RegBackup
2015-04-07 15:40 - 2015-04-07 15:40 - 02691312 _____ (Thisisu) C:\Users\dwa\Downloads\JRT.exe
2015-04-07 12:18 - 2015-04-07 12:18 - 00027016 _____ () C:\SF.txt
2015-04-07 12:10 - 2015-04-07 12:18 - 00027016 _____ () C:\ComboFix.txt
2015-04-07 11:43 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-07 11:43 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-07 11:43 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-07 11:43 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2015-04-07 11:39 - 2015-04-07 11:36 - 05617096 ____R (Swearware) C:\Users\dwa\Desktop\ComboFix.exe
2015-04-07 11:37 - 2015-04-07 12:10 - 00000000 ____D () C:\Qoobox
2015-04-07 11:37 - 2015-04-07 12:08 - 00000000 ____D () C:\Windows\erdnt
2015-04-07 11:35 - 2015-04-07 11:36 - 05617096 _____ (Swearware) C:\Users\dwa\Downloads\ComboFix.exe
2015-04-07 11:09 - 2015-04-14 10:37 - 00000000 ____D () C:\FRST
2015-04-07 11:08 - 2015-04-14 10:30 - 02096640 _____ (Farbar) C:\Users\dwa\Downloads\FRST64.exe
2015-03-31 14:50 - 2015-03-31 14:50 - 00380416 _____ () C:\Users\dwa\Downloads\Gmer-19357.exe
2015-03-25 09:42 - 2015-03-27 14:35 - 00000000 ____D () C:\Users\dwa\AppData\Roaming\Google
2015-03-23 12:57 - 2015-03-23 13:04 - 00011200 _____ () C:\Users\dwa\Documents\Kontodaten wg. FG - Inka Akten.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-14 10:30 - 2011-08-16 14:25 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
2015-04-14 10:29 - 2012-08-10 09:54 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-14 10:28 - 2013-04-26 11:46 - 02074839 _____ () C:\Windows\WindowsUpdate.log
2015-04-14 10:12 - 2009-07-14 07:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-14 09:41 - 2012-09-04 12:15 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-14 09:32 - 2011-07-15 10:12 - 00000000 ____D () C:\ProgramData\PDFC
2015-04-14 09:16 - 2013-06-14 13:41 - 00000040 _____ () C:\Windows\DICTANET.INI
2015-04-14 08:58 - 2015-03-10 12:11 - 00000000 ____D () C:\Users\dwa\Documents\***** - Büro
2015-04-14 08:58 - 2013-06-14 13:41 - 00000051 _____ () C:\Windows\Error.Ini
2015-04-14 08:38 - 2015-01-26 11:56 - 00000000 ____D () C:\MSIT
2015-04-14 08:38 - 2011-04-12 09:43 - 00704144 _____ () C:\Windows\system32\perfh007.dat
2015-04-14 08:38 - 2011-04-12 09:43 - 00151144 _____ () C:\Windows\system32\perfc007.dat
2015-04-14 08:38 - 2009-07-14 07:13 - 01633324 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-14 08:38 - 2009-07-14 06:45 - 00035984 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-14 08:38 - 2009-07-14 06:45 - 00035984 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-14 08:36 - 2011-07-15 10:11 - 00000000 ____D () C:\ProgramData\Temp
2015-04-14 08:35 - 2012-09-04 12:15 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-14 08:34 - 2014-01-02 12:54 - 00000000 ____D () C:\Users\dwa
2015-04-14 08:31 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-14 08:31 - 2009-07-14 06:51 - 01701955 _____ () C:\Windows\setupact.log
2015-04-13 17:27 - 2014-01-02 12:54 - 00000250 ___SH () C:\Users\dwa\ntuser.ini
2015-04-09 15:46 - 2014-05-15 10:54 - 00000000 ____D () C:\Users\dwa\AppData\Local\RA-MICRO_GmbH_&_Co._KGaA
2015-04-08 08:48 - 2009-07-14 06:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-04-08 08:37 - 2009-07-14 06:45 - 00357792 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-04-08 08:35 - 2011-04-12 09:55 - 00000000 ____D () C:\Program Files\Windows Journal
2015-04-08 08:35 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2015-04-08 08:35 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\Dism
2015-04-08 08:35 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-04-08 08:34 - 2013-03-13 04:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-04-08 08:34 - 2013-03-13 04:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-04-07 18:29 - 2011-08-16 08:30 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-04-07 17:42 - 2013-04-26 14:21 - 01606668 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-04-07 17:28 - 2013-03-13 04:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-04-07 12:10 - 2013-04-25 10:07 - 00000000 ____D () C:\Users\hka
2015-04-07 12:10 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2015-04-07 12:05 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2015-04-07 12:03 - 2010-11-21 05:47 - 00197558 _____ () C:\Windows\PFRO.log
2015-04-07 09:01 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\spool
2015-04-02 16:42 - 2015-03-10 12:09 - 00000000 ____D () C:\Users\dwa\Documents\Mue-Stö - Akten
2015-04-02 09:24 - 2011-10-14 03:24 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForGAPWS28W7$
2015-04-02 09:24 - 2011-10-14 03:24 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForGAPWS28W7$.job
2015-03-31 15:10 - 2015-01-29 16:55 - 00002004 ____H () C:\Users\dwa\Documents\Default.rdp
2015-03-31 14:44 - 2015-01-30 09:40 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-27 09:52 - 2014-01-02 15:06 - 00000000 ____D () C:\Users\dwa\AppData\Local\Google
2015-03-25 09:42 - 2014-06-24 11:10 - 00000000 ____D () C:\Users\dwa\AppData\Local\Adobe
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\ProgramData\Google
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\Program Files\Google
2015-03-25 09:42 - 2012-09-04 12:15 - 00000000 ____D () C:\Program Files (x86)\Google
2015-03-25 09:42 - 2012-08-10 09:54 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-03-25 09:42 - 2012-08-10 09:54 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-03-25 09:42 - 2011-08-16 15:34 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

Some content of TEMP:
====================
C:\Users\dwa\AppData\Local\Temp\Quarantine.exe
C:\Users\dwa\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-09 14:42

==================== End Of Log ============================
         
--- --- ---

Last edited by HtHNightwolf (14.04.2015 at 09:46)

Alt 14.04.2015, 10:05   #12
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 

FRST fix

Please disable your virus scanner completely now, so that the fix is sure to run through cleanly!


Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:
ATTFilter
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
AlternateDataStreams: C:\ProgramData\Temp:0FF263E8
EmptyTemp:
         

Please save it as Fixlist.txt on your Desktop (or in the directory where FRST is located).
  • Now start FRST again and click the Entfernen (Fix) button.
  • The tool creates a Fixlog.txt.
  • Post me its contents.

__________________
Please always post logfiles in CODE tags
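A read-only audit of the three kinds of entries this fixlist targets (the IE policy key under the user's SID, the empty DefaultScope search scopes, and the ADS on C:\ProgramData\Temp), added here as an example; it is not from the thread and not part of FRST. It assumes PowerShell 3.0 or later in an elevated session (other hives are not readable otherwise) and takes the SID and folder path from the fixlist above; run it before the fix to see the entries and again afterwards to confirm they are gone.

```powershell
# Added example, not from this thread or from FRST: a read-only audit of the
# entries the fixlist above targets. Assumes an elevated PowerShell 3.0+ session.

$UserSid   = 'S-1-5-21-1386967835-2426692312-148520297-1206'   # SID from the fixlist
$AdsFolder = 'C:\ProgramData\Temp'                              # folder from the fixlist

# 1. Internet Explorer policy restrictions set under the user's hive.
#    One object per registry value, so every restriction is visible.
function Get-IePolicyRestriction {
    param([Parameter(Mandatory)][string]$Sid)
    $key = "Registry::HKEY_USERS\$Sid\SOFTWARE\Policies\Microsoft\Internet Explorer"
    if (-not (Test-Path -LiteralPath $key)) { return }
    foreach ($item in @(Get-Item -LiteralPath $key) + @(Get-ChildItem -LiteralPath $key -Recurse)) {
        foreach ($name in $item.Property) {
            [pscustomobject]@{
                Key   = $item.Name
                Name  = $name
                Value = $item.GetValue($name)
            }
        }
    }
}

# 2. DefaultScope entries whose search-scope subkey has no URL
#    (the "URL =" lines in the fixlist): a default scope that resolves to nothing.
function Get-EmptyDefaultScope {
    param([string[]]$Hives = @('.DEFAULT', 'S-1-5-19', 'S-1-5-20'))
    foreach ($hive in $Hives) {
        $scopes = "Registry::HKEY_USERS\$hive\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path -LiteralPath $scopes)) { continue }
        $default = (Get-ItemProperty -LiteralPath $scopes -ErrorAction SilentlyContinue).DefaultScope
        if (-not $default) { continue }
        $url = $null
        if (Test-Path -LiteralPath "$scopes\$default") {
            $url = (Get-ItemProperty -LiteralPath "$scopes\$default" -ErrorAction SilentlyContinue).URL
        }
        if ([string]::IsNullOrEmpty($url)) {
            [pscustomobject]@{ Hive = $hive; DefaultScope = $default; URL = $url }
        }
    }
}

# 3. NTFS alternate data streams attached to a file or folder. ':$DATA' is the
#    normal content stream of a file; any other stream name is an ADS.
function Get-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Collect and print the findings; nothing is modified.
$findings = [ordered]@{
    'IE policy restrictions' = @(Get-IePolicyRestriction -Sid $UserSid)
    'Empty DefaultScopes'    = @(Get-EmptyDefaultScope)
    "ADS on $AdsFolder"      = @(Get-AlternateDataStream -Path $AdsFolder)
}
foreach ($entry in $findings.GetEnumerator()) {
    Write-Host ("== {0}: {1} found" -f $entry.Key, $entry.Value.Count)
    $entry.Value | Format-Table -AutoSize | Out-String | Write-Host
}
```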

Alt 14.04.2015, 10:33   #13
HtHNightwolf
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-04-2015
Ran by dwa at 2015-04-14 11:15:07 Run:1
Running from C:\Users\dwa\Desktop
Loaded Profiles: dwa (Available profiles: Serviceuser & awa & swi & hka & tvr & sku & dwa & serviceuser)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-1386967835-2426692312-148520297-1206\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
AlternateDataStreams: C:\ProgramData\Temp:0FF263E8
EmptyTemp:
*****************

"HKU\S-1-5-21-1386967835-2426692312-148520297-1206\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\ProgramData\Temp => ":0FF263E8" ADS removed successfully.
EmptyTemp: => Removed 787.8 MB temporary data.


The system needed a reboot.

==== End of Fixlog 11:16:10 ====

Alt 14.04.2015, 10:44   #14
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 

Okay, then control scans with MBAM and ESET, please:

Please download Malwarebytes Anti-Malware
  • Install the program to the default path. (Illustrated guide to MBAM)
  • Start Malwarebytes' Anti-Malware (MBAM).
  • Then click Scan, select Threat Scan and click Start Scan.
  • At the end of the scan, have all detections (if any) moved to Quarantine. To do so, click Remove Selected.
  • Let your computer restart if necessary to complete the cleanup.
  • Start MBAM, click History and then Application Logs.
  • Select the latest scan log and click Export. Choose Text file (.txt) and save the file as mbam.txt on the Desktop. You can find the MBAM logfile here.
  • Include the contents of mbam.txt with your next reply.




ESET Online Scanner

  • Here you can find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick Yes, I accept the Terms of Use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded, and the scan starts automatically.
  • At the end of the scan, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall a program => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Alt 16.04.2015, 13:21   #15
HtHNightwolf
 

mbam:

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Suchlauf Datum: 15.04.2015
Suchlauf-Zeit: 15:44:31
Logdatei: mbam.txt
Administrator: Ja

Version: 2.00.4.1028
Malware Datenbank: v2015.04.15.05
Rootkit Datenbank: v2015.03.31.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: dwa

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 1099306
Verstrichene Zeit: 15 Min, 8 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(Keine schädliche Elemente erkannt)

Module: 0
(Keine schädliche Elemente erkannt)

Registrierungsschlüssel: 0
(Keine schädliche Elemente erkannt)

Registrierungswerte: 0
(Keine schädliche Elemente erkannt)

Registrierungsdaten: 0
(Keine schädliche Elemente erkannt)

Ordner: 0
(Keine schädliche Elemente erkannt)

Dateien: 0
(Keine schädliche Elemente erkannt)

Physische Sektoren: 0
(Keine schädliche Elemente erkannt)


(end)


ESET:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=f99efea16942e64ca4dc10afa1da4c5e
# engine=23399
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2015-04-15 04:04:43
# local_time=2015-04-15 06:04:43 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Trend Micro Security Agent'
# compatibility_mode=519 16777213 100 94 18109 135040277 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 30867 180743733 0 0
# scanned=295346
# found=1
# cleaned=0
# scan_time=5689
sh=09905D12C593B0FF8C8317EB41C0516750A264D8 ft=1 fh=197a80c1d46e2dbd vn="Win32/Somoto.G evtl. unerwünschte Anwendung" ac=I fn="C:\Users\dwa\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000001"


As you can see, ESET has found one suspect, Somoto.G. Am I clean if I delete it? Or if I delete the Chrome profile right away?
