Win 7: Damage from DHL spam mail?

A spam mail supposedly from the "DHL Fachteam" with the subject "Paket, Ihre Sendung ..." was opened by a family member (Win7-64, Thunderbird) before I could intervene:

- Text of the email: empty (I verified this)
- The PDF file in the attachment was opened (from here on I only have the account of what happened)
- At least one image / link was clicked.

Question: Is my computer still infected, and what do I have to do about it? There are currently no behavioural anomalies, but how do I know that my passwords have not already been harvested?

What I have done so far:

- Marked the mail as spam. It is still in the spam folder, so I could forward it if desired.
- Updated Kaspersky AV and ran a full scan. The files KAV found had been on the computer for several hours before this scan, during which passwords were entered and possibly other sensitive work was done. Here is the KAV log file ("Heute" = yesterday):

Code:
```
Gefundenes Objekt (Datei) wurde gelöscht | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-2.pdf | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-2.pdf | Unbekannte Bedrohung | Heute, 22:02
Gefundenes Objekt (Datei) wurde gelöscht | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-2.pdf//data0001 | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-2.pdf//data0001 | Trojan-Downloader.PDF.Agent.r | Trojanisches Programm | Heute, 22:02
Gefundenes Objekt (Datei) ist nicht mehr verfügbar | C:\Documents and Settings\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-1.pdf//data0001 | C:\Documents and Settings\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-1.pdf//data0001 | Trojan-Downloader.PDF.Agent.r | Trojanisches Programm | Heute, 20:45
Gefundenes Objekt (Datei) ist nicht mehr verfügbar | C:\Documents and Settings\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-2.pdf//data0001 | C:\Documents and Settings\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-2.pdf//data0001 | Trojan-Downloader.PDF.Agent.r | Trojanisches Programm | Heute, 20:45
Gefundenes Objekt (Datei) wurde gelöscht | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518.pdf//data0001 | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518.pdf//data0001 | Trojan-Downloader.PDF.Agent.r | Trojanisches Programm | Heute, 22:02
Gefundenes Objekt (Datei) wurde gelöscht | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-1.pdf | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-1.pdf | Unbekannte Bedrohung | Heute, 22:02
Gefundenes Objekt (Datei) wurde gelöscht | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518.pdf | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518.pdf | Unbekannte Bedrohung | Heute, 22:02
Gefundenes Objekt (Datei) ist nicht mehr verfügbar | C:\Documents and Settings\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518.pdf//data0001 | C:\Documents and Settings\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518.pdf//data0001 | Trojan-Downloader.PDF.Agent.r | Trojanisches Programm | Heute, 20:45
Gefundenes Objekt (Datei) wurde gelöscht | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-1.pdf//data0001 | C:\Users\RAHN_NEU\AppData\Local\Temp\DHL_Report_98810218518-1.pdf//data0001 | Trojan-Downloader.PDF.Agent.r | Trojanisches Programm | Heute, 22:02
```

Code:
```
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 18.05.2015
Suchlauf-Zeit: 22:41:07
Logdatei:
Administrator: Ja

Version: 2.01.6.1022
Malware Datenbank: v2015.05.18.05
Rootkit Datenbank: v2015.05.16.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: RAHN_NEU

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 347366
Verstrichene Zeit: 14 Min, 23 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Tiefer Rootkit-Suchlauf: Aktiviert
Heuristik: Aktiviert
PUP: Warnen
PUM: Aktiviert

Prozesse: 0 (Keine schädliche Elemente gefunden)
Module: 0 (Keine schädliche Elemente gefunden)
Registrierungsschlüssel: 0 (Keine schädliche Elemente gefunden)
Registrierungswerte: 0 (Keine schädliche Elemente gefunden)
Registrierungsdaten: 0 (Keine schädliche Elemente gefunden)
Ordner: 0 (Keine schädliche Elemente gefunden)
Dateien: 0 (Keine schädliche Elemente gefunden)
Physische Sektoren: 0 (Keine schädliche Elemente gefunden)

(end)
```

Code:
```
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 18.05.2015
Suchlauf-Zeit: 22:56:48
Logdatei:
Administrator: Ja

Version: 2.01.6.1022
Malware Datenbank: v2015.05.18.06
Rootkit Datenbank: v2015.05.16.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: RAHN_NEU

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgebrochen
Durchsuchte Objekte: 0 (Keine schädliche Elemente gefunden)
Verstrichene Zeit: 0 Min, 15 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Tiefer Rootkit-Suchlauf: Aktiviert
Heuristik: Aktiviert
PUP: Warnen
PUM: Aktiviert

Prozesse: 0 (Keine schädliche Elemente gefunden)
Module: 0 (Keine schädliche Elemente gefunden)
Registrierungsschlüssel: 0 (Keine schädliche Elemente gefunden)
Registrierungswerte: 0 (Keine schädliche Elemente gefunden)
Registrierungsdaten: 0 (Keine schädliche Elemente gefunden)
Ordner: 0 (Keine schädliche Elemente gefunden)
Dateien: 0 (Keine schädliche Elemente gefunden)
Physische Sektoren: 0 (Keine schädliche Elemente gefunden)

(end)
```

- System scan with FRST. Here are the log files:

FRST.txt:

Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-05-2015 02 Ran by RAHN_NEU (administrator) on RAHN_NEU-PC on 18-05-2015 23:33:34 Running from C:\Users\RAHN_NEU\Desktop Loaded Profiles: RAHN_NEU (Available profiles: RAHN_NEU) Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 (Default browser: FF) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (AMD) C:\Windows\System32\atiesrxx.exe (AMD) C:\Windows\System32\atieclxx.exe () C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe (Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe (Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe (BonSoft) C:\Program Files (x86)\ClocX\ClocX.exe (Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe (Geek Software GmbH) C:\Program Files (x86)\PDF24\pdf24.exe (Logitech, Inc.) 
C:\Program Files\Common Files\logishrd\KHAL3\KHALMNPR.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avpui.exe (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\wmi64.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor) HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3100440 2014-05-19] (Logitech, Inc.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-30] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [ClocX] => C:\Program Files (x86)\ClocX\ClocX.exe [2090496 2013-01-14] (BonSoft) HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.) HKLM-x32\...\Run: [PDFPrint] => C:\Program Files (x86)\PDF24\pdf24.exe [191528 2014-07-04] (Geek Software GmbH) HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated) Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.) 
HKU\S-1-5-21-3720886606-3869830146-954996509-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8204056 2015-04-23] (Piriform Ltd) HKU\S-1-5-21-3720886606-3869830146-954996509-1000\...\Policies\system: [LogonHoursAction] 2 HKU\S-1-5-21-3720886606-3869830146-954996509-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1 HKU\S-1-5-21-3720886606-3869830146-954996509-1000\...\MountPoints2: {faba187e-a88a-11e3-b124-806e6f6e6963} - E:\Run.exe HKU\S-1-5-21-3720886606-3869830146-954996509-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\ssText3d.scr [333824 2010-11-21] (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-03-12] (Kaspersky Lab ZAO) BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices) BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-12-17] (Kaspersky Lab ZAO) BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-04-23] (Oracle Corporation) BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 
14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll [2014-03-12] (Kaspersky Lab ZAO) BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.) BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-23] (Oracle Corporation) BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll [2014-03-12] (Kaspersky Lab ZAO) BHO-x32: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-03-12] (Kaspersky Lab ZAO) BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices) BHO-x32: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-12-17] (Kaspersky Lab ZAO) BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll [2014-03-12] (Kaspersky Lab ZAO) BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.) 
BHO-x32: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll [2014-03-12] (Kaspersky Lab ZAO) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies) Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices) Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices) Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices) Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices) Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 FireFox: ======== FF ProfilePath: C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default FF SelectedSearchEngine: Google.de FF Homepage: https://www.google.de/ FF NetworkProxy: "type", 0 FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-15] () FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-23] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-23] (Oracle Corporation) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-15] () FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft 
Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.) FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN) FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN) FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.) FF SearchPlugin: C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\searchplugins\googlede.xml [2011-11-02] FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\artur.dubovoy@gmail.com [2015-04-19] FF Extension: German Dictionary, extended for Austria - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\de-AT@dictionaries.addons.mozilla.org [2014-08-24] FF Extension: German Dictionary - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\de-DE@dictionaries.addons.mozilla.org [2014-09-06] FF Extension: No Name - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\nostmp [2014-03-12] FF Extension: Youtube MP3 Podcaster - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\youtubemp3podcaster@jeremy.d.gregorio.com [2015-04-06] FF Extension: Lightshot (screenshot tool) - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B} [2014-12-05] FF Extension: EPUBReader - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2015-04-18] FF Extension: Classic Theme Restorer (Customize UI) - 
C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-09-06] FF Extension: Facebook Disconnect - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\facebook@disconnect.me.xpi [2014-09-06] FF Extension: Bookmarks Checker - check for bad links - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\firefoxbookmarkchecker@everhelper.me.xpi [2014-09-06] FF Extension: ProxTube - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\ich@maltegoetz.de.xpi [2014-09-12] FF Extension: Lightbeam - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2014-10-31] FF Extension: Flagfox - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2014-10-31] FF Extension: Download Status Bar - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{6c28e999-e900-4635-a39d-b1ec90ba0c0f}.xpi [2014-03-12] FF Extension: Google Analytics Opt-out Browser Add-on - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi [2014-03-12] FF Extension: Adblock Plus - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-03-12] FF Extension: User Agent Switcher - C:\Users\RAHN_NEU\AppData\Roaming\Mozilla\Firefox\Profiles\ycyx4tgv.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi [2014-09-06] FF HKLM-x32\...\Firefox\Extensions: - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\FFExt\url_advisor@kaspersky.com FF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\FFExt\url_advisor@kaspersky.com [2014-03-12] FF 
HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\FFExt\virtual_keyboard@kaspersky.com FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-03-12] FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\FFExt\content_blocker@kaspersky.com FF Extension: Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\FFExt\content_blocker@kaspersky.com [2014-03-12] FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-09-06] Chrome: ======= CHR HKLM\...\Chrome\Extension: [blbkdnmdcafmfhinpmnlhhddbepgkeaa] - https://chrome.google.com/webstore/detail/blbkdnmdcafmfhinpmnlhhddbepgkeaa CHR HKLM-x32\...\Chrome\Extension: [blbkdnmdcafmfhinpmnlhhddbepgkeaa] - https://chrome.google.com/webstore/detail/blbkdnmdcafmfhinpmnlhhddbepgkeaa CHR HKLM-x32\...\Chrome\Extension: [dchlnpcodkpfdpacogkljefecpegganj] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\ChromeExt\urladvisor.crx [2013-10-17] CHR HKLM-x32\...\Chrome\Extension: [hghkgaeecgjhjkannahfamoehjmkjail] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\ChromeExt\content_blocker_chrome.crx [2013-10-17] CHR HKLM-x32\...\Chrome\Extension: [jagncdcchgajhfhijbbhecadmaiegcmh] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\ChromeExt\virtkbd.crx [2013-10-17] ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) 
R2 AAV UpdateService; C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe [128296 2008-10-24] () R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-08-30] (Advanced Micro Devices, Inc.) [File not signed] S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] () R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe [214512 2013-10-17] (Kaspersky Lab ZAO) R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation) S2 MBAMService; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation) R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) 
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22240 2013-10-28] () R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [458336 2014-03-12] (Kaspersky Lab ZAO) S4 klflt; C:\Windows\System32\DRIVERS\klflt.sys [115296 2014-03-24] (Kaspersky Lab ZAO) R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [625248 2014-03-24] (Kaspersky Lab ZAO) R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [29792 2013-10-17] (Kaspersky Lab ZAO) R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [29280 2014-03-12] (Kaspersky Lab ZAO) R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [29280 2013-10-17] (Kaspersky Lab ZAO) R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO) R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [55904 2013-05-14] (Kaspersky Lab ZAO) R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [178272 2014-03-12] (Kaspersky Lab ZAO) R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation) S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation) R0 sfdrv01a; C:\Windows\System32\drivers\sfdrv01a.sys [77432 2009-02-03] (Protection Technology (StarForce)) R0 sfsync04; C:\Windows\System32\drivers\sfsync04.sys [79800 2012-06-19] (Protection Technology (StarForce)) S1 UsbCharger; C:\Windows\System32\DRIVERS\UsbCharger.sys [22240 2013-10-24] () S3 gdrv; \??\C:\Windows\gdrv.sys [X] S0 hyglvro; System32\drivers\ebqljbw.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 
2015-05-18 23:33 - 2015-05-18 23:34 - 00017559 _____ () C:\Users\RAHN_NEU\Desktop\FRST.txt 2015-05-18 23:33 - 2015-05-18 23:33 - 00000000 ____D () C:\FRST 2015-05-18 23:29 - 2015-05-18 23:29 - 00000478 _____ () C:\Users\RAHN_NEU\Desktop\defogger_disable.log 2015-05-18 23:29 - 2015-05-18 23:29 - 00000000 _____ () C:\Users\RAHN_NEU\defogger_reenable 2015-05-18 23:20 - 2015-05-18 23:20 - 00380416 _____ () C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe 2015-05-18 23:19 - 2015-05-18 23:19 - 02107392 _____ (Farbar) C:\Users\RAHN_NEU\Desktop\FRST64.exe 2015-05-18 23:18 - 2015-05-18 23:18 - 00050477 _____ () C:\Users\RAHN_NEU\Desktop\Defogger.exe 2015-05-17 21:26 - 2015-05-17 21:26 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Local\CrashDumps 2015-05-17 11:27 - 2015-05-17 11:27 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2015-05-15 22:27 - 2015-05-15 22:27 - 00000000 ____D () C:\Users\RAHN_NEU\Documents\Steuerfälle 2015-05-15 22:23 - 2015-05-15 22:23 - 00002052 _____ () C:\Users\Public\Desktop\SteuerBerater 2014-2015.lnk 2015-05-15 22:22 - 2015-05-15 22:26 - 00002095 _____ () C:\Users\Public\Desktop\SteuerSparErklärung Plus 2015.lnk 2015-05-15 22:22 - 2015-05-15 22:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steuertipps 2015-05-15 22:22 - 2015-05-15 22:22 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Local\AAV 2015-05-15 22:21 - 2015-05-15 22:21 - 00000000 ____D () C:\Programme (x86) 2015-05-15 22:17 - 2015-05-15 22:23 - 00000000 ____D () C:\ProgramData\AAV 2015-05-13 22:49 - 2015-05-01 15:17 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll 2015-05-13 22:49 - 2015-05-01 15:16 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll 2015-05-13 15:20 - 2015-05-05 03:29 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll 2015-05-13 15:20 - 2015-05-05 03:12 - 00248832 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\schannel.dll 2015-05-13 15:20 - 2015-04-22 04:28 - 00389840 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2015-05-13 15:20 - 2015-04-22 03:48 - 00342736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2015-05-13 15:20 - 2015-04-21 19:14 - 24971776 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2015-05-13 15:20 - 2015-04-21 19:08 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2015-05-13 15:20 - 2015-04-21 19:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2015-05-13 15:20 - 2015-04-21 18:51 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2015-05-13 15:20 - 2015-04-21 18:50 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2015-05-13 15:20 - 2015-04-21 18:50 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec 2015-05-13 15:20 - 2015-04-21 18:50 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2015-05-13 15:20 - 2015-04-21 18:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2015-05-13 15:20 - 2015-04-21 18:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2015-05-13 15:20 - 2015-04-21 18:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2015-05-13 15:20 - 2015-04-21 18:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2015-05-13 15:20 - 2015-04-21 18:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2015-05-13 15:20 - 2015-04-21 18:35 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll 2015-05-13 15:20 - 2015-04-21 18:35 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2015-05-13 15:20 - 2015-04-21 18:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2015-05-13 15:20 - 2015-04-21 18:34 - 00814080 _____ (Microsoft Corporation) 
C:\Windows\system32\jscript9diag.dll 2015-05-13 15:20 - 2015-04-21 18:31 - 06025728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2015-05-13 15:20 - 2015-04-21 18:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2015-05-13 15:20 - 2015-04-21 18:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2015-05-13 15:20 - 2015-04-21 18:24 - 19691008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2015-05-13 15:20 - 2015-04-21 18:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2015-05-13 15:20 - 2015-04-21 18:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2015-05-13 15:20 - 2015-04-21 18:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2015-05-13 15:20 - 2015-04-21 18:11 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2015-05-13 15:20 - 2015-04-21 18:10 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2015-05-13 15:20 - 2015-04-21 18:09 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec 2015-05-13 15:20 - 2015-04-21 18:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2015-05-13 15:20 - 2015-04-21 18:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2015-05-13 15:20 - 2015-04-21 18:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2015-05-13 15:20 - 2015-04-21 18:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2015-05-13 15:20 - 2015-04-21 18:04 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2015-05-13 15:20 - 2015-04-21 18:03 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2015-05-13 15:20 - 2015-04-21 18:02 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2015-05-13 15:20 - 2015-04-21 18:00 - 00478208 _____ (Microsoft 
Corporation) C:\Windows\SysWOW64\ieui.dll
2015-05-13 15:20 - 2015-04-21 17:58 - 00664576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-05-13 15:20 - 2015-04-21 17:58 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-05-13 15:20 - 2015-04-21 17:57 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-05-13 15:20 - 2015-04-21 17:49 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-13 15:20 - 2015-04-21 17:49 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-05-13 15:20 - 2015-04-21 17:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-05-13 15:20 - 2015-04-21 17:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-05-13 15:20 - 2015-04-21 17:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-13 15:20 - 2015-04-21 17:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-05-13 15:20 - 2015-04-21 17:40 - 14401536 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-13 15:20 - 2015-04-21 17:39 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-05-13 15:20 - 2015-04-21 17:38 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-05-13 15:20 - 2015-04-21 17:36 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-05-13 15:20 - 2015-04-21 17:31 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-05-13 15:20 - 2015-04-21 17:27 - 02352128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-13 15:20 - 2015-04-21 17:26 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-05-13 15:20 - 2015-04-21 17:25 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-05-13 15:20 - 2015-04-21 17:24 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-05-13 15:20 - 2015-04-21 17:17 - 12828672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-05-13 15:20 - 2015-04-21 17:15 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-13 15:20 - 2015-04-21 17:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-05-13 15:20 - 2015-04-21 17:02 - 01882112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-05-13 15:20 - 2015-04-21 16:58 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-05-13 15:20 - 2015-04-21 16:56 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-05-13 15:20 - 2015-04-18 05:10 - 00460800 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-05-13 15:20 - 2015-04-18 04:56 - 00342016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2015-05-13 15:20 - 2015-04-04 05:29 - 00155576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-05-13 15:20 - 2015-04-04 05:29 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-05-13 15:20 - 2015-04-04 05:22 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-05-13 15:20 - 2015-04-04 05:22 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-05-13 15:20 - 2015-04-04 05:20 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-05-13 15:20 - 2015-04-04 05:20 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-05-13 15:20 - 2015-04-04 05:17 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-05-13 15:20 - 2015-04-04 05:17 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-05-13 15:20 - 2015-04-04 05:15 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-05-13 15:20 - 2015-04-04 05:05 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-05-13 15:20 - 2015-04-04 05:04 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-05-13 15:20 - 2015-04-04 05:04 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-05-13 15:20 - 2015-04-04 05:01 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-05-13 15:20 - 2015-04-04 05:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-05-13 15:20 - 2015-04-04 04:59 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-05-13 15:18 - 2015-04-20 05:17 - 01647104 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-13 15:18 - 2015-04-20 05:17 - 01179136 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-13 15:18 - 2015-04-20 04:56 - 01250816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-05-13 15:18 - 2015-04-20 04:11 - 03204608 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-13 15:18 - 2015-04-13 05:28 - 00328704 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-13 15:18 - 2015-04-08 05:29 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-05-13 15:18 - 2015-04-08 05:29 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2015-05-13 15:18 - 2015-04-08 05:14 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-05-13 15:18 - 2015-02-18 09:06 - 00123904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2015-05-13 15:18 - 2015-02-18 09:04 - 00142336 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2015-05-04 21:03 - 2015-05-10 20:52 - 00000680 _____ () C:\Windows\LkmdfCoInst.log
2015-05-04 21:03 - 2015-05-04 21:03 - 00000000 ____D () C:\ProgramData\Logitech
2015-05-03 00:02 - 2015-05-03 00:02 - 449194244 _____ () C:\Windows\MEMORY.DMP
2015-05-03 00:02 - 2015-05-03 00:02 - 00805912 _____ () C:\Windows\Minidump\050315-76877-01.dmp
2015-04-29 09:28 - 2015-05-18 23:30 - 00003215 _____ () C:\Windows\setupact.log
2015-04-29 09:28 - 2015-04-29 09:28 - 00000000 _____ () C:\Windows\setuperr.log
2015-04-28 21:01 - 2015-04-28 21:01 - 00000000 ____D () C:\Program Files (x86)\MySQL
2015-04-28 20:57 - 2015-04-28 20:57 - 00000000 ____D () C:\Program Files\MySQL
2015-04-19 21:22 - 2015-04-19 21:22 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Roaming\EXIF Date Changer
2015-04-19 21:22 - 2015-04-19 21:22 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Local\Rellik_Software
2015-04-19 21:22 - 2015-04-19 21:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EXIF Date Changer
2015-04-19 21:22 - 2015-04-19 21:22 - 00000000 ____D () C:\Program Files (x86)\EXIF Date Changer
2015-04-18 23:03 - 2015-04-18 23:03 - 00070904 _____ () C:\Users\RAHN_NEU\.recently-used.xbel
2015-04-18 23:01 - 2015-04-18 23:01 - 00000057 _____ () C:\Users\RAHN_NEU\.gtk-bookmarks

==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-18 23:33 - 2014-03-10 21:42 - 02051905 _____ () C:\Windows\WindowsUpdate.log
2015-05-18 23:30 - 2014-03-12 21:39 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-05-18 23:30 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-18 23:29 - 2014-03-10 21:42 - 00000000 ____D () C:\Users\RAHN_NEU
2015-05-18 23:12 - 2014-09-06 23:12 - 00000911 _____ () C:\Windows\Tasks\EPSON XP-610 Series Update {E24B71F2-12BE-466D-89DD-F2D365ADC08C}.job
2015-05-18 23:12 - 2014-09-06 23:12 - 00000725 _____ () C:\Windows\Tasks\EPSON XP-610 Series Invitation {E24B71F2-12BE-466D-89DD-F2D365ADC08C}.job
2015-05-18 23:12 - 2014-03-12 22:09 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-05-18 23:12 - 2009-07-14 07:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-05-18 23:11 - 2010-11-21 08:50 - 00699092 _____ () C:\Windows\system32\perfh007.dat
2015-05-18 23:11 - 2010-11-21 08:50 - 00149232 _____ () C:\Windows\system32\perfc007.dat
2015-05-18 23:11 - 2009-07-14 07:13 - 01619284 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-18 22:56 - 2015-01-03 10:23 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-18 21:50 - 2015-01-03 10:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2015-05-18 21:50 - 2015-01-03 10:23 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2015-05-18 18:05 - 2009-07-14 06:45 - 00022512 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-18 18:05 - 2009-07-14 06:45 - 00022512 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-18 06:59 - 2014-03-10 23:05 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-05-18 00:05 - 2014-03-15 14:45 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Roaming\vlc
2015-05-17 18:39 - 2014-09-07 13:42 - 00000000 ____D () C:\Users\RAHN_NEU\.mediathek3
2015-05-16 09:24 - 2015-01-10 23:04 - 00000600 _____ () C:\Users\RAHN_NEU\AppData\Local\PUTTY.RND
2015-05-16 09:24 - 2014-09-07 13:12 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Roaming\FileZilla
2015-05-16 08:47 - 2014-03-10 22:20 - 00071832 _____ () C:\Users\RAHN_NEU\AppData\Local\GDIPFONTCACHEV1.DAT
2015-05-16 08:42 - 2009-07-14 06:45 - 00325560 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-05-15 15:42 - 2014-03-12 22:42 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-05-14 10:34 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2015-05-14 09:23 - 2014-03-15 14:38 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-13 22:56 - 2014-03-12 23:59 - 00000000 ____D () C:\Windows\system32\MRT
2015-05-13 22:56 - 2010-11-21 09:01 - 00000000 ____D () C:\Program Files\Windows Journal
2015-05-13 22:54 - 2014-03-12 23:59 - 140425016 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-05-13 22:49 - 2014-03-13 00:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-13 22:48 - 2014-03-13 00:28 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-05-13 22:48 - 2014-03-13 00:28 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-05-10 20:52 - 2014-09-06 23:23 - 00018960 _____ (Logitech, Inc.) C:\Windows\system32\Drivers\LNonPnP.sys
2015-05-05 22:31 - 2015-03-17 22:02 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Local\Deployment
2015-05-05 21:22 - 2015-04-03 17:24 - 00000000 ____D () C:\Program Files (x86)\ElsterFormular
2015-05-03 19:19 - 2014-09-07 12:20 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Roaming\BOM
2015-05-03 00:02 - 2014-09-06 22:13 - 00000000 ____D () C:\Windows\Minidump
2015-04-28 21:09 - 2014-09-21 22:32 - 00000168 _____ () C:\Windows\ODBC.INI
2015-04-28 21:01 - 2014-10-02 07:18 - 00000493 _____ () C:\Windows\ODBCINST.INI
2015-04-28 20:43 - 2014-09-21 21:38 - 00001799 _____ () C:\Users\RAHN_NEU\Desktop\Waldschänke 18.lnk
2015-04-27 20:34 - 2014-09-07 08:59 - 00000000 ____D () C:\Program Files\CCleaner
2015-04-27 07:28 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-23 07:05 - 2015-02-21 12:12 - 00000000 ____D () C:\Program Files\Java
2015-04-23 07:05 - 2014-09-07 13:40 - 00000000 ____D () C:\ProgramData\Oracle
2015-04-23 07:04 - 2015-02-21 12:13 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-04-19 22:25 - 2014-11-30 22:29 - 00000000 ____D () C:\Users\RAHN_NEU\.gimp-2.4
2015-04-18 23:03 - 2014-11-30 22:37 - 00000000 ____D () C:\Users\RAHN_NEU\AppData\Roaming\gtk-2.0

==================== Files in the root of some directories =======

2015-01-10 23:04 - 2015-05-16 09:24 - 0000600 _____ () C:\Users\RAHN_NEU\AppData\Local\PUTTY.RND
2014-08-28 21:04 - 2014-08-28 21:04 - 0001534 _____ () C:\ProgramData\ss.ini

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-05-14 10:27

==================== End Of Log ============================

Code:
ATTFilter
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-05-2015 02
Ran by RAHN_NEU at 2015-05-18 23:34:40
Running from C:\Users\RAHN_NEU\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3720886606-3869830146-954996509-500 - Administrator - Disabled)
Gast (S-1-5-21-3720886606-3869830146-954996509-501 - Limited - Disabled)
RAHN_NEU (S-1-5-21-3720886606-3869830146-954996509-1000 - Administrator - Enabled) => C:\Users\RAHN_NEU

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)

AV: Kaspersky Anti-Virus (Enabled - Up to date) {179979E8-273D-D14E-0543-2861940E4886}
AS: Kaspersky Anti-Virus (Enabled - Up to date) {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
AAVUpdateManager (HKLM-x32\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.11) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
Advanced Renamer (HKLM-x32\...\Advanced Renamer_is1) (Version: 3.64 - Hulubulu Software)
AMD Catalyst Install Manager (HKLM\...\{1D1DCF8A-6961-F848-0DA0-5401969C44CE}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
AutoMetadata (HKU\S-1-5-21-3720886606-3869830146-954996509-1000\...\c934834aea0c0bc3) (Version: 1.0.0.8 - EverMap)
Biet-O-Matic v2.14.12 (HKLM-x32\...\Biet-O-Matic v2.14.12) (Version: 2.14.12 - BOM Development Team)
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.05 - Piriform)
ClocX (1.6.0) (HKLM-x32\...\ClocX) (Version: - )
Die Sims™ 3 (HKLM-x32\...\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}) (Version: 1.67.2 - Electronic Arts)
ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 16.1.16835 - Landesfinanzdirektion Thüringen)
Epson Print CD (HKLM-x32\...\{D16A31F9-276D-4968-A753-FFEAC56995D0}) (Version: 2.33.00 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version: - Seiko Epson Corporation)
EPSON XP-610 Series Printer Uninstall (HKLM\...\EPSON XP-610 Series) (Version: - SEIKO EPSON Corporation)
EPSON-Handbücher (HKLM-x32\...\{84CECC1B-21EF-41B1-9A91-3E724E5D99D3}) (Version: 1.32.0.0 - SEIKO EPSON CORPORATION)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
EXIF Date Changer v3.1.2 (HKLM-x32\...\{26CA1B07-BC53-4196-B9C2-A11C6F6F3E08}_is1) (Version: - Rellik Software)
Exif-Viewer 2.51 (HKLM-x32\...\Exif-Viewer) (Version: 2.51 - Ralf Bibinger)
FastStone Image Viewer 4.9 (HKLM-x32\...\FastStone Image Viewer) (Version: 4.9 - FastStone Soft)
FileZilla Client 3.10.3 (HKLM-x32\...\FileZilla Client) (Version: 3.10.3 - Tim Kosse)
Freemake Video Converter Version 4.1.4 (HKLM-x32\...\Freemake Video Converter_is1) (Version: 4.1.4 - Ellora Assets Corporation)
FreeRIP MP3 Converter 4.5.2 (HKLM-x32\...\{501451DE-5808-4599-B544-8BD0915B6B24}_is1) (Version: 4.5.2 - GreenTree Applications SRL)
GimPad 1.1 (HKLM-x32\...\GimPad) (Version: 1.1 - Ek kian)
GimPhoto 1.4.3 (HKLM-x32\...\GimPhoto) (Version: 1.4.3 - Ek kian)
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)
JDiskReport 1.4.1 (HKLM-x32\...\JDiskReport 1.4.1) (Version: 1.4.1 (2014-02-26 11:50:44) - JGoodies Karsten Lentzsch)
Kaspersky Anti-Virus (HKLM-x32\...\InstallWIX_{6F6873E3-5C92-4049-B511-231A138DD090}) (Version: 14.0.0.4651 - Kaspersky Lab)
Kaspersky Anti-Virus (x32 Version: 14.0.0.4651 - Kaspersky Lab) Hidden
Logitech SetPoint 6.65 (HKLM\...\sp6) (Version: 6.65.62 - Logitech)
Logitech Webcam-Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
Malwarebytes Anti-Malware Version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
MediaHuman YouTube to MP3 Converter Version 3.5.5 (HKLM-x32\...\MediaHuman YouTube to MP3 Converter_is1) (Version: 3.5.5 - )
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Expression Web 4 (HKLM-x32\...\Web_4.0.1460.0) (Version: 4.0.1460.0 - Microsoft Corporation)
Microsoft Flight Simulator 2004 - Das Jahrhundert der Luftfahrt (HKLM-x32\...\Flight Simulator 9.0) (Version: 9.0 - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{e6e75766-da0f-4ba2-9788-6ea593ce702d}) (Version: 12.0.30501.0 - Microsoft Corporation)
MozBackup 1.5.1 (HKLM-x32\...\MozBackup) (Version: - Pavel Cvrcek)
Mozilla Firefox 38.0.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 38.0.1 (x86 de)) (Version: 38.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.1.0 - Mozilla)
Mozilla Thunderbird 31.6.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 31.6.0 (x86 de)) (Version: 31.6.0 - Mozilla)
Mp3tag v2.63 (HKLM-x32\...\Mp3tag) (Version: v2.63 - Florian Heidenreich)
MySQL Connector/ODBC 5.3 (HKLM\...\{A1991404-2634-47E1-BC45-8F3B5014B1D1}) (Version: 5.3.4 - Oracle Corporation)
MySQL Connector/ODBC 5.3 (HKLM-x32\...\{4C6A664C-DCA0-4CC6-8752-ED0850E3135A}) (Version: 5.3.4 - Oracle Corporation)
NetBeans IDE 8.0.2 (HKLM\...\nbi-nb-base-8.0.2.0.201411181905) (Version: 8.0.2 - NetBeans.org)
ON_OFF Charge 2 B13.1028.1 (HKLM-x32\...\InstallShield_{6B4ED6F7-BB88-4945-B0C6-01410E1BAC3A}) (Version: 1.00.0000 - GIGABYTE)
ON_OFF Charge 2 B13.1028.1 (x32 Version: 1.00.0000 - GIGABYTE) Hidden
PDF Layout 3.01 (HKLM\...\PDF Layout_is1) (Version: 3.01 - Bureausoft Corporation)
PDF Split And Merge Basic (HKLM\...\{9A40D2F8-9458-458B-95E3-B57797C574E1}) (Version: 2.2.4 - Andrea Vacondio)
PDF24 Creator 6.7.0 (HKLM-x32\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org)
Puzzle Agent - The Mystery of Scoggins (HKLM-x32\...\The Mystery of Scoggins) (Version: 1.0.0.0 - Telltale Games)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.49.927.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7076 - Realtek Semiconductor Corp.)
ReNamer (HKLM-x32\...\ReNamer_is1) (Version: 5.74 - Denis Kozlov)
Secure Eraser (HKLM-x32\...\Secure Eraser_is1) (Version: 4.2.0.1 - ASCOMP Software GmbH)
SimCity 4 Deluxe (HKLM-x32\...\{3F0D0ABE-CDAF-431A-00BC-CBBE018EA74E}) (Version: - )
Skype™ 6.18 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.18.106 - Skype Technologies S.A.)
Software Updater (HKLM-x32\...\{B307472F-7BD9-4040-9255-CE6D6A1196A3}) (Version: 4.3.1 - SEIKO EPSON CORPORATION)
SteuerBerater 2014-2015 (HKLM-x32\...\{415227BD-34D9-4DB3-B74C-554407208203}) (Version: 14.11.2 - Akademische Arbeitsgemeinschaft)
SteuerSparErklärung Plus 2015 (HKLM-x32\...\{312C0E08-8F94-4536-AAF6-3413F784AC5F}) (Version: 20.34.161 - Akademische Arbeitsgemeinschaft)
streamWriter (HKLM-x32\...\streamWriter_is1) (Version: - )
TIPP10 Version 2.1.0 (HKLM-x32\...\TIPP10_is1) (Version: - (c) 2006-2011, Tom Thielicke IT Solutions)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WinMerge 2.14.0 (HKLM-x32\...\WinMerge_is1) (Version: 2.14.0 - Thingamahoochie Software)

==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

14-05-2015 12:03:45 Windows Update
15-05-2015 22:21:04 SteuerSparErklärung 2015 wurde installiert.
15-05-2015 22:22:07 SteuerBerater 2014-2015 wurde installiert.
15-05-2015 22:23:03 Installed AAVUpdateManager.
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0793FFD7-7FB4-4550-9344-751DC17DB7FF} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {1B340516-65A1-4E96-B87A-4557A3EA6FF9} - System32\Tasks\EPSON XP-610 Series Update {E24B71F2-12BE-466D-89DD-F2D365ADC08C} => C:\Windows\system32\spool\DRIVERS\x64\3\E_ITSLQE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {4DE488E5-DBA6-4FD3-862D-ED2F63CC78D4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-04-23] (Piriform Ltd)
Task: {A1BABA24-5125-4916-8E59-50B659448A6F} - System32\Tasks\EPSON XP-610 Series Invitation {E24B71F2-12BE-466D-89DD-F2D365ADC08C} => C:\Windows\system32\spool\DRIVERS\x64\3\E_ITSLQE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {BBF34A7F-90ED-4E73-81D6-937D0F83CC02} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-15] (Adobe Systems Incorporated)
Task: {C41B4DE6-2001-45D9-97ED-0B346F46BABB} - System32\Tasks\{9EC1C3E3-827E-4517-BF86-3A024B326090} => Firefox.exe hxxp://ui.skype.com/ui/0/6.14.0.104/de/abandoninstall?source=lightinstaller&page=tsPlugin
Task: {E65C1C83-DC70-4B2C-AF4C-F90D4C6BDB0D} - System32\Tasks\{33A57059-EFFE-40B5-ABBD-D5D8C8ADC5BD} => E:\RunGame.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\EPSON XP-610 Series Invitation {E24B71F2-12BE-466D-89DD-F2D365ADC08C}.job => C:\Windows\system32\spool\DRIVERS\x64\3\E_ITSLQE.EXE
Task: C:\Windows\Tasks\EPSON XP-610 Series Update {E24B71F2-12BE-466D-89DD-F2D365ADC08C}.job => C:\Windows\system32\spool\DRIVERS\x64\3\E_ITSLQE.EXE:/EXE:{E24B71F2-12BE-466D-89DD-F2D365ADC08C} /F:UpdateSYSTEM Searches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi

==================== Loaded Modules (Whitelisted) ==============

2008-10-24 16:35 - 2008-10-24 16:35 - 00128296 _____ () C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
2013-08-30 20:47 - 2013-08-30 20:47 - 00214528 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.PerformanceTuning.dll
2012-10-22 15:41 - 2012-10-22 15:41 - 00749056 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll
2012-10-22 15:42 - 2012-10-22 15:42 - 03645952 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Platform.dll
2015-03-29 12:25 - 2015-03-29 12:25 - 00043480 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2014-03-12 22:32 - 2012-09-07 17:57 - 00559424 _____ () C:\Program Files (x86)\Secure Eraser\SecEraser64.dll
2015-04-08 21:53 - 2015-04-08 21:53 - 00057344 _____ () C:\Program Files\CCleaner\lang\lang-1031.dll
2013-06-17 13:35 - 2013-06-17 13:35 - 00478400 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\dblite.dll
2013-05-08 15:52 - 2013-05-08 15:52 - 01270464 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\kpcengine.2.3.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 02144104 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 07955304 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 00341352 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 00028008 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 00127336 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll

==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, the associated entry will be removed from the registry.)

==================== Other Areas ============================
(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3720886606-3869830146-954996509-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\RAHN_NEU\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1

==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{09535E8B-1EBF-477B-82B2-B89D1E7C7342}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{4A139AF7-106D-4C18-9C5B-34CA58DC6721}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F9174DB3-12CC-4E17-835F-D0C2574E812F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{3148960C-3363-4E75-803B-9884BFAC8355}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{BE473FA0-96B4-405D-855C-B48FB720596F}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (05/18/2015 11:32:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/18/2015 05:58:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/18/2015 03:57:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/18/2015 11:13:49 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/18/2015 07:01:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/17/2015 09:26:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: POWERPNT.EXE, Version: 12.0.6600.1000, Zeitstempel: 0x4de50c7e
Name des fehlerhaften Moduls: mso.dll, Version: 12.0.6721.5000, Zeitstempel: 0x552d1146
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00c09fa5
ID des fehlerhaften Prozesses: 0xab0
Startzeit der fehlerhaften Anwendung: 0xPOWERPNT.EXE0
Pfad der fehlerhaften Anwendung: POWERPNT.EXE1
Pfad des fehlerhaften Moduls: POWERPNT.EXE2
Berichtskennung: POWERPNT.EXE3

Error: (05/17/2015 06:34:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/17/2015 09:24:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/17/2015 00:45:26 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/16/2015 08:43:46 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (05/18/2015 11:30:44 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
hyglvro
UsbCharger

Error: (05/18/2015 11:30:36 PM) (Source: sfsync04) (EventID: 1) (User: )
Description:

Error: (05/18/2015 11:30:36 PM) (Source: sfsync04) (EventID: 1) (User: )
Description:

Error: (05/18/2015 11:06:53 PM) (Source: cdrom) (EventID: 7) (User: )
Description: Fehlerhafter Block bei Gerät \Device\CdRom0.

Error: (05/18/2015 05:57:07 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
hyglvro
UsbCharger

Error: (05/18/2015 05:56:59 PM) (Source: sfsync04) (EventID: 1) (User: )
Description:

Error: (05/18/2015 05:56:59 PM) (Source: sfsync04) (EventID: 1) (User: )
Description:

Error: (05/18/2015 03:56:02 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
hyglvro
UsbCharger

Error: (05/18/2015 03:55:53 PM) (Source: sfsync04) (EventID: 1) (User: )
Description:

Error: (05/18/2015 03:55:53 PM) (Source: sfsync04) (EventID: 1) (User: )
Description:

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2015-03-11 07:17:34.053
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-03-11 07:17:34.053
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2015-03-11 07:17:34.037
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.
Date: 2015-03-11 07:17:34.037 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-03-11 07:17:34.022 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-03-11 07:17:34.022 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-03-10 07:43:13.878 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-03-10 07:43:13.878 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-03-10 07:43:13.878 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2015-03-10 07:43:13.846 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\KLELAMX64\klelam.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
==================== Memory info =========================== Processor: AMD A8-6600K APU with Radeon(tm) HD Graphics Percentage of memory in use: 24% Total physical RAM: 7363.93 MB Available physical RAM: 5573.93 MB Total Pagefile: 14726.04 MB Available Pagefile: 12791.79 MB Total Virtual: 8192 MB Available Virtual: 8191.82 MB ==================== Drives ================================ Drive c: (SYSTEM) (Fixed) (Total:97.56 GB) (Free:24.1 GB) NTFS Drive d: (DATEN) (Fixed) (Total:833.86 GB) (Free:539.92 GB) NTFS Drive f: (BACKUP) (Fixed) (Total:111.81 GB) (Free:14.23 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 0D005CA7) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=833.9 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: C3ECC3EC) Partition 1: (Not Active) - (Size=111.8 GB) - (Type=07 NTFS) ==================== End Of Log ============================ Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-05-18 23:47:15
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000068 TOSHIBA_ rev.MS2O 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\RAHN_NEU\AppData\Local\Temp\pgdcikog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076451401 2 bytes JMP 767ab1ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076451419 2 bytes JMP 767ab31a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076451431 2 bytes JMP 76828f09 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007645144a 2 bytes CALL 76784885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764514dd 2 bytes JMP 76828802 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764514f5 2 bytes JMP 768289d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007645150d 2 bytes JMP 768286f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076451525 2 bytes JMP 76828ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007645153d 2 bytes JMP 7679fc78 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076451555 2 bytes JMP 767a68bf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007645156d 2 bytes JMP 76828fc1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076451585 2 bytes JMP 76828b22 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007645159d 2 bytes JMP 768286bc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764515b5 2 bytes JMP 7679fd11 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764515cd 2 bytes JMP 767ab2b0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764516b2 2 bytes JMP 76828e84 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764516bd 2 bytes JMP 76828651 C:\Windows\syswow64\kernel32.dll
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076fe13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076fe1544 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076fe18ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000076fe1ad4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076fe1bb4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076fe1d35 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076fe1e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076fe1f85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 0000000076fe2248 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076fe26f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076fe2712 8 bytes {JMP 0x10}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076fe276f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000076fe27d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076fe2b9b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000076fe2be7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076fe30bb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 0000000076fe3248 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 33 0000000076fe37c1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 274 0000000076fe38b2 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076fe3a15 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076fe3fb0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000076fe4061 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 0000000076fe40d5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 0000000076fe4216 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000076fe4254 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 609 0000000076fe44c1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000076fe46ac 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000076fe4773 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000076fe4867 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000076fe4986 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000076fe4ab0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000076fe4b03 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 0000000076fe4d05 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 0000000076fe4f00 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 0000000076fe5007 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 483 0000000076fe51f3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 0000000076fe6006 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 0000000076fe61be 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 0000000076fe63ac 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 0000000076fe63ed 8 bytes [50, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 0000000076fe6404 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 0000000076fe645c 8 bytes [30, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000076fe6c26 8 bytes [20, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007702dca0 8 bytes {JMP QWORD [RIP-0x478a2]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007702de20 8 bytes {JMP QWORD [RIP-0x479ca]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007702de50 8 bytes {JMP QWORD [RIP-0x47c98]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702df70 8 bytes {JMP QWORD [RIP-0x47b89]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007702e020 8 bytes {JMP QWORD [RIP-0x47c7a]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e650 8 bytes {JMP QWORD [RIP-0x46b93]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e8a0 8 bytes {JMP QWORD [RIP-0x472a2]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702f100 8 bytes {JMP QWORD [RIP-0x484e0]}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000737213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007372146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000737216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000737219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000737219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\RAHN_NEU\Desktop\Gmer-19357.exe[4976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073721a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys >>UNKNOWN [0xfffffa8007bddde0]<< sfsync04.sys storport.sys hal.dll amd_sata.sys fffffa8007bddde0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dbf060] fffffa8007dbf060
Trace 3 CLASSPNP.SYS[fffff880019cd43f] -> nt!IofCallDriver -> [0xfffffa8006cfeac0] fffffa8006cfeac0
Trace 5 amd_xata.sys[fffff88000dcdd00] -> nt!IofCallDriver -> \Device\00000068[0xfffffa800767e540] fffffa800767e540
Trace \Driver\amd_sata[0xfffffa8007679220] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8007bddde0 fffffa8007bddde0

---- Threads - GMER 2.1 ----

Thread [3940:4064] 00000000772013b5
Thread [3940:4068] 00000000723c7950
Thread [3940:2412] 0000000072f9c59c
Thread [3940:2748] 0000000072f9c59c
Thread [3940:1424] 0000000072f9c59c
Thread [3940:1472] 0000000072f9c59c
Thread [3940:4840] 00000000666c0dc7
Thread [3940:4844] 00000000667736af
Thread [3940:5000] 00000000667736af
Thread [3940:5056] 0000000063acb73e
Thread [3940:2196] 0000000072f9c59c
Thread [3940:3764] 00000000772127e5
Thread [3940:124] 00000000772127e5
Thread [3940:4192] 00000000667736af
Thread [3940:4432] 00000000667736af
Thread [3940:4836] 00000000667736af
Thread [3940:4448] 00000000667736af
Thread [3940:3684] 00000000772127e5
Thread [3940:2776] 00000000772127e5
Thread [3940:2120] 00000000772127e5
Thread [3940:5020] 00000000772127e5
Thread [3940:4556] 00000000772127e5
Thread [3940:1440] 00000000667736af
Thread [3940:2996] 00000000667736af
Thread [3940:3260] 00000000667736af
Thread [3940:3328] 00000000733f27c1
Thread C:\Windows\System32\svchost.exe [4220:2112] 000007feedc19688

---- EOF - GMER 2.1 ----

v2rahn