Log Analysis and Evaluation: "Keine Rückmeldung" (Not Responding): programs start slowly and often hang

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
10.06.2015, 09:00 | #1
"Keine Rückmeldung" (Not Responding): programs start slowly and often hang

Dear Trojaner-Board team!

I am glad to have finally found someone for my problem. I have an HP laptop with Windows 8.1. At first the computer ran quite smoothly. For some months now I have had the following problems:

1. slow start-up
2. after starting up and booting, it takes unusually long before programs start; sometimes there is no reaction at all on the first click
3. after programs have started, the ones I click on often hang; error message: "Keine Rückmeldung!" (Not Responding). Recently this message appears, e.g. in "paint.net", at every editing step
4. the same problems occur when the computer resumes from hibernation
5. Firefox also starts very hesitantly and keeps showing "Keine Rückmeldung" (Not Responding)

My virus scanner (Kaspersky) and my anti-malware program (Malwarebytes) have found nothing. That is why, until now, I have blamed it on Windows 8.1. I came across your site by chance.

Many thanks in advance!

Kind regards
IT-Laie01

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 08:58 on 10/06/2015 (Frank)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015 Ran by Frank (administrator) on LAPTOP on 10-06-2015 09:00:12 Running from C:\Users\Frank\Downloads Loaded Profiles: Frank & (Available Profiles: Frank) Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 (Default browser: FF) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe (AMD) C:\Windows\System32\atiesrxx.exe (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe (Hewlett-Packard Company) C:\Windows\System32\hpservice.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe (Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (Microsoft Corporation) C:\Windows\System32\wlanext.exe (Advanced Micro Devices, Inc.) C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe () C:\Program Files (x86)\Realtek\REALTEK Bluetooth\BTDevMgr.exe (Microsoft Corporation) C:\Windows\System32\dasHost.exe (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe (Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe (Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe (Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe () C:\Program Files\CyberLink\Shared files\RichVideo64.exe (DEVGURU Co., LTD.) 
C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe (Secunia) C:\Program Files (x86)\Secunia\PSI\sua.exe (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe Failed to access process -> a2start.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe (AMD) C:\Windows\System32\atieclxx.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe (Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe (IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Microsoft Corporation) C:\Windows\System32\SkyDrive.exe () C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe (CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (AppEx Networks Corporation) C:\Program Files\AMD Quick Stream\AMDQuickStream.exe (Secunia) C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe (Nuance Communications, Inc.) 
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe (Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Raptr, Inc) C:\Program Files (x86)\Raptr\raptr.exe (Raptr, Inc) C:\Program Files (x86)\Raptr\raptr_im.exe (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe (Raptr Inc.) C:\Program Files (x86)\Raptr\raptr_ep64.exe (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe (ATI Technologies Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe (Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe Failed to access process -> backgroundTaskHost.exe Failed to access process -> LogonUI.exe () C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe (Google Inc.) C:\Windows\Temp\CR_FFD44.tmp\setup.exe (Microsoft Corporation) C:\Windows\System32\SrTasks.exe Failed to access process -> backgroundTaskHost.exe Failed to access process -> backgroundTaskHost.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe Failed to access process -> backgroundTaskHost.exe () C:\Users\Frank\Downloads\Defogger.exe (Microsoft Corporation) C:\Windows\System32\backgroundTaskHost.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) 
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-28] (Hewlett-Packard) HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-28] (Hewlett-Packard) HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-28] (Hewlett-Packard) HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3100440 2014-05-19] (Logitech, Inc.) HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8465112 2015-04-13] (Realtek Semiconductor) HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2858664 2015-03-19] (Synaptics Incorporated) HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163520 2015-04-09] (IvoSoft) HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-01] (Hewlett-Packard Company) HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.) HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.) HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.) HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.) HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2014-06-16] (Brother Industries, Ltd.) 
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.) HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [2009088 2013-01-18] (Brother Industries, Ltd.) HKLM-x32\...\Run: [PDFPrint] => C:\Program Files (x86)\PDF24\pdf24.exe [193568 2014-11-12] (Geek Software GmbH) HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-09] (Hewlett-Packard Development Company, L.P.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [Raptr] => C:\Program Files (x86)\Raptr\raptrstub.exe [55568 2015-05-15] (Raptr, Inc) HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310064 2014-05-28] (Samsung Electronics Co., Ltd.) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation) HKLM-x32\...\RunOnce: [GrpConv] => grpconv -o Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.) 
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Run: [AppEx Accelerator UI] => C:\Program Files\AMD Quick Stream\AMDQuickStream.exe [482528 2014-03-31] (AppEx Networks Corporation) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AppEx Accelerator UI] => C:\Program Files\AMD Quick Stream\AMDQuickStream.exe [482528 2014-03-31] (AppEx Networks Corporation) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2015-02-09] ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia) Startup: C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-01-15] ShortcutTarget: Dropbox.lnk -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) 
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT14/4 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4 HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT14/4 HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.uk.msn.com/HPNOT14/4 HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4 HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.web.de/ HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4 HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.web.de/ HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4 SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 -> {409DDD25-F754-4E92-9B6F-20BACCC3A0EF} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002 -> {409DDD25-F754-4E92-9B6F-20BACCC3A0EF} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {409DDD25-F754-4E92-9B6F-20BACCC3A0EF} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} BHO: Content 
Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO) BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-11-22] (Kaspersky Lab ZAO) BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll [2014-04-20] (Kaspersky Lab ZAO) BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.) BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO) BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard) BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation) BHO-x32: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO) BHO-x32: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-11-22] (Kaspersky Lab ZAO) BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program 
Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-06-02] (Oracle Corporation) BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\OnlineBanking\online_banking_bho.dll [2014-04-20] (Kaspersky Lab ZAO) BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.) BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-06-02] (Oracle Corporation) BHO-x32: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO) BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard) Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - No File Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 FireFox: ======== FF ProfilePath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322 FF NewTab: chrome://unitedtb/content/newtab/newtab-page.xhtml FF DefaultSearchEngine: Startpage (SSL) FF Homepage: hxxp://web.de/ FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_188.dll [2015-06-02] () FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll [2015-06-02] () FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1218158.dll [2015-05-07] (Adobe Systems, Inc.) 
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-05-13] () FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-05-13] () FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-06-02] (Oracle Corporation) FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-06-02] (Oracle Corporation) FF Plugin-x32: @kaspersky.com/content_blocker -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-11-22] () FF Plugin-x32: @kaspersky.com/online_banking -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-11-22] () FF Plugin-x32: @kaspersky.com/virtual_keyboard -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-11-22] () FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.) FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-01] (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-01] (Google Inc.) FF user.js: detected! 
=> C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\user.js [2015-06-02] FF SearchPlugin: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\searchplugins\startpage-ssl.xml [2015-06-02] FF Extension: WEB.DE MailCheck - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\Extensions\mailcheck@web.de [2015-06-09] FF Extension: WOT - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-06-02] FF Extension: Adblock Plus - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-06-02] FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com FF Extension: Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-11-22] FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-11-22] FF HKLM-x32\...\Firefox\Extensions: - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com FF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com [2014-11-22] FF HKLM-x32\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com FF Extension: Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky 
Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com [2014-11-22] FF HKLM-x32\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-11-22] FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2015-02-09] Chrome: ======= CHR Profile: C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default CHR Extension: (Google Docs) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-02] CHR Extension: (Google Drive) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-06-02] CHR Extension: (YouTube) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-06-02] CHR Extension: (Google Search) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-02] CHR Extension: (Kaspersky Protection) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho [2015-06-02] CHR Extension: (Bookmark Manager) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-06-04] CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-04] CHR Extension: (Google Wallet) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-02] CHR Extension: (Gmail) - 
C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-02] CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) U4 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5155576 2015-05-31] (Emsisoft Ltd) R2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-11-20] (Advanced Micro Devices, Inc.) [File not signed] R2 AVP15.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe [233552 2014-04-20] (Kaspersky Lab ZAO) R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed] R2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [88064 2014-03-05] () [File not signed] S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation) R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-09] (Hewlett-Packard Development Company, L.P.) R2 MBAMScheduler; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation) R2 MBAMService; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation) R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-28] (Softex Inc.) [File not signed] R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.) 
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] () R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294104 2015-04-10] (Realtek Semiconductor) S2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1363160 2014-11-28] (Secunia) R2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [765144 2014-11-28] (Secunia) R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.) R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [220840 2015-03-19] (Synaptics Incorporated) R2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [51712 2014-04-17] (Advanced Micro Devices, Inc.) S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-04-03] (Microsoft Corporation) S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation) S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17640 2013-10-24] (Advanced Micro Devices, INC.) S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-23] (Advanced Micro Devices, Inc.) S3 amdkmcsp; C:\Windows\system32\DRIVERS\amdkmcsp.sys [85704 2014-04-17] (Advanced Micro Devices, Inc. ) R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [62152 2014-10-28] (Advanced Micro Devices, Inc.) R0 amdpsp; C:\Windows\System32\DRIVERS\amdpsp.sys [230088 2014-04-17] (Advanced Micro Devices, Inc. 
) R2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [229056 2014-10-28] (AppEx Networks Corporation) R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-03-12] (Advanced Micro Devices) S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation) R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink) R4 epp64; C:\Windows\System32\DRIVERS\epp64.sys [135800 2015-03-24] () [File not signed] R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [457824 2014-02-20] (Kaspersky Lab ZAO) S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29616 2012-07-27] (Kaspersky Lab) R3 klflt; C:\Windows\system32\DRIVERS\klflt.sys [142344 2014-11-22] (Kaspersky Lab ZAO) R1 klhk; C:\Windows\system32\DRIVERS\klhk.sys [243808 2014-04-10] (Kaspersky Lab ZAO) R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [771272 2014-11-22] (Kaspersky Lab ZAO) R1 KLIM6; C:\Windows\system32\DRIVERS\klim6.sys [30304 2014-02-25] (Kaspersky Lab ZAO) R3 klkbdflt; C:\Windows\system32\DRIVERS\klkbdflt.sys [28768 2014-03-28] (Kaspersky Lab ZAO) R3 klmouflt; C:\Windows\system32\DRIVERS\klmouflt.sys [29280 2013-08-08] (Kaspersky Lab ZAO) R1 klpd; C:\Windows\system32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO) R1 klwfp; C:\Windows\system32\DRIVERS\klwfp.sys [67680 2014-03-19] (Kaspersky Lab ZAO) R1 kneps; C:\Windows\system32\DRIVERS\kneps.sys [179296 2014-03-26] (Kaspersky Lab ZAO) R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation) R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [136408 2015-06-09] (Malwarebytes Corporation) R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation) R3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2014-11-28] (Secunia) R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [294104 2014-11-06] (Realtek Semiconductor Corp.) 
R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [559832 2014-02-26] (Realtek Semiconductor Corporation) U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [788696 2014-12-23] (Realsil Semiconductor Corporation) U5 RTSUER; C:\Windows\System32\Drivers\RTSUER.sys [376024 2014-12-26] (Realsil Semiconductor Corporation) R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3468504 2014-05-23] (Realtek Semiconductor Corporation ) R3 SmbDrv; C:\Windows\system32\DRIVERS\Smb_driver_AMDASF.sys [30376 2015-03-19] (Synaptics Incorporated) S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [31472 2014-06-04] (Synaptics Incorporated) S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation) R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.) S3 GENERICDRV; \??\C:\swsetup\sp68963\amifldrv64.sys [X] U3 McMPFSvc; No ImagePath U3 McNaiAnn; No ImagePath U3 McProxy; No ImagePath U3 mfecore; No ImagePath U3 mfefire; No ImagePath U3 MSK80Service; No ImagePath ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2015-06-10 09:00 - 2015-06-10 09:03 - 00031105 _____ C:\Users\Frank\Downloads\FRST.txt
2015-06-10 08:59 - 2015-06-10 09:00 - 00000000 ____D C:\FRST
2015-06-10 08:59 - 2015-06-10 08:59 - 02108928 _____ (Farbar) C:\Users\Frank\Downloads\FRST64.exe
2015-06-10 08:58 - 2015-06-10 08:58 - 00000472 _____ C:\Users\Frank\Downloads\defogger_disable.log
2015-06-10 08:58 - 2015-06-10 08:58 - 00000000 _____ C:\Users\Frank\defogger_reenable
2015-06-10 08:52 - 2015-06-10 08:52 - 00050477 _____ C:\Users\Frank\Downloads\Defogger.exe
2015-06-10 08:45 - 2015-06-10 08:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Live Add-in
2015-06-03 17:24 - 2015-06-10 08:48 - 01015563 _____ C:\Windows\WindowsUpdate.log
2015-06-02 19:36 - 2015-06-10 08:54 - 00000000 ____D C:\Users\Frank\AppData\Local\ClassicShell
2015-06-02 19:36 - 2015-06-02 19:36 - 00000000 ____D C:\Users\Frank\AppData\Roaming\ClassicShell
2015-06-02 19:36 - 2015-06-02 19:36 - 00000000 ____D C:\ProgramData\ClassicShell
2015-06-02 19:35 - 2015-06-02 19:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell
2015-06-02 19:35 - 2015-06-02 19:35 - 00000000 ____D C:\Program Files\Classic Shell
2015-06-02 19:33 - 2015-06-02 19:33 - 06590656 _____ (IvoSoft) C:\Users\Frank\Downloads\27122_ClassicShellSetup_4_2_1.exe
2015-06-02 19:03 - 2015-06-02 19:03 - 00000000 ____D C:\Users\Frank\Desktop\Alte Firefox-Daten
2015-06-02 19:02 - 2015-06-02 19:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-02 18:40 - 2015-06-02 18:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-06-02 18:33 - 2015-06-02 18:33 - 05009736 _____ (Adobe Systems Inc.) C:\Users\Frank\Downloads\Shockwave_Installer_Slim.exe
2015-06-02 18:14 - 2015-06-02 18:15 - 37328992 _____ (Oracle Corporation) C:\Users\Frank\Downloads\jre-8u45-windows-i586.exe
2015-06-02 18:13 - 2015-06-02 18:13 - 00562784 _____ (Oracle Corporation) C:\Users\Frank\Downloads\jre-8u45-windows-i586-iftw.exe
2015-05-31 16:10 - 2015-05-31 16:10 - 00001488 _____ C:\Users\Frank\Downloads\URLLink(1).acsm
2015-05-31 15:56 - 2015-05-31 15:56 - 00001548 _____ C:\Users\Frank\Downloads\URLLink.acsm
2015-05-31 15:12 - 2015-05-31 15:12 - 00001956 _____ C:\Users\Public\Desktop\Samsung Kies 3.lnk
2015-05-22 08:41 - 2015-05-22 08:41 - 00000000 ___RD C:\Users\Frank\AppData\Roaming\Brother
2015-05-20 10:29 - 2015-06-09 21:22 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-20 10:29 - 2015-05-20 10:29 - 00001085 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-20 10:29 - 2015-05-20 10:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-20 10:29 - 2015-05-20 10:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-05-20 10:29 - 2015-04-14 10:30 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-05-20 10:29 - 2015-04-14 10:30 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-05-20 10:29 - 2015-04-14 10:30 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-05-20 10:20 - 2015-05-20 10:21 - 21546400 _____ (Malwarebytes Corporation ) C:\Users\Frank\Downloads\mbam_premium(1).exe
2015-05-19 22:36 - 2015-05-19 22:36 - 00000000 ____D C:\ProgramData\SRS Labs
2015-05-19 22:35 - 2015-04-14 19:38 - 04664792 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RTKVHD64.sys
2015-05-19 22:35 - 2015-04-14 19:08 - 01736408 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoInstII64.dll
2015-05-19 22:35 - 2015-04-14 16:40 - 01303256 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTCOM64.dll
2015-05-19 22:35 - 2015-04-14 14:35 - 01990874 _____ C:\Windows\system32\Drivers\RTAIODAT.DAT
2015-05-19 22:35 - 2015-04-13 19:14 - 00168816 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkCfg64.dll
2015-05-19 22:35 - 2015-04-09 17:00 - 02846936 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RltkAPO64.dll
2015-05-19 22:35 - 2015-03-19 13:20 - 02907864 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtPgEx64.dll
2015-05-19 22:35 - 2015-03-10 18:04 - 02702040 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTSnMg64.cpl
2015-05-19 22:35 - 2015-02-04 00:38 - 01413776 _____ (Synopsys, Inc.) C:\Windows\system32\SRRPTR64.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00454288 _____ (Synopsys, Inc.) C:\Windows\system32\SRAPO64.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00369296 _____ (Synopsys, Inc.) C:\Windows\system32\SRCOM64.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00329360 _____ (Synopsys, Inc.) C:\Windows\SysWOW64\SRCOM.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00329360 _____ (Synopsys, Inc.) C:\Windows\system32\SRCOM.dll
2015-05-19 22:35 - 2015-01-19 18:10 - 72113152 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoRes64.dat
2015-05-19 22:35 - 2014-12-11 08:10 - 01104040 _____ (SRS Labs, Inc.) C:\Windows\system32\slcnt64.dll
2015-05-19 22:35 - 2014-12-11 08:10 - 00943784 _____ (DTS, Inc.) C:\Windows\system32\sl3apo64.dll
2015-05-19 22:35 - 2014-12-11 08:10 - 00734376 _____ (DTS, Inc.) C:\Windows\system32\sltech64.dll
2015-05-19 22:35 - 2014-12-11 08:10 - 00250536 _____ (TODO: <Company name>) C:\Windows\system32\slprp64.dll
2015-05-19 22:35 - 2014-12-02 18:42 - 03218800 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkApi64.dll
2015-05-19 22:35 - 2014-11-11 13:44 - 00631000 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtDataProc64.dll
2015-05-19 22:33 - 2015-04-09 15:23 - 01559744 _____ (Conexant Systems Inc.) C:\Windows\system32\CX64APO.dll
2015-05-19 22:26 - 2015-01-15 08:42 - 00881368 _____ (Realtek ) C:\Windows\system32\Drivers\Rt630x64.sys
2015-05-19 22:26 - 2015-01-15 08:42 - 00073800 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp64.dll
2015-05-19 22:25 - 2014-11-06 11:07 - 00294104 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RtsP2Stor.sys
2015-05-19 22:25 - 2014-11-06 10:57 - 00359128 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RtsPStor.sys
2015-05-19 22:25 - 2014-10-20 11:50 - 00083160 _____ (Realtek Semiconductor.) C:\Windows\system32\RtCRX64.dll
2015-05-19 22:25 - 2014-01-27 07:39 - 09890008 _____ (Realtek Semiconductor Corp.) C:\Windows\SysWOW64\RsCRIcon.dll
2015-05-19 21:49 - 2015-05-19 21:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverEasy
2015-05-19 17:25 - 2015-05-19 17:25 - 00000000 ____D C:\Users\Frank\AppData\Local\.elfohilfe
2015-05-19 16:43 - 2015-05-19 16:43 - 00000000 ____D C:\ProgramData\Emsisoft
2015-05-19 16:27 - 2015-06-10 08:56 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2015-05-19 16:27 - 2015-03-24 00:17 - 00135800 ____N C:\Windows\system32\Drivers\epp64.sys
2015-05-19 16:22 - 2015-05-19 16:26 - 160982088 _____ (Emsisoft Ltd. ) C:\Users\Frank\Downloads\EmsisoftAntiMalwareSetup.exe
2015-05-19 11:23 - 2015-05-19 11:23 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\12C22F59.sys
2015-05-16 21:22 - 2015-05-19 11:22 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\245C0FCA.sys
2015-05-16 20:01 - 2015-05-16 20:01 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\669951C8.sys
2015-05-15 14:19 - 2015-05-15 14:20 - 40054888 _____ C:\Users\Frank\Downloads\WEB.DE_Firefox_Setup.exe
2015-05-13 21:47 - 2015-04-24 23:32 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-05-13 21:47 - 2015-03-05 01:09 - 01429504 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-05-13 21:39 - 2015-04-30 22:35 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 21:39 - 2015-04-30 22:35 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-05-12 21:46 - 2015-03-17 19:26 - 00467776 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\USBHUB3.SYS
2015-05-12 21:46 - 2015-03-09 04:02 - 00057856 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\bthhfenum.sys
2015-05-12 21:45 - 2015-05-01 01:05 - 00429568 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-05-12 21:45 - 2015-05-01 00:48 - 00358912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-05-12 21:45 - 2015-04-10 02:34 - 02256896 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2015-05-12 21:45 - 2015-04-10 02:11 - 01943040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dwmcore.dll
2015-05-12 21:45 - 2015-03-20 03:56 - 00080384 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ahcache.sys
2015-05-12 21:45 - 2015-03-04 03:32 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Input.Inking.dll
2015-05-12 21:45 - 2015-03-04 03:12 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Input.Inking.dll
2015-05-12 21:44 - 2015-04-21 19:14 - 24971776 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-05-12 21:44 - 2015-04-21 18:50 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-05-12 21:44 - 2015-04-21 18:50 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-05-12 21:44 - 2015-04-21 18:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-05-12 21:44 - 2015-04-21 18:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-05-12 21:44 - 2015-04-21 18:35 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-05-12 21:44 - 2015-04-21 18:31 - 06025728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-05-12 21:44 - 2015-04-21 18:24 - 19691008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-05-12 21:44 - 2015-04-21 18:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-05-12 21:44 - 2015-04-21 18:09 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-05-12 21:44 - 2015-04-21 18:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-05-12 21:44 - 2015-04-21 18:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-05-12 21:44 - 2015-04-21 18:04 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-05-12 21:44 - 2015-04-21 17:58 - 00664576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-05-12 21:44 - 2015-04-21 17:49 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-12 21:44 - 2015-04-21 17:49 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-05-12 21:44 - 2015-04-21 17:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-12 21:44 - 2015-04-21 17:40 - 14401536 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-12 21:44 - 2015-04-21 17:38 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-05-12 21:44 - 2015-04-21 17:36 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-05-12 21:44 - 2015-04-21 17:31 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-05-12 21:44 - 2015-04-21 17:27 - 02352128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-12 21:44 - 2015-04-21 17:26 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-05-12 21:44 - 2015-04-21 17:26 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-05-12 21:44 - 2015-04-21 17:25 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-05-12 21:44 - 2015-04-21 17:17 - 12828672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-05-12 21:44 - 2015-04-21 17:15 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-12 21:44 - 2015-04-21 17:02 - 01882112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-05-12 21:44 - 2015-04-21 16:58 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-05-12 21:44 - 2015-04-14 00:48 - 04180480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-12 21:44 - 2015-04-10 03:00 - 01996800 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-12 21:44 - 2015-04-10 02:50 - 01387008 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-12 21:44 - 2015-04-10 02:26 - 01560576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-05-12 21:44 - 2015-04-09 00:55 - 00410128 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-12 21:44 - 2015-04-03 02:35 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\PhotoMetadataHandler.dll
2015-05-12 21:44 - 2015-04-03 02:14 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PhotoMetadataHandler.dll
2015-05-12 21:44 - 2015-04-02 00:22 - 02985984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbgeng.dll
2015-05-12 21:44 - 2015-04-02 00:20 - 04417536 _____ (Microsoft Corporation) C:\Windows\system32\dbgeng.dll
2015-05-12 21:44 - 2015-04-01 05:45 - 01491456 _____ (Microsoft Corporation) C:\Windows\system32\dbghelp.dll
2015-05-12 21:44 - 2015-04-01 04:31 - 01207296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbghelp.dll
2015-05-12 21:44 - 2015-03-30 07:47 - 00561928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-05-12 21:44 - 2015-03-27 05:27 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-05-12 21:44 - 2015-03-27 04:50 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2015-05-12 21:44 - 2015-03-27 04:48 - 01441792 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-05-12 21:44 - 2015-03-13 06:03 - 00239424 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2015-05-12 21:44 - 2015-03-13 06:03 - 00154432 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2015-05-12 21:44 - 2015-03-13 04:02 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\udfs.sys
2015-05-12 21:44 - 2015-03-13 03:11 - 02162176 _____ (Microsoft Corporation) C:\Windows\system32\SRH.dll
2015-05-12 21:44 - 2015-03-13 02:39 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SRH.dll
2015-05-12 21:44 - 2015-03-13 02:29 - 00410017 _____ C:\Windows\system32\ApnDatabase.xml
2015-05-12 21:44 - 2015-03-11 03:49 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2015-05-12 21:44 - 2015-03-11 03:09 - 00021504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sdbinst.exe
2015-05-12 21:44 - 2015-03-06 05:08 - 02067968 _____ (Microsoft Corporation) C:\Windows\system32\wpdshext.dll
2015-05-12 21:44 - 2015-03-06 04:47 - 01696256 _____ (Microsoft Corporation) C:\Windows\system32\wevtsvc.dll
2015-05-12 21:44 - 2015-03-06 04:43 - 01969664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wpdshext.dll
2015-05-12 21:44 - 2015-02-18 01:19 - 00186368 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll
2015-05-12 21:44 - 2015-01-30 02:53 - 02819584 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers.dll
2015-05-12 21:44 - 2014-11-14 08:58 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsDatabase.dll
2015-05-12 21:43 - 2015-04-21 18:13 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2015-05-12 21:43 - 2015-04-21 18:07 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2015-05-12 21:43 - 2015-04-21 17:59 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-05-12 21:43 - 2015-04-21 17:52 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-05-12 21:43 - 2015-04-21 17:49 - 00374272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-05-12 21:43 - 2015-04-21 17:37 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2015-05-12 21:43 - 2015-04-21 17:32 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-05-12 21:43 - 2015-04-21 17:28 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-05-12 21:43 - 2015-04-21 17:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-05-12 21:43 - 2015-04-21 16:56 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-06-10 09:02 - 2014-12-16 17:20 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-10 09:01 - 2015-02-16 19:00 - 00001132 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-10 09:01 - 2014-11-22 17:27 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2739668103-1494456093-2395821988-1002
2015-06-10 09:00 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\sru
2015-06-10 08:58 - 2014-11-22 17:21 - 00000000 ____D C:\Users\Frank
2015-06-10 08:48 - 2013-08-22 17:20 - 00000000 ____D C:\Windows\CbsTemp
2015-06-10 08:46 - 2014-07-11 02:11 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-06-10 08:45 - 2014-11-22 18:45 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2015-06-10 08:34 - 2014-11-22 18:23 - 00003922 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9AB8EA36-8F15-4DC2-9B96-1FAA58826461}
2015-06-10 08:32 - 2015-04-05 23:48 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-06-10 08:32 - 2015-04-05 23:48 - 00000000 ___SD C:\Windows\system32\GWX
2015-06-10 08:26 - 2015-02-09 16:41 - 00000000 ____D C:\Users\Frank\AppData\Roaming\Raptr
2015-06-09 17:05 - 2014-11-24 14:40 - 00003160 _____ C:\Windows\System32\Tasks\HPCeeScheduleForFrank
2015-06-09 17:05 - 2014-11-24 14:40 - 00000346 _____ C:\Windows\Tasks\HPCeeScheduleForFrank.job
2015-06-09 13:47 - 2014-11-23 00:42 - 00007911 _____ C:\Windows\BRRBCOM.INI
2015-06-09 13:43 - 2015-03-12 12:24 - 00411136 ___SH C:\Users\Frank\Downloads\Thumbs.db
2015-06-09 13:33 - 2015-04-20 16:11 - 00000000 ____D C:\Users\Frank\Documents\Youcam
2015-06-09 13:15 - 2015-02-16 19:00 - 00001128 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-09 13:15 - 2014-11-23 01:33 - 00000000 __RDO C:\Users\Frank\OneDrive
2015-06-09 13:15 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\AppReadiness
2015-06-07 15:16 - 2014-07-11 10:54 - 00800954 _____ C:\Windows\system32\perfh007.dat
2015-06-07 15:16 - 2014-07-11 10:54 - 00174458 _____ C:\Windows\system32\perfc007.dat
2015-06-07 15:16 - 2014-03-18 11:53 - 01921090 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-07 15:12 - 2014-11-22 19:24 - 00000000 ____D C:\Users\Frank\Documents\My Digital Editions
2015-06-05 14:33 - 2015-04-19 20:06 - 00000000 ____D C:\Users\Frank\Documents\Frank
2015-06-02 19:03 - 2014-11-22 18:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-02 18:57 - 2014-08-19 19:53 - 01684235 _____ C:\Windows\SysWOW64\rootpa.e2e
2015-06-02 18:55 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-02 18:54 - 2014-08-19 19:42 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2015-06-02 18:54 - 2013-08-22 15:25 - 01835008 ___SH C:\Windows\system32\config\BBI
2015-06-02 18:40 - 2014-11-23 01:12 - 00000000 ____D C:\Users\Frank\AppData\Local\Google
2015-06-02 18:40 - 2014-11-23 01:12 - 00000000 ____D C:\Program Files (x86)\Google
2015-06-02 18:31 - 2014-11-24 19:22 - 00000000 ____D C:\ProgramData\Oracle
2015-06-02 18:28 - 2014-11-24 19:22 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-06-02 18:27 - 2014-11-24 19:21 - 00000000 ____D C:\Program Files (x86)\Java
2015-06-02 18:19 - 2014-12-16 17:20 - 00003772 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-02 18:19 - 2014-12-01 17:48 - 00000000 ____D C:\Users\Frank\AppData\Local\Adobe
2015-06-02 17:55 - 2014-11-23 00:41 - 00000000 ____D C:\Program Files (x86)\Browny02
2015-06-02 17:55 - 2014-11-23 00:34 - 00000000 ____D C:\ProgramData\Brother
2015-06-02 17:52 - 2014-11-23 00:41 - 00000000 ____D C:\ProgramData\ControlCenter4
2015-06-02 17:52 - 2014-11-23 00:41 - 00000000 ____D C:\Program Files (x86)\ControlCenter4
2015-06-01 10:56 - 2015-02-16 19:00 - 00004104 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-06-01 10:56 - 2015-02-16 19:00 - 00003868 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-31 21:25 - 2014-11-24 09:42 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2015-05-31 15:30 - 2014-11-23 13:53 - 00000000 ____D C:\Users\Frank\Documents\Marika
2015-05-31 14:49 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\LiveKernelReports
2015-05-19 23:29 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\rescache
2015-05-19 22:37 - 2014-08-19 19:45 - 00000000 ___HD C:\Program Files (x86)\Temp
2015-05-19 22:36 - 2015-02-09 17:28 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2015-05-19 22:36 - 2014-08-19 19:45 - 00014444 _____ C:\Windows\system32\Drivers\rtkhdasetting.zip
2015-05-19 22:32 - 2014-07-11 02:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-05-19 22:26 - 2014-08-19 19:44 - 00000000 ____D C:\Program Files (x86)\Realtek
2015-05-19 22:20 - 2014-08-19 19:40 - 00000000 ____D C:\Program Files (x86)\ATI Technologies
2015-05-19 22:20 - 2014-07-11 02:28 - 00000000 ____D C:\ProgramData\Package Cache
2015-05-19 22:15 - 2014-04-05 01:55 - 00000000 ____D C:\SWSetup
2015-05-19 21:49 - 2015-02-09 16:00 - 00000990 _____ C:\Users\Public\Desktop\DriverEasy.lnk
2015-05-19 21:44 - 2015-02-09 16:41 - 00000000 ____D C:\Program Files (x86)\Raptr
2015-05-15 14:22 - 2014-11-22 18:51 - 00001142 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-05-14 17:21 - 2013-08-22 16:44 - 00391944 _____ C:\Windows\system32\FNTCACHE.DAT
2015-05-14 17:20 - 2015-01-14 23:09 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-05-14 17:20 - 2015-01-14 23:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-05-14 10:03 - 2013-08-22 17:36 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2015-05-14 10:03 - 2013-08-22 15:36 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2015-05-13 21:47 - 2014-11-22 17:33 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-05-13 21:34 - 2014-11-24 20:14 - 00000000 ____D C:\Windows\system32\MRT
2015-05-13 21:25 - 2014-11-24 20:14 - 140425016 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-05-13 21:14 - 2015-01-14 23:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-13 21:05 - 2014-03-18 11:38 - 00000000 ____D C:\Program Files\Windows Journal

Some files in TEMP:
====================
C:\Users\Frank\AppData\Local\Temp\{986650EF-0361-428C-99F9-EC334BE3BF0A}-43.0.2357.124_chrome_installer.exe

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-05-31 19:43

==================== End of log ============================

FRST Logfile:

Code:
scan result of Farbar Recovery Scan Tool (x64) Version:08-06-2015
Ran by Frank at 2015-06-10 09:04:53
Running from C:\Users\Frank\Downloads
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2739668103-1494456093-2395821988-500 - Administrator - Disabled)
Frank (S-1-5-21-2739668103-1494456093-2395821988-1002 - Administrator - Enabled) => C:\Users\Frank
Gast (S-1-5-21-2739668103-1494456093-2395821988-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2739668103-1494456093-2395821988-1004 - Limited - Enabled)

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)

AV: Kaspersky Internet Security (Enabled - Up to date) {179979E8-273D-D14E-0543-2861940E4886}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Kaspersky Internet Security (Enabled - Up to date) {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security (Enabled) {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}

==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

123 Free Solitaire v10.0 (HKLM-x32\...\123 Free Solitaire_is1) (Version: - TreeCardGames)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Digital Editions 3.0 (HKLM-x32\...\Adobe Digital Editions 3.0) (Version: 3.0.1 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.188 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.8.158 - Adobe Systems, Inc.)
Amazon Kindle (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Amazon Kindle) (Version: - Amazon)
Amazon Kindle (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Amazon Kindle) (Version: - Amazon)
AMD Catalyst Install Manager (HKLM\...\{B417CA1D-A6EC-6871-BBFC-84CA14FBA0AC}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
AMD Quick Stream (HKLM\...\{E9EED4AE-682B-4501-9574-D09A21717599}_is1) (Version: 3.10.4.0 - AppEx Networks)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Brother MFL-Pro Suite MFC-J470DW (HKLM-x32\...\{7B4C83B6-17C1-4BFD-B86D-4D7AD4498CBB}) (Version: 1.0.4.0 - Brother Industries, Ltd.)
calibre 64bit (HKLM\...\{C5D7991D-5C4F-475D-BF58-89A068A2FF14}) (Version: 2.25.0 - Kovid Goyal)
CCleaner (HKLM\...\CCleaner) (Version: 5.03 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
Classic Shell (HKLM\...\{7C129CF8-199F-4269-AAEE-60B5D8D716E2}) (Version: 4.2.1 - IvoSoft)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.7.4023 - CyberLink Corp.)
Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.1.5307 - CyberLink Corp.)
Cyberlink PhotoDirector (Version: 5.0.1.5307 - Ihr Firmenname) Hidden
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.7.4016 - CyberLink Corp.)
CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.1.3018 - CyberLink Corp.)
CyberLink PowerDirector 12 (Version: 12.0.1.3018 - Ihr Firmenname) Hidden
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.4.4119 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.4.4218 - CyberLink Corp.)
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
DriverEasy 4.9.2 (HKLM\...\DriverEasy_is1) (Version: 4.9.2.0 - Easeware)
Dropbox (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Dropbox) (Version: 3.2.9 - Dropbox, Inc.)
Dropbox (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Dropbox) (Version: 3.2.9 - Dropbox, Inc.)
ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 16.0.20150211 - Landesfinanzdirektion Thüringen)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Foxit PhantomPDF (HKLM-x32\...\{00CD7D62-056A-4F0F-9143-44522D44E6DD}) (Version: 6.0.32.507 - Foxit Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.81 - Google Inc.)
Google Earth Pro (HKLM-x32\...\{44FC61F0-2F8A-11E3-8CAE-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) Hidden
Great Mahjong (HKLM-x32\...\GreatMahjong_is1) (Version: 1.0 - Media Contact LLC)
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP 3D DriveGuard (HKLM-x32\...\{13133E99-B0D5-4143-B832-AAD55C62A41C}) (Version: 6.0.19.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{ADE2F6A7-E7BD-4955-BD66-30903B223DDF}) (Version: 2.20.41 - Hewlett-Packard Company)
HP Documentation (HKLM-x32\...\{9D7BFF2A-F810-4E35-BE2C-A6CB4B9202DB}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7745.4851 - Hewlett-Packard)
HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.01.11 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{8C696B4B-6AB1-44BC-9416-96EAC474CABE}) (Version: 7.5.2.12 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{C39A7F0F-89A6-44BB-B1BF-5F96569B5345}) (Version: 1.2.9 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{E8F2076D-1885-4A0F-83D8-77B1F9D384CE}) (Version: 2.5.2 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
Inst5675 (Version: 8.01.11 - Softex Inc.) Hidden
Inst5676 (Version: 8.01.11 - Softex Inc.) Hidden
Java 7 Update 75 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217075FF}) (Version: 7.0.750 - Oracle)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java Runtime Environment Packages (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Java Runtime Environment Packages) (Version: - ) <==== ATTENTION
Java Runtime Environment Packages (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Java Runtime Environment Packages) (Version: - ) <==== ATTENTION
Kaspersky Internet Security (HKLM-x32\...\InstallWIX_{653C1B5A-3287-47B1-8613-0745D4E771C4}) (Version: 15.0.0.463 - Kaspersky Lab)
Kaspersky Internet Security (x32 Version: 15.0.0.463 - Kaspersky Lab) Hidden
Logitech SetPoint 6.65 (HKLM\...\sp6) (Version: 6.65.62 - Logitech)
Malwarebytes Anti-Malware Version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 38.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 38.0.5 (x86 de)) (Version: 38.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 38.0 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MyFreeCodec (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\MyFreeCodec) (Version: - )
MyFreeCodec (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MyFreeCodec) (Version: - )
Nuance PaperPort 12 (HKLM-x32\...\{869FCC6C-5669-4B0B-827E-2BBAACD88A87}) (Version: 12.1.0006 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc)
OEM Application Profile (HKLM-x32\...\{8F92E0CF-620B-5C20-F292-59C93567B06D}) (Version: 1.00.0000 - Ihr Firmenname)
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 14.00.0000 - Nuance Communications, Inc.)
PDF24 Creator 6.9.1 (HKLM-x32\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org)
Raptr (HKLM-x32\...\Raptr) (Version: - )
REALTEK Bluetooth Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AB}) (Version: 1.0.0.10 - REALTEK Semiconductor Corp.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.370.71 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.38.115.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7487 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.00.13.1216 - REALTEK Semiconductor Corp.) Rossmann Fotowelt Software 4.13 (HKLM-x32\...\Rossmann Fotowelt Software) (Version: 4.13 - ORWO Net) Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.3.14044_16 - Samsung Electronics Co., Ltd.) Samsung Kies (x32 Version: 2.6.3.14044_16 - Samsung Electronics Co., Ltd.) Hidden Samsung Kies3 (HKLM-x32\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.15041.2 - Samsung Electronics Co., Ltd.) Samsung Kies3 (x32 Version: 3.2.15041.2 - Samsung Electronics Co., Ltd.) Hidden SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.49.0 - SAMSUNG Electronics Co., Ltd.) Scansoft PDF Professional (x32 Version: - ) Hidden Secunia PSI (3.0.0.10004) (HKLM-x32\...\Secunia PSI) (Version: 3.0.0.10004 - Secunia) swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 18.1.30.16 - Synaptics Incorporated) Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft) Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft) Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. 
The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)

==================== Restore Points =========================

21-04-2015 20:01:40 Installed calibre 64bit
13-05-2015 21:01:42 Windows Update
19-05-2015 22:14:00 Installed sp71089.exe by DriverEasy
31-05-2015 15:10:39 Installed Samsung Kies3
02-06-2015 18:22:19 Removed Java 8 Update 45
10-06-2015 08:27:59 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2013-08-22 15:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0D761F0E-72A1-4DAC-AE5F-2B93F321549D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company)
Task: {185CECEF-5DE2-4E32-B213-40A0337E5CE8} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-05-13] (Microsoft Corporation)
Task: {200C9380-DB0F-4AD8-A9D2-0ACACA707AE1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2015-04-14] (Hewlett-Packard)
Task: {298A82DD-1670-4891-9EF3-1908AAC5530C} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => schtasks
Task: {2D9D0DF6-5B9F-4CDA-9BB4-64BC3767D540} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2015-04-14] (Hewlett-Packard)
Task: {379E24A9-92BC-48AA-80E9-1BB340413277} - System32\Tasks\DriverEasy Scheduled Scan => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe [2015-05-06] (Easeware)
Task: {385D7BBC-B4B9-4A26-969C-FA5C5FE613A9} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {3E380FC9-2230-46E1-A524-7FD7DB74CD9A} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2014-05-19] (Hewlett-Packard Development Company, L.P.)
Task: {4F62776E-E829-4BAE-980B-EEDA447ECC0A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-06-02] (Adobe Systems Incorporated)
Task: {6C327952-E880-4F2E-9A6B-AEA80B32B6C4} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation)
Task: {6C32897D-390B-401B-9F81-34D89DEE414D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-16] (Google Inc.)
Task: {6F1CF763-3FA9-4C70-AFAF-01FA3DB9A7E6} - System32\Tasks\HPCeeScheduleForFrank => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {702C5FEA-5ECF-4FC7-BF0B-D8F7DB4A7BC6} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company)
Task: {A40879E0-A531-4DD9-9529-BAAF2B3C1B2E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-02-19] (Piriform Ltd)
Task: {AB4740E7-E804-42BD-BF92-171D31C8541C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-16] (Google Inc.)
Task: {B1C831A8-2537-4FF6-B63C-E143C8C83F48} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-05-06] (Microsoft Corporation)
Task: {C3066E94-2680-45FB-8D18-A8EE07392662} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company)
Task: {D253E0A4-ED87-4366-9FD1-3453B0BD5519} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\Logon => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation)
Task: {F0B24426-3EB1-4F58-A813-48FAF863F611} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation)
Task: {F63B8F58-F569-4CAA-80D6-F1DC00374B9F} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2014-06-18] (CyberLink Corp.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DriverEasy Scheduled Scan.job => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForFrank.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (Whitelisted) ==============

2014-03-28 13:31 - 2014-03-28 13:31 - 02110464 _____ () C:\Program Files\Hewlett-Packard\SimplePass\autheng.dll
2014-03-28 13:27 - 2014-03-28 13:27 - 00021504 _____ () C:\Program Files\Hewlett-Packard\SimplePass\cryptodll.dll
2014-03-28 13:27 - 2014-03-28 13:27 - 00035328 _____ () C:\Program Files\Hewlett-Packard\SimplePass\ssplogon.dll
2014-03-28 13:27 - 2014-03-28 13:27 - 00055296 _____ () C:\Program Files\Hewlett-Packard\SimplePass\RandomPass.dll
2014-03-28 13:48 - 2014-03-28 13:48 - 00367504 _____ () C:\Program Files\Hewlett-Packard\SimplePass\mstrpwd.dll
2014-03-28 13:48 - 2014-03-28 13:48 - 00712080 _____ () C:\Program Files\Hewlett-Packard\SimplePass\GraphicalPwd.dll
2014-11-20 22:23 - 2014-11-20 22:23 - 00127488 _____ () C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2014-08-19 19:49 - 2014-03-05 18:09 - 00088064 _____ () C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe
2014-08-19 20:24 - 2014-04-14 18:59 - 00389896 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2014-11-23 00:41 - 2005-04-22 06:36 - 00143360 ____R () C:\Windows\system32\BrSNMP64.dll
2014-03-28 13:36 - 2014-03-28 13:36 - 00065024 _____ () C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
2015-02-19 23:40 - 2015-02-19 23:40 - 00057344 _____ () C:\Program Files\CCleaner\lang\lang-1031.dll
2015-06-09 20:02 - 2015-06-09 20:02 - 02212944 _____ () C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe
2015-06-10 08:52 - 2015-06-10 08:52 - 00050477 _____ () C:\Users\Frank\Downloads\Defogger.exe
2015-03-22 19:59 - 2015-03-22 19:59 - 00046080 _____ () C:\Users\Frank\AppData\Local\Packages\49297T.Partl.AtomicClock_jr9bq2af9farr\AC\Microsoft\CLR_v4.0\NativeImages\TileSchedulingTask\088421ace968ddfd578eac2935951d7a\TileSchedulingTask.ni.dll
2015-02-21 19:57 - 2015-02-21 19:57 - 01782272 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_64\Windows.App640a3541#\f1407bb1d381cf5dee299c4e5f0fdf9d\Windows.ApplicationModel.ni.dll
2014-03-06 16:00 - 2014-03-06 16:00 - 01269952 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\kpcengine.2.3.dll
2014-11-23 00:40 - 2009-02-27 17:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2010-11-23 00:56 - 2010-11-23 00:56 - 00087040 _____ () C:\Program Files (x86)\Raptr\_ctypes.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00043008 _____ () C:\Program Files (x86)\Raptr\_socket.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00805376 _____ () C:\Program Files (x86)\Raptr\_ssl.pyd
2014-05-14 01:26 - 2014-05-14 01:26 - 05812736 _____ () C:\Program Files (x86)\Raptr\PyQt4.QtGui.pyd
2014-05-14 01:26 - 2014-05-14 01:26 - 00067584 _____ () C:\Program Files (x86)\Raptr\sip.pyd
2014-05-14 01:26 - 2014-05-14 01:26 - 01662464 _____ () C:\Program Files (x86)\Raptr\PyQt4.QtCore.pyd
2014-05-14 01:26 - 2014-05-14 01:26 - 00494592 _____ () C:\Program Files (x86)\Raptr\PyQt4.QtNetwork.pyd
2010-11-23 00:57 - 2010-11-23 00:57 - 00096256 _____ () C:\Program Files (x86)\Raptr\win32api.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00110592 _____ () C:\Program Files (x86)\Raptr\pywintypes26.dll
2010-11-23 00:56 - 2010-11-23 00:56 - 00010240 _____ () C:\Program Files (x86)\Raptr\select.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00356864 _____ () C:\Program Files (x86)\Raptr\_hashlib.pyd
2010-11-23 00:57 - 2010-11-23 00:57 - 00036352 _____ () C:\Program Files (x86)\Raptr\win32process.pyd
2010-11-23 00:57 - 2010-11-23 00:57 - 00111104 _____ () C:\Program Files (x86)\Raptr\win32file.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00044544 _____ () C:\Program Files (x86)\Raptr\_sqlite3.pyd
2011-02-15 20:17 - 2011-02-15 20:17 - 00417501 _____ () C:\Program Files (x86)\Raptr\sqlite3.dll
2010-11-23 00:57 - 2010-11-23 00:57 - 00167936 _____ () C:\Program Files (x86)\Raptr\win32gui.pyd
2014-05-14 01:26 - 2014-05-14 01:26 - 00313856 _____ () C:\Program Files (x86)\Raptr\PyQt4.QtWebKit.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00127488 _____ () C:\Program Files (x86)\Raptr\pyexpat.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00009216 _____ () C:\Program Files (x86)\Raptr\winsound.pyd
2014-08-14 02:37 - 2014-08-14 02:37 - 00113171 _____ () C:\Program Files (x86)\Raptr\libvlc.dll
2014-08-14 02:37 - 2014-08-14 02:37 - 02396691 _____ () C:\Program Files (x86)\Raptr\libvlccore.dll
2013-11-21 02:05 - 2013-11-21 02:05 - 00256000 _____ () C:\Program Files (x86)\Raptr\amd_ags.dll
2010-11-23 00:56 - 2010-11-23 00:56 - 00583680 _____ () C:\Program Files (x86)\Raptr\unicodedata.pyd
2015-05-15 04:21 - 2015-05-15 04:21 - 02540288 _____ () C:\Program Files (x86)\Raptr\ltc_host_ex.DLL
2010-11-23 00:56 - 2010-11-23 00:56 - 00354304 _____ () C:\Program Files (x86)\Raptr\pythoncom26.dll
2010-11-23 00:57 - 2010-11-23 00:57 - 00263168 _____ () C:\Program Files (x86)\Raptr\win32com.shell.shell.pyd
2010-11-23 00:56 - 2010-11-23 00:56 - 00324608 _____ () C:\Program Files (x86)\Raptr\PIL._imaging.pyd
2010-11-23 00:57 - 2010-11-23 00:57 - 00141312 _____ () C:\Program Files (x86)\Raptr\gobject._gobject.pyd
2014-06-18 02:56 - 2014-06-18 02:56 - 02717595 _____ () C:\Program Files (x86)\Raptr\heliotrope._purple.pyd
2011-02-15 20:17 - 2011-02-15 20:17 - 01213633 _____ () C:\Program Files (x86)\Raptr\libxml2-2.dll
2010-11-23 01:06 - 2010-11-23 01:06 - 00055808 _____ () C:\Program Files (x86)\Raptr\zlib1.dll
2013-05-10 01:52 - 2013-05-10 01:52 - 00495680 _____ () C:\Program Files (x86)\Raptr\plugins\libaim.dll
2013-05-10 01:52 - 2013-05-10 01:52 - 01183699 _____ () C:\Program Files (x86)\Raptr\liboscar.dll
2013-05-10 01:52 - 2013-05-10 01:52 - 00483306 _____ () C:\Program Files (x86)\Raptr\plugins\libicq.dll
2013-05-03 20:57 - 2013-05-03 20:57 - 00655356 _____ () C:\Program Files (x86)\Raptr\plugins\libirc.dll
2013-05-03 20:56 - 2013-05-03 20:56 - 01306387 _____ () C:\Program Files (x86)\Raptr\plugins\libmsn.dll
2013-05-03 20:56 - 2013-05-03 20:56 - 00565461 _____ () C:\Program Files (x86)\Raptr\plugins\libxmpp.dll
2013-05-03 20:57 - 2013-05-03 20:57 - 01640221 _____ () C:\Program Files (x86)\Raptr\libjabber.dll
2013-05-03 20:56 - 2013-05-03 20:56 - 00506276 _____ () C:\Program Files (x86)\Raptr\plugins\libyahoo.dll
2013-05-03 20:57 - 2013-05-03 20:57 - 01053730 _____ () C:\Program Files (x86)\Raptr\libymsg.dll
2013-05-03 20:57 - 2013-05-03 20:57 - 00497782 _____ () C:\Program Files (x86)\Raptr\plugins\libyahoojp.dll
2013-05-03 20:57 - 2013-05-03 20:57 - 00603326 _____ () C:\Program Files (x86)\Raptr\plugins\ssl-nss.dll
2013-05-03 20:57 - 2013-05-03 20:57 - 00474199 _____ () C:\Program Files (x86)\Raptr\plugins\ssl.dll
2014-04-20 02:42 - 2014-04-20 02:42 - 00468672 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com\npcontentblocker.dll
2014-04-20 02:42 - 2014-11-22 19:04 - 00642344 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com\npvkplugin.dll
2014-04-20 02:42 - 2014-04-20 02:42 - 00347328 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com\nponlinebanking.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Frank\OneDrive:ms-properties

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.2.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run32: => "BrHelp"
HKLM\...\StartupApproved\Run32: => "ControlCenter4"
HKLM\...\StartupApproved\Run32: => "IndexSearch"
HKLM\...\StartupApproved\Run32: => "PDFPrint"
HKLM\...\StartupApproved\Run32: => "PDFHook"
HKLM\...\StartupApproved\Run32: => "KiesTrayAgent"
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\StartupApproved\StartupFolder: => "Dropbox.lnk"
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\StartupApproved\Run: => "ISUSPM"
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\StartupApproved\StartupFolder: => "Dropbox.lnk"
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\StartupApproved\Run: => "ISUSPM"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{7E482BF7-65A1-481B-8197-F5CDFA830871}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{98BB1F84-D45E-4E7F-9994-9748F1BA0DC6}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{9CCB628F-DC5B-4573-924C-9391048552D6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{459C2851-2A5E-4306-B7E9-1B9FBD01E1D8}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{44D11CC1-6CA9-4BE0-ADDC-84AA293320C2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{2B1A5ADC-AB40-4CDB-8FC1-126703E9F750}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{A86FACCB-5CCC-4276-9A75-4D1C1E50936B}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{74479321-1364-404C-8A0B-BF5BEFA44D11}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{B3C755E3-F739-4264-8565-8B077EA8ABF2}] => (Allow) C:\Program Files (x86)\Brother\Brmfl13b\FAXRX.EXE
FirewallRules: [{8DB353F1-B4BF-4678-9A0B-57F723AC8404}] => (Allow) LPort=54925
FirewallRules: [{7F9BD20F-C288-49AF-A053-23EF00B9F86A}] => (Allow) C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{2B6D24C0-AAFC-499F-A0ED-7DA878A784B6}] => (Allow) C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{AE7C6722-3D35-4470-8646-C208B85E0717}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPSOCKSVC.exe
FirewallRules: [{7C6296C4-92F9-47E7-A36D-D50A24C725CC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{FD94DA4D-90A9-4FEE-860E-5008281643B1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4E02AC90-444D-48E1-B1CA-5E8CAF80C012}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{4CA8D081-1215-4724-8A9B-41AFC2B00D32}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{CBC6BB7F-560F-443C-A9FD-ABA55EC83AFE}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{4E77507E-7D83-453C-8581-67075B1B69D9}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{3B0F430A-3A66-481D-AD8D-03E4011E3790}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
FirewallRules: [{9D02D493-C20B-4F2F-8116-20645A2AD26E}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/09/2015 08:21:51 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (06/09/2015 06:10:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: LogonUI.exe, Version: 6.3.9600.17415, Zeitstempel: 0x5450541b
Name des fehlerhaften Moduls: OmniPassCredProv.dll_unloaded, Version: 8.0.1.11, Zeitstempel: 0x5335c168
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000011c0f
ID des fehlerhaften Prozesses: 0x2c51c
Startzeit der fehlerhaften Anwendung: 0xLogonUI.exe0
Pfad der fehlerhaften Anwendung: LogonUI.exe1
Pfad des fehlerhaften Moduls: LogonUI.exe2
Berichtskennung: LogonUI.exe3
Vollständiger Name des fehlerhaften Pakets: LogonUI.exe4
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: LogonUI.exe5

Error: (06/09/2015 05:41:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm wmplayer.exe, Version 12.0.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.
Prozess-ID: 11424
Startzeit: 01d0a2c8cad0c10e
Endzeit: 1947
Anwendungspfad: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Berichts-ID: eb746343-0ebd-11e5-828d-8cdcd47b22bd
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:

Error: (06/09/2015 01:54:47 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm backgroundTaskHost.exe, Version 6.3.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.
Prozess-ID: 1e498
Startzeit: 01d0a2aa55ad5b67
Endzeit: 4294967295
Anwendungspfad: C:\Windows\syswow64\backgroundTaskHost.exe
Berichts-ID: 4a8adb1f-0e9e-11e5-828d-8cdcd47b22bd
Vollständiger Name des fehlerhaften Pakets: Microsoft.MicrosoftMahjong_2.4.1412.2202_x86__8wekyb3d8bbwe
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: MicrosoftMahjong

Error: (06/09/2015 00:58:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 30313

Error: (06/09/2015 00:58:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 30313

Error: (06/09/2015 00:58:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/09/2015 00:58:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15063

Error: (06/09/2015 00:58:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15063

Error: (06/09/2015 00:58:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


System errors:
=============
Error: (06/10/2015 08:36:42 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT)
Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80246013 fehlgeschlagen: Office Live add-in 1.5

Error: (06/10/2015 08:36:37 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT)
Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80246013 fehlgeschlagen: Microsoft Office File Validation Add-in

Error: (06/03/2015 05:30:27 PM) (Source: KLIF) (EventID: 0) (User: )
Description: Сonnection is not established

Error: (06/03/2015 05:30:27 PM) (Source: KLIF) (EventID: 0) (User: )
Description: Сonnection is not established

Error: (06/02/2015 07:01:49 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Secunia PSI Agent" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (06/02/2015 06:54:42 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Der Dienst "Superfetch" wurde mit folgendem Fehler beendet: %%1062

Error: (06/02/2015 06:53:39 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP)
Description: {D63B10C5-BB46-4990-A94F-E40B9D520160}

Error: (05/31/2015 09:25:19 PM) (Source: Schannel) (EventID: 4114) (User: LAPTOP)
Description: Das vom Remoteserver erhaltene Zertifikat wurde von einer nicht vertrauenswürdigen Zertifizierungsstelle ausgestellt. Aus diesem Grund können keine der im Zertifikat enthalten Daten verifiziert werden. Fehler bei der SSL-Verbindungsanforderung. Die angehängten Daten enthalten das Serverzertifikat.

Error: (05/31/2015 09:25:19 PM) (Source: Schannel) (EventID: 4120) (User: LAPTOP)
Description: Es wurde eine schwerwiegende Warnung generiert und an den Remoteendpunkt gesendet. Dies kann dazu führen, dass die Verbindung beendet wird. Die schwerwiegende Warnung hat folgenden für das TLS-Protokoll definierten Code: 48. Der Windows-SChannel-Fehlerstatus lautet: 552.

Error: (05/31/2015 09:14:14 PM) (Source: Schannel) (EventID: 4114) (User: LAPTOP)
Description: Das vom Remoteserver erhaltene Zertifikat wurde von einer nicht vertrauenswürdigen Zertifizierungsstelle ausgestellt. Aus diesem Grund können keine der im Zertifikat enthalten Daten verifiziert werden. Fehler bei der SSL-Verbindungsanforderung. Die angehängten Daten enthalten das Serverzertifikat.


Microsoft Office:
=========================
Error: (03/14/2015 08:05:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/14/2015 08:05:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 60 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/14/2015 08:03:13 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/14/2015 08:02:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 191 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/08/2015 08:28:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 5 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/08/2015 08:28:21 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 4840 seconds with 540 seconds of active time. This session ended with a crash.

Error: (02/22/2015 05:03:33 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/22/2015 05:03:12 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/22/2015 05:02:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 7 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/22/2015 05:01:38 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 104 seconds with 60 seconds of active time. This session ended with a crash.
CodeIntegrity Errors: =================================== Date: 2015-05-22 17:52:35.280 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:32.662 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:32.405 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:32.131 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:31.824 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:31.508 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. 
Date: 2015-05-22 17:52:31.506 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:31.223 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:30.943 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:30.682 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. 
==================== Memory info =========================== Processor: AMD A8-6410 APU with AMD Radeon R5 Graphics Percentage of memory in use: 44% Total physical RAM: 7103.44 MB Available physical RAM: 3935.21 MB Total Pagefile: 8319.44 MB Available Pagefile: 4599.96 MB Total Virtual: 131072 MB Available Virtual: 131071.8 MB ==================== Drives ================================ Drive c: (Windows) (Fixed) (Total:909.5 GB) (Free:815.09 GB) NTFS Drive d: (RECOVERY) (Fixed) (Total:20.99 GB) (Free:2.37 GB) NTFS ==>[System with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 931.5 GB) (Disk ID: 1119D06D) Partition: GPT Partition Type. ==================== End of log ============================ |
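The FRST sections in the post above collapse into one run of text once pasted into the forum, which makes the few records that matter easy to miss. The script below is an added example for this thread (it is not part of FRST and was not posted by the thread author). It splits the "Error:" records and the "CodeIntegrity Errors" entries back out, whether they are still one record per line pair or flattened like the paste above, and labels the classes an analyst reads first: Schannel 4114 and 4120 (the TLS alert code 48 in the posted log is unknown_ca in the RFC 5246 alert registry, so a peer presented a certificate chaining to an issuer this host does not trust; on a host running a TLS-inspecting security suite that is often the suite's own interception certificate, which should be confirmed rather than assumed), Service Control Manager 7023 with %%1062 (ERROR_SERVICE_NOT_ACTIVE) and 7034 service crashes, Windows Update installation failures with their HRESULT, and Code Integrity refusing to let mscorsvw.exe (the .NET NGEN worker) load the Emsisoft hook DLL a2hooks32.dll at the signing level that process requires. The SAMPLE text inside the script is constructed to mirror the posted format; its host, user, product and file names are made up, and the two code tables cover only the codes this log contains plus a few common neighbours.

```python
"""Triage of FRST "Event log errors" and "CodeIntegrity Errors" sections.

Added example for this thread; not part of FRST and not from the poster.
Handles the text as FRST writes it and the flattened form a forum paste
produces. SAMPLE is constructed to mirror the posted format (names made up).
"""
import re
import sys
from collections import Counter

# One FRST event record: "Error: (<ts>) (Source: X) (EventID: N) (User: U) Description: ..."
# A description runs until the next record, the next section header
# ("Microsoft Office:" / "CodeIntegrity Errors:" followed by ===), a "Date:" entry, or the end.
EVENT_RE = re.compile(
    r"Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)\s*Description:\s*"
    r"(?P<desc>.*?)(?=\s*Error: \(|\s*[A-Za-z][A-Za-z ]+:\s*={3,}|\s*Date: \d{4}-|\Z)",
    re.S,
)
# One Code Integrity entry as FRST summarises it.
CI_RE = re.compile(
    r"Date: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Description: Code Integrity "
    r"determined that a process \((?P<process>.+?)\) attempted to load (?P<module>.+?) "
    r"that did not meet the (?P<level>\w+) signing level requirements\."
)
# TLS AlertDescription values (RFC 5246) and Win32 service errors; deliberately short tables.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 70: "protocol_version"}
WIN32_ERRORS = {1053: "ERROR_SERVICE_REQUEST_TIMEOUT", 1058: "ERROR_SERVICE_DISABLED",
                1062: "ERROR_SERVICE_NOT_ACTIVE", 1067: "ERROR_PROCESS_ABORTED",
                1069: "ERROR_SERVICE_LOGON_FAILED"}


def parse_events(text):
    return [m.groupdict() for m in EVENT_RE.finditer(text)]


def parse_code_integrity(text):
    return [m.groupdict() for m in CI_RE.finditer(text)]


def classify(rec):
    """Map one event record to (kind, note); anything unrecognised stays 'other'."""
    src, eid, desc = rec["source"], int(rec["eid"]), rec["desc"]
    if src == "Schannel" and eid == 4114:
        return "tls-untrusted-ca", "peer certificate issued by a CA this host does not trust"
    if src == "Schannel" and eid == 4120:
        m = re.search(r"(?:Code:|code is)\s*(\d+)", desc)  # German or English wording
        code = int(m.group(1)) if m else -1
        return "tls-fatal-alert", f"fatal TLS alert {code} ({TLS_ALERTS.get(code, 'unlisted')}) sent to peer"
    if src == "Service Control Manager" and eid == 7034:
        return "service-crash", "service terminated unexpectedly"
    if src == "Service Control Manager" and eid == 7023:
        m = re.search(r"%%(\d+)", desc)
        code = int(m.group(1)) if m else -1
        return "service-error", f"service stopped with Win32 error {code} ({WIN32_ERRORS.get(code, 'unlisted')})"
    if src.endswith("WindowsUpdateClient") and eid == 20:
        m = re.search(r"0x[0-9A-Fa-f]{8}", desc)
        return "update-failed", f"update install failed, HRESULT {m.group(0) if m else 'unknown'}"
    if src == "DCOM" and eid == 10010:
        return "dcom-timeout", "COM server did not register with DCOM within the timeout"
    if src.startswith("Microsoft Office") and eid == 7001 and "crash" in desc:
        return "office-crash", "Office session ended with a crash"
    return "other", desc[:80]


def basename(ntpath):
    return ntpath.rsplit("\\", 1)[-1]


def triage(text):
    events = parse_events(text)
    findings = [(r["ts"], r["source"], int(r["eid"])) + classify(r) for r in events]
    loads = Counter((basename(c["process"]), basename(c["module"]), c["level"])
                    for c in parse_code_integrity(text))
    return {"events": events, "findings": findings,
            "by_kind": Counter(f[3] for f in findings), "unsigned_loads": loads}


# Constructed sample in the posted format (host, user, product and file names are made up).
SAMPLE = r"""Error: (06/10/2015 08:36:37 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT)
Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80246013 fehlgeschlagen: Example Add-in
Error: (06/02/2015 06:54:42 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Der Dienst "Superfetch" wurde mit folgendem Fehler beendet: %%1062
Error: (06/02/2015 07:01:49 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Example Agent" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.
Error: (05/31/2015 09:25:19 PM) (Source: Schannel) (EventID: 4114) (User: HOST)
Description: Das vom Remoteserver erhaltene Zertifikat wurde von einer nicht vertrauenswürdigen Zertifizierungsstelle ausgestellt.
Error: (05/31/2015 09:25:19 PM) (Source: Schannel) (EventID: 4120) (User: HOST)
Description: Die schwerwiegende Warnung hat folgenden für das TLS-Protokoll definierten Code: 48. Der Windows-SChannel-Fehlerstatus lautet: 552.
Microsoft Office:
=========================
Error: (03/14/2015 08:05:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.
CodeIntegrity Errors:
===================================
Date: 2015-05-22 17:52:35.280
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Example AV\hooks32.dll that did not meet the Store signing level requirements.
Date: 2015-05-22 17:52:32.662
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Example AV\hooks32.dll that did not meet the Store signing level requirements.
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(text)
    for ts, src, eid, kind, note in result["findings"]:
        print(f"{ts}  {src} {eid}  {kind}: {note}")
    for (proc, mod, level), n in result["unsigned_loads"].items():
        print(f"{n}x {proc} -> {mod} rejected at signing level '{level}'")
```

Save the FRST event and CodeIntegrity sections to a file and run the script with that file as its only argument; without an argument it runs on the constructed sample. The whitespace-tolerant lookahead in EVENT_RE is what lets the same parser read a flattened forum paste, and the Counter over (process, module, level) turns ten identical CodeIntegrity lines into one row, which is how repeated hook-DLL loads should be counted rather than read one by one.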
10.06.2015, 09:07 | #2 |
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-06-10 09:20:00
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000027 TOSHIBA_MQ01ABD100 rev.AX1P2C 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\Frank\AppData\Local\Temp\uwldapow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000231900 15 bytes [00, 57, F4, 01, 40, 8F, 6E, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000231910 11 bytes [00, 41, FC, FF, 00, 79, C7, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Windows\System32\dwm.exe[78324] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffc181c4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffc181c4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffc181c5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffc181c53ff 8 bytes {JMP 0xffffffffffffffee}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffc181c579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffc181c5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffc181c5ef1 8 bytes {JMP 0xffffffffffffff9e}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffc181c5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffc181c60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffc181c64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffc181c6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffc181c66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffc181c8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffc181c8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffc181c8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffc181c8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffc181c90ae 8 bytes {JMP 0xffffffffffffff96}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffc181c917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffc181c9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffc181c9fcd 8 bytes {JMP 0xffffffffffffffaf}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffc181caae0 8 bytes {JMP 0xffffffffffffffcd}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffc181cab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffc181cb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffc181cb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffc181cc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffc181cc5b0 8 bytes {JMP 0xffffffffffffffc7}
.text ... * 2
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffc181cd0d3 8 bytes {JMP 0xffffffffffffffef}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffc181cd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffc181cd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffc181cd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffc181cd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffc181cd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffc181cdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffc181cdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffc181ce073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffc181ce124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffc181ce160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffc181ceb74 8 bytes {JMP 0xffffffffffffffd0}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffc181cfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffc181d009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffc181d015b 8 bytes [70, 6C, 9C, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffc181d1438 8 bytes [40, 6C, 9C, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffc181d15e6 8 bytes [30, 6C, 9C, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffc181d1877 8 bytes [20, 6C, 9C, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffc181d1a2d 8 bytes [10, 6C, 9C, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffc181d1c35 8 bytes [00, 6C, 9C, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffc18241290 8 bytes {JMP QWORD [RIP-0x6fe5e]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffc18241410 8 bytes {JMP QWORD [RIP-0x6fe30]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffc18241440 8 bytes {JMP QWORD [RIP-0x712eb]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc18241560 8 bytes {JMP QWORD [RIP-0x70c1e]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffc18241610 8 bytes {JMP QWORD [RIP-0x71122]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc18241cd0 8 bytes {JMP QWORD [RIP-0x700a1]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffc18241fd0 8 bytes {JMP QWORD [RIP-0x705a9]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc18242850 8 bytes {JMP QWORD [RIP-0x70fdf]}
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 7
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[80520] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595
Code:
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Windows\Explorer.EXE[20732] C:\Windows\SYSTEM32\advapi32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\SYSTEM32\advapi32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\SYSTEM32\msi.dll!MsiSetInternalUI 00007ffc0b721b10 6 bytes {JMP QWORD [RIP+0x88e520]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\SYSTEM32\msi.dll!MsiInstallProductA 00007ffc0b7ec470 6 bytes {JMP QWORD [RIP+0x473bc0]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\SYSTEM32\msi.dll!MsiInstallProductW 00007ffc0b7ec710 6 bytes {JMP QWORD [RIP+0x493920]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 00007ffc0ffcd420 6 bytes {JMP QWORD [RIP+0x142c10]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 00007ffc0ffd6480 6 bytes {JMP QWORD [RIP+0x159bb0]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 00007ffc164e4aa0 6 bytes {JMP QWORD [RIP+0x65b590]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffc164e5731 5 bytes {JMP QWORD [RIP+0x5fa900]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\WS2_32.dll!listen 00007ffc164f6280 6 bytes {JMP QWORD [RIP+0x629db0]}
.text C:\Windows\Explorer.EXE[20732] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffc164f6fe0 6 bytes {JMP QWORD [RIP+0x609050]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[126180] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes CALL 0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes JMP 43fbc4a0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes JMP 40633a80
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[87328] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x432290]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Windows\system32\taskhostex.exe[40792] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Windows\system32\DllHost.exe[67636] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x1cffc0]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x55edf0]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x5dcc40]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x59a910]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x516130]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x59a710]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x559ea0]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x4b6a10]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\SYSTEM32\advapi32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\SYSTEM32\advapi32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 00007ffc164e4aa0 6 bytes {JMP QWORD [RIP+0x55b590]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffc164e5731 5 bytes {JMP QWORD [RIP+0x4fa900]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\WS2_32.dll!listen 00007ffc164f6280 6 bytes {JMP QWORD [RIP+0x529db0]}
.text C:\Windows\System32\skydrive.exe[15220] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffc164f6fe0 6 bytes {JMP QWORD [RIP+0x509050]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[125036] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x432290]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x1cffc0]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes [C4, 71, 27]
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x55edf0]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x5dcc40]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x59a910]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x516130]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x59a710]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x559ea0]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes JMP 43f11010
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes JMP 40
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x432290]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 00007ffc164e4aa0 6 bytes {JMP QWORD [RIP+0x55b590]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffc164e5731 5 bytes {JMP QWORD [RIP+0x4fa900]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\WS2_32.dll!listen 00007ffc164f6280 6 bytes {JMP QWORD [RIP+0x529db0]}
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[35492] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffc164f6fe0 6 bytes {JMP QWORD [RIP+0x509050]}
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes CALL 320043
.text C:\Program
Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\SYSTEM32\WINSPOOL.DRV!AddPrintProvidorA 00007ffc0ffcd420 6 bytes {JMP QWORD [RIP+0x82c10]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\SYSTEM32\WINSPOOL.DRV!AddPrintProvidorW 00007ffc0ffd6480 6 bytes {JMP QWORD [RIP+0x99bb0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[85548] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] 
C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes CALL 6c006f .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\SYSTEM32\WINSPOOL.DRV!AddPrintProvidorA 00007ffc0ffcd420 6 bytes {JMP QWORD [RIP+0x82c10]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\SYSTEM32\WINSPOOL.DRV!AddPrintProvidorW 00007ffc0ffd6480 6 bytes {JMP QWORD [RIP+0x99bb0]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]} .text C:\Program Files\AMD Quick Stream\AMDQuickStream.exe[117296] C:\Windows\system32\ADVAPI32.dll!CreateServiceW Code:
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffc181c4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffc181c4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffc181c5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffc181c53ff 8 bytes {JMP 0xffffffffffffffee}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffc181c579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffc181c5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffc181c5ef1 8 bytes {JMP 0xffffffffffffff9e}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffc181c5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffc181c60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffc181c64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffc181c6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffc181c66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffc181c8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffc181c8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffc181c8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffc181c8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffc181c90ae 8 bytes {JMP 0xffffffffffffff96}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffc181c917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffc181c9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffc181c9fcd 8 bytes {JMP 0xffffffffffffffaf}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffc181caae0 8 bytes {JMP 0xffffffffffffffcd}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffc181cab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffc181cb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffc181cb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffc181cc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffc181cc5b0 8 bytes {JMP 0xffffffffffffffc7}
.text ... * 2
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffc181cd0d3 8 bytes {JMP 0xffffffffffffffef}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffc181cd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffc181cd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffc181cd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffc181cd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffc181cd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffc181cdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffc181cdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffc181ce073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffc181ce124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffc181ce160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffc181ceb74 8 bytes {JMP 0xffffffffffffffd0}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffc181cfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffc181d009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffc181d015b 8 bytes [70, 6C, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffc181d1438 8 bytes [40, 6C, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffc181d15e6 8 bytes [30, 6C, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffc181d1877 8 bytes [20, 6C, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffc181d1a2d 8 bytes [10, 6C, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffc181d1c35 8 bytes [00, 6C, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffc18241290 8 bytes {JMP QWORD [RIP-0x6fe5e]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffc18241410 8 bytes {JMP QWORD [RIP-0x6fe30]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffc18241440 8 bytes {JMP QWORD [RIP-0x712eb]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc18241560 8 bytes {JMP QWORD [RIP-0x70c1e]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffc18241610 8 bytes {JMP QWORD [RIP-0x71122]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc18241cd0 8 bytes {JMP QWORD [RIP-0x700a1]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffc18241fd0 8 bytes {JMP QWORD [RIP-0x705a9]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc18242850 8 bytes {JMP QWORD [RIP-0x70fdf]}
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 7
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Secunia\PSI\psi_tray.exe[156328] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 00000000774a2bd3 8 bytes [DC, 6A, D6, 7E, 00, 00, 00, ...]
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffc15718e46 3 bytes CALL 0
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[25620] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\KERNEL32.DLL!CreateProcessInternalW 00007ffc16980070 6 bytes {JMP QWORD [RIP+0x14ffc0]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!SendInput 00007ffc16541240 6 bytes {JMP QWORD [RIP+0x4dedf0]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!PostMessageW 00007ffc165433f0 6 bytes {JMP QWORD [RIP+0x55cc40]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!SendMessageW 00007ffc16545720 6 bytes {JMP QWORD [RIP+0x51a910]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!mouse_event 00007ffc16549f00 6 bytes {JMP QWORD [RIP+0x496130]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!PostMessageA 00007ffc16565920 6 bytes {JMP QWORD [RIP+0x51a710]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!SendMessageA 00007ffc16566190 6 bytes {JMP QWORD [RIP+0x4d9ea0]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\USER32.dll!keybd_event 00007ffc165c9620 6 bytes {JMP QWORD [RIP+0x436a10]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ffc1588dd10 6 bytes {JMP QWORD [RIP+0x152320]}
.text C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe[89336] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ffc1588dda0 6 bytes {JMP QWORD [RIP+0x422290]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffc181c4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffc181c4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffc181c5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffc181c53ff 8 bytes {JMP 0xffffffffffffffee}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffc181c579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffc181c5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffc181c5ef1 8 bytes {JMP 0xffffffffffffff9e}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffc181c5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffc181c60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffc181c64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffc181c6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffc181c66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffc181c8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffc181c8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffc181c8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffc181c8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffc181c90ae 8 bytes {JMP 0xffffffffffffff96}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffc181c917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffc181c9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffc181c9fcd 8 bytes {JMP 0xffffffffffffffaf}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffc181caae0 8 bytes {JMP 0xffffffffffffffcd}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffc181cab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffc181cb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffc181cb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffc181cc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffc181cc5b0 8 bytes {JMP 0xffffffffffffffc7}
.text ... * 2
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffc181cd0d3 8 bytes {JMP 0xffffffffffffffef}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffc181cd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffc181cd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffc181cd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffc181cd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffc181cd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffc181cdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffc181cdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffc181ce073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffc181ce124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffc181ce160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffc181ceb74 8 bytes {JMP 0xffffffffffffffd0}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffc181cfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffc181d009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffc181d015b 8 bytes [70, 6C, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffc181d1438 8 bytes [40, 6C, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffc181d15e6 8 bytes [30, 6C, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffc181d1877 8 bytes [20, 6C, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffc181d1a2d 8 bytes [10, 6C, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffc181d1c35 8 bytes [00, 6C, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffc18241290 8 bytes {JMP QWORD [RIP-0x6fe5e]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffc18241410 8 bytes {JMP QWORD [RIP-0x6fe30]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffc18241440 8 bytes {JMP QWORD [RIP-0x712eb]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc18241560 8 bytes {JMP QWORD [RIP-0x70c1e]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffc18241610 8 bytes {JMP QWORD [RIP-0x71122]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc18241cd0 8 bytes {JMP QWORD [RIP-0x700a1]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffc18241fd0 8 bytes {JMP QWORD [RIP-0x705a9]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc18242850 8 bytes {JMP QWORD [RIP-0x70fdf]}
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 7
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[80324] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 00000000774a2bd3 8 bytes [DC, 6A, F8, 7F, 00, 00, 00, ...]
.text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffc181c4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffc181c4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffc181c5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffc181c53ff 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffc181c579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffc181c5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffc181c5ef1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffc181c5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffc181c60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffc181c64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffc181c6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffc181c66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffc181c8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffc181c8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffc181c8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffc181c8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffc181c90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffc181c917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffc181c9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffc181c9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffc181caae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffc181cab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffc181cb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffc181cb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffc181cc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffc181cc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffc181cd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffc181cd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffc181cd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffc181cd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffc181cd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffc181cd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffc181cdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffc181cdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffc181ce073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffc181ce124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffc181ce160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffc181ceb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffc181cfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffc181d009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffc181d015b 8 bytes [70, 6C, B3, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffc181d1438 8 bytes [40, 6C, B3, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffc181d15e6 8 bytes [30, 6C, B3, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffc181d1877 8 bytes [20, 6C, B3, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffc181d1a2d 8 bytes [10, 6C, B3, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffc181d1c35 8 bytes [00, 6C, B3, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffc18241290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffc18241410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffc18241440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc18241560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffc18241610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc18241cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Program Files 
(x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffc18241fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc18242850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[200048] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 |
10.06.2015, 09:10 | #3 |
| "Keine Rückmeldung" (Not responding): programs start slowly and often hang
Code:
.text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffc181c60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffc181c64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffc181c6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffc181c66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffc181c8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffc181c8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffc181c8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffc181c8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffc181c90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffc181c917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffc181c9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffc181c9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffc181caae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffc181cab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffc181cb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffc181cb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffc181cc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffc181cc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffc181cd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffc181cd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffc181cd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffc181cd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffc181cd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffc181cd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffc181cdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffc181cdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffc181ce073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffc181ce124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffc181ce160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffc181ceb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffc181cfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffc181d009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffc181d015b 8 bytes [70, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffc181d1438 8 bytes [40, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffc181d15e6 8 bytes [30, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffc181d1877 8 bytes [20, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffc181d1a2d 8 bytes [10, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffc181d1c35 8 bytes [00, 6C, F8, 7F, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffc18241290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffc18241410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffc18241440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc18241560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffc18241610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc18241cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffc18241fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc18242850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe[101176] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 00000000774a2bd3 8 bytes [DC, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{7D12F395-4038-4AE4-9B22-EF7F9CBA7578}\43.0.2357.124_43.0.2357.81_chrome_updater.exe[49652] Code:
ATTFilter .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffc181c4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffc181c4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffc181c5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffc181c53ff 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffc181c579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffc181c5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffc181c5ef1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffc181c5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffc181c60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffc181c64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffc181c6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffc181c66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffc181c8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffc181c8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffc181c8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffc181c8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffc181c90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffc181c917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffc181c9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffc181c9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffc181caae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffc181cab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffc181cb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffc181cb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffc181cc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffc181cc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffc181cd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffc181cd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffc181cd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffc181cd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffc181cd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffc181cd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffc181cdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffc181cdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffc181ce073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffc181ce124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffc181ce160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffc181ceb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffc181cfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffc181d009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffc181d015b 8 bytes [70, 6C, 2D, FF, 00, 00, 00, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffc181d1438 8 bytes [40, 6C, 2D, FF, 00, 00, 00, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffc181d15e6 8 bytes [30, 6C, 2D, FF, 00, 00, 00, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffc181d1877 8 bytes [20, 6C, 2D, FF, 00, 00, 00, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffc181d1a2d 8 bytes [10, 6C, 2D, FF, 00, 00, 00, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffc181d1c35 8 bytes [00, 6C, 2D, FF, 00, 00, 00, ...] 
.text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffc18241290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffc18241410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffc18241440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc18241560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffc18241610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc18241cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffc18241fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc18242850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 00000000774a1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000774a16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000774a16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 00000000774a1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 00000000774a25d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 00000000774a2714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 00000000774a2961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\CR_FFD44.tmp\setup.exe[81320] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 00000000774a2bd3 8 bytes [DC, 6A, 2D, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Update\Install\{A54C3021-1E9F-46AD-86A1-5C9B073A588F}\43.0.2357.124_chrome_installer.exe[155380] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000774a13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{A54C3021-1E9F-46AD-86A1-5C9B073A588F}\43.0.2357.124_chrome_installer.exe[155380] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 00000000774a1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Update\Install\{A54C3021-1E9F-46AD-86A1-5C9B073A588F}\43.0.2357.124_chrome_installer.exe[155380] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 00000000774a1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7872:7956] 00007ffc166c5aa0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7872:8184] 00007ffc158f0b70
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7872:7276] 00007ffc15f812c0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7872:102792] 00007ffc15f812c0
Thread C:\Windows\system32\csrss.exe [164644:95016] fffff960008f62d0

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
|
10.06.2015, 11:33 | #4 |
/// TB Trainer | "Not Responding": programs start slowly and often hang
Hello IT-Laie01,
my name is Timo and I will help you with your problem.
Note: I can never guarantee that I will find everything. Formatting is always the safest route. We all work here voluntarily and mostly in our free time, so replies may be delayed. If you have not received an answer from me within 48 hours, send me a PM.
If you decide on a clean-up, keep working along until I or someone from the team tells you that you are clean.
Run all tools with administrative rights; Vista, Win7 and Win8 users right-click and choose "Run as administrator".
Please download Revo Uninstaller (alternatively the portable Revo Uninstaller) from here.
I also see Emsisoft + Kaspersky on the machine:
(Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
However, there is no installation entry for Emsisoft. What is the current situation there?
Please download AdwCleaner to your desktop.
Please shut down your protection software to avoid possible conflicts.
Please download Malwarebytes Anti-Malware.
And please post new FRST logs. Tick addition.txt, then click Scan.
__________________ Learn to strike back and support us! TB Akademie | Donate | Praise & Criticism |
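As an added illustration of the check Timo makes above (a service running from a vendor's folder although that vendor has no installation entry), here is a small Python script that cross-checks an FRST process list against the Addition.txt installed-programs section. It is not part of this thread or of FRST; the sample log lines are constructed, and the exact layout of the installed-programs lines is an assumption to verify against a real Addition.txt.

```python
"""
Flag running processes whose vendor has no uninstall entry: a leftover of an
incomplete uninstall (the Emsisoft case in this thread) or software that was
dropped without a regular installer. Defensive triage helper only.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the FRST.txt "Processes (Whitelisted)" section quoted in the thread.
SAMPLE_FRST = """\
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Emsisoft Ltd) C:\\Program Files (x86)\\Emsisoft Anti-Malware\\a2service.exe
(Kaspersky Lab ZAO) C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\avp.exe
(Malwarebytes Corporation) C:\\Program Files (x86)\\Malwarebytes Anti-Malware\\mbamservice.exe
(Microsoft Corporation) C:\\Windows\\System32\\dasHost.exe
==================== Registry (Whitelisted) ==================
HKLM\\...\\Run: [RTHDVCPL] => C:\\Program Files\\Realtek\\Audio\\HDA\\RtkNGUI64.exe [8465112 2015-04-13] (Realtek Semiconductor)
"""

# Constructed sample in the shape of Addition.txt's "Installed Programs" section (assumed format;
# the registry key names are placeholders, not values from this thread).
SAMPLE_ADDITION = """\
==================== Installed Programs ======================
Kaspersky Internet Security (HKLM-x32\\...\\KIS-PLACEHOLDER-KEY) (Version: 15.0.0 - Kaspersky Lab)
Malwarebytes Anti-Malware Version 2.01.6.1022 (HKLM-x32\\...\\MBAM-PLACEHOLDER-KEY) (Version: 2.01.6.1022 - Malwarebytes Corporation)
==================== Custom CLSID (selected items): ==========
"""

# "(Vendor) C:\path\to\binary.exe"
PROCESS_RE = re.compile(r'^\(([^)]*)\)\s+([A-Za-z]:\\.+\.exe)\s*$', re.IGNORECASE)
# "Name (HKLM...\key) (Version: x.y - Vendor)"
INSTALLED_RE = re.compile(r'^(.+?)\s+\(HK[^)]*\)\s+\(Version:\s*(.*?)\s+-\s+(.*?)\)\s*$')

# OS components never carry an uninstall entry, so they would only produce noise.
IGNORED_VENDORS = {'microsoft'}


def section(lines, title):
    """Yield the non-empty lines of the FRST section whose '====' header contains `title`."""
    inside = False
    for line in lines:
        if line.startswith('===='):
            inside = title in line
            continue
        if inside and line.strip():
            yield line.rstrip()


def vendor_key(vendor):
    """Reduce a vendor string to its first significant word so that
    'Kaspersky Lab ZAO' (process signer) and 'Kaspersky Lab' (installer) compare equal."""
    words = re.findall(r'[a-z0-9-]+', vendor.lower())
    return words[0] if words else ''


def running_processes(frst_text):
    """Return [(vendor, path)] for every process line in the Processes section."""
    procs = []
    for line in section(frst_text.splitlines(), 'Processes'):
        m = PROCESS_RE.match(line)
        if m:
            procs.append((m.group(1).strip(), m.group(2)))
    return procs


def installed_vendors(addition_text):
    """Return the set of normalised vendor keys that have an uninstall entry."""
    vendors = set()
    for line in section(addition_text.splitlines(), 'Installed Programs'):
        m = INSTALLED_RE.match(line)
        if m:
            vendors.add(vendor_key(m.group(3)))
    return vendors


def orphaned_processes(frst_text, addition_text):
    """Return {vendor: [paths]} for running processes whose vendor has no installed program."""
    installed = installed_vendors(addition_text)
    orphans = defaultdict(list)
    for vendor, path in running_processes(frst_text):
        key = vendor_key(vendor)
        if key and key not in installed and key not in IGNORED_VENDORS:
            orphans[vendor].append(path)
    return dict(orphans)


if __name__ == '__main__':
    for vendor, paths in orphaned_processes(SAMPLE_FRST, SAMPLE_ADDITION).items():
        print(f'{vendor}: running, but no installation entry')
        for path in paths:
            print(f'    {path}')
```

On the constructed sample the only hit is the Emsisoft service, mirroring Timo's observation; on a real pair of logs, review every hit by hand because the vendor-name match is deliberately loose.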
11.06.2015, 10:34 | #5 |
| "Not Responding": programs start slowly and often hang
Hello Timo! Thanks for your quick reply! Emsisoft was a trial version that I uninstalled before starting the scans, though evidently incompletely. Sorry! Kaspersky is current. Attached are the requested log files.
Regards, IT-Laie01
Code:
# AdwCleaner v4.206 - Bericht erstellt 11/06/2015 um 10:26:58
# Aktualisiert 01/06/2015 von Xplode
# Datenbank : 2015-06-09.1 [Server]
# Betriebssystem : Windows 8.1 (x64)
# Benutzername : Frank - LAPTOP
# Gestarted von : C:\Users\Frank\Downloads\AdwCleaner_4.206.exe
# Option : Löschen

***** [ Dienste ] *****

***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Datei Gelöscht : C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\user.js

***** [ Geplante Tasks ] *****

Task Gelöscht : DriverEasy Scheduled Scan

***** [ Verknüpfungen ] *****

***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Schlüssel Gelöscht : HKCU\Software\OCS

***** [ Internetbrowser ] *****

-\\ Internet Explorer v11.0.9600.17416

-\\ Mozilla Firefox v38.0.5 (x86 de)

[p9mddmfq.default-1433264625322\prefs.js] - Zeile Gelöscht : user_pref("browser.newtab.url", "chrome://unitedtb/content/newtab/newtab-page.xhtml");

-\\ Google Chrome v43.0.2357.124

*************************

AdwCleaner[R0].txt - [2055 Bytes] - [11/06/2015 10:19:53]
AdwCleaner[S0].txt - [1930 Bytes] - [11/06/2015 10:26:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1989 Bytes] ##########
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 8.1 x64
Ran by Frank on 11.06.2015 at 10:40:06,04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] C:\users\public\desktop\drivereasy.lnk

~~~ Folders

Successfully deleted: [Folder] C:\Program Files (x86)\myfree codec
Successfully deleted: [Folder] C:\ProgramData\microsoft\windows\start menu\programs\drivereasy

~~~ FireFox

~~~ Chrome

[C:\Users\Frank\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Users\Frank\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
[C:\Users\Frank\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Users\Frank\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted: []

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11.06.2015 at 10:44:47,21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 11.06.2015
Suchlauf-Zeit: 10:49:12
Logdatei: mbam.txt
Administrator: Ja

Version: 2.01.6.1022
Malware Datenbank: v2015.06.11.01
Rootkit Datenbank: v2015.06.02.01
Lizenz: Premium
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 8.1
CPU: x64
Dateisystem: NTFS
Benutzer: Frank

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 364612
Verstrichene Zeit: 29 Min, 45 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(Keine schädliche Elemente gefunden)

Module: 0
(Keine schädliche Elemente gefunden)

Registrierungsschlüssel: 0
(Keine schädliche Elemente gefunden)

Registrierungswerte: 0
(Keine schädliche Elemente gefunden)

Registrierungsdaten: 0
(Keine schädliche Elemente gefunden)

Ordner: 0
(Keine schädliche Elemente gefunden)

Dateien: 0
(Keine schädliche Elemente gefunden)

Physische Sektoren: 0
(Keine schädliche Elemente gefunden)

(end)
Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015 Ran by Frank (administrator) on LAPTOP on 11-06-2015 11:23:49 Running from C:\Users\Frank\Downloads Loaded Profiles: Frank (Available Profiles: Frank) Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 (Default browser: FF) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe (Microsoft Corporation) C:\Windows\System32\dasHost.exe (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe (Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe (Microsoft Corporation) C:\Windows\System32\dasHost.exe (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe (Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe (Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe (Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) 
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-28] (Hewlett-Packard) HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-28] (Hewlett-Packard) HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-28] (Hewlett-Packard) HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3100440 2014-05-19] (Logitech, Inc.) HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8465112 2015-04-13] (Realtek Semiconductor) HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2858664 2015-03-19] (Synaptics Incorporated) HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163520 2015-04-09] (IvoSoft) HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-01] (Hewlett-Packard Company) HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.) HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.) HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.) HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.) HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2014-06-16] (Brother Industries, Ltd.) 
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.) HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [2009088 2013-01-18] (Brother Industries, Ltd.) HKLM-x32\...\Run: [PDFPrint] => C:\Program Files (x86)\PDF24\pdf24.exe [193568 2014-11-12] (Geek Software GmbH) HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-09] (Hewlett-Packard Development Company, L.P.) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [Raptr] => C:\Program Files (x86)\Raptr\raptrstub.exe [55568 2015-05-15] (Raptr, Inc) HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310064 2014-05-28] (Samsung Electronics Co., Ltd.) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation) Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.) 
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Run: [AppEx Accelerator UI] => C:\Program Files\AMD Quick Stream\AMDQuickStream.exe [482528 2014-03-31] (AppEx Networks Corporation) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2015-02-09] ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia) Startup: C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-01-15] ShortcutTarget: Dropbox.lnk -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.) 
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT14/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT14/4
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.uk.msn.com/HPNOT14/4
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.web.de/
HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT14/4
SearchScopes: HKLM-x32 -> {409DDD25-F754-4E92-9B6F-20BACCC3A0EF} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002 -> {409DDD25-F754-4E92-9B6F-20BACCC3A0EF} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-11-22] (Kaspersky Lab ZAO)
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.)
BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO-x32: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO-x32: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll [2014-11-22] (Kaspersky Lab ZAO)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-06-02] (Oracle Corporation)
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\OnlineBanking\online_banking_bho.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-06-02] (Oracle Corporation)
BHO-x32: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll [2014-04-20] (Kaspersky Lab ZAO)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322
FF NewTab: chrome://unitedtb/content/newtab/newtab-page.xhtml
FF DefaultSearchEngine: Startpage (SSL)
FF Homepage: hxxp://web.de/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_188.dll [2015-06-02] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll [2015-06-02] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1218158.dll [2015-05-07] (Adobe Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-05-13] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-05-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-06-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-06-02] (Oracle Corporation)
FF Plugin-x32: @kaspersky.com/content_blocker -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-11-22] ()
FF Plugin-x32: @kaspersky.com/online_banking -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-11-22] ()
FF Plugin-x32: @kaspersky.com/virtual_keyboard -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-11-22] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-01] (Google Inc.)
FF SearchPlugin: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\searchplugins\startpage-ssl.xml [2015-06-02]
FF Extension: WEB.DE MailCheck - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\Extensions\mailcheck@web.de [2015-06-09]
FF Extension: WOT - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-06-02]
FF Extension: Adblock Plus - C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\p9mddmfq.default-1433264625322\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-06-02]
FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com
FF Extension: Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-11-22]
FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com
FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-11-22]
FF HKLM-x32\...\Firefox\Extensions: - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com
FF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com [2014-11-22]
FF HKLM-x32\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com
FF Extension: Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com [2014-11-22]
FF HKLM-x32\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com
FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-11-22]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2015-02-09]

Chrome:
=======
CHR Profile: C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-02]
CHR Extension: (Google Drive) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-06-02]
CHR Extension: (YouTube) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-06-02]
CHR Extension: (Google Search) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-02]
CHR Extension: (Kaspersky Protection) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho [2015-06-02]
CHR Extension: (Bookmark Manager) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-06-04]
CHR Extension: (Google Wallet) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-02]
CHR Extension: (Gmail) - C:\Users\Frank\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-02]
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-11-20] (Advanced Micro Devices, Inc.) [File not signed]
R2 AVP15.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe [233552 2014-04-20] (Kaspersky Lab ZAO)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [88064 2014-03-05] () [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
S2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-09] (Hewlett-Packard Development Company, L.P.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-28] (Softex Inc.) [File not signed]
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] ()
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294104 2015-04-10] (Realtek Semiconductor)
S2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1363160 2014-11-28] (Secunia)
S2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [765144 2014-11-28] (Secunia)
S2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.)
S2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [220840 2015-03-19] (Synaptics Incorporated)
S2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [51712 2014-04-17] (Advanced Micro Devices, Inc.)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-04-03] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17640 2013-10-24] (Advanced Micro Devices, INC.)
S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-23] (Advanced Micro Devices, Inc.)
S3 amdkmcsp; C:\Windows\system32\DRIVERS\amdkmcsp.sys [85704 2014-04-17] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [62152 2014-10-28] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\Windows\System32\DRIVERS\amdpsp.sys [230088 2014-04-17] (Advanced Micro Devices, Inc. )
R2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [229056 2014-10-28] (AppEx Networks Corporation)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-03-12] (Advanced Micro Devices)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [457824 2014-02-20] (Kaspersky Lab ZAO)
S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29616 2012-07-27] (Kaspersky Lab)
R3 klflt; C:\Windows\system32\DRIVERS\klflt.sys [142344 2014-11-22] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\system32\DRIVERS\klhk.sys [243808 2014-04-10] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [771272 2014-11-22] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\system32\DRIVERS\klim6.sys [30304 2014-02-25] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\system32\DRIVERS\klkbdflt.sys [28768 2014-03-28] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\system32\DRIVERS\klmouflt.sys [29280 2013-08-08] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\system32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO)
R1 klwfp; C:\Windows\system32\DRIVERS\klwfp.sys [67680 2014-03-19] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\system32\DRIVERS\kneps.sys [179296 2014-03-26] (Kaspersky Lab ZAO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [136408 2015-06-11] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
R3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2014-11-28] (Secunia)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [294104 2014-11-06] (Realtek Semiconductor Corp.)
R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [559832 2014-02-26] (Realtek Semiconductor Corporation)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [788696 2014-12-23] (Realsil Semiconductor Corporation)
U5 RTSUER; C:\Windows\System32\Drivers\RTSUER.sys [376024 2014-12-26] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3468504 2014-05-23] (Realtek Semiconductor Corporation )
R3 SmbDrv; C:\Windows\system32\DRIVERS\Smb_driver_AMDASF.sys [30376 2015-03-19] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [31472 2014-06-04] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 GENERICDRV; \??\C:\swsetup\sp68963\amifldrv64.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 mfefire; No ImagePath
U3 MSK80Service; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)
2015-06-11 10:44 - 2015-06-11 10:44 - 00001305 _____ C:\Users\Frank\Desktop\JRT.txt
2015-06-11 10:40 - 2015-06-11 10:40 - 00000207 _____ C:\Windows\tweaking.com-regbackup-LAPTOP-Windows-8.1-(64-bit).dat
2015-06-11 10:40 - 2015-06-11 10:40 - 00000000 ____D C:\RegBackup
2015-06-11 10:38 - 2015-06-11 10:38 - 02943663 _____ (Thisisu) C:\Users\Frank\Downloads\JRT.exe
2015-06-11 10:19 - 2015-06-11 10:27 - 00000000 ____D C:\AdwCleaner
2015-06-11 10:17 - 2015-06-11 10:18 - 02231296 _____ C:\Users\Frank\Downloads\AdwCleaner_4.206.exe
2015-06-11 10:07 - 2015-06-02 18:28 - 00271968 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2015-06-11 10:07 - 2015-06-02 18:28 - 00191072 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2015-06-11 10:07 - 2015-06-02 18:28 - 00190560 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2015-06-11 10:03 - 2015-06-11 10:03 - 00001251 _____ C:\Users\Frank\Desktop\Revo Uninstaller.lnk
2015-06-11 10:03 - 2015-06-11 10:03 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2015-06-11 10:01 - 2015-06-11 10:01 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Frank\Downloads\revosetup95.exe
2015-06-10 10:25 - 2015-06-10 10:25 - 00000000 ____D C:\Users\Frank\AppData\Local\GWX
2015-06-10 09:25 - 2015-06-11 10:29 - 00000232 _____ C:\Windows\setupact.log
2015-06-10 09:25 - 2015-06-10 09:25 - 00330536 _____ C:\Windows\Minidump\061015-53125-01.dmp
2015-06-10 09:25 - 2015-06-10 09:25 - 00000000 _____ C:\Windows\setuperr.log
2015-06-10 09:24 - 2015-06-10 09:24 - 913248866 _____ C:\Windows\MEMORY.DMP
2015-06-10 09:24 - 2015-06-10 09:24 - 00007016 _____ C:\Windows\PFRO.log
2015-06-10 09:10 - 2015-06-10 09:11 - 00380416 _____ C:\Users\Frank\Downloads\Gmer-19357.exe
2015-06-10 09:04 - 2015-06-10 09:06 - 00047873 _____ C:\Users\Frank\Downloads\Addition.txt
2015-06-10 09:00 - 2015-06-11 11:23 - 00025632 _____ C:\Users\Frank\Downloads\FRST.txt
2015-06-10 08:59 - 2015-06-11 11:24 - 00000000 ____D C:\FRST
2015-06-10 08:59 - 2015-06-10 08:59 - 02108928 _____ (Farbar) C:\Users\Frank\Downloads\FRST64.exe
2015-06-10 08:58 - 2015-06-10 08:58 - 00000472 _____ C:\Users\Frank\Downloads\defogger_disable.log
2015-06-10 08:58 - 2015-06-10 08:58 - 00000000 _____ C:\Users\Frank\defogger_reenable
2015-06-10 08:52 - 2015-06-10 08:52 - 00050477 _____ C:\Users\Frank\Downloads\Defogger.exe
2015-06-10 08:45 - 2015-06-10 08:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Live Add-in
2015-06-03 17:24 - 2015-06-11 10:31 - 01680475 _____ C:\Windows\WindowsUpdate.log
2015-06-02 19:36 - 2015-06-11 10:12 - 00000000 ____D C:\Users\Frank\AppData\Local\ClassicShell
2015-06-02 19:36 - 2015-06-02 19:36 - 00000000 ____D C:\Users\Frank\AppData\Roaming\ClassicShell
2015-06-02 19:36 - 2015-06-02 19:36 - 00000000 ____D C:\ProgramData\ClassicShell
2015-06-02 19:35 - 2015-06-02 19:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell
2015-06-02 19:35 - 2015-06-02 19:35 - 00000000 ____D C:\Program Files\Classic Shell
2015-06-02 19:33 - 2015-06-02 19:33 - 06590656 _____ (IvoSoft) C:\Users\Frank\Downloads\27122_ClassicShellSetup_4_2_1.exe
2015-06-02 19:03 - 2015-06-02 19:03 - 00000000 ____D C:\Users\Frank\Desktop\Alte Firefox-Daten
2015-06-02 19:02 - 2015-06-10 09:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-02 18:40 - 2015-06-02 18:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-06-02 18:33 - 2015-06-02 18:33 - 05009736 _____ (Adobe Systems Inc.) C:\Users\Frank\Downloads\Shockwave_Installer_Slim.exe
2015-06-02 18:14 - 2015-06-02 18:15 - 37328992 _____ (Oracle Corporation) C:\Users\Frank\Downloads\jre-8u45-windows-i586.exe
2015-06-02 18:13 - 2015-06-02 18:13 - 00562784 _____ (Oracle Corporation) C:\Users\Frank\Downloads\jre-8u45-windows-i586-iftw.exe
2015-05-31 16:10 - 2015-05-31 16:10 - 00001488 _____ C:\Users\Frank\Downloads\URLLink(1).acsm
2015-05-31 15:56 - 2015-05-31 15:56 - 00001548 _____ C:\Users\Frank\Downloads\URLLink.acsm
2015-05-31 15:12 - 2015-05-31 15:12 - 00001956 _____ C:\Users\Public\Desktop\Samsung Kies 3.lnk
2015-05-22 08:41 - 2015-05-22 08:41 - 00000000 ___RD C:\Users\Frank\AppData\Roaming\Brother
2015-05-20 10:29 - 2015-06-11 10:48 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-20 10:29 - 2015-05-20 10:29 - 00001085 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-20 10:29 - 2015-05-20 10:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-20 10:29 - 2015-05-20 10:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-05-20 10:29 - 2015-04-14 10:30 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-05-20 10:29 - 2015-04-14 10:30 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-05-20 10:29 - 2015-04-14 10:30 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-05-20 10:20 - 2015-05-20 10:21 - 21546400 _____ (Malwarebytes Corporation ) C:\Users\Frank\Downloads\mbam_premium(1).exe
2015-05-19 22:36 - 2015-05-19 22:36 - 00000000 ____D C:\ProgramData\SRS Labs
2015-05-19 22:35 - 2015-04-14 19:38 - 04664792 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RTKVHD64.sys
2015-05-19 22:35 - 2015-04-14 19:08 - 01736408 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoInstII64.dll
2015-05-19 22:35 - 2015-04-14 16:40 - 01303256 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTCOM64.dll
2015-05-19 22:35 - 2015-04-14 14:35 - 01990874 _____ C:\Windows\system32\Drivers\RTAIODAT.DAT
2015-05-19 22:35 - 2015-04-13 19:14 - 00168816 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkCfg64.dll
2015-05-19 22:35 - 2015-04-09 17:00 - 02846936 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RltkAPO64.dll
2015-05-19 22:35 - 2015-03-19 13:20 - 02907864 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtPgEx64.dll
2015-05-19 22:35 - 2015-03-10 18:04 - 02702040 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTSnMg64.cpl
2015-05-19 22:35 - 2015-02-04 00:38 - 01413776 _____ (Synopsys, Inc.) C:\Windows\system32\SRRPTR64.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00454288 _____ (Synopsys, Inc.) C:\Windows\system32\SRAPO64.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00369296 _____ (Synopsys, Inc.) C:\Windows\system32\SRCOM64.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00329360 _____ (Synopsys, Inc.) C:\Windows\SysWOW64\SRCOM.dll
2015-05-19 22:35 - 2015-02-04 00:38 - 00329360 _____ (Synopsys, Inc.) C:\Windows\system32\SRCOM.dll
2015-05-19 22:35 - 2015-01-19 18:10 - 72113152 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoRes64.dat
2015-05-19 22:35 - 2014-12-11 08:10 - 01104040 _____ (SRS Labs, Inc.) C:\Windows\system32\slcnt64.dll
2015-05-19 22:35 - 2014-12-11 08:10 - 00943784 _____ (DTS, Inc.) C:\Windows\system32\sl3apo64.dll
2015-05-19 22:35 - 2014-12-11 08:10 - 00734376 _____ (DTS, Inc.) C:\Windows\system32\sltech64.dll
2015-05-19 22:35 - 2014-12-11 08:10 - 00250536 _____ (TODO: <Company name>) C:\Windows\system32\slprp64.dll
2015-05-19 22:35 - 2014-12-02 18:42 - 03218800 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkApi64.dll
2015-05-19 22:35 - 2014-11-11 13:44 - 00631000 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtDataProc64.dll
2015-05-19 22:33 - 2015-04-09 15:23 - 01559744 _____ (Conexant Systems Inc.) C:\Windows\system32\CX64APO.dll
2015-05-19 22:26 - 2015-01-15 08:42 - 00881368 _____ (Realtek ) C:\Windows\system32\Drivers\Rt630x64.sys
2015-05-19 22:26 - 2015-01-15 08:42 - 00073800 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp64.dll
2015-05-19 22:25 - 2014-11-06 11:07 - 00294104 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RtsP2Stor.sys
2015-05-19 22:25 - 2014-11-06 10:57 - 00359128 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RtsPStor.sys
2015-05-19 22:25 - 2014-10-20 11:50 - 00083160 _____ (Realtek Semiconductor.) C:\Windows\system32\RtCRX64.dll
2015-05-19 22:25 - 2014-01-27 07:39 - 09890008 _____ (Realtek Semiconductor Corp.) C:\Windows\SysWOW64\RsCRIcon.dll
2015-05-19 17:25 - 2015-05-19 17:25 - 00000000 ____D C:\Users\Frank\AppData\Local\.elfohilfe
2015-05-19 16:43 - 2015-05-19 16:43 - 00000000 ____D C:\ProgramData\Emsisoft
2015-05-19 16:27 - 2015-06-10 09:24 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2015-05-19 16:22 - 2015-05-19 16:26 - 160982088 _____ (Emsisoft Ltd. ) C:\Users\Frank\Downloads\EmsisoftAntiMalwareSetup.exe
2015-05-19 11:23 - 2015-05-19 11:23 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\12C22F59.sys
2015-05-16 21:22 - 2015-05-19 11:22 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\245C0FCA.sys
2015-05-16 20:01 - 2015-05-16 20:01 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\669951C8.sys
2015-05-15 14:19 - 2015-05-15 14:20 - 40054888 _____ C:\Users\Frank\Downloads\WEB.DE_Firefox_Setup.exe
2015-05-13 21:47 - 2015-04-24 23:32 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-05-13 21:47 - 2015-03-05 01:09 - 01429504 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-05-13 21:39 - 2015-04-30 22:35 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 21:39 - 2015-04-30 22:35 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-05-12 21:46 - 2015-03-17 19:26 - 00467776 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\USBHUB3.SYS
2015-05-12 21:46 - 2015-03-09 04:02 - 00057856 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\bthhfenum.sys
2015-05-12 21:45 - 2015-05-01 01:05 - 00429568 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-05-12 21:45 - 2015-05-01 00:48 - 00358912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-05-12 21:45 - 2015-04-10 02:34 - 02256896 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2015-05-12 21:45 - 2015-04-10 02:11 - 01943040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dwmcore.dll
2015-05-12 21:45 - 2015-03-20 03:56 - 00080384 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ahcache.sys
2015-05-12 21:45 - 2015-03-04 03:32 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Input.Inking.dll
2015-05-12 21:45 - 2015-03-04 03:12 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Input.Inking.dll
2015-05-12 21:44 - 2015-04-21 19:14 - 24971776 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-05-12 21:44 - 2015-04-21 18:50 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-05-12 21:44 - 2015-04-21 18:50 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-05-12 21:44 - 2015-04-21 18:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-05-12 21:44 - 2015-04-21 18:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-05-12 21:44 - 2015-04-21 18:35 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-05-12 21:44 - 2015-04-21 18:31 - 06025728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-05-12 21:44 - 2015-04-21 18:24 - 19691008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-05-12 21:44 - 2015-04-21 18:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-05-12 21:44 - 2015-04-21 18:09 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-05-12 21:44 - 2015-04-21 18:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-05-12 21:44 - 2015-04-21 18:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-05-12 21:44 - 2015-04-21 18:04 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-05-12 21:44 - 2015-04-21 17:58 - 00664576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-05-12 21:44 - 2015-04-21 17:49 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-12 21:44 - 2015-04-21 17:49 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-05-12 21:44 - 2015-04-21 17:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-12 21:44 - 2015-04-21 17:40 - 14401536 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-12 21:44 - 2015-04-21 17:38 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-05-12 21:44 - 2015-04-21 17:36 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-05-12 21:44 - 2015-04-21 17:31 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-05-12 21:44 - 2015-04-21 17:27 - 02352128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-12 21:44 - 2015-04-21 17:26 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-05-12 21:44 - 2015-04-21 17:26 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-05-12 21:44 - 2015-04-21 17:25 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-05-12 21:44 - 2015-04-21 17:17 - 12828672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-05-12 21:44 - 2015-04-21 17:15 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-12 21:44 - 2015-04-21 17:02 - 01882112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-05-12 21:44 - 2015-04-21 16:58 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-05-12 21:44 - 2015-04-14 00:48 - 04180480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-12 21:44 - 2015-04-10 03:00 - 01996800 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-12 21:44 - 2015-04-10 02:50 - 01387008 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-12 21:44 - 2015-04-10 02:26 - 01560576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-05-12 21:44 - 2015-04-09 00:55 - 00410128 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-12 21:44 - 2015-04-03 02:35 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\PhotoMetadataHandler.dll
2015-05-12 21:44 - 2015-04-03 02:14 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PhotoMetadataHandler.dll
2015-05-12 21:44 - 2015-04-02 00:22 - 02985984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbgeng.dll
2015-05-12 21:44 - 2015-04-02 00:20 - 04417536 _____ (Microsoft Corporation) C:\Windows\system32\dbgeng.dll
2015-05-12 21:44 - 2015-04-01 05:45 - 01491456 _____ (Microsoft Corporation) C:\Windows\system32\dbghelp.dll
2015-05-12 21:44 - 2015-04-01 04:31 - 01207296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbghelp.dll
2015-05-12 21:44 - 2015-03-30 07:47 - 00561928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-05-12 21:44 - 2015-03-27 05:27 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-05-12 21:44 - 2015-03-27 04:50 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2015-05-12 21:44 - 2015-03-27 04:48 - 01441792 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-05-12 21:44 - 2015-03-13 06:03 - 00239424 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2015-05-12 21:44 - 2015-03-13 06:03 - 00154432 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2015-05-12 21:44 - 2015-03-13 04:02 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\udfs.sys
2015-05-12 21:44 - 2015-03-13 03:11 - 02162176 _____ (Microsoft Corporation) C:\Windows\system32\SRH.dll
2015-05-12 21:44 - 2015-03-13 02:39 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SRH.dll
2015-05-12 21:44 - 2015-03-13 02:29 - 00410017 _____ C:\Windows\system32\ApnDatabase.xml
2015-05-12 21:44 - 2015-03-11 03:49 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2015-05-12 21:44 - 2015-03-11 03:09 - 00021504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sdbinst.exe
2015-05-12 21:44 - 2015-03-06 05:08 - 02067968 _____ (Microsoft Corporation) C:\Windows\system32\wpdshext.dll
2015-05-12 21:44 - 2015-03-06 04:47 - 01696256 _____ (Microsoft Corporation) C:\Windows\system32\wevtsvc.dll
2015-05-12 21:44 - 2015-03-06 04:43 - 01969664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wpdshext.dll 2015-05-12 21:44 - 2015-02-18 01:19 - 00186368 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll 2015-05-12 21:44 - 2015-01-30 02:53 - 02819584 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers.dll 2015-05-12 21:44 - 2014-11-14 08:58 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsDatabase.dll 2015-05-12 21:43 - 2015-04-21 18:13 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll 2015-05-12 21:43 - 2015-04-21 18:07 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll 2015-05-12 21:43 - 2015-04-21 17:59 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll 2015-05-12 21:43 - 2015-04-21 17:52 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll 2015-05-12 21:43 - 2015-04-21 17:49 - 00374272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2015-05-12 21:43 - 2015-04-21 17:37 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll 2015-05-12 21:43 - 2015-04-21 17:32 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll 2015-05-12 21:43 - 2015-04-21 17:28 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll 2015-05-12 21:43 - 2015-04-21 17:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2015-05-12 21:43 - 2015-04-21 16:56 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2015-06-11 11:22 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\AppReadiness 2015-06-11 11:01 - 2015-02-16 19:00 - 00001132 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2015-06-11 11:01 - 2015-02-16 19:00 - 00001128 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2015-06-11 11:01 - 2014-12-16 17:20 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job 2015-06-11 11:00 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\sru 2015-06-11 10:46 - 2014-11-22 17:27 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2739668103-1494456093-2395821988-1002 2015-06-11 10:45 - 2014-11-22 18:45 - 00000000 ____D C:\ProgramData\Kaspersky Lab 2015-06-11 10:40 - 2014-08-19 19:53 - 01747372 _____ C:\Windows\SysWOW64\rootpa.e2e 2015-06-11 10:32 - 2015-04-20 16:11 - 00000000 ____D C:\Users\Frank\Documents\Youcam 2015-06-11 10:31 - 2015-02-09 16:41 - 00000000 ____D C:\Users\Frank\AppData\Roaming\Raptr 2015-06-11 10:30 - 2014-11-23 01:33 - 00000000 ___DO C:\Users\Frank\OneDrive 2015-06-11 10:29 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2015-06-11 10:28 - 2014-11-22 17:21 - 00000000 ____D C:\Users\Frank 2015-06-11 10:28 - 2014-08-19 19:42 - 00065536 _____ C:\Windows\system32\spu_storage.bin 2015-06-11 10:28 - 2013-08-22 15:25 - 01835008 ___SH C:\Windows\system32\config\BBI 2015-06-11 10:08 - 2014-11-24 19:21 - 00000000 ____D C:\Program Files (x86)\Java 2015-06-11 10:03 - 2013-08-22 17:20 - 00000000 ____D C:\Windows\CbsTemp 2015-06-11 10:02 - 2015-03-12 12:24 - 00433664 ___SH C:\Users\Frank\Downloads\Thumbs.db 2015-06-11 09:58 - 2014-11-22 18:23 - 00003922 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9AB8EA36-8F15-4DC2-9B96-1FAA58826461} 2015-06-10 09:25 - 2014-11-25 20:03 - 00000000 ____D C:\Windows\Minidump 2015-06-10 09:24 - 2014-11-22 18:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2015-06-10 09:12 - 2014-11-23 00:42 - 00007911 _____ C:\Windows\BRRBCOM.INI 2015-06-10 
08:46 - 2014-07-11 02:11 - 00000000 ____D C:\Program Files (x86)\Microsoft Office 2015-06-10 08:32 - 2015-04-05 23:48 - 00000000 ___SD C:\Windows\SysWOW64\GWX 2015-06-10 08:32 - 2015-04-05 23:48 - 00000000 ___SD C:\Windows\system32\GWX 2015-06-09 17:05 - 2014-11-24 14:40 - 00003160 _____ C:\Windows\System32\Tasks\HPCeeScheduleForFrank 2015-06-09 17:05 - 2014-11-24 14:40 - 00000346 _____ C:\Windows\Tasks\HPCeeScheduleForFrank.job 2015-06-07 15:16 - 2014-07-11 10:54 - 00800954 _____ C:\Windows\system32\perfh007.dat 2015-06-07 15:16 - 2014-07-11 10:54 - 00174458 _____ C:\Windows\system32\perfc007.dat 2015-06-07 15:16 - 2014-03-18 11:53 - 01921090 _____ C:\Windows\system32\PerfStringBackup.INI 2015-06-07 15:12 - 2014-11-22 19:24 - 00000000 ____D C:\Users\Frank\Documents\My Digital Editions 2015-06-05 14:33 - 2015-04-19 20:06 - 00000000 ____D C:\Users\Frank\Documents\Frank 2015-06-02 18:40 - 2014-11-23 01:12 - 00000000 ____D C:\Users\Frank\AppData\Local\Google 2015-06-02 18:40 - 2014-11-23 01:12 - 00000000 ____D C:\Program Files (x86)\Google 2015-06-02 18:31 - 2014-11-24 19:22 - 00000000 ____D C:\ProgramData\Oracle 2015-06-02 18:28 - 2014-11-24 19:22 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll 2015-06-02 18:19 - 2014-12-16 17:20 - 00003772 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater 2015-06-02 18:19 - 2014-12-01 17:48 - 00000000 ____D C:\Users\Frank\AppData\Local\Adobe 2015-06-02 17:55 - 2014-11-23 00:41 - 00000000 ____D C:\Program Files (x86)\Browny02 2015-06-02 17:55 - 2014-11-23 00:34 - 00000000 ____D C:\ProgramData\Brother 2015-06-02 17:52 - 2014-11-23 00:41 - 00000000 ____D C:\ProgramData\ControlCenter4 2015-06-02 17:52 - 2014-11-23 00:41 - 00000000 ____D C:\Program Files (x86)\ControlCenter4 2015-06-01 10:56 - 2015-02-16 19:00 - 00004104 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2015-06-01 10:56 - 2015-02-16 19:00 - 00003868 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 
2015-05-31 21:25 - 2014-11-24 09:42 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log 2015-05-31 15:30 - 2014-11-23 13:53 - 00000000 ____D C:\Users\Frank\Documents\Marika 2015-05-31 14:49 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\LiveKernelReports 2015-05-19 23:29 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\rescache 2015-05-19 22:37 - 2014-08-19 19:45 - 00000000 ___HD C:\Program Files (x86)\Temp 2015-05-19 22:36 - 2015-02-09 17:28 - 00000000 ____D C:\Windows\SysWOW64\RTCOM 2015-05-19 22:36 - 2014-08-19 19:45 - 00014444 _____ C:\Windows\system32\Drivers\rtkhdasetting.zip 2015-05-19 22:32 - 2014-07-11 02:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information 2015-05-19 22:26 - 2014-08-19 19:44 - 00000000 ____D C:\Program Files (x86)\Realtek 2015-05-19 22:20 - 2014-08-19 19:40 - 00000000 ____D C:\Program Files (x86)\ATI Technologies 2015-05-19 22:20 - 2014-07-11 02:28 - 00000000 ____D C:\ProgramData\Package Cache 2015-05-19 22:15 - 2014-04-05 01:55 - 00000000 ____D C:\SWSetup 2015-05-19 21:44 - 2015-02-09 16:41 - 00000000 ____D C:\Program Files (x86)\Raptr 2015-05-15 14:22 - 2014-11-22 18:51 - 00001142 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk 2015-05-14 17:21 - 2013-08-22 16:44 - 00391944 _____ C:\Windows\system32\FNTCACHE.DAT 2015-05-14 17:20 - 2015-01-14 23:09 - 00000000 ____D C:\Program Files\Microsoft Silverlight 2015-05-14 17:20 - 2015-01-14 23:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight 2015-05-14 10:03 - 2013-08-22 17:36 - 00000000 ___RD C:\Windows\ImmersiveControlPanel 2015-05-14 10:03 - 2013-08-22 15:36 - 00000000 ____D C:\Windows\system32\AdvancedInstallers 2015-05-13 21:47 - 2014-11-22 17:33 - 00000000 ____D C:\ProgramData\Microsoft Help 2015-05-13 21:34 - 2014-11-24 20:14 - 00000000 ____D C:\Windows\system32\MRT 2015-05-13 21:25 - 2014-11-24 20:14 - 140425016 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2015-05-13 21:14 - 2015-01-14 23:10 - 00000000 
____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight 2015-05-13 21:05 - 2014-03-18 11:38 - 00000000 ____D C:\Program Files\Windows Journal Some files in TEMP: ==================== C:\Users\Frank\AppData\Local\Temp\Quarantine.exe C:\Users\Frank\AppData\Local\Temp\sqlite3.dll ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2015-06-11 09:55 ==================== End of log ============================ FRST Logfile: Code:
ATTFilter scan result of Farbar Recovery Scan Tool (x64) Version:08-06-2015 Ran by Frank at 2015-06-11 11:25:30 Running from C:\Users\Frank\Downloads Boot Mode: Normal ========================================================== ==================== Accounts: ============================= Administrator (S-1-5-21-2739668103-1494456093-2395821988-500 - Administrator - Disabled) Frank (S-1-5-21-2739668103-1494456093-2395821988-1002 - Administrator - Enabled) => C:\Users\Frank Gast (S-1-5-21-2739668103-1494456093-2395821988-501 - Limited - Disabled) HomeGroupUser$ (S-1-5-21-2739668103-1494456093-2395821988-1004 - Limited - Enabled) ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Kaspersky Internet Security (Enabled - Up to date) {179979E8-273D-D14E-0543-2861940E4886} AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Kaspersky Internet Security (Enabled - Up to date) {ACF8980C-0107-DEC0-3FF3-1313EF89023B} AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} FW: Kaspersky Internet Security (Enabled) {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD} ==================== Installed Programs ====================== (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) 123 Free Solitaire v10.0 (HKLM-x32\...\123 Free Solitaire_is1) (Version: - TreeCardGames) 7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov) Adobe Digital Editions 3.0 (HKLM-x32\...\Adobe Digital Editions 3.0) (Version: 3.0.1 - Adobe Systems Incorporated) Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.188 - Adobe Systems Incorporated) Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.8.158 - Adobe Systems, Inc.) 
Amazon Kindle (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Amazon Kindle) (Version: - Amazon) AMD Catalyst Install Manager (HKLM\...\{B417CA1D-A6EC-6871-BBFC-84CA14FBA0AC}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.) AMD Quick Stream (HKLM\...\{E9EED4AE-682B-4501-9574-D09A21717599}_is1) (Version: 3.10.4.0 - AppEx Networks) Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.) Brother MFL-Pro Suite MFC-J470DW (HKLM-x32\...\{7B4C83B6-17C1-4BFD-B86D-4D7AD4498CBB}) (Version: 1.0.4.0 - Brother Industries, Ltd.) calibre 64bit (HKLM\...\{C5D7991D-5C4F-475D-BF58-89A068A2FF14}) (Version: 2.25.0 - Kovid Goyal) CCleaner (HKLM\...\CCleaner) (Version: 5.03 - Piriform) Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.) Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.) Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.) Classic Shell (HKLM\...\{7C129CF8-199F-4269-AAEE-60B5D8D716E2}) (Version: 4.2.1 - IvoSoft) CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.7.4023 - CyberLink Corp.) Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.1.5307 - CyberLink Corp.) Cyberlink PhotoDirector (Version: 5.0.1.5307 - Ihr Firmenname) Hidden CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.7.4016 - CyberLink Corp.) CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.1.3018 - CyberLink Corp.) CyberLink PowerDirector 12 (Version: 12.0.1.3018 - Ihr Firmenname) Hidden CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.4.4119 - CyberLink Corp.) 
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.4.4218 - CyberLink Corp.) DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden DriverEasy 4.9.2 (HKLM\...\DriverEasy_is1) (Version: 4.9.2.0 - Easeware) Dropbox (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\Dropbox) (Version: 3.2.9 - Dropbox, Inc.) ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 16.0.20150211 - Landesfinanzdirektion Thüringen) Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company) Foxit PhantomPDF (HKLM-x32\...\{00CD7D62-056A-4F0F-9143-44522D44E6DD}) (Version: 6.0.32.507 - Foxit Corporation) Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.124 - Google Inc.) Google Earth Pro (HKLM-x32\...\{44FC61F0-2F8A-11E3-8CAE-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google) Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) 
Hidden Great Mahjong (HKLM-x32\...\GreatMahjong_is1) (Version: 1.0 - Media Contact LLC) Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden HP 3D DriveGuard (HKLM-x32\...\{13133E99-B0D5-4143-B832-AAD55C62A41C}) (Version: 6.0.19.1 - Hewlett-Packard Company) HP CoolSense (HKLM-x32\...\{ADE2F6A7-E7BD-4955-BD66-30903B223DDF}) (Version: 2.20.41 - Hewlett-Packard Company) HP Documentation (HKLM-x32\...\{9D7BFF2A-F810-4E35-BE2C-A6CB4B9202DB}) (Version: 1.2.0.0 - Hewlett-Packard) HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7745.4851 - Hewlett-Packard) HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.01.11 - Hewlett-Packard) HP Support Assistant (HKLM-x32\...\{8C696B4B-6AB1-44BC-9416-96EAC474CABE}) (Version: 7.5.2.12 - Hewlett-Packard Company) HP System Event Utility (HKLM-x32\...\{C39A7F0F-89A6-44BB-B1BF-5F96569B5345}) (Version: 1.2.9 - Hewlett-Packard Company) HP Utility Center (HKLM\...\{E8F2076D-1885-4A0F-83D8-77B1F9D384CE}) (Version: 2.5.2 - Hewlett-Packard Company) HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company) Inst5675 (Version: 8.01.11 - Softex Inc.) Hidden Inst5676 (Version: 8.01.11 - Softex Inc.) 
Hidden Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation) Kaspersky Internet Security (HKLM-x32\...\InstallWIX_{653C1B5A-3287-47B1-8613-0745D4E771C4}) (Version: 15.0.0.463 - Kaspersky Lab) Kaspersky Internet Security (x32 Version: 15.0.0.463 - Kaspersky Lab) Hidden Logitech SetPoint 6.65 (HKLM\...\sp6) (Version: 6.65.62 - Logitech) Malwarebytes Anti-Malware Version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft) Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation) Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 
9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation) Mozilla Firefox 38.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 38.0.5 (x86 de)) (Version: 38.0.5 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 38.0 - Mozilla) MSXML 4.0 SP3 Parser 
(HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation) MyFreeCodec (HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\MyFreeCodec) (Version: - ) Nuance PaperPort 12 (HKLM-x32\...\{869FCC6C-5669-4B0B-827E-2BBAACD88A87}) (Version: 12.1.0006 - Nuance Communications, Inc.) Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc) OEM Application Profile (HKLM-x32\...\{8F92E0CF-620B-5C20-F292-59C93567B06D}) (Version: 1.00.0000 - Ihr Firmenname) paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC) PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 14.00.0000 - Nuance Communications, Inc.) PDF24 Creator 6.9.1 (HKLM-x32\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org) Raptr (HKLM-x32\...\Raptr) (Version: - ) REALTEK Bluetooth Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AB}) (Version: 1.0.0.10 - REALTEK Semiconductor Corp.) Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.370.71 - Realtek Semiconductor Corp.) Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.38.115.2015 - Realtek) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7487 - Realtek Semiconductor Corp.) REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.00.13.1216 - REALTEK Semiconductor Corp.) Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group) Rossmann Fotowelt Software 4.13 (HKLM-x32\...\Rossmann Fotowelt Software) (Version: 4.13 - ORWO Net) Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.3.14044_16 - Samsung Electronics Co., Ltd.) Samsung Kies (x32 Version: 2.6.3.14044_16 - Samsung Electronics Co., Ltd.) 
Hidden Samsung Kies3 (HKLM-x32\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.15041.2 - Samsung Electronics Co., Ltd.) Samsung Kies3 (x32 Version: 3.2.15041.2 - Samsung Electronics Co., Ltd.) Hidden SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.49.0 - SAMSUNG Electronics Co., Ltd.) Scansoft PDF Professional (x32 Version: - ) Hidden Secunia PSI (3.0.0.10004) (HKLM-x32\...\Secunia PSI) (Version: 3.0.0.10004 - Secunia) swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 18.1.30.16 - Synaptics Incorporated) Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft) Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft) Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2739668103-1494456093-2395821988-1002_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Frank\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.) 
==================== Restore Points ========================= 13-05-2015 21:01:42 Windows Update 19-05-2015 22:14:00 Installed sp71089.exe by DriverEasy 31-05-2015 15:10:39 Installed Samsung Kies3 02-06-2015 18:22:19 Removed Java 8 Update 45 10-06-2015 08:27:59 Windows Update 11-06-2015 10:05:01 Revo Uninstaller's restore point - Java 7 Update 75 11-06-2015 10:06:24 Removed Java 7 Update 75 ==================== Hosts content: =============================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2013-08-22 15:25 - 2013-08-22 15:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {0D761F0E-72A1-4DAC-AE5F-2B93F321549D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company) Task: {14D631F9-0C27-4BF1-AADB-E0E1FA6DF6B1} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => schtasks Task: {185CECEF-5DE2-4E32-B213-40A0337E5CE8} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-05-13] (Microsoft Corporation) Task: {200C9380-DB0F-4AD8-A9D2-0ACACA707AE1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2015-04-14] (Hewlett-Packard) Task: {2D9D0DF6-5B9F-4CDA-9BB4-64BC3767D540} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2015-04-14] (Hewlett-Packard) Task: {385D7BBC-B4B9-4A26-969C-FA5C5FE613A9} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => 
C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company) Task: {3E380FC9-2230-46E1-A524-7FD7DB74CD9A} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2014-05-19] (Hewlett-Packard Development Company, L.P.) Task: {401296BF-723D-425B-8F3A-183D21C55376} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation) Task: {4F62776E-E829-4BAE-980B-EEDA447ECC0A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-06-02] (Adobe Systems Incorporated) Task: {6C32897D-390B-401B-9F81-34D89DEE414D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-16] (Google Inc.) Task: {6F1CF763-3FA9-4C70-AFAF-01FA3DB9A7E6} - System32\Tasks\HPCeeScheduleForFrank => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard) Task: {702C5FEA-5ECF-4FC7-BF0B-D8F7DB4A7BC6} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company) Task: {7577BB20-A780-48C1-B049-15AB86BAF61F} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\Logon => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation) Task: {A40879E0-A531-4DD9-9529-BAAF2B3C1B2E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-02-19] (Piriform Ltd) Task: {AB4740E7-E804-42BD-BF92-171D31C8541C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-16] (Google Inc.) 
Task: {B1C831A8-2537-4FF6-B63C-E143C8C83F48} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-05-06] (Microsoft Corporation) Task: {C3066E94-2680-45FB-8D18-A8EE07392662} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2014-01-13] (Hewlett-Packard Company) Task: {F0B24426-3EB1-4F58-A813-48FAF863F611} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation) Task: {F63B8F58-F569-4CAA-80D6-F1DC00374B9F} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2014-06-18] (CyberLink Corp.) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\HPCeeScheduleForFrank.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe ==================== Loaded Modules (Whitelisted) ============== 2014-11-23 00:41 - 2005-04-22 06:36 - 00143360 ____R () C:\Windows\system32\BrSNMP64.dll 2015-02-19 23:40 - 2015-02-19 23:40 - 00057344 _____ () C:\Program Files\CCleaner\lang\lang-1031.dll 2014-04-20 02:42 - 2014-04-20 02:42 - 00468672 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com\npcontentblocker.dll 2014-04-20 02:42 - 2014-11-22 19:04 - 00642344 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com\npvkplugin.dll 2014-04-20 02:42 - 2014-04-20 02:42 - 00347328 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 
15.0.0\FFExt\online_banking@kaspersky.com\nponlinebanking.dll 2014-03-06 16:00 - 2014-03-06 16:00 - 01269952 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\kpcengine.2.3.dll ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) AlternateDataStreams: C:\Users\Frank\OneDrive:ms-properties ==================== Safe Mode (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="" ==================== EXE Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\Control Panel\Desktop\\Wallpaper -> DNS Servers: 192.168.2.1 ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) 
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant" HKLM\...\StartupApproved\Run32: => "BrHelp" HKLM\...\StartupApproved\Run32: => "ControlCenter4" HKLM\...\StartupApproved\Run32: => "IndexSearch" HKLM\...\StartupApproved\Run32: => "PDFPrint" HKLM\...\StartupApproved\Run32: => "PDFHook" HKLM\...\StartupApproved\Run32: => "KiesTrayAgent" HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\StartupApproved\StartupFolder: => "Dropbox.lnk" HKU\S-1-5-21-2739668103-1494456093-2395821988-1002\...\StartupApproved\Run: => "ISUSPM" ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139 FirewallRules: [{7E482BF7-65A1-481B-8197-F5CDFA830871}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe FirewallRules: [{98BB1F84-D45E-4E7F-9994-9748F1BA0DC6}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe FirewallRules: [{9CCB628F-DC5B-4573-924C-9391048552D6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe FirewallRules: [{459C2851-2A5E-4306-B7E9-1B9FBD01E1D8}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe FirewallRules: [{44D11CC1-6CA9-4BE0-ADDC-84AA293320C2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe FirewallRules: [{2B1A5ADC-AB40-4CDB-8FC1-126703E9F750}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe FirewallRules: [{A86FACCB-5CCC-4276-9A75-4D1C1E50936B}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe FirewallRules: [{74479321-1364-404C-8A0B-BF5BEFA44D11}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe FirewallRules: [{B3C755E3-F739-4264-8565-8B077EA8ABF2}] => (Allow) C:\Program Files (x86)\Brother\Brmfl13b\FAXRX.EXE FirewallRules: [{8DB353F1-B4BF-4678-9A0B-57F723AC8404}] => (Allow) LPort=54925 FirewallRules: 
[{7F9BD20F-C288-49AF-A053-23EF00B9F86A}] => (Allow) C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe FirewallRules: [{2B6D24C0-AAFC-499F-A0ED-7DA878A784B6}] => (Allow) C:\Users\Frank\AppData\Roaming\Dropbox\bin\Dropbox.exe FirewallRules: [{AE7C6722-3D35-4470-8646-C208B85E0717}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPSOCKSVC.exe FirewallRules: [{7C6296C4-92F9-47E7-A36D-D50A24C725CC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{FD94DA4D-90A9-4FEE-860E-5008281643B1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{4E02AC90-444D-48E1-B1CA-5E8CAF80C012}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe FirewallRules: [{4CA8D081-1215-4724-8A9B-41AFC2B00D32}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe FirewallRules: [{CBC6BB7F-560F-443C-A9FD-ABA55EC83AFE}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe FirewallRules: [{4E77507E-7D83-453C-8581-67075B1B69D9}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe FirewallRules: [{3B0F430A-3A66-481D-AD8D-03E4011E3790}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe FirewallRules: [{31F64837-2932-44B8-A8A4-124E45DA5902}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (06/11/2015 10:40:56 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: plugin-container.exe, Version: 38.0.5.5623, Zeitstempel: 0x5563c49a Name des fehlerhaften Moduls: mozalloc.dll, Version: 38.0.5.5623, Zeitstempel: 0x5563b229 Ausnahmecode: 0x80000003 Fehleroffset: 0x00001aa1 ID des fehlerhaften Prozesses: 0x19cc Startzeit der fehlerhaften Anwendung: 0xplugin-container.exe0 Pfad der fehlerhaften Anwendung: plugin-container.exe1 
Pfad des fehlerhaften Moduls: plugin-container.exe2 Berichtskennung: plugin-container.exe3 Vollständiger Name des fehlerhaften Pakets: plugin-container.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: plugin-container.exe5 Error: (06/11/2015 10:34:54 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: PSIA.exe, Version: 3.0.0.10004, Zeitstempel: 0x54784a82 Name des fehlerhaften Moduls: PSIA.exe, Version: 3.0.0.10004, Zeitstempel: 0x54784a82 Ausnahmecode: 0xc0000409 Fehleroffset: 0x00093524 ID des fehlerhaften Prozesses: 0x948 Startzeit der fehlerhaften Anwendung: 0xPSIA.exe0 Pfad der fehlerhaften Anwendung: PSIA.exe1 Pfad des fehlerhaften Moduls: PSIA.exe2 Berichtskennung: PSIA.exe3 Vollständiger Name des fehlerhaften Pakets: PSIA.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: PSIA.exe5 Error: (06/11/2015 09:54:56 AM) (Source: Bonjour Service) (EventID: 100) (User: ) Description: Task Scheduling Error: m->NextScheduledSPRetry 84484015 Error: (06/11/2015 09:54:56 AM) (Source: Bonjour Service) (EventID: 100) (User: ) Description: Task Scheduling Error: m->NextScheduledEvent 84484015 Error: (06/11/2015 09:54:56 AM) (Source: Bonjour Service) (EventID: 100) (User: ) Description: Task Scheduling Error: Continuously busy for more than a second Error: (06/10/2015 09:30:12 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: PSIA.exe, Version: 3.0.0.10004, Zeitstempel: 0x54784a82 Name des fehlerhaften Moduls: PSIA.exe, Version: 3.0.0.10004, Zeitstempel: 0x54784a82 Ausnahmecode: 0xc0000409 Fehleroffset: 0x00093524 ID des fehlerhaften Prozesses: 0x940 Startzeit der fehlerhaften Anwendung: 0xPSIA.exe0 Pfad der fehlerhaften Anwendung: PSIA.exe1 Pfad des fehlerhaften Moduls: PSIA.exe2 Berichtskennung: PSIA.exe3 Vollständiger Name des fehlerhaften Pakets: PSIA.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: PSIA.exe5 Error: (06/09/2015 08:21:51 
PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: ) Description: 80070005 Error: (06/09/2015 06:10:10 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: LogonUI.exe, Version: 6.3.9600.17415, Zeitstempel: 0x5450541b Name des fehlerhaften Moduls: OmniPassCredProv.dll_unloaded, Version: 8.0.1.11, Zeitstempel: 0x5335c168 Ausnahmecode: 0xc0000005 Fehleroffset: 0x0000000000011c0f ID des fehlerhaften Prozesses: 0x2c51c Startzeit der fehlerhaften Anwendung: 0xLogonUI.exe0 Pfad der fehlerhaften Anwendung: LogonUI.exe1 Pfad des fehlerhaften Moduls: LogonUI.exe2 Berichtskennung: LogonUI.exe3 Vollständiger Name des fehlerhaften Pakets: LogonUI.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: LogonUI.exe5 Error: (06/09/2015 05:41:02 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm wmplayer.exe, Version 12.0.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 11424 Startzeit: 01d0a2c8cad0c10e Endzeit: 1947 Anwendungspfad: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Berichts-ID: eb746343-0ebd-11e5-828d-8cdcd47b22bd Vollständiger Name des fehlerhaften Pakets: Anwendungs-ID, die relativ zum fehlerhaften Paket ist: Error: (06/09/2015 01:54:47 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm backgroundTaskHost.exe, Version 6.3.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 1e498 Startzeit: 01d0a2aa55ad5b67 Endzeit: 4294967295 Anwendungspfad: C:\Windows\syswow64\backgroundTaskHost.exe Berichts-ID: 4a8adb1f-0e9e-11e5-828d-8cdcd47b22bd Vollständiger Name des fehlerhaften Pakets: Microsoft.MicrosoftMahjong_2.4.1412.2202_x86__8wekyb3d8bbwe Anwendungs-ID, die relativ zum fehlerhaften Paket ist: MicrosoftMahjong System errors: ============= Error: (06/11/2015 10:40:56 AM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: Der Dienst "Windows Media Player-Netzwerkfreigabedienst" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts. Error: (06/11/2015 10:40:56 AM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: Der Dienst "HP Support Assistant Service" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 60000 Millisekunden durchgeführt: Neustart des Diensts. Error: (06/11/2015 10:40:55 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "BrYNSvc" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (06/11/2015 10:40:55 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "HP Software Framework Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (06/11/2015 10:40:54 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "Secunia Update Agent" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (06/11/2015 10:40:53 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "SynTPEnh Caller Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (06/11/2015 10:40:53 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "SAMSUNG Mobile Connectivity Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. 
Error: (06/11/2015 10:40:53 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "Cyberlink RichVideo64 Service(CRVS)" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (06/11/2015 10:40:53 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "PDFProFiltSrvPP" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (06/11/2015 10:40:53 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "HPWMISVC" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Microsoft Office: ========================= Error: (03/14/2015 08:05:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash. Error: (03/14/2015 08:05:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 60 seconds with 0 seconds of active time. This session ended with a crash. Error: (03/14/2015 08:03:13 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash. Error: (03/14/2015 08:02:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6718.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 191 seconds with 0 seconds of active time. This session ended with a crash. 
Error: (03/08/2015 08:28:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 5 seconds with 0 seconds of active time. This session ended with a crash. Error: (03/08/2015 08:28:21 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 4840 seconds with 540 seconds of active time. This session ended with a crash. Error: (02/22/2015 05:03:33 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash. Error: (02/22/2015 05:03:12 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash. Error: (02/22/2015 05:02:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 7 seconds with 0 seconds of active time. This session ended with a crash. Error: (02/22/2015 05:01:38 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6715.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 104 seconds with 60 seconds of active time. This session ended with a crash. 
CodeIntegrity Errors: =================================== Date: 2015-05-22 17:52:35.280 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:32.662 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:32.405 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:32.131 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:31.824 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:31.508 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. 
Date: 2015-05-22 17:52:31.506 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:31.223 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:30.943 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. Date: 2015-05-22 17:52:30.682 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements. 
==================== Memory info =========================== Processor: AMD A8-6410 APU with AMD Radeon R5 Graphics Percentage of memory in use: 29% Total physical RAM: 7103.44 MB Available physical RAM: 5020.53 MB Total Pagefile: 14271.44 MB Available Pagefile: 11822.82 MB Total Virtual: 131072 MB Available Virtual: 131071.83 MB ==================== Drives ================================ Drive c: (Windows) (Fixed) (Total:909.5 GB) (Free:806.56 GB) NTFS Drive d: (RECOVERY) (Fixed) (Total:20.99 GB) (Free:2.37 GB) NTFS ==>[System with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 931.5 GB) (Disk ID: 1119D06D) Partition: GPT Partition Type. ==================== End of log ============================ |
11.06.2015, 11:24 | #6 |
/// TB-Ausbilder | Note: Registry cleaners. I see that you have so-called registry cleaners installed, in your case CCleaner. We advise against using any kind of registry cleaner. The reason is simple: the registry is the brain of the system. If the brain does not work, the rest does not really work anymore. You should not tinker with the registry unnecessarily. Even a small mistake can have serious consequences, and programs sometimes make mistakes too. If you destroy the registry, you destroy Windows. Moreover, the benefit for performance is disputed and usually hardly noticeable. I would recommend that you stop using registry cleaners and uninstall them via Start --> Control Panel --> Software (on Windows XP). There is nothing wrong with the other functions of CCleaner, but the registry clean part ... you should do without that one. Once registry cleaners/tuners/criminals have been active, system stability is usually gone anyway. Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document Code:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
emptytemp:
Please save this as Fixlist.txt on your desktop (or in the directory where FRST is located).
Please download SecurityCheck and:
The ESET scan takes longer: ESET Online Scanner
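As an added example for the fix list above (not code from the thread, from FRST or from Trojaner-Board): a PowerShell check that lists what is actually set under the Google policy key FRST flagged as "Policy restriction", so the values can be recorded in the ticket before the key is removed. It assumes an elevated PowerShell on Windows; the key path comes from the fix list, the export file name and the HKCU companion path are my own assumptions.

```powershell
# Added example (not from the thread): enumerate the Google/Chrome policy keys
# that FRST reported as "Policy restriction" and show every value they carry.
# Run in an elevated PowerShell; reading HKLM policies needs no admin, but the
# export of the key below is easier with elevation.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google',   # key named in the FRST fix list
    'HKCU:\SOFTWARE\Policies\Google'    # assumption: per-user twin of that key
)

function Get-GooglePolicyReport {
    param([string[]]$Roots = $policyRoots)
    $report = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Walk the root itself plus every subkey (Chrome, Chrome\... and so on).
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $report += [pscustomobject]@{
                    Key   = $key.Name
                    Value = $(if ($name) { $name } else { '(Default)' })
                    Type  = $key.GetValueKind($name)
                    # Multi-string values come back as arrays; join them for display.
                    Data  = (@($key.GetValue($name)) -join ', ')
                }
            }
        }
    }
    return $report
}

$findings = Get-GooglePolicyReport
if (-not $findings) {
    Write-Output 'No Google/Chrome policy keys present.'
} else {
    $findings | Format-Table -AutoSize

    # Keep a copy of the machine-wide key for the ticket before any fix removes it.
    if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Policies\Google') {
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $env:USERPROFILE "Desktop\GooglePolicy-$stamp.reg"   # assumed name
        reg.exe export 'HKLM\SOFTWARE\Policies\Google' $backup /y | Out-Null
        Write-Output "Exported HKLM\SOFTWARE\Policies\Google to $backup"
    }
}
```

On a home machine that is not domain-joined, any value under these keys was put there by software on the box, which is why FRST draws attention to the key; the listing shows which settings that software enforced.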
11.06.2015, 17:08 | #7 |
| Hello Timo! Thanks for the tip about CCleaner! It is uninstalled. Attached again are the requested logfiles. Regards IT-Laie01 Code:
ATTFilter Fix result of Farbar Recovery Scan Tool (x64) Version:08-06-2015 Ran by Frank at 2015-06-11 15:51:09 Run:1 Running from C:\Users\Frank\Desktop Loaded Profiles: Frank (Available Profiles: Frank) Boot Mode: Normal ============================================== fixlist content: ***************** CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION emptytemp: ***************** "HKLM\SOFTWARE\Policies\Google" => key removed successfully EmptyTemp: => 907.4 MB temporary data Removed. The system needed a reboot.. ==== End of Fixlog 15:51:18 ==== Code:
ATTFilter Results of screen317's Security Check version 1.002 x64 (UAC is enabled) Internet Explorer 11 ``````````````Antivirus/Firewall Check:`````````````` Kaspersky Internet Security Windows Defender Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Secunia PSI (3.0.0.10004) Java 8 Update 45 Adobe Flash Player 17.0.0.188 Mozilla Firefox (38.0.5) Google Chrome (43.0.2357.124) Google Chrome (43.0.2357.81) ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbam.exe Malwarebytes Anti-Malware mbamscheduler.exe Kaspersky Lab Kaspersky Internet Security 15.0.0 avp.exe Kaspersky Lab Kaspersky Internet Security 15.0.0 avpui.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: % ````````````````````End of Log`````````````````````` Code:
ATTFilter ESETSmartInstaller@High as downloader log: all ok # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # EOSSerial=02c01c8c5db5bd469aa2a63cd4075960 # end=init # utc_time=2015-06-11 02:17:32 # local_time=2015-06-11 04:17:32 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # osver=6.2.9200 NT Update Init Update Download Update Finalize Updated modules version: 24284 # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # EOSSerial=02c01c8c5db5bd469aa2a63cd4075960 # end=updated # utc_time=2015-06-11 02:20:42 # local_time=2015-06-11 04:20:42 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # osver=6.2.9200 NT # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.7777 # api_version=3.1.1 # EOSSerial=02c01c8c5db5bd469aa2a63cd4075960 # engine=24284 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2015-06-11 03:42:44 # local_time=2015-06-11 05:42:44 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1031 # osver=6.2.9200 NT # compatibility_mode_1='Kaspersky Internet Security' # compatibility_mode=1296 16777213 100 100 6225 38110046 0 0 # compatibility_mode_1='' # compatibility_mode=5893 16776574 100 94 5112226 11119756 0 0 # scanned=323677 # found=0 # cleaned=0 # scan_time=4921 ESETSmartInstaller@High as downloader log: all ok # product=EOS # version=8 # OnlineScannerApp.exe=1.0.0.1 # EOSSerial=02c01c8c5db5bd469aa2a63cd4075960 # end=init # utc_time=2015-06-11 03:57:07 # local_time=2015-06-11 05:57:07 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # osver=6.2.9200 NT |
11.06.2015, 17:44 | #8 |
/// TB-Ausbilder | So the logs are clean! How is Windows behaving now? Still "Keine Rückmeldung" ("Not responding") and so on?
11.06.2015, 18:26 | #9 |
| Hello Timo! Now it looks good! The programs start smoothly again; I just started four of them at once, and that went pretty quickly. I can also switch back and forth between them without any problems. So far I have not seen "Keine Rückmeldung" again. paint.net also works again without delay. Your efforts were successful! Many thanks for that! Kind regards IT-Laie01 |
12.06.2015, 10:10 | #10 |
/// TB-Ausbilder | The order here is decisive.
Finally, I have a few tips for securing your system. Change all your passwords regularly; now, after the cleanup, is an ideal time for that
I cannot stress often enough how important it is that your system is up to date.
Antivirus program and additional protection
Alternative browsers: other browsers tend to be somewhat more secure than IE because they do not use ActiveX elements, which can be abused by spyware to infect your system. Mozilla Firefox
Performance
What you should avoid:
Now all that is left for me is to wish you lots of fun surfing safely... ... and perhaps you would like to support Trojaner-Board or leave praise, criticism and wishes? Note: Please give me a brief reply when everything is done and no questions remain, so that I can remove this topic from my subscriptions.
13.06.2015, 10:05 | #11 |
| Many thanks for your help, Timo! My laptop runs without problems again; I will put your tips into practice! Best regards Frank |