50% CPU usage wenn idle...

cmdr · 12.12.2016, 15:01

Malwarebytes hatte Bitcoin-Miner gefunden und angeblich gelöscht (die Logs habe ich nicht mehr), ich habe immer noch über 50% CPU usage, auch im idle-Zustand.

Ich glaube, ich müsste mal wirklich saubermachen, es ist kein Zustand mehr.

Vielen Dank im Voraus für die Hilfe!

cosinus · 12.12.2016, 15:06

Zitat:

(die Logs habe ich nicht mehr)

Im Verlauf von MBAM richtig nachsehen und Logs posten...

Lesestoff:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR oder 7Z-Archiv zu packen erschwert mir massiv die Arbeit.
Auch wenn die Logs für einen Beitrag zu groß sein sollten, bitte ich dich die Logs direkt und notfalls über mehrere Beiträge verteilt zu posten.
Um die Logfiles in eine CODE-Box zu stellen gehe so vor:

Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.

cmdr · 12.12.2016, 22:29

das ist der durchlauf, bei dem bitcoinminer gefunden wurden.

Code:

ATTFilter

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/10/12 00:27:50 +0200</date>
<logfile>mbam-log-2016-10-12 (00-27-50).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.02.16.06</malware-database>
<rootkit-database>v2016.02.08.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>SATAN</hostname>
<ip>192.168.0.12</ip>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>m</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>409106</objects>
<time>886</time>
<processes>7</processes>
<modules>13</modules>
<keys>1</keys>
<values>3</values>
<datas>0</datas>
<folders>0</folders>
<files>25</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<process><path>C:\ProgramData\Microsoft\Windows\Time\Time-svc.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><pid>1924</pid><hash>e581d38e2f6aae88f77b2c5560a47888</hash></process>
<process><path>C:\ProgramData\Microsoft\Windows\Time\WindowsTime.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><pid>1764</pid><hash>1551e27fd9c0d4622153fe83a361916f</hash></process>
<process><path>C:\Temporary\iehighutil.exe</path><vendor>Trojan.BitCoinMiner</vendor><action>delete-on-reboot</action><pid>2388</pid><hash>ca9c7fe27f1a270ff0b40db229d87090</hash></process>
<process><path>C:\ProgramData\Microsoft\Windows\Time\TimeServer.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><pid>3356</pid><hash>c4a23d24a4f5c57111629ae7b2526799</hash></process>
<process><path>C:\Users\Teng\AppData\Roaming\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><pid>2644</pid><hash>67ffca97ddbc82b4b99dcf3bbd46c33d</hash></process>
<process><path>C:\Users\Teng\AppData\Local\Temp\chrome.exe</path><vendor>Trojan.PasswordStealer</vendor><action>delete-on-reboot</action><pid>1696</pid><hash>293ddb86f5a47bbb047f4a02956f7d83</hash></process>
<process><path>C:\Users\Teng\AppData\Roaming\EthMine\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><pid>1776</pid><hash>0e582140089160d65afa948e946fc937</hash></process>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.multiarray.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>e87e174a33660f275be37e3afd06946c</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.scalarmath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>acba79e8a6f3e2549ea0efc9669d966a</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.umath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>016573ee8b0e2412ce70eccc5aa9bf41</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core._dotblas.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>1c4af66b16835fd7dd61f8c0a261a65a</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.fft.fftpack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>4a1c98c98c0d023470ce5d5bba49ed13</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.lib._compiled_base.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0561e57c38616bcb4af4c0f8ca398e72</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.linalg.lapack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>7aecb3ae51484ee8211d3286ed16748c</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.random.mtrand.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>6df919489504d06662dceccc31d2da26</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\pyopencl._cl.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a0c66df4732675c12c127642e51e837d</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\select.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a5c10b56c6d3e94d0e303c7ca55e5da3</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\_ctypes.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>363067fa079287afac92dade5ba8b64a</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\_hashlib.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0363144d2772043291ad407811f2bd43</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\_socket.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>f76f0d5467322214a995199f9e6504fc</hash></module>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Time</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>e581d38e2f6aae88f77b2c5560a47888</hash></key>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>iehighutil</valuename><vendor>Trojan.BitCoinMiner</vendor><action>success</action><valuedata>&quot;C:\Temporary\iehighutil.exe&quot;</valuedata><hash>ca9c7fe27f1a270ff0b40db229d87090</hash></value>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>{DB49928F-3F27-5CE5-C191-37ECBFB20947}</valuename><vendor>Trojan.ZbotR.Gen</vendor><action>success</action><valuedata>C:\Users\Teng\AppData\Roaming\Ivyl\onaq.exe</valuedata><hash>7ee841208e0b0432196bd3bb758e52ae</hash></value>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>FlashBit</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>C:\Users\Teng\AppData\Roaming\EthMine\svchost.exe</valuedata><hash>0e582140089160d65afa948e946fc937</hash></value>
<file><path>C:\ProgramData\Microsoft\Windows\Time\Time-svc.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>e581d38e2f6aae88f77b2c5560a47888</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\WindowsTime.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>1551e27fd9c0d4622153fe83a361916f</hash></file>
<file><path>C:\Temporary\iehighutil.exe</path><vendor>Trojan.BitCoinMiner</vendor><action>delete-on-reboot</action><hash>ca9c7fe27f1a270ff0b40db229d87090</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\TimeServer.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>c4a23d24a4f5c57111629ae7b2526799</hash></file>
<file><path>C:\Users\Teng\AppData\Roaming\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><hash>67ffca97ddbc82b4b99dcf3bbd46c33d</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\c5ba51c8822b2ebb730d18f8bab93d8a.elf</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>5d09a8b99dfc3ef837064c6cd52e04fc</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\d4ce4f36e508153bf25ab6a8dcde7f0d.elf</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>d096e57c39609d9990ad5365b053d030</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.multiarray.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>e87e174a33660f275be37e3afd06946c</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.scalarmath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>acba79e8a6f3e2549ea0efc9669d966a</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.umath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>016573ee8b0e2412ce70eccc5aa9bf41</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core._dotblas.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>1c4af66b16835fd7dd61f8c0a261a65a</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.fft.fftpack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>4a1c98c98c0d023470ce5d5bba49ed13</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.lib._compiled_base.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0561e57c38616bcb4af4c0f8ca398e72</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.linalg.lapack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>7aecb3ae51484ee8211d3286ed16748c</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.random.mtrand.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>6df919489504d06662dceccc31d2da26</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\pyopencl._cl.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a0c66df4732675c12c127642e51e837d</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\select.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a5c10b56c6d3e94d0e303c7ca55e5da3</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_ctypes.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>363067fa079287afac92dade5ba8b64a</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_hashlib.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0363144d2772043291ad407811f2bd43</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_socket.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>f76f0d5467322214a995199f9e6504fc</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\library.zip</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>92d4f9683762a1950639ad0b91725ba5</hash></file>
<file><path>C:\Users\m\AppData\Local\temp\chrome.exe</path><vendor>Trojan.PasswordStealer</vendor><action>success</action><hash>de8874eda9f057df3e4578d451b32bd5</hash></file>
<file><path>C:\Users\Teng\AppData\Local\Temp\chrome.exe</path><vendor>Trojan.PasswordStealer</vendor><action>delete-on-reboot</action><hash>293ddb86f5a47bbb047f4a02956f7d83</hash></file>
<file><path>C:\Users\m\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.com.url</path><vendor>Trojan.Agent.E</vendor><action>success</action><hash>74f2f8694c4de452287875e1f70dc838</hash></file>
<file><path>C:\Users\Teng\AppData\Roaming\EthMine\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><hash>0e582140089160d65afa948e946fc937</hash></file>
</items>
</mbam-log>

bei diesem letzten lauf wurde nichts mehr gefunden, trotzdem ist der rechner immer noch extrem langsam...

Code:

ATTFilter

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/10/12 00:27:50 +0200</date>
<logfile>mbam-log-2016-10-12 (00-27-50).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.02.16.06</malware-database>
<rootkit-database>v2016.02.08.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>SATAN</hostname>
<ip>192.168.0.12</ip>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>m</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>409106</objects>
<time>886</time>
<processes>7</processes>
<modules>13</modules>
<keys>1</keys>
<values>3</values>
<datas>0</datas>
<folders>0</folders>
<files>25</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<process><path>C:\ProgramData\Microsoft\Windows\Time\Time-svc.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><pid>1924</pid><hash>e581d38e2f6aae88f77b2c5560a47888</hash></process>
<process><path>C:\ProgramData\Microsoft\Windows\Time\WindowsTime.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><pid>1764</pid><hash>1551e27fd9c0d4622153fe83a361916f</hash></process>
<process><path>C:\Temporary\iehighutil.exe</path><vendor>Trojan.BitCoinMiner</vendor><action>delete-on-reboot</action><pid>2388</pid><hash>ca9c7fe27f1a270ff0b40db229d87090</hash></process>
<process><path>C:\ProgramData\Microsoft\Windows\Time\TimeServer.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><pid>3356</pid><hash>c4a23d24a4f5c57111629ae7b2526799</hash></process>
<process><path>C:\Users\Teng\AppData\Roaming\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><pid>2644</pid><hash>67ffca97ddbc82b4b99dcf3bbd46c33d</hash></process>
<process><path>C:\Users\Teng\AppData\Local\Temp\chrome.exe</path><vendor>Trojan.PasswordStealer</vendor><action>delete-on-reboot</action><pid>1696</pid><hash>293ddb86f5a47bbb047f4a02956f7d83</hash></process>
<process><path>C:\Users\Teng\AppData\Roaming\EthMine\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><pid>1776</pid><hash>0e582140089160d65afa948e946fc937</hash></process>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.multiarray.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>e87e174a33660f275be37e3afd06946c</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.scalarmath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>acba79e8a6f3e2549ea0efc9669d966a</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.umath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>016573ee8b0e2412ce70eccc5aa9bf41</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core._dotblas.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>1c4af66b16835fd7dd61f8c0a261a65a</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.fft.fftpack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>4a1c98c98c0d023470ce5d5bba49ed13</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.lib._compiled_base.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0561e57c38616bcb4af4c0f8ca398e72</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.linalg.lapack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>7aecb3ae51484ee8211d3286ed16748c</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\numpy.random.mtrand.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>6df919489504d06662dceccc31d2da26</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\pyopencl._cl.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a0c66df4732675c12c127642e51e837d</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\select.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a5c10b56c6d3e94d0e303c7ca55e5da3</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\_ctypes.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>363067fa079287afac92dade5ba8b64a</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\_hashlib.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0363144d2772043291ad407811f2bd43</hash></module>
<module><path>C:\ProgramData\Microsoft\Windows\Time\_socket.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>f76f0d5467322214a995199f9e6504fc</hash></module>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Time</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>e581d38e2f6aae88f77b2c5560a47888</hash></key>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>iehighutil</valuename><vendor>Trojan.BitCoinMiner</vendor><action>success</action><valuedata>&quot;C:\Temporary\iehighutil.exe&quot;</valuedata><hash>ca9c7fe27f1a270ff0b40db229d87090</hash></value>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>{DB49928F-3F27-5CE5-C191-37ECBFB20947}</valuename><vendor>Trojan.ZbotR.Gen</vendor><action>success</action><valuedata>C:\Users\Teng\AppData\Roaming\Ivyl\onaq.exe</valuedata><hash>7ee841208e0b0432196bd3bb758e52ae</hash></value>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>FlashBit</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>C:\Users\Teng\AppData\Roaming\EthMine\svchost.exe</valuedata><hash>0e582140089160d65afa948e946fc937</hash></value>
<file><path>C:\ProgramData\Microsoft\Windows\Time\Time-svc.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>e581d38e2f6aae88f77b2c5560a47888</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\WindowsTime.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>1551e27fd9c0d4622153fe83a361916f</hash></file>
<file><path>C:\Temporary\iehighutil.exe</path><vendor>Trojan.BitCoinMiner</vendor><action>delete-on-reboot</action><hash>ca9c7fe27f1a270ff0b40db229d87090</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\TimeServer.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>c4a23d24a4f5c57111629ae7b2526799</hash></file>
<file><path>C:\Users\Teng\AppData\Roaming\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><hash>67ffca97ddbc82b4b99dcf3bbd46c33d</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\c5ba51c8822b2ebb730d18f8bab93d8a.elf</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>5d09a8b99dfc3ef837064c6cd52e04fc</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\d4ce4f36e508153bf25ab6a8dcde7f0d.elf</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>d096e57c39609d9990ad5365b053d030</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.multiarray.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>e87e174a33660f275be37e3afd06946c</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.scalarmath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>acba79e8a6f3e2549ea0efc9669d966a</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.umath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>016573ee8b0e2412ce70eccc5aa9bf41</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core._dotblas.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>1c4af66b16835fd7dd61f8c0a261a65a</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.fft.fftpack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>4a1c98c98c0d023470ce5d5bba49ed13</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.lib._compiled_base.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0561e57c38616bcb4af4c0f8ca398e72</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.linalg.lapack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>7aecb3ae51484ee8211d3286ed16748c</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.random.mtrand.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>6df919489504d06662dceccc31d2da26</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\pyopencl._cl.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a0c66df4732675c12c127642e51e837d</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\select.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>a5c10b56c6d3e94d0e303c7ca55e5da3</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_ctypes.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>363067fa079287afac92dade5ba8b64a</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_hashlib.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>0363144d2772043291ad407811f2bd43</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_socket.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>delete-on-reboot</action><hash>f76f0d5467322214a995199f9e6504fc</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\library.zip</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>92d4f9683762a1950639ad0b91725ba5</hash></file>
<file><path>C:\Users\m\AppData\Local\temp\chrome.exe</path><vendor>Trojan.PasswordStealer</vendor><action>success</action><hash>de8874eda9f057df3e4578d451b32bd5</hash></file>
<file><path>C:\Users\Teng\AppData\Local\Temp\chrome.exe</path><vendor>Trojan.PasswordStealer</vendor><action>delete-on-reboot</action><hash>293ddb86f5a47bbb047f4a02956f7d83</hash></file>
<file><path>C:\Users\m\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.com.url</path><vendor>Trojan.Agent.E</vendor><action>success</action><hash>74f2f8694c4de452287875e1f70dc838</hash></file>
<file><path>C:\Users\Teng\AppData\Roaming\EthMine\svchost.exe</path><vendor>Trojan.Agent</vendor><action>delete-on-reboot</action><hash>0e582140089160d65afa948e946fc937</hash></file>
</items>
</mbam-log>

eine zusätzliche info vielleicht noch: ich habe ein offizielles windows 7 drauf, allerdings konnte ich schon sehr lange nicht mehr updaten, weil ich das damals irgendwie über ne alte xp-installation drüber installiert habe. frag mich bitte nicht, wie ich das gemacht habe, ich wollte einfach irgendwie die alten platten noch miteingebaut haben. seitdem macht er sperenzchen, was das update von windows und flash angeht...

cosinus · 13.12.2016, 10:00

Was soll denn das als XML....

....poste das bitte in TXT damit man das einfacher lesen kann

cmdr · 13.12.2016, 19:02

besser? hab die dateien in txt-dateien umgewandelt. oder was meintest du?

Code:

ATTFilter

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2014/10/20 15:45:49 +0200</date>
<logfile>mbam-log-2014-10-20 (15-45-49).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.3.1025</version>
<malware-database>v2014.09.19.05</malware-database>
<rootkit-database>v2014.09.18.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>m</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>368441</objects>
<time>626</time>
<processes>2</processes>
<modules>0</modules>
<keys>1</keys>
<values>3</values>
<datas>0</datas>
<folders>0</folders>
<files>23</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<process><path>C:\Temporary\ieutil.exe</path><vendor>PUP.BitCoinMiner</vendor><action>delete-on-reboot</action><pid>24716</pid><hash>661b3bb45c1f86b0b6ccb23da35ed030</hash></process>
<process><path>C:\Temporary\iehighutil.exe</path><vendor>Trojan.Agent.MNR</vendor><action>delete-on-reboot</action><pid>18064</pid><hash>11705d927506e55139bba5b755af817f</hash></process>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Time</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>6c155e914b30d3630e0db9a64fb553ad</hash></key>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>{DB49928F-3F27-5CE5-C191-37ECBFB20947}</valuename><vendor>Trojan.Kryptik</vendor><action>success</action><valuedata>C:\Users\Teng\AppData\Roaming\Ivyl\onaq.exe</valuedata><hash>86fb826d700bfb3b6f9dbd399769ed13</hash></value>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON</path><valuename>shell</valuename><vendor>Hijack.Shell.Gen</vendor><action>success</action><valuedata>C:\Users\Teng\AppData\Roaming\EelguyPf\f1YRdTk.exe,explorer.exe</valuedata><hash>4f3227c8e29988ae0e9a7762bc47aa56</hash></value>
<value><path>HKU\S-1-5-21-896307261-3574068607-3140626432-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>iehighutil</valuename><vendor>Trojan.Agent.MNR</vendor><action>success</action><valuedata>&quot;C:\Temporary\iehighutil.exe&quot;</valuedata><hash>11705d927506e55139bba5b755af817f</hash></value>
<file><path>C:\Temporary\ieutil.exe</path><vendor>PUP.BitCoinMiner</vendor><action>success</action><hash>661b3bb45c1f86b0b6ccb23da35ed030</hash></file>
<file><path>C:\Users\Teng\AppData\Roaming\Ivyl\onaq.exe</path><vendor>Trojan.Kryptik</vendor><action>success</action><hash>86fb826d700bfb3b6f9dbd399769ed13</hash></file>
<file><path>C:\Users\Teng\AppData\Roaming\Imge\noce.exe</path><vendor>Trojan.VBKrypt</vendor><action>success</action><hash>6f122ec16d0edd59e0c1fcbcbb45de22</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\Time-svc.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>6c155e914b30d3630e0db9a64fb553ad</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\WindowsTime.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>6c15618eb0cb241243d956093dc7b947</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\TimeServer.exe</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>d5acdf102952ec4aee2f77e8659f4ab6</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\c5ba51c8822b2ebb730d18f8bab93d8a.elf</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>9fe2bf30a3d8221461bdb1ae7391946c</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\d4ce4f36e508153bf25ab6a8dcde7f0d.elf</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>a6db3fb0c1baef476faf2d329e6639c7</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.multiarray.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>532ee50ae09bd16572add78846be6d93</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.scalarmath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>99e8fef16e0d58defb24cb94a95b37c9</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core.umath.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>99e8bc332f4ce55124fb5609897b7a86</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.core._dotblas.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>dfa28d62e299f44296895c033fc58f71</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.fft.fftpack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>98e933bcc0bb40f6d44be9761fe5b848</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.lib._compiled_base.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>ceb324cb18632b0b72ad8cd3f41028d8</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.linalg.lapack_lite.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>453c12ddb7c4e254e73807585aaa10f0</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\numpy.random.mtrand.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>ccb508e794e7ac8a46d93629b2527b85</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\pyopencl._cl.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>2e53e50a3e3df2441f00d48b7a8a8d73</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\select.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>473a707f0d6e2a0c1a05e47b30d455ab</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_ctypes.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>2c5542ad5f1c9f971b04114e976da25e</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_hashlib.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>513019d66813bb7b8e91abb4d430c33d</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\_socket.pyd</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>f78a757a4f2c0f271d024619a75dfb05</hash></file>
<file><path>C:\ProgramData\Microsoft\Windows\Time\library.zip</path><vendor>Trojan.BtcMiner.TS</vendor><action>success</action><hash>463b6788ef8cef475cc40b543aca5fa1</hash></file>
<file><path>C:\Temporary\iehighutil.exe</path><vendor>Trojan.Agent.MNR</vendor><action>delete-on-reboot</action><hash>11705d927506e55139bba5b755af817f</hash></file>
</items>
</mbam-log>

Code:

ATTFilter

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/12/04 20:04:33 +0100</date>
<logfile>mbam-log-2016-12-04 (20-00-02).xml</logfile>
<isadmin>no</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.12.04.08</malware-database>
<rootkit-database>v2016.11.20.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>SATAN</hostname>
<ip>192.168.0.12</ip>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>Teng</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>235540</objects>
<time>502</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
</items>
</mbam-log>

cosinus · 13.12.2016, 19:42

Noch dassselbe posten bringt da rein garnix. Du sollst aus Malwarebytes heraus TXT und nicht XML wählen!

cmdr · 13.12.2016, 20:18

ah, jetzt

also hier noch mal von oktober.

Code:

ATTFilter

 Malwarebytes Anti-Malware 
www.malwarebytes.org

Scan Date: 20.10.2014
Scan Time: 15:45
Logfile: 20.10.2014.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.09.19.05
Rootkit Database: v2014.09.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: m

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 368441
Time Elapsed: 10 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.BitCoinMiner, C:\Temporary\ieutil.exe, 24716, Delete-on-Reboot, [661b3bb45c1f86b0b6ccb23da35ed030]
Trojan.Agent.MNR, C:\Temporary\iehighutil.exe, 18064, Delete-on-Reboot, [11705d927506e55139bba5b755af817f]

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.BtcMiner.TS, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Time, Quarantined, [6c155e914b30d3630e0db9a64fb553ad], 

Registry Values: 3
Trojan.Kryptik, HKU\S-1-5-21-896307261-3574068607-3140626432-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{DB49928F-3F27-5CE5-C191-37ECBFB20947}, C:\Users\Teng\AppData\Roaming\Ivyl\onaq.exe, Quarantined, [86fb826d700bfb3b6f9dbd399769ed13]
Hijack.Shell.Gen, HKU\S-1-5-21-896307261-3574068607-3140626432-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|shell, C:\Users\Teng\AppData\Roaming\EelguyPf\f1YRdTk.exe,explorer.exe, Quarantined, [4f3227c8e29988ae0e9a7762bc47aa56]
Trojan.Agent.MNR, HKU\S-1-5-21-896307261-3574068607-3140626432-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|iehighutil, "C:\Temporary\iehighutil.exe", Quarantined, [11705d927506e55139bba5b755af817f]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 23
PUP.BitCoinMiner, C:\Temporary\ieutil.exe, Quarantined, [661b3bb45c1f86b0b6ccb23da35ed030], 
Trojan.Kryptik, C:\Users\Teng\AppData\Roaming\Ivyl\onaq.exe, Quarantined, [86fb826d700bfb3b6f9dbd399769ed13], 
Trojan.VBKrypt, C:\Users\Teng\AppData\Roaming\Imge\noce.exe, Quarantined, [6f122ec16d0edd59e0c1fcbcbb45de22], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\Time-svc.exe, Quarantined, [6c155e914b30d3630e0db9a64fb553ad], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\WindowsTime.exe, Quarantined, [6c15618eb0cb241243d956093dc7b947], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\TimeServer.exe, Quarantined, [d5acdf102952ec4aee2f77e8659f4ab6], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\c5ba51c8822b2ebb730d18f8bab93d8a.elf, Quarantined, [9fe2bf30a3d8221461bdb1ae7391946c], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\d4ce4f36e508153bf25ab6a8dcde7f0d.elf, Quarantined, [a6db3fb0c1baef476faf2d329e6639c7], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.core.multiarray.pyd, Quarantined, [532ee50ae09bd16572add78846be6d93], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.core.scalarmath.pyd, Quarantined, [99e8fef16e0d58defb24cb94a95b37c9], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.core.umath.pyd, Quarantined, [99e8bc332f4ce55124fb5609897b7a86], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.core._dotblas.pyd, Quarantined, [dfa28d62e299f44296895c033fc58f71], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.fft.fftpack_lite.pyd, Quarantined, [98e933bcc0bb40f6d44be9761fe5b848], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.lib._compiled_base.pyd, Quarantined, [ceb324cb18632b0b72ad8cd3f41028d8], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.linalg.lapack_lite.pyd, Quarantined, [453c12ddb7c4e254e73807585aaa10f0], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\numpy.random.mtrand.pyd, Quarantined, [ccb508e794e7ac8a46d93629b2527b85], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\pyopencl._cl.pyd, Quarantined, [2e53e50a3e3df2441f00d48b7a8a8d73], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\select.pyd, Quarantined, [473a707f0d6e2a0c1a05e47b30d455ab], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\_ctypes.pyd, Quarantined, [2c5542ad5f1c9f971b04114e976da25e], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\_hashlib.pyd, Quarantined, [513019d66813bb7b8e91abb4d430c33d], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\_socket.pyd, Quarantined, [f78a757a4f2c0f271d024619a75dfb05], 
Trojan.BtcMiner.TS, C:\ProgramData\Microsoft\Windows\Time\library.zip, Quarantined, [463b6788ef8cef475cc40b543aca5fa1], 
Trojan.Agent.MNR, C:\Temporary\iehighutil.exe, Delete-on-Reboot, [11705d927506e55139bba5b755af817f], 

Physical Sectors: 0
(No malicious items detected)


(end)

und hier von dezember.

Code:

ATTFilter

 Malwarebytes Anti-Malware 
www.malwarebytes.org

Scan Date: 04.12.2016
Scan Time: 20:04
Logfile: 04.12.2016.txt
Administrator: No

Version: 2.2.1.1043
Malware Database: v2016.12.04.08
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Teng

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 235540
Time Elapsed: 8 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

cosinus · 13.12.2016, 20:27

Scan mit Farbar's Recovery Scan Tool (FRST)

Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop:

FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)

Starte jetzt FRST.
Ändere ungefragt keine der Checkboxen und klicke auf Untersuchen.
Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)

Lesestoff:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR oder 7Z-Archiv zu packen erschwert mir massiv die Arbeit.
Auch wenn die Logs für einen Beitrag zu groß sein sollten, bitte ich dich die Logs direkt und notfalls über mehrere Beiträge verteilt zu posten.
Um die Logfiles in eine CODE-Box zu stellen gehe so vor:

Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.

cmdr · 13.12.2016, 23:38

FRST Logfile:

FRST Logfile:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by Teng (ATTENTION: The user is not administrator) on SATAN (13-12-2016 23:31:45)
Running from G:\Needful Things\Trojaner Board
Loaded Profiles: m & Teng (Available Profiles: m & Teng)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> lsm.exe
Failed to access process -> winlogon.exe
Failed to access process -> svchost.exe
Failed to access process -> nvvsvc.exe
Failed to access process -> nvscpapisvr.exe
Failed to access process -> svchost.exe
Failed to access process -> atiesrxx.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> atieclxx.exe
Failed to access process -> nvxdsync.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> FCUpdateService.exe
Failed to access process -> GfExperienceService.exe
Failed to access process -> NvNetworkService.exe
Failed to access process -> NvStreamService.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> NvStreamNetworkService.exe
Failed to access process -> svchost.exe
Failed to access process -> NvStreamUserAgent.exe
Failed to access process -> conhost.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(DT Soft Ltd) C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
() C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
(Gemalto N.V.) C:\Users\Teng\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe
(www.bid-o-matic.org) C:\Program Files (x86)\Biet-O-Matic\Biet-O-Matic.exe
(Apple Computer, Inc.) C:\Program Files (x86)\QuickTime\qttask.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\SCSI Host\scsihost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
Failed to access process -> wmpnetwk.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Failed to access process -> svchost.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winamp.exe
(Malwarebytes) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2397120 2016-10-01] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [BrMfcWnd] => C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [77824 2014-03-22] (Apple Computer, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM-x32\...\Run: [SCSI Host] => C:\Program Files (x86)\SCSI Host\scsihost.exe [1521664 2016-04-18] ()
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-14] (Microsoft Corporation)
HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\m\AppData\Local\Temp\IXP000.TMP\" <===== ATTENTION
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [4910912 2011-08-02] (DT Soft Ltd)
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [Steam] => "C:\Program Files (x86)\Steam\Steam.exe" -silent
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [Rainlendar2] => C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe [4411488 2014-03-16] ()
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [SanDiskSecureAccess_Manager.exe] => C:\Users\Teng\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe [27311232 2011-06-29] (Gemalto N.V.)
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [koxgzz.exe] => \koxgzz.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [Mark.of.the.Ninja.Special.Edition-SKIDROW.exe] => Mark.of.the.Ninja.Special.Edition-SKIDROW.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: K - K:\LaunchU3.exe -a
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: {0bc57b94-ddb3-11e2-8036-001d60863ea4} - N:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: {28d2cd41-447c-11e3-a4f4-001d60863ea4} - J:\autorun.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: {b9d494f1-5692-11e1-be88-001d60863ea4} - L:\LaunchU3.exe -a
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Biet-O-Matic.lnk [2011-10-28]
ShortcutTarget: Biet-O-Matic.lnk -> C:\Program Files (x86)\Biet-O-Matic\Biet-O-Matic.exe (www.bid-o-matic.org)
BootExecute: autocheck autochk * OODBS

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.2
Tcpip\..\Interfaces\{1D1813E2-57DB-459F-9DBE-2087AB259659}: [NameServer] 69.164.196.21,5.134.115.112
Tcpip\..\Interfaces\{1D1813E2-57DB-459F-9DBE-2087AB259659}: [DhcpNameServer] 192.168.0.1 192.168.0.2
Tcpip\..\Interfaces\{7B365E17-81AA-4E61-BE18-136661F4713A}: [DhcpNameServer] 192.168.42.129

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-896307261-3574068607-3140626432-1001] ATTENTION => Default URLSearchHook is missing
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll [2014-10-22] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-10-22] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-10-22] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-10-22] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-08-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-08-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-08-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-08-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default [2016-12-13]
FF user.js: detected! => C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\user.js [2014-09-28]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\avlwyghh.default -> Google Deutschland
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\avlwyghh.default -> Google Deutschland
FF Keyword.URL: Mozilla\Firefox\Profiles\avlwyghh.default -> 	  hxxp://www.google.de/search?sourceid=navclient&hl=de&q=
FF NetworkProxy: Mozilla\Firefox\Profiles\avlwyghh.default -> autoconfig_url", "chrome://viewtubes/content/viewtubes_false.pac"
FF NetworkProxy: Mozilla\Firefox\Profiles\avlwyghh.default -> type", 2
FF Extension: (Disconnect) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\2.0@disconnect.me.xpi [2016-04-29]
FF Extension: (ClipConverter) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\clipconverter@clipconverter.cc.xpi [2016-04-09]
FF Extension: (German Dictionary) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\de-DE@dictionaries.addons.mozilla.org [2016-12-04]
FF Extension: (Ghostery) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\firefox@ghostery.com.xpi [2016-11-29]
FF Extension: (HTTPS Everywhere) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\https-everywhere-eff@eff.org.xpi [2016-12-03]
FF Extension: (Facebook Ticker Removal) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\info@technologymob.com.xpi [2016-04-29]
FF Extension: (Self-Destructing Cookies) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi [2016-11-02]
FF Extension: (Beef Taco (Targeted Advertising Cookie Opt-Out)) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\john@velvetcache.org.xpi [2016-04-29]
FF Extension: (uBlock Origin) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\uBlock0@raymondhill.net.xpi [2016-11-29]
FF Extension: (uMatrix) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\uMatrix@raymondhill.net.xpi [2016-11-02]
FF Extension: (LittleFox) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{29852C08-1E91-4889-A6BF-C77F91D6A8F3}.xpi [2016-10-19]
FF Extension: (Flashblock) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-01-04]
FF Extension: (MicroFox) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{403304EE-066A-4a2a-8F41-F12028480A0A}.xpi [2016-10-19]
FF Extension: (Cookie Monster) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{45d8ff86-d909-11db-9705-005056c00008} [2016-11-28]
FF Extension: (Save Button for Pinterest) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{677a8f98-fd64-40b0-a883-b8c95d0cbf17}.xpi [2016-12-13]
FF Extension: (NoScript) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-12-03]
FF Extension: (BetterPrivacy) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-11-02]
FF Extension: (Tab Mix Plus) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2016-10-31]
FF Extension: (Greasemonkey) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2016-08-20]
FF Extension: (Adblock Edge) - C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2016-04-27]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\darklyrics.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\discogs.xml [2015-09-16]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\duckduckgo-de.xml [2015-05-18]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\duckduckgo.xml [2012-02-20]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\ebay-deutschland.xml [2015-05-03]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\encyclopaedia-metallum---google.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\encyclopaedia-metallum-bands.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\gamefaqs.xml [2014-06-01]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\gametrailerscom.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\google-blog-search.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\google-deutschland.xml [2015-09-02]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\google-maps-deutschland---sat.xml [2013-10-07]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\ign.xml [2014-06-01]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\imdb.xml [2014-12-08]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\lastfm---artists.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\popsikecom.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\rap-genius.xml [2014-07-07]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\urban-dictionary.xml [2013-11-26]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\wikipedia-en---search.xml [2014-06-01]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\youtube-video-search.xml [2014-12-20]
FF SearchPlugin: C:\Users\Teng\AppData\Roaming\Mozilla\Firefox\Profiles\avlwyghh.default\searchplugins\youtube.xml [2014-12-08]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_250.dll [2014-10-22] ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-10-22] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-10-22] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_250.dll [2014-10-22] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-08-26] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-10-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-10-22] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-10-01] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-10-01] (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244392 2015-04-10] (Foxit Software Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163712 2016-10-01] (NVIDIA Corporation)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-10-01] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3632576 2016-10-01] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2521024 2016-10-01] (NVIDIA Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2011-10-26] (DT Soft Ltd)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-10-01] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56376 2016-10-01] (NVIDIA Corporation)
S3 PRESONUS_AUDIOBOX_USB; C:\Windows\System32\Drivers\psabusbu.sys [462968 2009-12-04] (Ploytec GmbH)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz135; \??\C:\Program Files (x86)\CPUID\PC Wizard 2012\pcwiz_x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-13 20:15 - 2016-12-13 20:15 - 00000000 ____D C:\New folder
2016-12-12 23:21 - 2016-12-12 23:21 - 00001136 _____ C:\Users\Teng\Desktop\PC Konfiguration.txt
2016-12-12 22:34 - 2016-12-12 22:34 - 00000000 ____D C:\566551856fee234bbde9c7606c559e
2016-12-06 20:48 - 2016-12-06 20:48 - 00000000 ____D C:\Users\Teng\AppData\LocalLow\Knuckle Cracker
2016-12-06 20:46 - 2016-12-06 20:48 - 00000000 ____D C:\Users\m\AppData\Roaming\ParticleFleet
2016-12-06 20:30 - 2016-12-06 20:30 - 00000000 ____D C:\Users\Teng\AppData\Roaming\CreeperWorld3
2016-11-23 10:28 - 2016-12-04 18:56 - 00000000 ____D C:\Users\Teng\AppData\Roaming\Audacity
2016-11-23 10:28 - 2016-11-23 10:28 - 00001024 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2016-11-23 10:28 - 2016-11-23 10:28 - 00001012 _____ C:\Users\Public\Desktop\Audacity.lnk
2016-11-23 10:28 - 2016-11-23 10:28 - 00000000 ____D C:\Users\Teng\AppData\Local\Audacity
2016-11-23 10:28 - 2016-11-23 10:28 - 00000000 ____D C:\Program Files (x86)\Audacity
2016-11-21 10:50 - 2016-11-21 10:50 - 00059403 _____ C:\Users\Teng\Desktop\Tickets Killerz 3.pdf
2016-11-18 18:57 - 2016-12-12 22:22 - 00000000 ____D C:\Users\Teng\AppData\LocalLow\Mozilla
2016-11-18 14:26 - 2016-12-13 22:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-13 23:31 - 2014-10-16 12:28 - 00000000 ____D C:\FRST
2016-12-13 23:31 - 2011-10-28 10:43 - 00000000 ____D C:\Program Files (x86)\Biet-O-Matic
2016-12-13 20:15 - 2012-04-25 20:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-12 22:38 - 2009-07-14 05:45 - 00014752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-12 22:38 - 2009-07-14 05:45 - 00014752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-12 22:16 - 2009-07-14 06:13 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-12 22:16 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-12-12 22:10 - 2016-10-12 14:48 - 00000000 ____D C:\ProgramData\NVIDIA
2016-12-12 22:10 - 2011-10-26 17:54 - 00000000 ____D C:\Users\Teng\.rainlendar2
2016-12-12 22:10 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-12 12:05 - 2014-09-12 01:28 - 00000000 ____D C:\Users\Teng\AppData\Roaming\F21A5342-74C1-4E8D-BAC3-006C36D75143
2016-12-12 11:32 - 2011-10-27 23:11 - 00000000 ____D C:\Users\Teng\AppData\Roaming\vlc
2016-12-08 22:10 - 2012-02-08 00:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KnuckleCracker
2016-12-04 19:58 - 2015-05-15 15:31 - 00000000 ____D C:\Users\Teng\AppData\Local\CrashDumps
2016-12-04 19:47 - 2011-10-28 15:59 - 00000000 ____D C:\Users\Teng\AppData\Roaming\FileZilla
2016-11-13 00:25 - 2011-10-24 13:41 - 00000000 ____D C:\Program Files (x86)\Rainlendar2

==================== Files in the root of some directories =======

2013-11-05 11:40 - 2016-05-02 16:47 - 0000288 _____ () C:\Users\Teng\AppData\Roaming\.backup.dm
2011-11-13 11:24 - 2011-11-13 11:24 - 0027617 _____ () C:\Users\Teng\AppData\Roaming\phpdesigner.xml
2005-04-08 03:16 - 2011-11-11 22:18 - 0108357 ____H () C:\Users\Teng\AppData\Roaming\Tenglog.dat
2012-01-24 21:24 - 2012-01-24 22:02 - 0004608 _____ () C:\Users\Teng\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-27 03:57 - 2013-01-27 03:57 - 0001470 _____ () C:\Users\Teng\AppData\Local\RecConfig.xml

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD. The user is not administrator

==================== End of FRST.txt ============================

--- --- ---

--- --- ---

[CODE]Additional
FRST Logfile:

FRST Logfile:

Code:

ATTFilter

scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Teng (13-12-2016 23:37:01)
Running from G:\Needful Things\Trojaner Board
Windows 7 Professional Service Pack 1 (X64) (2011-10-23 17:17:32)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-896307261-3574068607-3140626432-500 - Administrator - Disabled)
Guest (S-1-5-21-896307261-3574068607-3140626432-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-896307261-3574068607-3140626432-1002 - Limited - Enabled)
m (S-1-5-21-896307261-3574068607-3140626432-1001 - Administrator - Enabled) => C:\Users\m
Teng (S-1-5-21-896307261-3574068607-3140626432-1004 - Limited - Enabled) => C:\Users\Teng

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.2.8870 - Adobe Systems Inc.)
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 13 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 13.0.0.250 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Amnesia: A Machine for Pigs (HKLM-x32\...\Amnesia: A Machine for Pigs_is1) (Version:  - )
Ansel (Version: 373.06 - NVIDIA Corporation) Hidden
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.10 - Michael Tippach)
Audacity 2.1.2 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.2 - Audacity Team)
Auslogics DiskDefrag (HKLM-x32\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 5.4.0.0 - Auslogics Labs Pty Ltd)
Avidemux 2.5 (HKLM-x32\...\Avidemux 2.5 (64-bit)) (Version: 2.5.6.7716 - )
Biet-O-Matic v2.14.8 (HKLM-x32\...\Biet-O-Matic v2.14.8) (Version: 2.14.8 - BOM Development Team)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Broken Sword 2.5 (HKLM-x32\...\Broken Sword 2.5_is1) (Version:  - mindFactory)
Bullzip PDF Printer 7.2.0.1304 (HKLM\...\Bullzip PDF Printer_is1) (Version: 7.2.0.1304 - Bullzip)
calibre (HKLM-x32\...\{D47B7229-AC24-4D79-96AB-880649FFC892}) (Version: 2.19.0 - Kovid Goyal)
Canon iP2700 series Printer Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2700_series) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.05 - Piriform)
CDisplay 1.8 (HKLM-x32\...\CDisplay_is1) (Version:  - dvd8n)
Command & Conquer Generals (HKLM-x32\...\InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}) (Version: 0.50.0000 - Electronic Arts)
Command & Conquer Generals (x32 Version: 0.50.0000 - Electronic Arts) Hidden
Creeper World (HKLM-x32\...\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1) (Version: 0182 - UNKNOWN)
Creeper World (x32 Version: 0182 - UNKNOWN) Hidden
Creeper World 2 (HKLM-x32\...\CreeperWorld2.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1) (Version: 3.63.0 - UNKNOWN)
Creeper World 2 (x32 Version: 3.63.0 - UNKNOWN) Hidden
Dacia Media Nav Toolbox (HKLM-x32\...\Dacia Media Nav Toolbox) (Version: 3.18.4.502485 - NNG Llc.)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.41.3.0173 - DT Soft Ltd)
Desura (HKLM-x32\...\Desura) (Version: 100.53 - Desura)
Dungeon Keeper 2 (HKLM-x32\...\GOGPACKDUNGEONKEEPER2_is1) (Version: 2.0.0.32 - GOG.com)
Dying Light (HKLM-x32\...\RHlpbmdMaWdodA==_is1) (Version: 1 - )
ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 16.2.24.20150630 - Landesfinanzdirektion Thüringen)
Fallout 4 (HKLM-x32\...\Fallout 4_is1) (Version:  - )
FileZilla Client 3.22.2.2 (HKLM-x32\...\FileZilla Client) (Version: 3.22.2.2 - Tim Kosse)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 3.3.76.410 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.1.5.425 - Foxit Software Inc.)
Free Audio Converter version 5.0.61.805 (HKLM-x32\...\Free Audio Converter_is1) (Version: 5.0.61.805 - DVDVideoSoft Ltd.)
Freespace (HKLM-x32\...\GOGPACKFREESPACE_is1) (Version: 2.0.0.7 - GOG.com)
GOG.com Dungeon Keeper 2 (HKLM\...\{b6462b67-caf5-4a74-99df-cc2811bd1957}.sdb) (Version:  - )
GOG.com Freespace (HKLM\...\{cade436f-07c5-47f2-b1f3-10be3bd121da}.sdb) (Version:  - )
GPL Ghostscript Lite 9.04 (HKLM-x32\...\GPL Ghostscript Lite_is1) (Version:  - )
Guitar Pro 5.0 (HKLM-x32\...\Guitar Pro 5_is1) (Version:  - Arobas Music)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.7.0 - LIGHTNING UK!)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.30 - Irfan Skiljan)
Java 8 Update 25 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418025F0}) (Version: 8.0.250 - Oracle Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java(TM) 6 Update 29 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.290 - Oracle)
Java(TM) 7 Update 2 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217002FF}) (Version: 7.0.20 - Oracle)
Last.fm Scrobbler 2.1.37 (HKLM-x32\...\LastFM_is1) (Version:  - Last.fm)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30320 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}) (Version: 1.2.0241 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{e6e75766-da0f-4ba2-9788-6ea593ce702d}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 12.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 12.0 (x86 en-US)) (Version: 12.0 - Mozilla)
Mozilla Firefox 50.0.2 (x86 en-US) (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Mozilla Firefox 50.0.2 (x86 en-US)) (Version: 50.0.2 - Mozilla)
Naviextras Toolbox Prerequesities (HKLM-x32\...\{537575D6-3B96-474C-BD8F-DFF667363DBD}) (Version: 1.0.0 - NNG Llc.)
NVIDIA 3D Vision Controller Driver 369.04 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 369.04 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 373.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 373.06 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.11.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.11.4.0 - NVIDIA Corporation)
NVIDIA Graphics Driver 373.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 373.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.15 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.15 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
One Unit Whole Blood (HKLM-x32\...\One Unit Whole Blood_is1) (Version:  - GOG.com)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Pathway Professional - Film Analysis (HKLM-x32\...\{9AA9F79E-3EFA-415F-99E9-E18529A0AFF4}) (Version: 31897 - Bildungshaus Schulbuchverlage Westermann Schroedel Diesterweg Schöningh Winklers GmbH)
PDFTK Builder 3.5.3 (HKLM-x32\...\PDFTK Builder_is1) (Version:  - )
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Phase 5 HTML-Editor (HKLM-x32\...\{20B1B020-DEAE-48D1-9960-D4C3185D758B}) (Version: 5.6.2.3 - Systemberatung Schommer)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.140.248 - Google, Inc.)
Pidgin (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Pidgin) (Version: 2.10.1 - )
QuickTime (HKLM-x32\...\QuickTime) (Version:  - )
Rainlendar2 (remove only) (HKLM-x32\...\Rainlendar2) (Version:  - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6482 - Realtek Semiconductor Corp.)
RemoteControl for Winamp (HKLM-x32\...\RemoteControl for Winamp1.00) (Version: 1.00 - Martin Schlodinski)
SABnzbd 0.7.14 (HKLM-x32\...\SABnzbd) (Version: 0.7.14 - The SABnzbd Team)
SanDiskSecureAccess_Manager.exe (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\@@__UNKNOWN__@@SanDiskSecureAccess_Manager.exe) (Version: 1.1.19269 - Gemalto N.V.)
Scrolls (HKLM-x32\...\{F7F74F7F-C458-4B7C-A6F4-80A28ED7AF0B}) (Version: 1.0.2.0 - Mojang)
SHIELD Streaming (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.11.4.0 - NVIDIA Corporation) Hidden
Sins of a Solar Empire Rebellion (c) Stardock version 1 (HKLM-x32\...\Sins of a Solar Empire Rebellion (c) Stardock_is1) (Version: 1 - )
Smart Organizing Monitor (HKLM-x32\...\{AD66DDE3-33AC-4F26-9EC6-A37454423C4F}) (Version: 1.00.0000 - RICOH)
Stronghold HD (HKLM-x32\...\GOGPACKSTRONGHOLDHD_is1) (Version: 2.0.0.3 - GOG.com)
Ulead GIF Animator Lite Edition 1.0 (HKLM-x32\...\Ulead GIF Animator Lite Edition 1.0) (Version:  - )
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
Winamp (HKLM-x32\...\Winamp) (Version: 5.623  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Z (HKLM-x32\...\1207664893_is1) (Version: 2.3.0.8 - GOG.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2010-01-30 01:40 - 2010-01-30 01:40 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2016-11-01 19:10 - 2016-11-01 19:10 - 00052400 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2014-03-16 18:42 - 2014-03-16 18:42 - 04411488 _____ () C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
2012-05-16 20:12 - 2012-05-16 20:12 - 00179200 _____ () C:\Program Files (x86)\Rainlendar2\lua52.dll
2014-03-14 11:24 - 2014-03-14 11:24 - 00324608 _____ () C:\Program Files (x86)\Rainlendar2\libical.dll
2014-03-16 18:42 - 2014-03-16 18:42 - 00082528 _____ () C:\Program Files (x86)\Rainlendar2\plugins\iCalendarPlugin.dll
2014-03-14 11:24 - 2014-03-14 11:24 - 00080384 _____ () C:\Program Files (x86)\Rainlendar2\libicalss.dll
2014-03-16 18:44 - 2014-03-16 18:44 - 00346208 _____ () C:\Program Files (x86)\Rainlendar2\plugins\GoogleCalendarPlugin.dll
2012-06-17 14:21 - 2012-06-17 14:21 - 00015360 _____ () C:\Program Files (x86)\Rainlendar2\lfs.dll
2016-05-03 00:21 - 2016-04-18 12:16 - 01521664 _____ () C:\Program Files (x86)\SCSI Host\scsihost.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [494]
AlternateDataStreams: C:\Users\Public\Desktop\Amnesia: A Machine for Pigs.lnk [1458]
AlternateDataStreams: C:\Users\Teng\Cookies:X7IeMuZWMtAtWneF5qqjxy4jMIO6Z [2364]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\microsoft.com -> hxxps://update.microsoft.com
IE trusted site: HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\microsoft.com -> hxxp://update.microsoft.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-10-16 20:43 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Teng\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 69.164.196.21 - 5.134.115.112
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Users^m^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk => C:\Windows\pss\OpenOffice.org 3.3.lnk.Startup
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: DAEMON Tools Lite => "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
MSCONFIG\startupreg: NeroFilterCheck => C:\Windows\system32\NeroCheck.exe
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\Steam.exe" -silent

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{D818B8A3-C591-408D-97DD-FCFE031ED0AF}] => %ProgramFiles% (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F9965F4C-7EEF-489F-AA2F-3462F02CF282}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{18519143-8B84-444A-8413-4D03E2337838}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{C97F3F47-31DD-4D5D-B94B-9E32E841B225}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{5EC81B49-7716-4536-A6E9-257972400C4C}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{D802A2B1-4140-4B87-BA4C-5E7E18F949D1}] => %ProgramFiles% (x86)\Last.fm\LastFM.exe
FirewallRules: [{F336331D-32B8-4C1E-BE2E-56E427457430}] => %ProgramFiles% (x86)\Rainlendar2\Rainlendar2.exe
FirewallRules: [{902F5112-8525-404C-AFEE-72E0285218C2}] => %ProgramFiles% (x86)\SABnzbd\SABnzbd.exe
FirewallRules: [{7E030C8B-B048-4B9E-B7B1-3DF466C2B546}] => %ProgramFiles% (x86)\Biet-O-Matic\Biet-O-Matic.exe
FirewallRules: [{C2B1EE59-B6EA-4333-9256-8EC7DFE92C69}] => %ProgramFiles% (x86)\Biet-O-Matic\BOMUpdate.exe
FirewallRules: [{1D8B1F05-475E-4EFE-BA92-99D42CE238F0}] => %ProgramFiles% (x86)\Biet-O-Matic\BOM Logging Config Tool.exe
FirewallRules: [TCP Query User{42E16501-95EE-40C3-A415-7598C2CAA9A7}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [UDP Query User{536C437E-A628-4805-920E-55BCED5ED45B}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [{1464E782-28E2-48E0-A707-D9ABDA655C06}] => %ProgramFiles% (x86)\FileZilla FTP Client\filezilla.exe
FirewallRules: [{CA3A851B-6575-4719-867D-5FEEE905CA00}] => %ProgramFiles% (x86)\Biet-O-Matic\Biet-O-Matic.exe
FirewallRules: [{DE3BDCCB-9CAF-4877-B7E3-C48904A69B8F}] => %ProgramFiles% (x86)\Biet-O-Matic\BOM Logging Config Tool.exe
FirewallRules: [{78857152-4C79-4CDA-8F4E-00853F56ACFF}] => %ProgramFiles% (x86)\Biet-O-Matic\BOMUpdate.exe
FirewallRules: [{6EC31C6D-D7D8-46D0-BDB9-3A40D627D65F}] => %ProgramFiles% (x86)\Winamp\winamp.exe
FirewallRules: [{3DD30B62-D3B2-4EAB-A08F-D944348A8162}] => %ProgramFiles% (x86)\ImgBurn\ImgBurn.exe
FirewallRules: [{6D2C788A-4B01-4871-B090-02A4985A1AF2}] => %ProgramFiles% (x86)\YouTube Download\FreeYouTubeDownload.exe
FirewallRules: [{DF665DB2-E823-4F06-8E75-05D9546D6DE7}] => G:\Needful Things\Mediathek\Starten_Windows.exe
FirewallRules: [{D80925EB-D229-4BD3-87D4-15C983996C6F}] => G:\Needful Things\Mediathek\Starten_Windows.exe
FirewallRules: [{8208ADE5-F3CB-410E-A785-8D58822D9158}] => %ProgramFiles% (x86)\Desura\desura.exe
FirewallRules: [{52D7F7C6-734C-4A2A-88E9-647D44B529DF}] => %ProgramFiles% (x86)\Desura\desura.exe
FirewallRules: [{965346D4-725E-44B1-A544-C90E53A15BEA}] => G:\Needful Things\jxpiinstall.exe
FirewallRules: [{BE204C14-F2F0-4BA7-9D59-5F8DF3E5F771}] => %SystemDrive%\Users\Teng\AppData\Roaming\Microsoft\Windows\Pidgin\pidgin.exe
FirewallRules: [{255A9E4E-7A1F-4A57-84B9-02806A08ADA4}] => %SystemDrive%\Users\Teng\AppData\Roaming\Microsoft\Windows\Pidgin\pidgin.exe
FirewallRules: [TCP Query User{A86C2083-EA78-4487-BCAE-83E3A9512E74}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [UDP Query User{68DCB21D-40B2-4003-95CA-5236D2F0B6BC}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [{E589C869-FFF5-45C7-A1A7-BEA808AB9FDD}] => C:\ProgramData\Battle.net\Agent\Agent.524\Agent.exe
FirewallRules: [{1C7D2188-1B52-4837-ACC7-1F1F97927967}] => C:\ProgramData\Battle.net\Agent\Agent.524\Agent.exe
FirewallRules: [{DAB60054-3165-4F35-9C84-3AA1D837EB14}] => C:\Program Files (x86)\Sins of a Solar Empire\Sins of a Solar Empire.exe
FirewallRules: [{44D8A06E-670D-46A9-9B6D-374199FD3DD4}] => C:\Program Files (x86)\Sins of a Solar Empire\Sins of a Solar Empire.exe
FirewallRules: [TCP Query User{9189F5A1-B40E-40B9-BD78-94CDC23FA4BF}C:\program files (x86)\java\jre7\bin\javaw.exe] => C:\program files (x86)\java\jre7\bin\javaw.exe
FirewallRules: [UDP Query User{3320C074-19E9-4205-8893-9243649887D8}C:\program files (x86)\java\jre7\bin\javaw.exe] => C:\program files (x86)\java\jre7\bin\javaw.exe
FirewallRules: [{8F9209E9-1ABE-4AF8-9FD6-5A9AC56FB396}] => %ProgramFiles% (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{46CD6534-BA66-42D4-94FC-EE9A5910E420}] => %ProgramFiles% (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe
FirewallRules: [{FD5239EF-7079-45C0-8070-9AE26A29160E}] => G:\Needful Things\Hearthstone-Setup-enUS.exe
FirewallRules: [{EA57DA4A-9939-4D18-835E-23203A0264F7}] => G:\Needful Things\Hearthstone-Setup-enUS.exe
FirewallRules: [{A31EFED0-4871-42BF-B90D-1C0E64893254}] => C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe
FirewallRules: [{DDE06BB6-CC0C-4D84-A839-20F4016EB459}] => C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe
FirewallRules: [{0DCE0E0E-FD2E-4435-81C7-E5D12EF2C630}] => G:\Games\StarCraft II\Versions\Base24944\SC2.exe
FirewallRules: [TCP Query User{55EA7BC1-0D4F-4990-B812-0D91FDA6AC9D}G:\games\call of duty black ops 2\t6sp.exe] => G:\games\call of duty black ops 2\t6sp.exe
FirewallRules: [UDP Query User{6DE5962B-D4DF-47A3-995E-C19CB0C9FDD5}G:\games\call of duty black ops 2\t6sp.exe] => G:\games\call of duty black ops 2\t6sp.exe
FirewallRules: [{7763C62F-B6EB-4E84-A4D4-F7C9AD9C740F}] => %USERPROFILE%\Desktop\mbar\mbar.exe
FirewallRules: [{4852B790-F206-4148-B4CD-2D35A81C4274}] => %USERPROFILE%\Desktop\mbar\mbar.exe
FirewallRules: [{A3C1B775-B2A1-4282-947A-A7DC3FABAF09}] => %USERPROFILE%\Desktop\mbar\mbamdor.exe
FirewallRules: [{09A7A9FC-29B8-41AB-B6E1-7258726FEEB0}] => %USERPROFILE%\Desktop\mbar\mbamdor.exe
FirewallRules: [TCP Query User{5FC6DA22-358D-4752-B4F7-DEE028ED2C92}C:\program files (x86)\games\farcry 3\bin\farcry3.exe] => C:\program files (x86)\games\farcry 3\bin\farcry3.exe
FirewallRules: [UDP Query User{2D0B7557-52C2-4DDD-9385-2EC493E57313}C:\program files (x86)\games\farcry 3\bin\farcry3.exe] => C:\program files (x86)\games\farcry 3\bin\farcry3.exe
FirewallRules: [TCP Query User{49F5A7DD-9328-4E81-8318-8CE80558BE2D}G:\games\dying light\dyinglightgame.exe] => G:\games\dying light\dyinglightgame.exe
FirewallRules: [UDP Query User{CD2C2BA9-6C9A-48BF-AC0C-C3C8D3965DDC}G:\games\dying light\dyinglightgame.exe] => G:\games\dying light\dyinglightgame.exe
FirewallRules: [TCP Query User{CEF16071-CF1C-4E96-B910-887AF09DF66C}G:\games\call of duty black ops 2\t6zm.exe] => G:\games\call of duty black ops 2\t6zm.exe
FirewallRules: [UDP Query User{FD414A49-255D-4D32-9011-FC80D3C5F100}G:\games\call of duty black ops 2\t6zm.exe] => G:\games\call of duty black ops 2\t6zm.exe
FirewallRules: [{6A731557-7B88-4A82-8CB0-C0B43C4BE6B8}] => G:\Games\Call of Duty Black Ops 2\t6sp.exe
FirewallRules: [{25F0E3D3-1683-4853-9F82-905B06587860}] => C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{3C759EA9-017B-4D9B-9929-E53F55DF3928}] => C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{88628CA2-3548-4299-A3DB-BEFA685AB868}] => G:\Needful Things\CreativeCloudSet-Up.exe
FirewallRules: [{380E378A-D595-4A65-9114-C71F33B91BE9}] => G:\Needful Things\CreativeCloudSet-Up.exe
FirewallRules: [{2E049E01-8950-44D3-BD0E-21820E5622D5}] => %ProgramFiles% (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
FirewallRules: [{3B73D895-CEAC-4D29-A5D0-692A63269CA9}] => %ProgramFiles% (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
FirewallRules: [{F4069482-624B-4DE4-ADE6-65E9EB2EA29A}] => %ProgramFiles% (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\Adobe Installer.exe
FirewallRules: [{B87DEDA3-0BCE-484D-A80A-BBC22547DBF3}] => %ProgramFiles% (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\Adobe Installer.exe
FirewallRules: [{AAA56D4E-D097-4D29-B586-109D8DA57B0F}] => %ProgramFiles% (x86)\Dacia Media Nav\Toolbox\toolbox.exe
FirewallRules: [{CDB65DA2-9FD4-4D22-AF7A-C6D695E19F99}] => %ProgramFiles% (x86)\Dacia Media Nav\Toolbox\toolbox.exe
FirewallRules: [TCP Query User{0488A768-3F77-4385-80D9-FD1342445016}G:\games\freespace\fs.exe] => G:\games\freespace\fs.exe
FirewallRules: [UDP Query User{D1D57B63-C8DE-4952-B756-84BA0E08A61A}G:\games\freespace\fs.exe] => G:\games\freespace\fs.exe
FirewallRules: [{51C2476B-52E3-44C8-A113-4806B0128519}] => %SystemDrive%\Users\Teng\Downloads\ageofconan-en.exe
FirewallRules: [{D9DEE0DC-2B71-4E11-94F2-697C3B728D01}] => %SystemDrive%\Users\Teng\Downloads\ageofconan-en.exe
FirewallRules: [TCP Query User{F39D0671-F160-469C-8816-05C3301BC706}H:\games\age of conan\conanpatcher.exe] => H:\games\age of conan\conanpatcher.exe
FirewallRules: [UDP Query User{5F556993-D1A7-47FD-9D8D-A4D9E9BFC868}H:\games\age of conan\conanpatcher.exe] => H:\games\age of conan\conanpatcher.exe
FirewallRules: [{43DF27E8-258D-4940-817E-BA9E2A105E2F}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{7E88C2FD-C213-45D5-A699-36E73042A979}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{56E77248-851C-4C91-96A4-BCED33B5B4D4}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{367E94B8-9E3D-45D2-A9A9-BE8C2634F091}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{8242B6EE-E727-49FF-87C1-ACC7079E06DF}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
FirewallRules: [{5FBA1AAF-5B24-47FC-A6FF-5E92D9DF30E8}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{B7C6205D-27A1-4E93-AC3E-2BE25ECD7697}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{FB6B8565-049C-41CC-89D6-8CE581EF4DFB}] => %ProgramFiles% (x86)\Winamp\winamp.exe
FirewallRules: [{39E2E4BF-4C8E-44E6-9FFC-E39CABE0D7BD}] => %ProgramFiles% (x86)\Winamp\winamp.exe
FirewallRules: [{11588CD1-B05A-4397-83A1-D8441F2DCCE6}] => C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe
FirewallRules: [{1C2F6B4B-F50D-481E-899F-EC4C5B792571}] => C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/04/2016 07:58:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 50.0.1.6171, time stamp: 0x58367404
Faulting module name: mozglue.dll, version: 50.0.1.6171, time stamp: 0x58366d59
Exception code: 0x80000003
Fault offset: 0x0000ed4b
Faulting process id: 0x38c
Faulting application start time: 0x01d24e5864893d50
Faulting application path: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Faulting module path: C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
Report Id: 9abc6a70-ba53-11e6-bb87-001d60863ea4

Error: (12/04/2016 07:58:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 50.0.1.6171, time stamp: 0x58367404
Faulting module name: mozglue.dll, version: 50.0.1.6171, time stamp: 0x58366d59
Exception code: 0x80000003
Fault offset: 0x0000ed4b
Faulting process id: 0x194
Faulting application start time: 0x01d24e15eed6a5d0
Faulting application path: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Faulting module path: C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
Report Id: 94bdfdf0-ba53-11e6-bb87-001d60863ea4

Error: (12/03/2016 10:19:58 PM) (Source: SideBySide) (EventID: 63) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (12/03/2016 06:21:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 50.0.1.6171, time stamp: 0x58367404
Faulting module name: mozglue.dll, version: 50.0.1.6171, time stamp: 0x58366d59
Exception code: 0x80000003
Fault offset: 0x0000ed4b
Faulting process id: 0xb70
Faulting application start time: 0x01d24d8905fd9990
Faulting application path: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Faulting module path: C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
Report Id: e7ff72a0-b97c-11e6-bb87-001d60863ea4

Error: (12/03/2016 06:15:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 50.0.0.6152, time stamp: 0x581d7ed2
Faulting module name: mozglue.dll, version: 50.0.0.6152, time stamp: 0x581d788d
Exception code: 0x80000003
Fault offset: 0x0000ed40
Faulting process id: 0x1b44
Faulting application start time: 0x01d24d87badcec50
Faulting application path: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Faulting module path: C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
Report Id: 0b593de0-b97c-11e6-bb87-001d60863ea4

Error: (11/27/2016 02:56:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: bc4

Start Time: 01d248200ef0c860

Termination Time: 225

Application Path: C:\Windows\Explorer.EXE

Report Id: 35c0f691-b4a9-11e6-bb87-001d60863ea4

Error: (11/14/2016 12:58:58 AM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Word: Rejected Safe Mode action : Word hat festgestellt, dass sie die STRG-Taste gedrückt halten. Möchten Sie Word im abgesicherten Modus starten?.
Rejected Safe Mode action : Microsoft Word.

Error: (11/05/2016 03:05:55 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (11/05/2016 03:05:55 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (11/04/2016 11:38:38 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 49.0.2.6136 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a88

Start Time: 01d236af6a8da490

Termination Time: 236

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 6a0e7d41-a2df-11e6-bf1e-001d60863ea4


System errors:
=============
Error: (12/10/2016 12:03:08 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (12/08/2016 07:43:37 PM) (Source: WMPNetworkSvc) (EventID: 14365) (User: )
Description: Proximity detection failed due to unknown error '0x80004004'.  The best proximity time detected was -1 milliseconds.

Error: (11/14/2016 11:36:11 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (11/05/2016 12:35:44 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.

Error: (11/04/2016 09:30:28 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (11/04/2016 09:30:02 PM) (Source: WMPNetworkSvc) (EventID: 14365) (User: )
Description: Proximity detection failed due to unknown error '0x80004004'.  The best proximity time detected was -1 milliseconds.

Error: (10/25/2016 09:33:34 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (10/23/2016 02:02:19 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (10/22/2016 11:48:51 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (10/22/2016 02:22:02 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
  Date: 2014-10-16 21:43:04.096
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-10-16 21:43:04.058
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.803
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\m\AppData\Local\Temp\EverestDriver.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.756
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\m\AppData\Local\Temp\EverestDriver.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.444
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\EVEREST Home Edition\kerneld.amd64 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.413
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\EVEREST Home Edition\kerneld.amd64 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Percentage of memory in use: 71%
Total physical RAM: 4094.49 MB
Available physical RAM: 1175.79 MB
Total Virtual: 16376.16 MB
Available Virtual: 12266.21 MB

==================== Drives ================================

Drive c: (Satan) (Fixed) (Total:97.56 GB) (Free:10.97 GB) NTFS
Drive d: (Old C) (Fixed) (Total:195.31 GB) (Free:41.47 GB) NTFS
Drive e: (Old D) (Fixed) (Total:195.31 GB) (Free:55.1 GB) NTFS
Drive f: (Old E) (Fixed) (Total:75.14 GB) (Free:23.73 GB) NTFS
Drive g: () (Fixed) (Total:292.97 GB) (Free:53.66 GB) NTFS
Drive h: () (Fixed) (Total:540.89 GB) (Free:110.23 GB) NTFS

==================== MBR & Partition Table ==================

==================== End of Addition.txt ============================

--- --- ---

--- --- ---

cosinus · 14.12.2016, 00:17

So wird das nix, wir brauchen Adminrechte. Du musst dem betroffenen Useraccount Adminrechte geben.

cmdr · 14.12.2016, 09:17

Ich logge mich gleich mit meinem Admin-Account ein und lass das Programm nochmal durchlaufen...

cosinus · 14.12.2016, 09:29

Gib dem betroffenen Account Adminrechte. Das ist etwas anderes als wenn das mit einem anderen Konto machst.

cmdr · 14.12.2016, 11:54

so?

FRST Logfile:

FRST Logfile:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by m (administrator) on SATAN (14-12-2016 11:51:24)
Running from G:\Needful Things\Trojaner Board
Loaded Profiles: m & Teng (Available Profiles: m & Teng)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(DT Soft Ltd) C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
() C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
(Gemalto N.V.) C:\Users\Teng\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe
(www.bid-o-matic.org) C:\Program Files (x86)\Biet-O-Matic\Biet-O-Matic.exe
(Apple Computer, Inc.) C:\Program Files (x86)\QuickTime\qttask.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\SCSI Host\scsihost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winamp.exe
(Malwarebytes) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2397120 2016-10-01] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [BrMfcWnd] => C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [77824 2014-03-22] (Apple Computer, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM-x32\...\Run: [SCSI Host] => C:\Program Files (x86)\SCSI Host\scsihost.exe [1521664 2016-04-18] ()
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-14] (Microsoft Corporation)
HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\m\AppData\Local\Temp\IXP000.TMP\" <===== ATTENTION
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [Rainlendar2] => C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe [4411488 2014-03-16] ()
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8204056 2015-04-23] (Piriform Ltd)
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [StartOn arrangeQueue->Count()Wizard] => 1
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [StartOn cs->itemsWizard] => My Documents
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [H:\Musik\Selbermachen] => [X]
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [] => [X]
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Run: [StartOn With Windows] => C:\Users\m\AppData\Local\Temp\TranscendElite\TranscendElite.exe [8847872 2014-08-13] (Transcned Information Inc.) <===== ATTENTION
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\RunOnce: [DeleteMarkAny] => C:\Windows\SysWOW64\MASetupCleaner.exe [24576 2013-05-22] ((주)마크애니)
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[C0].txt
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [4910912 2011-08-02] (DT Soft Ltd)
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [Steam] => "C:\Program Files (x86)\Steam\Steam.exe" -silent
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [Rainlendar2] => C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe [4411488 2014-03-16] ()
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [SanDiskSecureAccess_Manager.exe] => C:\Users\Teng\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe [27311232 2011-06-29] (Gemalto N.V.)
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [koxgzz.exe] => \koxgzz.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Run: [Mark.of.the.Ninja.Special.Edition-SKIDROW.exe] => Mark.of.the.Ninja.Special.Edition-SKIDROW.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: K - K:\LaunchU3.exe -a
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: {0bc57b94-ddb3-11e2-8036-001d60863ea4} - N:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: {28d2cd41-447c-11e3-a4f4-001d60863ea4} - J:\autorun.exe
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\MountPoints2: {b9d494f1-5692-11e1-be88-001d60863ea4} - L:\LaunchU3.exe -a
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Biet-O-Matic.lnk [2011-10-28]
ShortcutTarget: Biet-O-Matic.lnk -> C:\Program Files (x86)\Biet-O-Matic\Biet-O-Matic.exe (www.bid-o-matic.org)
Startup: C:\Users\m\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameStop Now.lnk [2013-10-26]
ShortcutTarget: GameStop Now.lnk -> C:\Program Files (x86)\GameStop\Now\GameStopNow.exe (No File)
BootExecute: autocheck autochk * OODBS

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.2
Tcpip\..\Interfaces\{1D1813E2-57DB-459F-9DBE-2087AB259659}: [NameServer] 69.164.196.21,5.134.115.112
Tcpip\..\Interfaces\{1D1813E2-57DB-459F-9DBE-2087AB259659}: [DhcpNameServer] 192.168.0.1 192.168.0.2
Tcpip\..\Interfaces\{7B365E17-81AA-4E61-BE18-136661F4713A}: [DhcpNameServer] 192.168.42.129

Internet Explorer:
==================
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-896307261-3574068607-3140626432-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll [2014-10-22] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-10-22] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-10-22] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-10-22] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-08-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-08-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-08-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-08-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default [2015-05-24]
FF Extension: (Adblock Plus Pop-up Addon) - C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\Extensions\adblockpopups@jessehakanen.net.xpi [2013-01-14] [not signed]
FF Extension: (Element Hiding Helper for Adblock Plus) - C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\Extensions\elemhidehelper@adblockplus.org.xpi [2013-01-14] [not signed]
FF Extension: (LittleFox) - C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\Extensions\{29852C08-1E91-4889-A6BF-C77F91D6A8F3}.xpi [2013-01-14] [not signed]
FF Extension: (Flashblock) - C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi [2011-10-23] [not signed]
FF Extension: (Adblock Plus) - C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-01-14] [not signed]
FF Extension: (Tab Mix Plus) - C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2013-01-14] [not signed]
FF SearchPlugin: C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\searchplugins\darklyrics.xml [2012-10-21]
FF SearchPlugin: C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\searchplugins\encyclopaedia-metallum---google.xml [2012-10-21]
FF SearchPlugin: C:\Users\m\AppData\Roaming\Mozilla\Firefox\Profiles\njp5z7ep.default\searchplugins\youtube.xml [2012-10-21]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_250.dll [2014-10-22] ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-10-22] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-10-22] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_250.dll [2014-10-22] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-08-26] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-10-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-10-22] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-10-01] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-10-01] (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244392 2015-04-10] (Foxit Software Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163712 2016-10-01] (NVIDIA Corporation)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-10-01] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3632576 2016-10-01] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2521024 2016-10-01] (NVIDIA Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2011-10-26] (DT Soft Ltd)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-10-01] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56376 2016-10-01] (NVIDIA Corporation)
S3 PRESONUS_AUDIOBOX_USB; C:\Windows\System32\Drivers\psabusbu.sys [462968 2009-12-04] (Ploytec GmbH)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz135; \??\C:\Program Files (x86)\CPUID\PC Wizard 2012\pcwiz_x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-13 20:15 - 2016-12-13 20:15 - 00000000 ____D C:\New folder
2016-12-12 23:21 - 2016-12-12 23:21 - 00001136 _____ C:\Users\Teng\Desktop\PC Konfiguration.txt
2016-12-12 22:34 - 2016-12-12 22:34 - 00000000 ____D C:\566551856fee234bbde9c7606c559e
2016-12-06 20:48 - 2016-12-06 20:48 - 00000000 ____D C:\Users\Teng\AppData\LocalLow\Knuckle Cracker
2016-12-06 20:46 - 2016-12-06 20:48 - 00000000 ____D C:\Users\m\AppData\Roaming\ParticleFleet
2016-12-06 20:30 - 2016-12-06 20:30 - 00000000 ____D C:\Users\Teng\AppData\Roaming\CreeperWorld3
2016-11-23 10:28 - 2016-12-04 18:56 - 00000000 ____D C:\Users\Teng\AppData\Roaming\Audacity
2016-11-23 10:28 - 2016-11-23 10:28 - 00001024 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2016-11-23 10:28 - 2016-11-23 10:28 - 00001012 _____ C:\Users\Public\Desktop\Audacity.lnk
2016-11-23 10:28 - 2016-11-23 10:28 - 00000000 ____D C:\Users\Teng\AppData\Local\Audacity
2016-11-23 10:28 - 2016-11-23 10:28 - 00000000 ____D C:\Program Files (x86)\Audacity
2016-11-21 10:50 - 2016-11-21 10:50 - 00059403 _____ C:\Users\Teng\Desktop\Tickets Killerz 3.pdf
2016-11-18 18:57 - 2016-12-12 22:22 - 00000000 ____D C:\Users\Teng\AppData\LocalLow\Mozilla
2016-11-18 14:26 - 2016-12-14 10:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-14 11:51 - 2014-10-16 12:28 - 00000000 ____D C:\FRST
2016-12-14 11:51 - 2011-10-28 10:43 - 00000000 ____D C:\Program Files (x86)\Biet-O-Matic
2016-12-13 20:15 - 2012-04-25 20:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-12 22:38 - 2009-07-14 05:45 - 00014752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-12 22:38 - 2009-07-14 05:45 - 00014752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-12 22:16 - 2009-07-14 06:13 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-12 22:16 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-12-12 22:10 - 2016-10-12 14:48 - 00000000 ____D C:\ProgramData\NVIDIA
2016-12-12 22:10 - 2011-10-26 17:54 - 00000000 ____D C:\Users\Teng\.rainlendar2
2016-12-12 22:10 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-12 12:05 - 2014-09-12 01:28 - 00000000 ____D C:\Users\Teng\AppData\Roaming\F21A5342-74C1-4E8D-BAC3-006C36D75143
2016-12-12 11:32 - 2011-10-27 23:11 - 00000000 ____D C:\Users\Teng\AppData\Roaming\vlc
2016-12-08 22:10 - 2012-02-08 00:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KnuckleCracker
2016-12-04 19:58 - 2015-05-15 15:31 - 00000000 ____D C:\Users\Teng\AppData\Local\CrashDumps
2016-12-04 19:47 - 2011-10-28 15:59 - 00000000 ____D C:\Users\Teng\AppData\Roaming\FileZilla

==================== Files in the root of some directories =======

2015-08-04 16:58 - 2015-08-04 16:58 - 0000098 _____ () C:\Users\m\AppData\Roaming\SDC_Path_Meihua2_U.ini

Files to move or delete:
====================
C:\Users\m\AppData\Local\Temp\TranscendElite\TranscendElite.exe


Some files in TEMP:
====================
C:\Users\m\AppData\Local\temp\libeay32.dll
C:\Users\m\AppData\Local\temp\msvcr120.dll
C:\Users\m\AppData\Local\temp\nvSCPAPI64.dll
C:\Users\m\AppData\Local\temp\nvStInst.exe
C:\Users\m\AppData\Local\temp\sqlite3.dll
C:\Users\m\AppData\Local\temp\Uninstall.exe
C:\Users\m\AppData\Local\temp\_isF203.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-04 00:45

==================== End of FRST.txt ============================

--- --- ---

--- --- ---

[CODE]Additional
FRST Logfile:

FRST Logfile:

Code:

ATTFilter

scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by m (14-12-2016 11:52:30)
Running from G:\Needful Things\Trojaner Board
Windows 7 Professional Service Pack 1 (X64) (2011-10-23 17:17:32)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-896307261-3574068607-3140626432-500 - Administrator - Disabled)
Guest (S-1-5-21-896307261-3574068607-3140626432-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-896307261-3574068607-3140626432-1002 - Limited - Enabled)
m (S-1-5-21-896307261-3574068607-3140626432-1001 - Administrator - Enabled) => C:\Users\m
Teng (S-1-5-21-896307261-3574068607-3140626432-1004 - Limited - Enabled) => C:\Users\Teng

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.2.8870 - Adobe Systems Inc.)
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 13 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 13.0.0.250 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Amnesia: A Machine for Pigs (HKLM-x32\...\Amnesia: A Machine for Pigs_is1) (Version:  - )
Ansel (Version: 373.06 - NVIDIA Corporation) Hidden
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.10 - Michael Tippach)
Audacity 2.1.2 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.2 - Audacity Team)
Auslogics DiskDefrag (HKLM-x32\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 5.4.0.0 - Auslogics Labs Pty Ltd)
Avidemux 2.5 (HKLM-x32\...\Avidemux 2.5 (64-bit)) (Version: 2.5.6.7716 - )
Biet-O-Matic v2.14.8 (HKLM-x32\...\Biet-O-Matic v2.14.8) (Version: 2.14.8 - BOM Development Team)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Broken Sword 2.5 (HKLM-x32\...\Broken Sword 2.5_is1) (Version:  - mindFactory)
Bullzip PDF Printer 7.2.0.1304 (HKLM\...\Bullzip PDF Printer_is1) (Version: 7.2.0.1304 - Bullzip)
calibre (HKLM-x32\...\{D47B7229-AC24-4D79-96AB-880649FFC892}) (Version: 2.19.0 - Kovid Goyal)
Canon iP2700 series Printer Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2700_series) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.05 - Piriform)
CDisplay 1.8 (HKLM-x32\...\CDisplay_is1) (Version:  - dvd8n)
Command & Conquer Generals (HKLM-x32\...\InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}) (Version: 0.50.0000 - Electronic Arts)
Command & Conquer Generals (x32 Version: 0.50.0000 - Electronic Arts) Hidden
Creeper World (HKLM-x32\...\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1) (Version: 0182 - UNKNOWN)
Creeper World (x32 Version: 0182 - UNKNOWN) Hidden
Creeper World 2 (HKLM-x32\...\CreeperWorld2.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1) (Version: 3.63.0 - UNKNOWN)
Creeper World 2 (x32 Version: 3.63.0 - UNKNOWN) Hidden
Dacia Media Nav Toolbox (HKLM-x32\...\Dacia Media Nav Toolbox) (Version: 3.18.4.502485 - NNG Llc.)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.41.3.0173 - DT Soft Ltd)
Desura (HKLM-x32\...\Desura) (Version: 100.53 - Desura)
Dungeon Keeper 2 (HKLM-x32\...\GOGPACKDUNGEONKEEPER2_is1) (Version: 2.0.0.32 - GOG.com)
Dying Light (HKLM-x32\...\RHlpbmdMaWdodA==_is1) (Version: 1 - )
ElsterFormular (HKLM-x32\...\ElsterFormular) (Version: 16.2.24.20150630 - Landesfinanzdirektion Thüringen)
Fallout 4 (HKLM-x32\...\Fallout 4_is1) (Version:  - )
FileZilla Client 3.22.2.2 (HKLM-x32\...\FileZilla Client) (Version: 3.22.2.2 - Tim Kosse)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 3.3.76.410 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.1.5.425 - Foxit Software Inc.)
Free Audio Converter version 5.0.61.805 (HKLM-x32\...\Free Audio Converter_is1) (Version: 5.0.61.805 - DVDVideoSoft Ltd.)
Freespace (HKLM-x32\...\GOGPACKFREESPACE_is1) (Version: 2.0.0.7 - GOG.com)
GOG.com Dungeon Keeper 2 (HKLM\...\{b6462b67-caf5-4a74-99df-cc2811bd1957}.sdb) (Version:  - )
GOG.com Freespace (HKLM\...\{cade436f-07c5-47f2-b1f3-10be3bd121da}.sdb) (Version:  - )
GPL Ghostscript Lite 9.04 (HKLM-x32\...\GPL Ghostscript Lite_is1) (Version:  - )
Guitar Pro 5.0 (HKLM-x32\...\Guitar Pro 5_is1) (Version:  - Arobas Music)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.7.0 - LIGHTNING UK!)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.30 - Irfan Skiljan)
Java 8 Update 25 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418025F0}) (Version: 8.0.250 - Oracle Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java(TM) 6 Update 29 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.290 - Oracle)
Java(TM) 7 Update 2 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217002FF}) (Version: 7.0.20 - Oracle)
Last.fm Scrobbler 2.1.37 (HKLM-x32\...\LastFM_is1) (Version:  - Last.fm)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30320 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}) (Version: 1.2.0241 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{e6e75766-da0f-4ba2-9788-6ea593ce702d}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 12.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 12.0 (x86 en-US)) (Version: 12.0 - Mozilla)
Mozilla Firefox 50.0.2 (x86 en-US) (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Mozilla Firefox 50.0.2 (x86 en-US)) (Version: 50.0.2 - Mozilla)
Naviextras Toolbox Prerequesities (HKLM-x32\...\{537575D6-3B96-474C-BD8F-DFF667363DBD}) (Version: 1.0.0 - NNG Llc.)
NVIDIA 3D Vision Controller Driver 369.04 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 369.04 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 373.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 373.06 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.11.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.11.4.0 - NVIDIA Corporation)
NVIDIA Graphics Driver 373.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 373.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.15 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.15 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
One Unit Whole Blood (HKLM-x32\...\One Unit Whole Blood_is1) (Version:  - GOG.com)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Pathway Professional - Film Analysis (HKLM-x32\...\{9AA9F79E-3EFA-415F-99E9-E18529A0AFF4}) (Version: 31897 - Bildungshaus Schulbuchverlage Westermann Schroedel Diesterweg Schöningh Winklers GmbH)
PDFTK Builder 3.5.3 (HKLM-x32\...\PDFTK Builder_is1) (Version:  - )
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Phase 5 HTML-Editor (HKLM-x32\...\{20B1B020-DEAE-48D1-9960-D4C3185D758B}) (Version: 5.6.2.3 - Systemberatung Schommer)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.140.248 - Google, Inc.)
Pidgin (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Pidgin) (Version: 2.10.1 - )
QuickTime (HKLM-x32\...\QuickTime) (Version:  - )
Rainlendar2 (remove only) (HKLM-x32\...\Rainlendar2) (Version:  - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6482 - Realtek Semiconductor Corp.)
RemoteControl for Winamp (HKLM-x32\...\RemoteControl for Winamp1.00) (Version: 1.00 - Martin Schlodinski)
SABnzbd 0.7.14 (HKLM-x32\...\SABnzbd) (Version: 0.7.14 - The SABnzbd Team)
SanDiskSecureAccess_Manager.exe (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\@@__UNKNOWN__@@SanDiskSecureAccess_Manager.exe) (Version: 1.1.19269 - Gemalto N.V.)
Scrolls (HKLM-x32\...\{F7F74F7F-C458-4B7C-A6F4-80A28ED7AF0B}) (Version: 1.0.2.0 - Mojang)
SHIELD Streaming (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.11.4.0 - NVIDIA Corporation) Hidden
Sins of a Solar Empire Rebellion (c) Stardock version 1 (HKLM-x32\...\Sins of a Solar Empire Rebellion (c) Stardock_is1) (Version: 1 - )
Smart Organizing Monitor (HKLM-x32\...\{AD66DDE3-33AC-4F26-9EC6-A37454423C4F}) (Version: 1.00.0000 - RICOH)
Stronghold HD (HKLM-x32\...\GOGPACKSTRONGHOLDHD_is1) (Version: 2.0.0.3 - GOG.com)
Ulead GIF Animator Lite Edition 1.0 (HKLM-x32\...\Ulead GIF Animator Lite Edition 1.0) (Version:  - )
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
Winamp (HKLM-x32\...\Winamp) (Version: 5.623  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Z (HKLM-x32\...\1207664893_is1) (Version: 2.3.0.8 - GOG.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {28151D7F-F331-4209-B8CD-F0866F8928C1} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-04-23] (Piriform Ltd)
Task: {DEBF029E-3A7A-43C3-BC67-7B8FB42CC746} - System32\Tasks\Update\google update => Chrome.exe  <==== ATTENTION
Task: {DFD78365-BD49-477E-B34A-D2ACA5DBABAD} - System32\Tasks\Update\WindowsFirewall => C:\Users\Teng\AppData\Roaming\svchost.exe <==== ATTENTION
Task: {EB618EAC-7362-4F9D-B82A-7370E1F7B091} - System32\Tasks\{A55CD8E2-97A0-4CC2-9A98-11314F53CD26} => pcalua.exe -a "C:\Users\m\Desktop\Needful Things\vcredist_x86.exe" -d "C:\Program Files (x86)\Mozilla Firefox"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-10-12 14:48 - 2016-10-01 20:44 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 00367552 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\MessageBus.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 01147328 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\libprotobuf.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 03611584 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Poco.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 00288192 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamBase.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 01988544 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvPortForwardPlugin.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 02665920 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvMdnsPlugin.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 01840576 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\RtspPlugin.dll
2016-10-12 14:50 - 2016-10-01 22:15 - 00207296 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\RtspServer.dll
2016-10-12 14:49 - 2016-10-01 22:15 - 00034240 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_system-vc120-mt-1_58.dll
2016-10-12 14:49 - 2016-10-01 22:15 - 00920000 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_regex-vc120-mt-1_58.dll
2010-01-30 01:40 - 2010-01-30 01:40 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2016-11-01 19:10 - 2016-11-01 19:10 - 00052400 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2014-03-16 18:42 - 2014-03-16 18:42 - 04411488 _____ () C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
2012-05-16 20:12 - 2012-05-16 20:12 - 00179200 _____ () C:\Program Files (x86)\Rainlendar2\lua52.dll
2014-03-14 11:24 - 2014-03-14 11:24 - 00324608 _____ () C:\Program Files (x86)\Rainlendar2\libical.dll
2014-03-16 18:42 - 2014-03-16 18:42 - 00082528 _____ () C:\Program Files (x86)\Rainlendar2\plugins\iCalendarPlugin.dll
2014-03-14 11:24 - 2014-03-14 11:24 - 00080384 _____ () C:\Program Files (x86)\Rainlendar2\libicalss.dll
2014-03-16 18:44 - 2014-03-16 18:44 - 00346208 _____ () C:\Program Files (x86)\Rainlendar2\plugins\GoogleCalendarPlugin.dll
2012-06-17 14:21 - 2012-06-17 14:21 - 00015360 _____ () C:\Program Files (x86)\Rainlendar2\lfs.dll
2016-05-03 00:21 - 2016-04-18 12:16 - 01521664 _____ () C:\Program Files (x86)\SCSI Host\scsihost.exe
2016-10-12 14:49 - 2016-10-01 22:15 - 00018880 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2011-06-29 09:54 - 2011-06-29 09:56 - 11483264 _____ () C:\Users\Teng\AppData\Roaming\SanDisk\My Vaults\dmBackup.dll
2010-01-30 01:41 - 2010-01-30 01:41 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2011-12-09 18:23 - 2012-04-27 14:10 - 00417280 _____ () C:\Program Files (x86)\Winamp\nsutil.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00078848 _____ () C:\Program Files (x86)\Winamp\nde.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00023040 _____ () C:\Program Files (x86)\Winamp\System\albumart.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00019456 _____ () C:\Program Files (x86)\Winamp\System\bmp.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00047616 _____ () C:\Program Files (x86)\Winamp\zlib.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00016896 _____ () C:\Program Files (x86)\Winamp\System\dlmgr.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00019456 _____ () C:\Program Files (x86)\Winamp\System\gif.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00016384 _____ () C:\Program Files (x86)\Winamp\System\gracenote.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00623616 _____ () C:\Program Files (x86)\Winamp\System\jnetlib.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00154624 _____ () C:\Program Files (x86)\Winamp\System\jpeg.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00084480 _____ () C:\Program Files (x86)\Winamp\System\playlist.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00103936 _____ () C:\Program Files (x86)\Winamp\System\png.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00013824 _____ () C:\Program Files (x86)\Winamp\System\primo.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00021504 _____ () C:\Program Files (x86)\Winamp\System\tagz.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00090112 _____ () C:\Program Files (x86)\Winamp\System\xml.w5s
2011-12-09 18:23 - 2012-04-27 14:10 - 00068608 _____ () C:\Program Files (x86)\Winamp\Plugins\in_avi.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00102400 _____ () C:\Program Files (x86)\Winamp\Plugins\in_cdda.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00072192 _____ () C:\Program Files (x86)\Winamp\Plugins\in_dshow.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00061440 _____ () C:\Program Files (x86)\Winamp\Plugins\in_flac.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00043008 _____ () C:\Program Files (x86)\Winamp\Plugins\in_flv.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00109568 _____ () C:\Program Files (x86)\Winamp\Plugins\in_midi.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00049152 _____ () C:\Program Files (x86)\Winamp\Plugins\in_mkv.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00165376 _____ () C:\Program Files (x86)\Winamp\Plugins\in_mod.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00290304 _____ () C:\Program Files (x86)\Winamp\Plugins\in_mp3.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00052736 _____ () C:\Program Files (x86)\Winamp\Plugins\in_mp4.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00075264 _____ () C:\Program Files (x86)\Winamp\Plugins\in_nsv.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00023552 _____ () C:\Program Files (x86)\Winamp\Plugins\in_swf.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00253440 _____ () C:\Program Files (x86)\Winamp\Plugins\in_vorbis.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00016896 _____ () C:\Program Files (x86)\Winamp\Plugins\in_wave.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00253440 _____ () C:\Program Files (x86)\Winamp\libsndfile.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00313344 _____ () C:\Program Files (x86)\Winamp\Plugins\in_wm.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00022528 _____ () C:\Program Files (x86)\Winamp\Plugins\out_disk.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00052224 _____ () C:\Program Files (x86)\Winamp\Plugins\out_ds.dll
2011-12-09 18:23 - 2012-04-27 14:10 - 00018432 _____ () C:\Program Files (x86)\Winamp\Plugins\out_wave.dll
2016-11-01 19:10 - 2016-11-01 19:10 - 00048304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [494]
AlternateDataStreams: C:\Users\Public\Desktop\Amnesia: A Machine for Pigs.lnk [1458]
AlternateDataStreams: C:\Users\Teng\Cookies:X7IeMuZWMtAtWneF5qqjxy4jMIO6Z [2364]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-896307261-3574068607-3140626432-1001\...\line6.net -> line6.net
IE trusted site: HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\microsoft.com -> hxxps://update.microsoft.com
IE trusted site: HKU\S-1-5-21-896307261-3574068607-3140626432-1004\...\microsoft.com -> hxxp://update.microsoft.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-10-16 20:43 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-896307261-3574068607-3140626432-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\m\AppData\Roaming\Mozilla\Firefox\Desktop-Hintergrund.bmp
HKU\S-1-5-21-896307261-3574068607-3140626432-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Teng\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 69.164.196.21 - 5.134.115.112
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Users^m^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk => C:\Windows\pss\OpenOffice.org 3.3.lnk.Startup
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: DAEMON Tools Lite => "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
MSCONFIG\startupreg: NeroFilterCheck => C:\Windows\system32\NeroCheck.exe
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\Steam.exe" -silent

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{D818B8A3-C591-408D-97DD-FCFE031ED0AF}] => %ProgramFiles% (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F9965F4C-7EEF-489F-AA2F-3462F02CF282}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{18519143-8B84-444A-8413-4D03E2337838}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{C97F3F47-31DD-4D5D-B94B-9E32E841B225}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{5EC81B49-7716-4536-A6E9-257972400C4C}] => C:\Program Files (x86)\Last.fm\LastFM.exe
FirewallRules: [{D802A2B1-4140-4B87-BA4C-5E7E18F949D1}] => %ProgramFiles% (x86)\Last.fm\LastFM.exe
FirewallRules: [{F336331D-32B8-4C1E-BE2E-56E427457430}] => %ProgramFiles% (x86)\Rainlendar2\Rainlendar2.exe
FirewallRules: [{902F5112-8525-404C-AFEE-72E0285218C2}] => %ProgramFiles% (x86)\SABnzbd\SABnzbd.exe
FirewallRules: [{7E030C8B-B048-4B9E-B7B1-3DF466C2B546}] => %ProgramFiles% (x86)\Biet-O-Matic\Biet-O-Matic.exe
FirewallRules: [{C2B1EE59-B6EA-4333-9256-8EC7DFE92C69}] => %ProgramFiles% (x86)\Biet-O-Matic\BOMUpdate.exe
FirewallRules: [{1D8B1F05-475E-4EFE-BA92-99D42CE238F0}] => %ProgramFiles% (x86)\Biet-O-Matic\BOM Logging Config Tool.exe
FirewallRules: [TCP Query User{42E16501-95EE-40C3-A415-7598C2CAA9A7}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [UDP Query User{536C437E-A628-4805-920E-55BCED5ED45B}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [{1464E782-28E2-48E0-A707-D9ABDA655C06}] => %ProgramFiles% (x86)\FileZilla FTP Client\filezilla.exe
FirewallRules: [{CA3A851B-6575-4719-867D-5FEEE905CA00}] => %ProgramFiles% (x86)\Biet-O-Matic\Biet-O-Matic.exe
FirewallRules: [{DE3BDCCB-9CAF-4877-B7E3-C48904A69B8F}] => %ProgramFiles% (x86)\Biet-O-Matic\BOM Logging Config Tool.exe
FirewallRules: [{78857152-4C79-4CDA-8F4E-00853F56ACFF}] => %ProgramFiles% (x86)\Biet-O-Matic\BOMUpdate.exe
FirewallRules: [{6EC31C6D-D7D8-46D0-BDB9-3A40D627D65F}] => %ProgramFiles% (x86)\Winamp\winamp.exe
FirewallRules: [{3DD30B62-D3B2-4EAB-A08F-D944348A8162}] => %ProgramFiles% (x86)\ImgBurn\ImgBurn.exe
FirewallRules: [{6D2C788A-4B01-4871-B090-02A4985A1AF2}] => %ProgramFiles% (x86)\YouTube Download\FreeYouTubeDownload.exe
FirewallRules: [{DF665DB2-E823-4F06-8E75-05D9546D6DE7}] => G:\Needful Things\Mediathek\Starten_Windows.exe
FirewallRules: [{D80925EB-D229-4BD3-87D4-15C983996C6F}] => G:\Needful Things\Mediathek\Starten_Windows.exe
FirewallRules: [{8208ADE5-F3CB-410E-A785-8D58822D9158}] => %ProgramFiles% (x86)\Desura\desura.exe
FirewallRules: [{52D7F7C6-734C-4A2A-88E9-647D44B529DF}] => %ProgramFiles% (x86)\Desura\desura.exe
FirewallRules: [{965346D4-725E-44B1-A544-C90E53A15BEA}] => G:\Needful Things\jxpiinstall.exe
FirewallRules: [{BE204C14-F2F0-4BA7-9D59-5F8DF3E5F771}] => %SystemDrive%\Users\Teng\AppData\Roaming\Microsoft\Windows\Pidgin\pidgin.exe
FirewallRules: [{255A9E4E-7A1F-4A57-84B9-02806A08ADA4}] => %SystemDrive%\Users\Teng\AppData\Roaming\Microsoft\Windows\Pidgin\pidgin.exe
FirewallRules: [TCP Query User{A86C2083-EA78-4487-BCAE-83E3A9512E74}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [UDP Query User{68DCB21D-40B2-4003-95CA-5236D2F0B6BC}H:\games\dead island\deadislandgame.exe] => H:\games\dead island\deadislandgame.exe
FirewallRules: [{E589C869-FFF5-45C7-A1A7-BEA808AB9FDD}] => C:\ProgramData\Battle.net\Agent\Agent.524\Agent.exe
FirewallRules: [{1C7D2188-1B52-4837-ACC7-1F1F97927967}] => C:\ProgramData\Battle.net\Agent\Agent.524\Agent.exe
FirewallRules: [{DAB60054-3165-4F35-9C84-3AA1D837EB14}] => C:\Program Files (x86)\Sins of a Solar Empire\Sins of a Solar Empire.exe
FirewallRules: [{44D8A06E-670D-46A9-9B6D-374199FD3DD4}] => C:\Program Files (x86)\Sins of a Solar Empire\Sins of a Solar Empire.exe
FirewallRules: [TCP Query User{9189F5A1-B40E-40B9-BD78-94CDC23FA4BF}C:\program files (x86)\java\jre7\bin\javaw.exe] => C:\program files (x86)\java\jre7\bin\javaw.exe
FirewallRules: [UDP Query User{3320C074-19E9-4205-8893-9243649887D8}C:\program files (x86)\java\jre7\bin\javaw.exe] => C:\program files (x86)\java\jre7\bin\javaw.exe
FirewallRules: [{8F9209E9-1ABE-4AF8-9FD6-5A9AC56FB396}] => %ProgramFiles% (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{46CD6534-BA66-42D4-94FC-EE9A5910E420}] => %ProgramFiles% (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe
FirewallRules: [{FD5239EF-7079-45C0-8070-9AE26A29160E}] => G:\Needful Things\Hearthstone-Setup-enUS.exe
FirewallRules: [{EA57DA4A-9939-4D18-835E-23203A0264F7}] => G:\Needful Things\Hearthstone-Setup-enUS.exe
FirewallRules: [{A31EFED0-4871-42BF-B90D-1C0E64893254}] => C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe
FirewallRules: [{DDE06BB6-CC0C-4D84-A839-20F4016EB459}] => C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe
FirewallRules: [{0DCE0E0E-FD2E-4435-81C7-E5D12EF2C630}] => G:\Games\StarCraft II\Versions\Base24944\SC2.exe
FirewallRules: [TCP Query User{55EA7BC1-0D4F-4990-B812-0D91FDA6AC9D}G:\games\call of duty black ops 2\t6sp.exe] => G:\games\call of duty black ops 2\t6sp.exe
FirewallRules: [UDP Query User{6DE5962B-D4DF-47A3-995E-C19CB0C9FDD5}G:\games\call of duty black ops 2\t6sp.exe] => G:\games\call of duty black ops 2\t6sp.exe
FirewallRules: [{7763C62F-B6EB-4E84-A4D4-F7C9AD9C740F}] => %USERPROFILE%\Desktop\mbar\mbar.exe
FirewallRules: [{4852B790-F206-4148-B4CD-2D35A81C4274}] => %USERPROFILE%\Desktop\mbar\mbar.exe
FirewallRules: [{A3C1B775-B2A1-4282-947A-A7DC3FABAF09}] => %USERPROFILE%\Desktop\mbar\mbamdor.exe
FirewallRules: [{09A7A9FC-29B8-41AB-B6E1-7258726FEEB0}] => %USERPROFILE%\Desktop\mbar\mbamdor.exe
FirewallRules: [TCP Query User{5FC6DA22-358D-4752-B4F7-DEE028ED2C92}C:\program files (x86)\games\farcry 3\bin\farcry3.exe] => C:\program files (x86)\games\farcry 3\bin\farcry3.exe
FirewallRules: [UDP Query User{2D0B7557-52C2-4DDD-9385-2EC493E57313}C:\program files (x86)\games\farcry 3\bin\farcry3.exe] => C:\program files (x86)\games\farcry 3\bin\farcry3.exe
FirewallRules: [TCP Query User{49F5A7DD-9328-4E81-8318-8CE80558BE2D}G:\games\dying light\dyinglightgame.exe] => G:\games\dying light\dyinglightgame.exe
FirewallRules: [UDP Query User{CD2C2BA9-6C9A-48BF-AC0C-C3C8D3965DDC}G:\games\dying light\dyinglightgame.exe] => G:\games\dying light\dyinglightgame.exe
FirewallRules: [TCP Query User{CEF16071-CF1C-4E96-B910-887AF09DF66C}G:\games\call of duty black ops 2\t6zm.exe] => G:\games\call of duty black ops 2\t6zm.exe
FirewallRules: [UDP Query User{FD414A49-255D-4D32-9011-FC80D3C5F100}G:\games\call of duty black ops 2\t6zm.exe] => G:\games\call of duty black ops 2\t6zm.exe
FirewallRules: [{6A731557-7B88-4A82-8CB0-C0B43C4BE6B8}] => G:\Games\Call of Duty Black Ops 2\t6sp.exe
FirewallRules: [{25F0E3D3-1683-4853-9F82-905B06587860}] => C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{3C759EA9-017B-4D9B-9929-E53F55DF3928}] => C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{88628CA2-3548-4299-A3DB-BEFA685AB868}] => G:\Needful Things\CreativeCloudSet-Up.exe
FirewallRules: [{380E378A-D595-4A65-9114-C71F33B91BE9}] => G:\Needful Things\CreativeCloudSet-Up.exe
FirewallRules: [{2E049E01-8950-44D3-BD0E-21820E5622D5}] => %ProgramFiles% (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
FirewallRules: [{3B73D895-CEAC-4D29-A5D0-692A63269CA9}] => %ProgramFiles% (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
FirewallRules: [{F4069482-624B-4DE4-ADE6-65E9EB2EA29A}] => %ProgramFiles% (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\Adobe Installer.exe
FirewallRules: [{B87DEDA3-0BCE-484D-A80A-BBC22547DBF3}] => %ProgramFiles% (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\Adobe Installer.exe
FirewallRules: [{AAA56D4E-D097-4D29-B586-109D8DA57B0F}] => %ProgramFiles% (x86)\Dacia Media Nav\Toolbox\toolbox.exe
FirewallRules: [{CDB65DA2-9FD4-4D22-AF7A-C6D695E19F99}] => %ProgramFiles% (x86)\Dacia Media Nav\Toolbox\toolbox.exe
FirewallRules: [TCP Query User{0488A768-3F77-4385-80D9-FD1342445016}G:\games\freespace\fs.exe] => G:\games\freespace\fs.exe
FirewallRules: [UDP Query User{D1D57B63-C8DE-4952-B756-84BA0E08A61A}G:\games\freespace\fs.exe] => G:\games\freespace\fs.exe
FirewallRules: [{51C2476B-52E3-44C8-A113-4806B0128519}] => %SystemDrive%\Users\Teng\Downloads\ageofconan-en.exe
FirewallRules: [{D9DEE0DC-2B71-4E11-94F2-697C3B728D01}] => %SystemDrive%\Users\Teng\Downloads\ageofconan-en.exe
FirewallRules: [TCP Query User{F39D0671-F160-469C-8816-05C3301BC706}H:\games\age of conan\conanpatcher.exe] => H:\games\age of conan\conanpatcher.exe
FirewallRules: [UDP Query User{5F556993-D1A7-47FD-9D8D-A4D9E9BFC868}H:\games\age of conan\conanpatcher.exe] => H:\games\age of conan\conanpatcher.exe
FirewallRules: [{43DF27E8-258D-4940-817E-BA9E2A105E2F}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{7E88C2FD-C213-45D5-A699-36E73042A979}] => C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{56E77248-851C-4C91-96A4-BCED33B5B4D4}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{367E94B8-9E3D-45D2-A9A9-BE8C2634F091}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{8242B6EE-E727-49FF-87C1-ACC7079E06DF}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
FirewallRules: [{5FBA1AAF-5B24-47FC-A6FF-5E92D9DF30E8}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{B7C6205D-27A1-4E93-AC3E-2BE25ECD7697}] => C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{FB6B8565-049C-41CC-89D6-8CE581EF4DFB}] => %ProgramFiles% (x86)\Winamp\winamp.exe
FirewallRules: [{39E2E4BF-4C8E-44E6-9FFC-E39CABE0D7BD}] => %ProgramFiles% (x86)\Winamp\winamp.exe
FirewallRules: [{11588CD1-B05A-4397-83A1-D8441F2DCCE6}] => C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe
FirewallRules: [{1C2F6B4B-F50D-481E-899F-EC4C5B792571}] => C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe

==================== Restore Points =========================

03-12-2016 22:26:21 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/14/2016 11:51:54 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:49 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:49 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:49 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:49 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:49 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:40 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:39 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:30 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (12/14/2016 11:51:30 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.


System errors:
=============
Error: (12/10/2016 12:03:08 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (12/08/2016 07:43:37 PM) (Source: WMPNetworkSvc) (EventID: 14365) (User: )
Description: Proximity detection failed due to unknown error '0x80004004'.  The best proximity time detected was -1 milliseconds.

Error: (11/14/2016 11:36:11 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (11/05/2016 12:35:44 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.

Error: (11/04/2016 09:30:28 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (11/04/2016 09:30:02 PM) (Source: WMPNetworkSvc) (EventID: 14365) (User: )
Description: Proximity detection failed due to unknown error '0x80004004'.  The best proximity time detected was -1 milliseconds.

Error: (10/25/2016 09:33:34 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (10/23/2016 02:02:19 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The NVIDIA Streamer Service service did not shut down properly after receiving a preshutdown control.

Error: (10/22/2016 11:48:51 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (10/22/2016 02:22:02 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
  Date: 2014-10-16 21:43:04.096
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-10-16 21:43:04.058
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.803
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\m\AppData\Local\Temp\EverestDriver.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.756
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\m\AppData\Local\Temp\EverestDriver.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.444
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\EVEREST Home Edition\kerneld.amd64 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-02-23 01:42:44.413
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\EVEREST Home Edition\kerneld.amd64 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Percentage of memory in use: 72%
Total physical RAM: 4094.49 MB
Available physical RAM: 1128.24 MB
Total Virtual: 16376.16 MB
Available Virtual: 12317.75 MB

==================== Drives ================================

Drive c: (Satan) (Fixed) (Total:97.56 GB) (Free:10.93 GB) NTFS
Drive d: (Old C) (Fixed) (Total:195.31 GB) (Free:41.47 GB) NTFS
Drive e: (Old D) (Fixed) (Total:195.31 GB) (Free:55.1 GB) NTFS
Drive f: (Old E) (Fixed) (Total:75.14 GB) (Free:23.73 GB) NTFS
Drive g: () (Fixed) (Total:292.97 GB) (Free:53.66 GB) NTFS
Drive h: () (Fixed) (Total:540.89 GB) (Free:110.23 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 603D2E21)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=293 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=540.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 4B4A643B)
Partition 1: (Active) - (Size=195.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=270.5 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================

--- --- ---

--- --- ---

cosinus · 14.12.2016, 12:01

1. Schritt: Malwarebytes Anti-Rootkit (MBAR)

Downloade dir bitte

Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.

Starte bitte die mbar.exe.
Folge den Anweisungen auf deinem Bildschirm gemäß Anleitung zu Malwarebytes Anti-Rootkit
Aktualisiere unbedingt die Datenbank und erlaube dem Tool, dein System zu scannen.
Klicke auf den CleanUp Button und erlaube den Neustart.
Während dem Neustart wird MBAR die gefundenen Objekte entfernen, also bleib geduldig.
Nach dem Neustart starte die mbar.exe erneut.
Sollte nochmal was gefunden werden, wiederhole den CleanUp Prozess.

Das Tool wird im erstellten Ordner eine Logfile ( mbar-log-<Jahr-Monat-Tag>.txt ) erzeugen. Bitte poste diese hier.

Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers

2. Schritt: Kaspersky TDSS-Killer

Downloade dir bitte

TDSSKiller.exe und speichere diese Datei auf dem Desktop

Starte die TDSSKiller.exe - Einstellen wie in der Anleitung zu TDSSKiller beschrieben.
Drücke Start Scan
Sollten infizierte Objekte gefunden werden, wähle keinesfalls Cure. Wähle Skip und klicke auf Continue.
TDSSKiller wird eine Logfile auf deinem Systemlaufwerk speichern (Meistens C:\)
Als Beispiel: C:\TDSSKiller.<Version_Datum_Uhrzeit>log.txt

Poste den Inhalt bitte in jedem Fall hier in deinen Thread.

Lesestoff:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR oder 7Z-Archiv zu packen erschwert mir massiv die Arbeit.
Auch wenn die Logs für einen Beitrag zu groß sein sollten, bitte ich dich die Logs direkt und notfalls über mehrere Beiträge verteilt zu posten.
Um die Logfiles in eine CODE-Box zu stellen gehe so vor:

Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.

cmdr · 14.12.2016, 12:22

mbar updatet leider nicht (host not found). Ich habe bereits für mbar.exe und mbamdor.exe Ausnahmeregeln in der Win-Firewall erstellt, trotzdem klappt es nicht...

13.12.2016, 10:00	#4
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	50% CPU usage wenn idle... Was soll denn das als XML........poste das bitte in TXT damit man das einfacher lesen kann __________________ Logfiles bitte immer in CODE-Tags posten

13.12.2016, 19:42	#6
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	50% CPU usage wenn idle... Noch dassselbe posten bringt da rein garnix. Du sollst aus Malwarebytes heraus TXT und nicht XML wählen! __________________ --> 50% CPU usage wenn idle...

14.12.2016, 00:17	#10
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	50% CPU usage wenn idle... So wird das nix, wir brauchen Adminrechte. Du musst dem betroffenen Useraccount Adminrechte geben. __________________ Logfiles bitte immer in CODE-Tags posten

14.12.2016, 09:29	#12
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	50% CPU usage wenn idle... Gib dem betroffenen Account Adminrechte. Das ist etwas anderes als wenn das mit einem anderen Konto machst. __________________ Logfiles bitte immer in CODE-Tags posten

50% CPU usage wenn idle...

Log-Analyse und Auswertung: 50% CPU usage wenn idle...